Location and time based mobile app policies
-
2016-08-23
14/137,853
2013-12-20
β Patent granted
US 9,426,120 B1
2016-08-23
-
-
Mohammad W Reza
Van Pelt, Yi & James LLP
2034-01-30
Smart Summary: Mobile apps can have rules based on where and when they are used. A device receives these rules, which are created by looking at user and group information. If the device is in a location where an app isn't allowed, the app can be blocked from being used. This system helps manage which apps can be accessed in specific places, like a hospital or factory, and during certain times, like business hours. Additionally, users must authenticate themselves to access authorized apps, ensuring secure use of the device even when shared with others. π TL;DR
Abstract:
Location and time based mobile app policies are disclosed. One or more location and time policies are received at a management agent on a device. The policies are calculated by processing user and group information. Policy information in a bus is updated with a current allowed state. Location information is received from the device. The location information includes a new location that is not an allowed location. A use of an application may be blocked by the management agent based at least in part on the received location information.
Inventors:
- Suresh Kumar Batchu 47 πΊπΈ Milpitas, CA, United States
- Mansu Kim 33 πΊπΈ Cupertino, CA, United States
- Joshua Sirota 16 πΊπΈ Los Altos, CA, United States
Assignee:
- MOBILE IRON, INC. 97 πΊπΈ Mountain View, CA, United States
Applicant:
Interested in similar patents?
Get notified when new applications in this technology area are published.
Classification:
H04L63/0227 » CPC main
Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls Filtering policies
G06F17/00 IPC
Digital computing or data processing equipment or methods, specially adapted for specific functions
Description
CROSS REFERENCE TO OTHER APPLICATIONS
This application claims priority to U.S. Provisional Patent Application No. 61/745,487 entitled LOCATION AND TIME BASED MOBILE APP POLICIES filed Dec. 21, 2012 which is incorporated herein by reference for all purposes.
BACKGROUND OF THE INVENTION
Today many enterprises are building multiple enterprise apps, for example, Patient information app, Factory automation app, ERP, CRM, Factory automation to reserving conference rooms. Some of those apps have to be allowed or disallowed in certain situations.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a table including apps that may be installed on a mobile device according to various embodiments.
FIG. 2 is a block diagram illustrating a system including location and time based app policies according to various embodiments.
DETAILED DESCRIPTION
Techniques to provide an Enterprise zone which will be aware of device location and time/day before authorizing app launching are disclosed.
Some apps have to be allowed or disallowed (i.e., their use prevented) while devices are physically in certain location (for example, allow certain apps to run only when devices are in hospital building or factory building) or certain time schedule (for example, allow use between 8 am to 5 pm).
In summary, location and time awareness are provided in a mobile device enterprise zone. The enterprise zone is a zone within which a degree of control or management is provided over apps, and apps not in the zone are not able to communicate with or access data of apps in the zone. In some embodiments, the enterprise zone provides the ability to allow or disallow information to apps which have had an enterprise zone library embedded into them, e.g, using a software developer kit (SDK) or other tool.
User authentication, authorization, and lock zone code (enterprise zone library) added to apps developed for the Zone. For each session authentication will validate the user's credential with the enterprise authentication and store an authentication cookie with expiration based on authentication policy. After authentication, list of authorized apps will be updated. Lock zone is to lock the zone apps, so user can share the device with other employees, customers, family members and friends. The user can unlock the zone with the zone passcode and continue previous enterprise zone session.
VSP stands for Virtual Smartphone Platform by MobileIron. In some embodiments, VSP is used to provide and/or configure an enterprise zone as described herein. All managed mobile devices' configuration, policies and apps are managed from here. MobileIron clients connect to VSP on a periodic basis to update the device status as well as get the new configuration and policies.
FIG. 1 is a table including apps that may be installed on a mobile device according to various embodiments.
FIG. 2 is a block diagram illustrating a system including location and time based app policies according to various embodiments.
(1) Enterprise IT administrator configure enterprise policies (Location, Time schedule, and device posture) to VSP. For example, {app=ERP, allowLocation={wifi=[{ssid=hospital, bssid=001c.0ed1.ac80} ], cellular=[{mnc=123,mcc=123}],latlong=[{lat=1.1,long=2.2,radius=2}]}, disallowLocation=={wifi=[{ssid=hospital, bssid=001c.0ed1.ac80}], cellular=[{mnc=123,mcc=123}],latlong=[{lat=1.1,long=2.2,radius=2} ]} }
(2) VSP will calculate applicable policies to each device by processing user and group relationship in enterprise directory.
(3) Management Agent will receive this location and time based policies
For example, {app=ERP,allowLocation={wifi=[{ssidhash=abcd123, bssidhash=cdef1234}], cellularhash=[{mncmcc=fda123}],latlong=[{lat=1.1,long=2.2,radius=2}]} }
(4) Management Agent will update policies information in AppConnect Bus with current allowed state. AppConnect Bus in various embodiments provides secure communication between apps within the enterprise zone; e.g., via encrypted content shared via a pasteboard or other mechanism. For example, if device is currently connected with wifi ssid hospital with bssid 001c.0ed1.ac80, ERP app will be allowed to authorized app list. {Zone={authenticationExpire=1343071545, AuthorizedApps=[{appid=company.files.Se,locationPolicy=1}, {appid=company.browser.Be,locationPolicy=2}, {appid=company.SFA.Ae,locationPolicy2}, {appid=company.viewer.De, location policy=3}, {appid=company.ERP.Ee, LocationPolicy=1], zoneLock=false}, LocationPolicy={1={wifi=[{ssidhash=abcd123, bssidhash=cdef1234}]}}}
(5) User can use ERP app. Enterprise zone library in ERP app will receive location change from device.
(6) When user moved to new location where location is not in allowLocation, Enterprise Zone library will forward user to Management agent and Management agent will block the user from using the app and inform the user appropriately
Location information will be gathered by the management agent either from the operating system or an app that can determine the location (app could be part of AppConnect bus or outside AppConnect bus)
Claims
What is claimed is:1. A method, comprising:
receiving, at a management agent on a device from a remote enterprise server, one or more location and time policies that include policy information, wherein the one or more location and time policies are calculated by processing user and group information, wherein the device includes applications located inside an enterprise zone and applications located outside of the enterprise zone;
updating the policy information in a bus with a current allowed state;
receiving location information from the device, wherein the location information includes a new location that is not an allowed location; and
blocking, by the management agent, a user of the device from using an application located in the enterprise zone on the device based at least in part on the received location information, wherein the management agent blocks the user of the all applications within the enterprise zone according to the one or more policies.
2. The method of claim 1, further comprising:
authenticating the user of the device; and
in response to authenticating the user of the device, updating a list of authorized applications.
3. The method of claim 2, wherein the authenticating a user of the device comprises validating credentials of the user.
4. The method of claim 1, wherein the blocking of the use of the application includes blocking the use of all applications within the enterprise zone, wherein the enterprise zone is a zone within a degree of control is managed by the management agent on the device.
5. The method of claim 4, wherein the bus corresponds to a secure communication zone over which one or more applications in the enterprise zone communicate.
6. The method of claim 4, wherein at least one of the applications within the enterprise zone is associated with an enterprise library, wherein the enterprise library receives the location information.
7. The method of claim 6, wherein in the event that the location information indicates that a location of the device is not within an allowed location, the enterprise library forwards the at least one of the applications within the enterprise zone to the management agent on the device and the management agent restricts the user from using the at least one of the applications.
8. The method of claim 1, wherein the blocking of the user of the device form using an application on the device comprises restricting the application from being accessed by the user.
9. The method of claim 1, wherein the applications located outside of the zone are unable to communicate with or access data of the applications located in the enterprise zone.
10. A device, comprising:
at least one hardware processor configured to:
receive, at a management agent on the device from a remote enterprise server, one or more location and time policies that include policy information, wherein the one or more location and time policies are calculated by processing user and group information, wherein the device includes applications located inside an enterprise zone and applications located outside of the enterprise zone;
update the policy information in a bus with a current allowed state;
receive location information from the device, wherein the location information includes a new location that is not an allowed location; and
block, by the management agent, a user of the device from using an application located in the enterprise zone on the device based at least in part on the received location information, wherein the management agent blocks the user of the all applications within the enterprise zone according to the one or more policies; and
a memory coupled to the at least one processor and configured to provide the at least one processor with instructions.
11. The device of claim 10, wherein the at least one hardware processor is further configured to:
authenticate the user of the device; and
in response to authenticating the user of the device, update a list of authorized applications.
12. The device of claim 11, wherein the authenticating a user of the device comprises validating credentials of the user.
13. The device of claim 10, wherein the blocking of the use of the application includes blocking the use of all applications within the enterprise zone, wherein the enterprise zone is a zone within a degree of control is managed by the management agent on the device.
14. The device of claim 13, wherein the bus corresponds to a secure communication zone over which one or more applications in the enterprise zone communicate.
15. The device of claim 13, wherein at least one of the applications within the enterprise zone is associated with an enterprise library, wherein the enterprise library receives the location information.
16. The device of claim 15, wherein in the event that the location information indicates that a location of the device is not within an allowed location, the enterprise library forwards the at least one of the applications within the enterprise zone to the management agent on the device and the management agent restricts the user from using the at least one of the applications.
17. A computer program product embodied in a tangible, non-transitory computer readable storage medium, comprising computer instructions for:
receiving, at a management agent on a device from a remote enterprise server, one or more location and time policies that include policy information, wherein the one or more location and time policies are calculated by processing user and group information, wherein the device includes applications located inside an enterprise zone and applications located outside of the enterprise zone;
updating the policy information in a bus with a current allowed state;
receiving location information from the device, wherein the location information includes a new location that is not an allowed location; and
blocking, by the management agent, a user of the device from using an application located in the enterprise zone on the device based at least in part on the received location information, wherein the management agent blocks the user of the all applications within the enterprise zone according to the one or more policies.
Images & Drawings included:
Sources:
- United States Patent and Trademark Office - verify current appl. status at the USPTOβ
Similar patent applications:
- » 14137758
Location and time based mobile app policies - » 20180018471
Location and time based mobile app policies
Recent applications in this class:
- » 20250260666 2025-08-14
Systems and methods for endpoint process metadata based policy enforcement - » 20250260665 2025-08-14
SYSTEM TO MANAGE PRIVACY PREFERENCES - » 20250211569 2025-06-26
Network Threat Prediction and Blocking - » 20250211568 2025-06-26
ZERO TRUST PACKET ROUTING ARCHITECTURE - » 20250211567 2025-06-26
SECURED NETWORK SWITCH AND METHOD FOR SECURE AND CONFIGURABLE FILTERING - » 20250175451 2025-05-29
Communication System and Method for Securely Transmitting Time-Critical Data within the Communication System - » 20250168146 2025-05-22
HOMOMORPHIC ENCRYPTION FOR WEB APPLICATION FIREWALL PROCESSING - » 20250158960 2025-05-15
Prioritization For Time-Deterministic Firewalls - » 20250150436 2025-05-08
SYSTEM FOR ADVANCED NETWORK TRAFFIC ANALYSIS IN A COMPUTING ENVIRONMENT - » 20250141839 2025-05-01
Cloud-Based Application Resource Mapping
Recent applications for this Assignee:
- » 20190319962 2019-10-17
Identity proxy to provide access control and single sign on - » 20190188393 2019-06-20
Mobile device management broker - » 20190028480 2019-01-24
Identity proxy to provide access control and single sign on - » 20180351960 2018-12-06
Secure access to cloud-based services - » 20180316565 2018-11-01
Leveraging and extending mobile operating system MDM protocol - » 20180288619 2018-10-04
Managing applications across multiple management domains - » 20180248884 2018-08-30
Identity proxy to provide access control and single sign on - » 20180145924 2018-05-24
Enrolling a mobile device with an enterprise mobile device management environment - » 20180077577 2018-03-15
Mobile device traffic splitter - » 20180018471 2018-01-18
Location and time based mobile app policies