Controlling mobile device access to enterprise resources

US9529996B2 · US · B2

Patent metadata
Field: Value
Publication number: US-9529996-B2
Application number: US-201213649073-A
Country: US
Kind code: B2
Filing date: Oct 10, 2012
Priority date: Oct 11, 2011
Publication date: Dec 27, 2016
Grant date: Dec 27, 2016

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, creating a secure execution environment for running enterprise applications, and/or creating secure application tunnels for communicating with the enterprise system.

First claim

Opening claim text (preview).

What is claimed is:

1. A system comprising: one or more processors; and non-transitory computer-readable media storing executable instructions that, when executed by the one or more processors, cause the system to: receive, from an enterprise agent installed on a mobile device, mobile device property information that includes information regarding an application installed on the mobile device; store the mobile device property information that includes the information regarding the application installed on the mobile device; store user information regarding a user of the mobile device, the user information including information specifying a role of the user in an enterprise; store at least one enterprise access policy for controlling access to a particular enterprise resource of the enterprise, the at least one enterprise access policy being based on the application installed on the mobile device and the information specifying the role of the user in the enterprise; receive a request from the application installed on the mobile device to access the particular enterprise resource; inspect a payload of the request from the application installed on the mobile device to access the particular enterprise resource; and determine whether to grant or deny access to the particular enterprise resource by the application installed on the mobile device, in response to the request, based on the mobile device property information that includes the information regarding the application installed on the mobile device, the user information including the information specifying the role of the user in the enterprise, and the at least one enterprise access policy.

2. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: determine whether to grant or deny the access to the particular enterprise resource based on whether the application installed on the mobile device is an unauthorized application, as determined from information reported by the enterprise agent installed on the mobile device.

3. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: responsive to the request from the application installed on the mobile device to access the particular enterprise resource: look up the mobile device property information, look up the user information regarding the user of the mobile device, determine whether the looked-up mobile device property information and the looked-up user information comply with the at least one enterprise access policy associated with the particular enterprise resource.

4. The system of claim 3, wherein the request from the application installed on the mobile device to access the particular enterprise resource comprises a request to form an application tunnel between the particular enterprise resource and the application installed on the mobile device.

5. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: generate a plurality of gateway rules based on the at least one enterprise access policy and one or more of the mobile device property information and the user information including the information specifying the role of the user in the enterprise; and provide the plurality of gateway rules to a mobile gateway that controls the access to the particular enterprise resource.

6. The system of claim 5, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: translate a plurality of enterprise access policies into a plurality of lower-level gateway rules based on at least the mobile device property information, the user information including the information specifying the role of the user in the enterprise, and a location of the mobile device; and provide the plurality of lower-level gateway rules to the mobile gateway.

7. The system of claim 5, wherein the mobile gateway is configured to apply the plurality of gateway rules to determine whether to grant or deny an access request for the particular enterprise resource received from the mobile device, wherein the mobile gateway comprises a mobile gateway filter configured to run on an enterprise firewall server.

8. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: send, to the mobile device, at least one rule indicating a specific condition that requires an associated remedial action, wherein the enterprise agent is configured to enforce the rule and apply the associated remedial action on the mobile device.

9. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: determine that the mobile device has multiple applications of a particular application type installed; deny, to a first application of the particular application type, the access to the particular enterprise resource; and permit, to a second application of the particular application type, the access to the particular enterprise resource.

10. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: determine that the mobile device has multiple applications of a particular application type installed; encrypt data transmitted to a first application of the particular application type from the particular enterprise resource; and not encrypt data transmitted to a second application of the particular application type from the particular enterprise resource.

11. The system of claim 1, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: determine that the request from the application installed on the mobile device to access the particular enterprise resource uses a particular protocol, wherein determining whether to grant or deny the access is based on the request using the particular protocol.

12. The system of claim 11, wherein the non-transitory computer-readable media stores executable instructions that, when executed by the one or more processors, cause the system to: encrypt attachment data before sending the attachment data to the mobile device, based on the request using the particular protocol.

13. Non-transitory computer-readable media storing executable instructions that, when executed by one or more processors, cause a mobile device to: install, on the mobile device, an agent component configured to: provide a secure path for one or more authorized applications installed on the mobile device to access enterprise resources of an enterprise system; identify an application installed on the mobile device; send mobile device property information that includes information regarding the application installed on the mobile device; send a request from the application installed on the mobile device to access a particular enterprise resource of the enterprise resources; and receive or be denied access to the particular enterprise resource based on the mobile device property information that includes the information regarding the application installed on the mobile device, a role of a
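The abstract and the independent claim above describe a policy decision point: an agent on the device reports what is installed, the server holds the user's role and per-resource policies, and each request (including what its payload says about the protocol being tunnelled) is granted or denied against those facts, with the same policies also compiled into flat rules for a gateway (claims 5 and 6). The following Python is an added illustration of that decision flow, written for this page; it is not Citrix's code and is not taken from the patent's description. The device identifiers, bundle names, roles, resource names and the `activesync` protocol tag are constructed sample data, and the `DeviceInfo`/`AccessPolicy`/`PolicyServer` names are this example's own.

```python
"""Policy decision point in the shape of claims 1-3, 5, 9 and 11 of US9529996B2.

Added illustration, not Citrix's code. All devices, roles, resources, bundle
identifiers and protocol names below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class DeviceInfo:
    """Mobile device property information as reported by the enterprise agent."""
    device_id: str
    user: str
    apps: FrozenSet[str]  # identifiers of applications installed on the device


@dataclass(frozen=True)
class AccessPolicy:
    """Enterprise access policy for one resource, keyed on role and installed apps."""
    resource: str
    allowed_roles: FrozenSet[str]
    required_app: Optional[str] = None          # only this app may reach the resource (claim 9)
    blocked_apps: FrozenSet[str] = frozenset()  # any of these installed denies the device (claim 2)
    allowed_protocols: FrozenSet[str] = frozenset({"https"})  # protocol taken from payload (claim 11)


class PolicyServer:
    def __init__(self) -> None:
        self.devices: Dict[str, DeviceInfo] = {}        # stored device property information
        self.roles: Dict[str, str] = {}                 # stored user information (role)
        self.policies: Dict[str, List[AccessPolicy]] = {}

    def register_device(self, info: DeviceInfo) -> None:
        self.devices[info.device_id] = info

    def set_role(self, user: str, role: str) -> None:
        self.roles[user] = role

    def add_policy(self, policy: AccessPolicy) -> None:
        self.policies.setdefault(policy.resource, []).append(policy)

    def decide(self, device_id: str, app: str, resource: str, payload: dict) -> Tuple[bool, str]:
        """Grant or deny one request; any missing fact results in a deny (fail closed)."""
        dev = self.devices.get(device_id)
        if dev is None:
            return False, "unknown device"
        if app not in dev.apps:
            return False, "requesting app not in agent inventory"
        role = self.roles.get(dev.user)
        policies = self.policies.get(resource, [])
        if not policies:
            return False, "no policy for resource"
        # Payload inspection: the protocol the app wants to tunnel is read from the request body.
        proto = str(payload.get("protocol", "")).lower()
        for pol in policies:
            if role not in pol.allowed_roles:
                continue
            bad = pol.blocked_apps & dev.apps
            if bad:
                return False, "unauthorized app installed: " + ",".join(sorted(bad))
            if pol.required_app and app != pol.required_app:
                continue
            if proto not in pol.allowed_protocols:
                continue
            return True, "policy matched"
        return False, "no matching policy"

    def gateway_rules(self) -> List[Tuple[str, str, str, str]]:
        """Compile policies plus stored device/user facts into flat allow rules for a gateway.

        Each rule is (device_id, app or "*", resource, protocol); everything else is denied.
        """
        rules: List[Tuple[str, str, str, str]] = []
        for dev in self.devices.values():
            role = self.roles.get(dev.user)
            for resource, plist in self.policies.items():
                for pol in plist:
                    if role in pol.allowed_roles and not (pol.blocked_apps & dev.apps):
                        for proto in sorted(pol.allowed_protocols):
                            rules.append((dev.device_id, pol.required_app or "*", resource, proto))
        return rules


def build_server() -> PolicyServer:
    """Constructed sample enterprise: three BYOD devices, two roles, two resources."""
    s = PolicyServer()
    s.register_device(DeviceInfo("d1", "alice", frozenset({"com.example.securemail", "com.example.browser"})))
    s.register_device(DeviceInfo("d2", "bob", frozenset({"com.example.securemail", "com.example.personalmail"})))
    s.register_device(DeviceInfo("d3", "carol", frozenset({"com.example.securemail", "com.example.tether"})))
    s.set_role("alice", "sales")
    s.set_role("bob", "engineering")
    s.set_role("carol", "engineering")
    # Mail store: both roles, only the managed mail client, no tethering app, ActiveSync only.
    s.add_policy(AccessPolicy("exchange", frozenset({"sales", "engineering"}),
                              required_app="com.example.securemail",
                              blocked_apps=frozenset({"com.example.tether"}),
                              allowed_protocols=frozenset({"activesync"})))
    # Intranet: engineering only, any reported app, HTTPS only.
    s.add_policy(AccessPolicy("intranet", frozenset({"engineering"})))
    return s


if __name__ == "__main__":
    srv = build_server()
    for args in [("d1", "com.example.securemail", "exchange", {"protocol": "activesync"}),
                 ("d2", "com.example.personalmail", "exchange", {"protocol": "activesync"}),
                 ("d3", "com.example.securemail", "exchange", {"protocol": "activesync"}),
                 ("d2", "com.example.securemail", "exchange", {"protocol": "http"})]:
        print(args[:3], srv.decide(*args))
    for rule in srv.gateway_rules():
        print("gateway allow", rule)
```

Two points worth noting when building something like this for real. First, every deny path returns before any grant, so an unknown device, an app the agent never reported, or a resource with no policy all fail closed; the claims describe grant-or-deny but a practical engine must never fall through to an implicit allow. Second, the whole scheme trusts the agent's inventory report: a rooted device or a spoofed agent can claim any app list, so in deployment the report should be bound to something the server can verify (a device certificate or platform attestation), which is outside what this example shows.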

Assignees

Citrix Systems Inc

Inventors

Classifications

  • Location-based management or tracking services · CPC title

  • to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself · CPC title

  • against software analysis or reverse engineering, e.g. by obfuscation · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

  • Multi-level security, e.g. mandatory access control · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9529996B2 cover?
A system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal application…
Who is the assignee on this patent?
Citrix Systems Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/53. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 27, 2016 (kind code B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 3 related publications on this page (citations in our corpus or others sharing the same primary CPC).