Providing virtualized private network tunnels
First Claim
1. A method, comprising:
- detecting that an application is capable of running in both a first mode and a second mode on a mobile device, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the mobile device;
running, on the mobile device, the application in the first mode;
when the application is running in the first mode under the control of the one or more policies;
transmitting, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and providing the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;
transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time;
closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and
after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time.
7 Assignments
0 Petitions
Accused Products
Abstract
Various aspects of the disclosure relate to providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
298 Citations
19 Claims
-
1. A method, comprising:
-
detecting that an application is capable of running in both a first mode and a second mode on a mobile device, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the mobile device; running, on the mobile device, the application in the first mode; when the application is running in the first mode under the control of the one or more policies;
transmitting, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and providing the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time; closing the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and after closing the per-application policy-controlled VPN tunnel, transmitting, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. An apparatus, comprising:
-
at least one processor; and memory storing executable instructions configured to, when executed by the at least one processor, cause the apparatus to; detect that an application is capable of running in both a first mode and a second mode on the apparatus, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the apparatus, run the application in the first mode, when the application is running in the first mode under the control of the one or more policies;
transmit, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and provide the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time, close the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time, and after closing the per-application policy-controlled VPN tunnel, transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time. - View Dependent Claims (10, 11, 12, 13, 14, 15)
-
-
16. One or more non-transitory computer-readable media storing instructions configured to, when executed, cause a computing device to:
-
detect that an application is capable of running in both a first mode and a second mode on the computing device, wherein the first mode is a managed mode operating under control of one or more policies separate from the application and usable to manage operations of multiple applications executing on the computing device; run the application in the first mode; and when the application is running in the first mode under the control of the one or more policies;
transmit, to an access gateway, a ticket configured to provide authentication in connection with establishing a per-application policy-controlled virtual private network (VPN) tunnel for the application to at least one resource, and provide the application with access to the at least one resource via the per-application policy-controlled VPN tunnel, wherein the ticket includes a validity duration;transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a first time; close the per-application policy-controlled VPN tunnel after re-establishing the per-application policy-controlled VPN tunnel the first time; and after closing the per-application policy-controlled VPN tunnel, transmit, during the validity duration, the ticket to the access gateway to cause the per-application policy-controlled VPN tunnel to be re-established a second time. - View Dependent Claims (17, 18, 19)
-
Specification