Secure execution of enterprise applications on mobile devices
Abstract
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device access to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
21 Claims
1. A method comprising:
generating, by an enterprise agent executing on a client device, a secure container in a first portion of a computer-readable storage of the client device, the secure container being encrypted and comprising a file system, wherein the first portion of the computer-readable storage is separate from a second portion of the computer-readable storage;
verifying, by the enterprise agent, a user of the client device based on one or more enterprise credentials associated with the user;
establishing, by the enterprise agent, a secure tunnel between the enterprise agent and a server associated with an enterprise;
receiving, by the enterprise agent, enterprise data from the server, the enterprise data received via the secure tunnel; and
storing, by the enterprise agent, the enterprise data in the secure container in accordance with one or more data policies of the enterprise, wherein the secure container is only accessible by a verified user and by one or more applications associated with the enterprise, and wherein access to the second portion of the computer-readable storage is provided independently of the one or more data policies of the enterprise.
Dependent claims: 2 to 15.

16. A method comprising:
generating a secure container in a first portion of a computer-readable storage of a client device, the secure container being encrypted and comprising a file system, and being separate from a second portion of the computer-readable storage;
verifying a user of the client device based on one or more enterprise credentials associated with the user;
establishing a secure tunnel between the client device and a server associated with an enterprise; and
storing enterprise data in the secure container in accordance with one or more data policies of the enterprise, the enterprise data received from the server via the secure tunnel, wherein the secure container is only accessible by a verified user and by one or more applications associated with the enterprise, wherein access to the second portion of the computer-readable storage is provided independently of the one or more data policies of the enterprise, wherein private data associated with the user is stored in the second portion of the computer-readable storage, the private data associated with activity of the user outside of a role of the user in the enterprise, and wherein the second portion of the computer-readable storage is inaccessible to the one or more applications associated with the enterprise.
Dependent claims: 17 to 20.

21. A method comprising:
establishing a secure tunnel between a client device and a server associated with an enterprise, wherein the secure tunnel is established for a verified user of the client device based on one or more enterprise credentials associated with the verified user;
determining one or more applications associated with the enterprise;
transmitting enterprise data from the server to the client device via the secure tunnel, wherein the enterprise data is stored in a secure container of the client device in accordance with one or more data policies of the enterprise, the secure container being encrypted and comprising a file system, wherein the secure container is located in a first portion of a computer-readable storage of the client device, wherein the first portion of the computer-readable storage is separate from a second portion of the computer-readable storage, and wherein the secure container is only accessible by the verified user and by the one or more applications associated with the enterprise; and
preventing the enterprise data stored in the secure container from being copied and stored in the second portion of the computer-readable storage.
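As an added illustration, not code from the patent or its assignee, the following Python model implements the access decisions the claims and abstract describe: the secure container is opened only for a verified user running an enterprise application on a device that passes attribute policy, the personal portion is reachable without reference to enterprise policy but is closed to enterprise applications, and copying from the container into personal storage is refused. All type names, policy fields and the sample policy values are constructed for the example; container encryption and the tunnel are out of scope here.

```python
from dataclasses import dataclass

# Constructed model of the two storage portions named in the claims.
SECURE, PERSONAL = "secure", "personal"


@dataclass(frozen=True)
class Device:
    installed_apps: frozenset  # device attribute evaluated by policy


@dataclass(frozen=True)
class User:
    name: str
    department: str  # user attribute evaluated by policy
    verified: bool   # True once enterprise credentials were checked


@dataclass(frozen=True)
class DataPolicy:
    enterprise_apps: frozenset        # apps allowed to open the container
    allowed_departments: frozenset
    blocked_apps: frozenset = frozenset()  # presence on device denies access
    allow_export: bool = False        # copy-out to personal storage


def check_secure_access(user, app, device, policy):
    """Return (allowed, reason) for an app touching the secure container."""
    if not user.verified:
        return False, "user not verified with enterprise credentials"
    if app not in policy.enterprise_apps:
        return False, f"{app} is not an enterprise application"
    if device.installed_apps & policy.blocked_apps:
        return False, "device fails attribute policy (blocked app installed)"
    if user.department not in policy.allowed_departments:
        return False, f"department {user.department} not permitted"
    return True, "ok"


def check_personal_access(app, policy):
    """Personal storage is outside enterprise policy, but closed to
    enterprise applications (claim 16)."""
    if app in policy.enterprise_apps:
        return False, "enterprise applications cannot reach personal storage"
    return True, "personal storage is not governed by enterprise policy"


def check_copy(src, dst, user, app, device, policy):
    """Copy between portions; secure-to-personal is refused unless exported."""
    if src == SECURE and dst == PERSONAL and not policy.allow_export:
        return False, "copy from secure container to personal storage blocked"
    if dst == PERSONAL and src == PERSONAL:
        return check_personal_access(app, policy)
    return check_secure_access(user, app, device, policy)
```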
Specification