Policy-based application management
US-9213850-B2 · Dec 15, 2015 · US
US9378359B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9378359-B2 |
| Application number | US-201213649076-A |
| Country | US |
| Kind code | B2 |
| Filing date | Oct 10, 2012 |
| Priority date | Oct 11, 2011 |
| Publication date | Jun 28, 2016 |
| Grant date | Jun 28, 2016 |
Official abstract text for this publication.
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.
Opening claim text (preview).
What is claimed is:
1. A system comprising: an enterprise resource comprising computer hardware configured to electronically communicate with a computing device over a communication network; and a gateway comprising computer hardware, the gateway configured to: receive a request from a mobile device to access the enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload; store a gateway rule comprising an indication to encrypt data transmitted to the mobile device via the gateway when the property of the request from the mobile device corresponds to a property value in the gateway rule; parse the payload of the request from the mobile device to determine a character-encoding scheme of the payload of the request; based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to the property value in the gateway rule; and responsive to determining that the property of the request from the mobile device corresponds to the property value in the gateway rule, cause the data transmitted to the mobile device via the gateway to be encrypted.
2. The system of claim 1, wherein the gateway is configured to: based on the property of the request from the mobile device, either allow access to the enterprise resource or deny access to the enterprise resource.
3. The system of claim 1, wherein the gateway is configured to: store a second gateway rule comprising an indication to deny the request from the mobile device to access the enterprise resource when the mobile device has a particular application stored thereon.
4. The system of claim 1, wherein the gateway is configured to: based on the property of the request from the mobile device, block the mobile device from receiving an email attachment.
5. The system of claim 1, wherein the gateway is configured to: store a second gateway rule comprising an indication to take a first action based on a user of the mobile device having a first role in the enterprise, and a second action based on the user of the mobile device having a second role in the enterprise different from the first role.
6. The system of claim 1, wherein one or more computing devices configured to implement the gateway comprise at least one of a firewall server and a computing device configured to control a firewall server.
7. The system of claim 1, wherein the gateway is configured to: store at least one statically defined gateway rule; and store at least one gateway rule received from one or more gateway rule providers.
8. The system of claim 1, wherein the property of the request from the mobile device is associated with an identity of a user of the mobile device.
9. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a system to: receive, from a mobile device, a request to access an enterprise resource, the request formatted according to a protocol and including a property of the mobile device, the request comprising a header and a payload; parse the payload of the request to determine a character-encoding scheme of the payload of the request; based on the character-encoding scheme of the payload of the request, determine whether the property of the request from the mobile device corresponds to a property value in a gateway rule stored on the system; and responsive to determining that the property of the request corresponds to the property value in the gateway rule, cause data transmitted to the mobile device via the gateway to be encrypted.
10. The non-transitory computer-readable media of claim 9, wherein the executable instructions, when executed by the one or more processors, cause the system to: determine a relative priority among a plurality of gateway rules each having a property value corresponding to the property of the request, wherein an action taken responsive to determining the relative priority corresponds to the gateway rule of the plurality of gateway rules that has a highest relative priority.
11. The non-transitory computer-readable media of claim 9, wherein the executable instructions, when executed by the one or more processors, cause the system to: periodically send requests for new gateway rules to one or more gateway rule providers; and receive the new gateway rules from the one or more gateway rule providers, in response to the requests for the new gateway rules.
12. The non-transitory computer-readable media of claim 9, wherein the executable instructions, when executed by the one or more processors, cause the system to: receive the gateway rule from a meta-application; and store the gateway rule on the system.
13. A method comprising: monitoring, by a computing device, communications between a mobile device and an enterprise resource of an enterprise-computing system; detecting, by the computing device, that a selected one of the communications between the mobile device and the enterprise resource is formatted according to a protocol; parsing, by the computing device, a payload of the selected one of the communications to determine a character-encoding scheme of the payload; based on the character-encoding scheme of the payload, determining, by the computing device, whether a condition of the selected one of the communications corresponds to a condition identified in one or more predefined rules; and responsive to determining that the condition of the selected one of the communications corresponds to the condition identified in the one or more predefined rules, encrypting, by the computing device, data in the selected one of the communications between the mobile device and the enterprise resource, the data being transmitted via the computing device.
14. The method of claim 13, comprising: determining, by the computing device, based on a first protocol-specific condition of the selected one of the communications, a particular role of a user associated with the mobile device in the enterprise; determining, by the computing device, based on a second protocol-specific condition of the selected one of the communications, one or more properties of the mobile device; and determining, by the computing device, whether to allow or deny access to the enterprise resource by the mobile device based on the particular role of the user and the one or more properties of the mobile device.
15. The method of claim 14, comprising: determining, by the computing device, based on the second protocol-specific condition, whether a particular application is installed on the mobile device; and determining, by the computing device, whether to allow or deny the access to the enterprise resource by the mobile device based on whether the particular application is installed on the mobile device.
16. The method of claim 14, comprising: determining, by the computing device, based on the second protocol-specific condition, a geographical location of the mobile device; and determining, by the computing device, whether to allow or deny the access to the enterprise resource by the mobile device based on the geographic location of the mobile device.
17. The method of claim 14, comprising: determining, by the computing device, based on the second protocol-specific condition, a time of the selected one of the communications; and determining, by the computing device, whether to allow or deny the access to the enterprise resource by the mobile device based on the
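As an added example (not code from the patent or its assignee), a small Python gateway rule evaluator that follows the mechanism of claims 1, 3, 5 and 10: determine the payload's character-encoding scheme, decode the device and user properties, pick the highest-priority matching gateway rule, and return its action. The rule names, the JSON payload shape, the charset detection order and the default-deny fallback are this example's own assumptions.

```python
import json
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class GatewayRule:
    name: str
    priority: int                    # higher wins when several rules match (claim 10)
    matches: Callable[[dict], bool]  # test on the request's device/user properties (claim 1)
    action: str                      # "allow", "deny" or "encrypt" (claims 1 and 2)

def payload_encoding(headers: dict, payload: bytes) -> str:
    """Determine the payload's character-encoding scheme (claim 1): a UTF-16
    byte-order mark first, then the Content-Type charset parameter, else UTF-8."""
    if payload[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16"
    for param in headers.get("Content-Type", "").split(";")[1:]:
        key, _, value = param.strip().partition("=")
        if key.lower() == "charset" and value:
            return value.strip('"').lower()
    return "utf-8"

def device_properties(headers: dict, payload: bytes) -> dict:
    """Decode the (constructed) JSON payload with the detected encoding."""
    return json.loads(payload.decode(payload_encoding(headers, payload)))

def evaluate(rules: list, headers: dict, payload: bytes) -> tuple:
    """Return (action, rule_name). The highest-priority matching rule wins;
    default-deny when no rule matches is an assumption, not from the patent."""
    props = device_properties(headers, payload)
    hits = [r for r in rules if r.matches(props)]
    if not hits:
        return ("deny", None)
    best = max(hits, key=lambda r: r.priority)
    return (best.action, best.name)

# Constructed rules: claim 3 (deny when a particular app is present),
# claim 5 (action depends on the user's role), claim 1 (encrypt on property match).
RULES = [
    GatewayRule("deny-blocklisted-app", 100,
                lambda p: "blocklisted-app" in p.get("apps", []), "deny"),
    GatewayRule("encrypt-finance-role", 50,
                lambda p: p.get("role") == "finance", "encrypt"),
    GatewayRule("allow-managed-device", 10,
                lambda p: p.get("managed") is True, "allow"),
]

if __name__ == "__main__":
    # Constructed UTF-16 request (BOM emitted by the codec) from a managed finance user.
    hdr = {"Content-Type": "application/json; charset=utf-16"}
    body = json.dumps({"role": "finance", "managed": True, "apps": []}).encode("utf-16")
    print(payload_encoding(hdr, body), evaluate(RULES, hdr, body))
```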
Protecting access to data via a platform, e.g. using keys or access control rules · CPC title
to a system of files or objects, e.g. local or distributed file system or database · CPC title
Location-based management or tracking services · CPC title
against software analysis or reverse engineering, e.g. by obfuscation · CPC title
Protecting executable software · CPC title