Controlling mobile device access to secure data
First Claim
1. A method, comprising:
- configuring a mobile device such that a managed application of the mobile device is able to be executed in accordance with policy information that defines a management framework for executing the managed application by at least;
configuring, based on at least one first setting of the policy information, a private secure container, which is to be private to the managed application, such that a first set of read or write operations from the managed application is to be redirected to the private secure container;
configuring, based on at least one second setting of the policy information, a shared secure container, which is to be accessible by the managed application and at least one other managed application of the mobile device, such that a second set of read or write operations from the managed application is to be redirected to the shared secure container;
determining that legacy data, which is associated with an application of the mobile device that was executed not in accordance with the management framework, is to be configured for the managed application;
responsive to determining that the legacy data is to be configured for the managed application, encrypting the legacy data, resulting in encrypted legacy data;
storing a first set of the encrypted legacy data in the private secure container; and
storing a second set of the encrypted legacy data in the shared secure container.
7 Assignments
0 Petitions
Accused Products
Abstract
Various aspects of the disclosure relate to providing secure containers or data vaults for data of one or more managed applications. In some embodiments, each managed application may be assigned its own private data vault and/or may be assigned a shared data vault that is accessible to at least one other managed application. As the managed application executes, calls for access to the data may be intercepted and redirected to the secure containers. Data stored in a secure container may be encrypted according to a policy. Other aspects relate to deleting data from a secure container, such as via a selective wipe of data associated with a managed application. Further aspects relate to configuring and creating the secure containers, retrieving key information required to encrypt/decrypt the data stored in the secure containers, and publishing the managed applications, policy information and key information for download to a mobile device.
582 Citations
20 Claims
-
1. A method, comprising:
configuring a mobile device such that a managed application of the mobile device is able to be executed in accordance with policy information that defines a management framework for executing the managed application by at least; configuring, based on at least one first setting of the policy information, a private secure container, which is to be private to the managed application, such that a first set of read or write operations from the managed application is to be redirected to the private secure container; configuring, based on at least one second setting of the policy information, a shared secure container, which is to be accessible by the managed application and at least one other managed application of the mobile device, such that a second set of read or write operations from the managed application is to be redirected to the shared secure container; determining that legacy data, which is associated with an application of the mobile device that was executed not in accordance with the management framework, is to be configured for the managed application; responsive to determining that the legacy data is to be configured for the managed application, encrypting the legacy data, resulting in encrypted legacy data; storing a first set of the encrypted legacy data in the private secure container; and storing a second set of the encrypted legacy data in the shared secure container. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
8. A method, comprising:
-
configuring a mobile device such that a managed application of the mobile device is able to be executed in accordance with policy information that defines a management framework for executing the managed application by at least; configuring, based on at least one first setting of the policy information, a private secure container, which is to be private to the managed application, such that a first set of read or write operations from the managed application is to be redirected to the private secure container, and configuring, based on at least one second setting of the policy information, a shared secure container, which is to be accessible by the managed application and at least one other managed application of the mobile device, such that a second set of read or write operations from the managed application is to be redirected to the shared secure container; intercepting a first read or write operation from the managed application while the managed application is executing on the mobile device, wherein the first read or write operation comprises an application programming interface (API) call available via a file system of the mobile device, wherein the file system of the mobile device is different from both a file system of the private secure container and a file system of the shared secure container; determining, based on the policy information, whether to redirect the read or write operation to the shared secure container or the private secure container; and based on the determining, redirecting the first read or write operation to the private secure container or the shared secure container. - View Dependent Claims (9, 10, 11, 12, 13)
-
-
14. An apparatus, comprising:
-
at least one processor; and memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to; configure the apparatus such that a managed application of the apparatus is able to be executed in accordance with policy information that defines a management framework for executing the managed application by at least; configuring, based on at least one first setting of the policy information, a private secure container, which is to be private to the managed application, such that a first set of read or write operations from the managed application is to be redirected to the private secure container, and configuring, based on at least one second setting of the policy information, a shared secure container, which is to be accessible by the managed application and at least one other managed application of the apparatus, such that a second set of read or write operations from the managed application is to be redirected to the shared secure container; intercept a first read or write operation from the managed application while the managed application is executing on the apparatus, wherein the first read or write operation comprises an application programming interface (API) call available via a file system of the apparatus, wherein the file system of the apparatus is different from both a file system of the private secure container and a file system of the shared secure container; determine, based on the policy information, whether to redirect the read or write operation to the shared secure container or the private secure container; and based on the determination of whether to redirect the read or write operation to the shared secure container or the private secure container, redirect the first read or write operation to the private secure container or the shared secure container. - View Dependent Claims (15, 16, 17, 18, 19, 20)
-
Specification