Policy enforcement in mobile devices

US 8,935,741 B2
Filed: 04/17/2008
Issued: 01/13/2015
Est. Priority Date: 04/17/2008
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a resource in a mobile device, comprising:

intercepting a request to access said resource;

determining a type of intended operation of a resource functionality based on said request, wherein said type of intended operation corresponds to a user'"'"'s purpose of intended use associated with a communication type of said mobile device;

selectively authorizing access to said resource according to said determined type of intended operation based on an encrypted enforcement policy stored in said mobile device, wherein said selectively authorizing comprises granting access to said resource when said intended operation utilizes resource functionality of a first communication type, and denying access to said resource when said intended operation utilizes resource functionality of a second communication type;

applying said encrypted enforcement policy;

monitoring one or more settings associated with said resource when said mobile device is offline;

detecting a change in said one or more settings, wherein said one or more settings are enforced by said encrypted enforcement policy;

determining whether said change in said one or more settings is authorized by said encrypted enforcement policy; and

restoring said one or more settings to a state based on determining that said change is not authorized, wherein said state is based on said encrypted enforcement policy.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods and computer program products for enabling enforcement of an administrative policy on one or more mobile devices are described herein. In an embodiment, an administrator uses a policy server to create and provide an enforcement policy to a mobile device. An enforcement policy may include information on mobile device resources which may be controlled by an administrator. An enforcement policy also includes information on how mobile device features will be set, configured or disabled. An enforcement device driver and an enforcement monitor on a mobile device use the enforcement policy to control access to resources associated with the mobile device regardless of whether the mobile device is “online” and connected to a network or “offline” and disconnected from a network.

6 Citations

View as Search Results

17 Claims

1. A method of controlling access to a resource in a mobile device, comprising:
- intercepting a request to access said resource;
  
  determining a type of intended operation of a resource functionality based on said request, wherein said type of intended operation corresponds to a user'"'"'s purpose of intended use associated with a communication type of said mobile device;
  
  selectively authorizing access to said resource according to said determined type of intended operation based on an encrypted enforcement policy stored in said mobile device, wherein said selectively authorizing comprises granting access to said resource when said intended operation utilizes resource functionality of a first communication type, and denying access to said resource when said intended operation utilizes resource functionality of a second communication type;
  
  applying said encrypted enforcement policy;
  
  monitoring one or more settings associated with said resource when said mobile device is offline;
  
  detecting a change in said one or more settings, wherein said one or more settings are enforced by said encrypted enforcement policy;
  
  determining whether said change in said one or more settings is authorized by said encrypted enforcement policy; and
  
  restoring said one or more settings to a state based on determining that said change is not authorized, wherein said state is based on said encrypted enforcement policy.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - decrypting said enforcement policy to obtain a decrypted enforcement policy;
      
      storing said decrypted enforcement policy in memory; and
      
      using said decrypted enforcement policy to control access to said resource;
      
      wherein said decrypted enforcement policy is removed from memory after said using step is completed.
  - 3. The method of claim 1, further comprising:
    - receiving said encrypted enforcement policy over a short messaging service (SMS) channel.
  - 4. The method of claim 1, further comprising:
    - instantiating an enforcement device driver to intercept said request.
  - 5. The method of claim 1, wherein determining said type of said intended operation includes consideration to a user-supplied intended operation in response to prompting.
  - 6. The method of claim 1, wherein selectively authorizing comprises either:
    - granting access to said resource when said intended operation utilizes resource functionality of a voice communication type, and denying access to said resource when said intended operation utilizes resource functionality of a data communication type, orgranting access to said resource when said intended operation utilizes resource functionality of a data communication type, and denying access to said resource when said intended operation utilizes resource functionality of a voice communication type.

7. A method of controlling resources in a mobile device, comprising:
- determining a type of intended operation of a resource functionality based on said request, wherein said type of intended operation corresponds to a user'"'"'s purpose of intended use associated with a communication type of said mobile device;
  
  selectively authorizing access to said resource according to aid determined type of intended operation based on an encrypted enforcement policy stored in said mobile device, wherein said selectively authorizing comprises granting access to said resource when said intended operation utilizes resource functionality of a first communication type, and denying access to said resource when said intended operation utilizes resource functionality of a second communication type;
  
  applying said encrypted enforcement policy;
  
  monitoring one or more settings associated with said resource when said mobile device is offline;
  
  detecting a presence of an external data store;
  
  determining whether an addition of said external data store is authorized by said enforcement policy; and
  
  restoring said one or more settings to a state based on determining that said addition is not authorized, wherein said state is based on said enforcement policy.
- View Dependent Claims (8)
- - 8. The method of claim 7, further comprising:
    - instantiating an enforcement monitor to monitor said one or more settings.

9. A processor-based system for controlling access to resources in a mobile device, comprising:
- one or more computer processors;
  
  a first module configured to intercept a request to access said resource;
  
  a second module configured to determine a type of intended operation of a resource functionality based on said request, wherein said type of intended operation corresponds to a user'"'"'s purpose of intended use associated with a communication type of said mobile device;
  
  a third module configured to selectively authorize access to said resource according to said determined type of intended operation based on an encrypted enforcement policy stored in said mobile device, wherein said selectively authorizing comprises granting access to said resource when said intended operation utilizes resource functionality of a first communication type, and denying access to said resource when said intended operation utilizes resource functionality of a second communication type; and
  
  a fourth module configured to;
  
  monitor one or more settings associated with said resource when said mobile device is offline,detect a change in said one or more settings, wherein said one or more settings are enforced by said encrypted enforcement policy,determine whether said change in said one or more settings is authorized by said encrypted enforcement policy, andrestore said one or more settings to a desired state, wherein said desired state is based on said encrypted enforcement policy,wherein said first module, said second module, said third module and said fourth module are implemented using said one or more computer processors.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The system of claim 9, further comprising:
    - a fifth module configured to decrypt said encrypted enforcement policy to obtain a decrypted enforcement policy;
      
      a sixth module configured to store said decrypted enforcement policy in memory; and
      
      a seventh module configured to control access to said resource using said decrypted enforcement policy, wherein said fifth module, said sixth module, and said seventh module are implemented using said one or more computer processors.
  - 11. The system of claim 9, further comprising:
    - a fifth module configured to receive said encrypted enforcement policy over a short messaging service (SMS) channel, wherein said fifth module is implemented using said one or more computer processors.
  - 12. The system of claim 9, further comprising:
    - a fifth module configured to instantiate an enforcement device driver to intercept said request, wherein said fifth module is implemented using said one or more computer processors.
  - 13. The system of claim 9, further comprising:
    - a eighth module configured to instantiate an enforcement monitor to monitor said settings, wherein said eighth module is implemented using said one or more computer processors.

14. A computer program product including a non-transitory computer-readable medium having instructions stored thereon that, if executed by a processing device, cause the processing device to perform operations comprising:
- intercepting a request to access said resource;
  
  determining a type of intended operation of a resource functionality based on said request, wherein said type of intended operation corresponds to a user'"'"'s purpose of intended use associated with a communication type of said mobile device;
  
  selectively authorizing access to said resource according to said determined type of intended operation based on an encrypted enforcement policy stored in said mobile device, wherein said selectively authorizing comprises granting access to said resource when said intended operation utilizes resource functionality of a first communication type, and denying access to said resource when said intended operation utilizes resource functionality of a second communication type;
  
  applying said encrypted enforcement policy;
  
  monitoring one or more settings associated with said resource when said mobile device is offline;
  
  detecting a change in said one or more settings, wherein said one or more settings are enforced by said encrypted enforcement policy;
  
  determining whether said change in said one or more settings is authorized by said encrypted enforcement policy; and
  
  restoring said one or more settings to a state based on determining that said change is not authorized, wherein said state is based on said encrypted enforcement policy.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program product of claim 14, the operations further comprising:
    - decrypting said enforcement policy to obtain a decrypted enforcement policy;
      
      storing said decrypted enforcement policy in memory; and
      
      using said decrypted enforcement policy to control access to said resource.
  - 16. The computer program product of claim 14, the operations further comprising:
    - receiving said encrypted enforcement policy over a short messaging service (SMS) channel.
  - 17. The computer program product of claim 14, the operations further comprising:
    - instantiating an enforcement device driver to intercept said request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iAnywhere Solutions Incorporated (SAP SE)
Original Assignee
iAnywhere Solutions Incorporated (SAP SE)
Inventors
Hinds, Donald W.
Primary Examiner(s)
Siddiqi, Mohammad A

Application Number

US12/105,003
Publication Number

US 20090265754A1
Time in Patent Office

2,462 Days
Field of Search

726/1, 726/2, 726/4, 726/22, 726 27- 30, 455/432.1, 455/54.1, 455/54.2, 713/150, 713/153
US Class Current

726/1
CPC Class Codes

G06F 21/6218 to a system of files or obj...

G06F 2221/2149 Restricted operating enviro...

Policy enforcement in mobile devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

6 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Policy enforcement in mobile devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

6 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links