Providing secure mobile device access to enterprise resources using application tunnels
First Claim
1. A non-transitory computer-readable medium having stored thereon an agent component that is configured to be installed on a mobile device of a user to provide secure access over a network to an enterprise resource of an enterprise system, the agent component comprising executable code that implements a process that comprises:
- intercepting, by the agent component installed on the mobile device, a hypertext transfer protocol (HTTP) request generated by an application installed on the mobile device;
- modifying the HTTP request by replacing a hostname of the HTTP request with a hostname of the enterprise resource;
- encapsulating, by the agent component installed on the mobile device, a representation of the modified HTTP request according to a tunneling protocol; and
- sending, by the agent component installed on the mobile device, the encapsulated representation of the HTTP request from the mobile device over a network to a tunnel mediator that is configured to extract and forward the representation of the HTTP request to a corresponding enterprise resource, wherein the agent component is configured to send the encapsulated representation of the HTTP request using a tunnel definition that is specific to the application installed on the mobile device.
Abstract
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
24 Claims
1. (Reproduced in full under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. A computer system comprising:
- one or more processors; and
- non-transitory computer-readable media storing computer-readable instructions that, when executed by the one or more processors, implement:
  - a repository of application tunnel definitions, each application tunnel definition defined for a particular mobile device application and indicating a particular server port associated with a particular resource of the computer system; and
  - a tunneling mediator that is configured to:
    - receive an application tunnel formation request from an agent installed on a mobile device, the application tunnel formation request identifying one of the application tunnel definitions;
    - retrieve the identified application tunnel definition from the repository;
    - determine, from the retrieved application tunnel definition, a server port of a resource of the computer system;
    - receive at least one agent-generated communication from the agent installed on the mobile device, the agent-generated communication comprising an application-generated communication from an application installed on the mobile device, the retrieved application tunnel definition being defined for the application installed on the mobile device, the application-generated communication being encapsulated by the agent installed on the mobile device within one or more headers of an encapsulation protocol;
    - extract the application-generated communication from the agent-generated communication;
    - modify the application-generated communication by replacing a hostname of the application-generated communication with a hostname of the resource of the computer system; and
    - send the application-generated communication to the server port via a resource network connection.
Dependent claims: 7, 8, 9, 10, 11.
12. A mobile device comprising a processor and storage, the mobile device comprising:
- one or more application tunnel definitions stored in the storage, each application tunnel definition being uniquely associated with a particular mobile device application and indicating a local mobile device port; and
- an agent installed on the storage of the mobile device, the agent being associated with a remote computer system and comprising instructions that, when executed by the processor, cause the mobile device to:
  - receive, by the agent installed on the mobile device, an application-generated communication comprising a hypertext transfer protocol (HTTP) request generated by an application installed on the mobile device, the application configured to communicate with a resource of the remote computer system;
  - search the storage to retrieve an application tunnel definition of the one or more application tunnel definitions, wherein the retrieved tunnel definition is uniquely associated with the application;
  - generate, by the agent installed on the mobile device, an application tunnel formation request based on the retrieved application tunnel definition;
  - modify the HTTP request by replacing a hostname in the HTTP request with a hostname of the resource;
  - encapsulate at least a portion of the application-generated communication, comprising the modified HTTP request, within one or more headers of an encapsulation protocol; and
  - send, by the agent installed on the mobile device, the application tunnel formation request and the encapsulated application-generated communication to a tunneling mediator of the remote computer system.
Dependent claims: 13, 14, 15, 16.
17. Non-transitory computer storage storing executable instructions that cause a mobile device to perform a process that comprises:
- intercepting, by an agent component installed on the mobile device, a message sent by a mobile application running on the mobile device;
- modifying, by the agent component installed on the mobile device, a hostname specified by the message to correspond to a target application server;
- encapsulating, by the agent component installed on the mobile device, the modified message according to an application tunneling protocol specified for the mobile application; and
- sending, by the agent component installed on the mobile device, the encapsulated, modified message on a wireless network for delivery to the target application server via an application tunnel.
Dependent claims: 18, 19.
20. A method comprising:
- intercepting, by an agent component installed on a mobile device, a hypertext transfer protocol (HTTP) request generated by an application installed on the mobile device;
- modifying the HTTP request by replacing a hostname of the HTTP request with a hostname of an enterprise resource;
- encapsulating, by the agent component installed on the mobile device, a representation of the modified HTTP request according to a tunneling protocol; and
- sending, by the agent component installed on the mobile device, the encapsulated representation of the HTTP request from the mobile device over a network to a tunnel mediator that is configured to extract and forward the representation of the HTTP request to a corresponding enterprise resource, wherein the agent component is configured to send the encapsulated representation of the HTTP request using a tunnel definition that is specific to the application installed on the mobile device.
Dependent claims: 21, 22, 23, 24.
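The exchange the independent claims describe, as an added worked example that is not code from the patent or its assignee: a per-application tunnel definition repository, the device-side agent that intercepts an HTTP request, pins the hostname from the application's own definition and wraps it in an encapsulation header, and the enterprise-side mediator that unwraps it, resolves the definition to a server port and re-pins the hostname before forwarding. The application identifiers, hostnames, ports and the "APPT" framing are assumptions; the mediator returns the forwarding target instead of opening the resource network connection.

```python
# Added example (not the patent's or assignee's code): a minimal model of the
# per-application HTTP tunnel described in the independent claims.
# Hostnames, ports, app identifiers and the "APPT" framing are assumptions.
import json
import struct
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class TunnelDefinition:
    app_id: str          # the single mobile application this tunnel is defined for
    resource_host: str   # enterprise hostname substituted into the request
    server_port: int     # server port of the resource (used by the mediator)
    local_port: int      # loopback port the app is pointed at on the device


# Constructed repository of application tunnel definitions. The claims keep a
# copy on the device (local port) and one in the enterprise system (server
# port); a single dict stands in for both here.
REPOSITORY: Dict[str, TunnelDefinition] = {
    "expense-app": TunnelDefinition("expense-app", "expense.corp.internal", 8443, 19001),
    "crm-app": TunnelDefinition("crm-app", "crm.corp.internal", 443, 19002),
}

# Hypothetical encapsulation header: magic, metadata length, body length.
MAGIC = b"APPT"
HEADER = struct.Struct("!4sII")


def rewrite_host(http_request: bytes, hostname: str) -> bytes:
    """Replace the Host header of a raw HTTP/1.1 request with `hostname`."""
    head, sep, body = http_request.partition(b"\r\n\r\n")
    out, replaced = [], False
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"host:"):
            out.append(b"Host: " + hostname.encode("ascii"))
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise ValueError("request carries no Host header")
    return b"\r\n".join(out) + sep + body


def agent_encapsulate(app_id: str, http_request: bytes) -> bytes:
    """Device side: intercept the app's request, pin the hostname from the
    app-specific tunnel definition, and wrap it in the tunnel framing. The
    metadata doubles as the tunnel formation request: it names the definition
    the mediator must use."""
    definition = REPOSITORY[app_id]
    modified = rewrite_host(http_request, definition.resource_host)
    meta = json.dumps({"tunnel": definition.app_id}).encode("ascii")
    return HEADER.pack(MAGIC, len(meta), len(modified)) + meta + modified


def mediator_extract(frame: bytes) -> Tuple[str, int, bytes]:
    """Enterprise side: unwrap the frame, resolve the tunnel definition, and
    return (hostname, server_port, request) for forwarding."""
    if len(frame) < HEADER.size:
        raise ValueError("frame shorter than header")
    magic, meta_len, body_len = HEADER.unpack_from(frame)
    if magic != MAGIC:
        raise ValueError("not an application-tunnel frame")
    meta_end = HEADER.size + meta_len
    body = frame[meta_end:meta_end + body_len]
    if len(body) != body_len:
        raise ValueError("truncated frame")
    meta = json.loads(frame[HEADER.size:meta_end])
    definition = REPOSITORY.get(meta.get("tunnel"))
    if definition is None:
        raise PermissionError("unknown tunnel definition")
    # Re-pin the hostname from the definition on this side as well, so neither
    # the app nor a tampered agent can steer the mediator at another internal
    # host by editing the Host header carried inside the tunnel.
    forwarded = rewrite_host(body, definition.resource_host)
    return definition.resource_host, definition.server_port, forwarded


if __name__ == "__main__":
    # Constructed request as the app would emit it toward the local tunnel port.
    request = (b"GET /api/v1/reports HTTP/1.1\r\n"
               b"Host: 127.0.0.1:19001\r\n"
               b"Accept: application/json\r\n\r\n")
    host, port, fwd = mediator_extract(agent_encapsulate("expense-app", request))
    print(host, port)
    print(fwd.decode())
```

The point worth checking in any real implementation is the second hostname rewrite: the mediator takes the destination from its own copy of the tunnel definition, never from the Host header the device sent, so an application can only ever reach the one resource its definition names. The tunnel identifier in the frame is a selector, not a credential; the device and user policy checks the abstract mentions would have to authenticate the agent before the repository lookup is trusted.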