Secure access to mobile applications

Description

CROSS REFERENCE TO OTHER APPLICATIONS

This application claims priority to U.S. Provisional Patent Application No. 61/745,350 entitled ENTERPRISE ZONE filed Dec. 21, 2012 which is incorporated herein by reference for all purposes.

BACKGROUND OF THE INVENTION

Today most of the enterprises are building multiple enterprise apps, for example, ERP, CRM, Factory automation to reserving conference rooms. But mobile devices can be shared with other employees, customers, family members and friends, Enterprises want to restrict access to content for apps to authenticated and authorized employee users only. Also, Enterprises don't want to make this difficult to use by their employee by asking each and every app to authenticate and authorize the user separately before use.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a table including apps that may be installed on a mobile device according to various embodiments.

FIG. 2 is a block diagram illustrating embodiments of an enterprise zone.

FIG. 3 is a block diagram illustrating embodiments of an enterprise zone.

DETAILED DESCRIPTION

Techniques are disclosed to provide on a mobile device an “Enterprise zone” which provides secure sharing of enterprise authentication and authorization between management agent apps and other enterprise apps, so user only need to provide his authenticated and authorization once for all the apps in the enterprise zone.

In various embodiments, an Enterprise Zone is provided on a mobile device, which will provide user authentication, authorization, and lock zone to apps developed for the Zone. Each authentication will validate the user's credential with the enterprise authentication directory and store authentication cookie with expiration based on authentication policy. After authentication, a list of authorized apps will be updated, for example based on configuration information provided to the mobile device by a mobile device management or other server. A “lock zone” command will lock the zone apps, so the user can share the device with other employees, customers, family members and friends, without such other users having access to apps and/or associated app data for apps in the Enterprise Zone. The user can unlock the zone with the zone passcode and continue previous enterprise zone session.

VSP stands for Virtual Smartphone Platform by MobileIron. In some embodiments, all managed mobile devices' configuration, policies and apps are managed from the VSP or a similar management node. MobileIron clients (e.g., trusted agent on mobile device) connect to VSP on a periodic basis to update the device status as well as get the new configuration and policies.

FIG. 1 is a table including apps that may be installed on a mobile device according to various embodiments. The table of apps may be installed, for example, and the Enterprise Zone disclosed herein provided at least in part by the technique illustrated below.

FIG. 2 is a block diagram illustrating embodiments of an enterprise zone.

(1) User clicks enterprise zone app (for example, managed browser)

(2) Enterprise zone app detects that enterprise zone is not authenticated yet, it forwards user to management agent for authentication

(3) User types in enterprise credential to management agent's enterprise zone authentication screen; management agent transfers this to VSP with secure protocol

(4) VSP will validate user's credential with enterprise directory

(5) VSP look up app authorization for the user and applicable policies based on device status (for example, jailbreak status or application installation status)

(6) Management agent receives the authentication and authorization status from VSP

(7) Management agent saves authentication, authorization, and Lock info to AppConnect bus in encrypted format. For example: {authenticationExpire=1343071545,AuthorizedApps=[{appid=company.files.Se}, {appid=company.browser.Be}, {appid=company.SFA.Ae}, {appid=company.viewer.De}], zoneLock=false}

(8) Management agent will forward user back to enterprise zone app which the user launched first call authentication. (for example, managed browser). Enterprise app will validate the authentication and authorization information based on the information shared on the AppConnect bus. Now user can use enterprise apps (for example, browsing company intranet web sites)

In above case, even if ERP app has embedded enterprise zone library, user will not be allowed to use this app because user was not authorized to use app (based on authorized apps list).

FIG. 3 is a block diagram illustrating embodiments of an enterprise zone.

Lock Zone Case:

(1) User can set the unlock zone passcode as part of the setup which can unlock the enterprise zone so apps can run.

(2) To lock the zone user clicks “Lock zone” command in Management Agent which will store this lock status to AppConnect bus in encrypted format. For example: {authenticationExpire=1343071545,AuthorizedApps=[{appid=company.files.Se}, {appid=company.browser.Be}, {appid=company.SFA.Ae}, {appid=company.viewer.De}], zoneLock=true}

(3) User try to use enterprise zone apps (for example, Managed browser),

(4) Browser find that zone is locked, so user will be forwarded to Management agent which will eventually ask the user to unlock the zone using unlock passcode.

(5) After user successfully validate unlock passcode, Management agent will update AppConnect Bus in encrypted format. For example: {authenticationExpire=1343071545,AuthorizedApps=[{appid=company.files.Se}, {appid=company.browser.Be}, {appid=company.SFA.Ae}, {appid=company.viewer.De}], zoneLock=false}

(6) Management agent will forward back user to enterprise zone app which called unlock in the first place. (for example, Managed browser). Now user can use enterprise zone apps.

In some embodiments, an administrator can set up an idle timeout for Enterprise Zone to lock automatically after the time expires. Idle timeout is where no enterprise app is active within a set period. This timeout will be configured in VSP as part of policy which gets delivered to management agent on the mobile device.