US20150281003A1 - Mobile application control - Google Patents

Mobile application control

Info

Publication number: US20150281003A1
Authority: US (United States)
Prior art keywords: user, corporate network, access, client device, applications
Legal status: Abandoned (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: US14/319,166
Inventors: Chris D. Peterson, Praveen Kumar
Current assignees: Quest Software Inc, SonicWall LLC, Aventail LLC, SonicWall US Holdings Inc (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original assignee: SonicWall LLC
Events

  • Priority to US14/319,166
  • Application filed by SonicWall LLC
  • Publication of US20150281003A1
  • Security agreement: AVENTAIL LLC, DELL PRODUCTS L.P. and DELL SOFTWARE INC. assigned to THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., as notes collateral agent
  • Security agreement: AVENTAIL LLC, DELL PRODUCTS, L.P. and DELL SOFTWARE INC. assigned to CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, as collateral agent
  • Release by secured party (see document for details): CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH assigned to AVENTAIL LLC, DELL SOFTWARE INC. and DELL PRODUCTS, L.P.
  • Release of security interest in certain patents previously recorded at reel/frame 040039/0642: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. assigned to DELL SOFTWARE INC., DELL PRODUCTS L.P. and AVENTAIL LLC
  • First lien patent security agreement: DELL SOFTWARE INC. assigned to CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, as collateral agent
  • Second lien patent security agreement: DELL SOFTWARE INC. assigned to CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, as collateral agent
  • Corrective assignment to correct the assignee previously recorded at reel 040587, frame 0624 (assignor(s) hereby confirm the assignment): CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH assigned to AVENTAIL LLC and QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.)
  • Assignment of assignors interest (see document for details): PETERSON, CHRIS D assigned to SONICWALL US HOLDINGS INC.
  • Assignment of assignors interest (see document for details): PETERSON, CHRISTOPHER D. assigned to SONICWALL US HOLDINGS INC.
  • Release of first lien security interest in patents recorded at R/F 040581/0850: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, as collateral agent, assigned to QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.) and AVENTAIL LLC
  • Assignment of assignors interest (see document for details): TELEHOWSKI, DAVID assigned to SONICWALL US HOLDINGS INC.
  • First lien patent security agreement: SONICWALL US HOLDINGS INC. assigned to UBS AG, STAMFORD BRANCH, as collateral agent
  • Second lien patent security agreement: SONICWALL US HOLDINGS INC. assigned to UBS AG, STAMFORD BRANCH, as collateral agent
  • Assignment of assignors interest (see document for details): KUMAR, PRAVEEN assigned to SONICWALL US HOLDINGS, INC.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/50 Network service management, e.g. ensuring proper service fulfilment according to agreements
    • H04L41/5003 Managing SLA; Interaction between SLA and QoS
    • H04L41/5006 Creating or negotiating SLA contracts, guarantees or penalties
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0263 Rule management
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/30 Security of mobile devices; Security of mobile applications
    • H04W12/37 Managing security policies for mobile devices or for controlling mobile applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/14 Session management
    • H04L67/141 Setup of application sessions

Definitions

  • VPN: virtual private network
  • FIG. 1 illustrates a block diagram of a client communicating with a remote server.
  • The system of FIG. 1 includes client device 110, network 120, VPN appliance 130, and corporate network 140.
  • VPN appliance 130 may include tunnel server 136, policy server 134, and data store 138.
  • Corporate network 140 may include one or more servers such as corporate server 142.
  • Client 110 may include a user device that is not controlled by the entity that provides corporate network 140.
  • Client 110 may be implemented as a mobile device such as a smart phone, tablet or laptop computer, a desktop computer, or other computing device.
  • Network 120 may include one or more networks used to communicate data between client device 120 and, ultimately, corporate server 142.
  • Network 120 may include a private network, a public network, the Internet, an intranet, a local area network, a wide area network, a wireless network, a cellular network, or a combination of these networks.
  • Tunnel server 130 on VPN appliance 125 may establish a VPN tunnel, communicate with client device 110, and serve as an intermediary between client device 110 and corporate server 142.
  • This VPN may be used to allow applications on the client device 110 to communicate with a corporate server 142 in a secure fashion even though traffic is flowing over a public network 120.
  • The policy server may include one or more applications that perform functionality discussed herein, such as, for example, generating and applying policy rules.
  • Datastore 138 may store and process data, and is accessible by servers 132, 134 and 136.
  • Datastore 138 may store communication log data, application lists, application information, and other data.
  • The client device 110 may communicate with tunnel server 136 to authorize access to corporate server 142.
  • The client may also communicate through an API server 132, which is a peer to the tunnel server and is used to authenticate the user, retrieve the list of applications, authenticate a device, and perform other functionality. Both API server 132 and tunnel server 136 may communicate with policy server 134 to obtain policy decisions to help provide responses to client requests.
  • Corporate server 142 of corporate network 140 may be accessed by the user device 110 through tunnel server 136 of VPN appliance 130.
  • Tunnel server 136 may receive and analyze all network traffic to confirm the traffic is from an authorized application before the traffic may access the corporate server. Access to corporate server 142 and other resources on corporate network 140 is determined by both policy server 134 and tunnel server 136.
  • Tunnel server 136 provides policy enforcement and traffic analysis while policy server 134 is the policy decision point, and the two servers work in concert to both analyze traffic and apply policy.
  • FIG. 2 illustrates a block diagram of a client having an agent.
  • Agent 240 may communicate with tunnel server 230 and API server 280 to implement client-side functionality of the present technology. For example, agent 240 may provide an interface for the user to select one or more of a set of applications allowed to access the corporate network 140, collect data at the device and provide the data to tunnel server 136 or API server 132, and perform other functionality.
  • Agent 240 may communicate with applications 210-230 on device 110 and may generate and manage application objects 250-260.
  • Each application object may correspond to an application.
  • An application object may include the application name, version, and other data for the corresponding application.
  • Agent 240 may transmit the application information within each application object to tunnel server 136 or API server 132 to allow policy server 134 to make access control decisions.
  • FIG. 3 illustrates a method for providing application access to a network.
  • A VPN connection is established between the tunnel server and an agent 240 on the client at step 310.
  • The agent may initiate the VPN establishment by sending a VPN request to the VPN appliance.
  • A user is authenticated at step 310.
  • User authentication is performed to identify the user of the device.
  • A user device is then classified to determine if it meets acceptable parameters at step 315.
  • An administrator defines a set of device attributes, and the system may attempt to find a set of attributes that match the device.
  • Classification of the device may include retrieval of a unique equipment identifier along with other device attribute data.
  • The unique equipment identifier and device attribute data may be collected by an agent and transmitted to policy server 134.
  • The attribute data may be used by the policy server to determine if client device 110 may allow for application control by the policy server via the agent.
  • The data store is queried to determine if a matching entry for the user and device exists. If the user and device combination is found in the data store, then the user and device have established a connection with the corporate network before, and the version of the user agreement previously agreed to by the user is checked against the most recent version at step 317. If the user has already accepted the current user agreement at step 317, and therefore the most recent user agreement has not changed from the stored user agreement for the user and device combination, then the method continues to step 325; the present system does not present the user with the same user agreement again, and a portion of or all of step 320 (and the corresponding method of FIG. 4) will not be performed for the current session.
  • If the device requires a new user agreement to be accepted, either because the user and device combination is not found in the data store or because the current version of the user agreement does not match the stored version, the method continues from step 317 to step 320.
  • User acceptance of a user agreement is verified at step 320.
  • The user may then be authorized for corporate network access.
  • A policy server determines authorization of the user and device, and checks access permissions. The policy allows application access to particular data for a particular device type and user type. Once the user has accepted the user agreement, the user may be authorized to access the corporate network. More detail on user acceptance of the user agreement is provided with respect to FIG. 4.
  • Application traffic may be transmitted to the corporate network at step 325.
  • An agent on the client device may monitor communication data and provide information to the user of the device regarding which applications are communicating with the corporate network.
  • An audit may be performed on the application data sent to the corporate network at step 330.
  • The server collects data as packets are transmitted to the corporate network regarding which user and device are sending traffic.
  • The data may include an application identifier and a version-specific hash, which is collected for any application that sends data to the corporate network.
  • The server may receive the data and store it for each session between the user and device combination and the corporate network.
  • The administrator may access the stored session data on the VPN appliance and identify which applications on the particular user device, and for a particular user, have sent data to the corporate network.
  • The user may access data stored by the agent on the client device to identify which applications have sent data to which destination on the corporate network.
  • The user and administrator may also access the limits agreed to by the user regarding application data to be sent to the corporate network. From this information, the user or administrator may each determine whether the application data transmitted complied with the limits agreed to by the user, thereby auditing the application data access by the corporate network.
  • FIG. 4 illustrates a method for verifying user acceptance of a user agreement.
  • The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3.
  • A user is provided with a user agreement regarding corporate network access to application data from applications on the user's device at step 405.
  • The user agreement is a mutual contract between the corporate network operator and the end user, where the end user can choose to accept it and be granted access to the corporate network, or decline and end the session.
  • The language contained within the user agreement may be drafted by the corporate network's legal counsel.
  • The user agreement may specify policies and rules regarding how the corporate network may access data and when it may access data, and generally inform the user of application data access over the corporate network.
  • The user agreement may be a contract offer to the user.
  • The indication may be received by the user device from a server and provided to the user through an interface of the user device.
  • A determination is then made as to whether the user accepts the user agreement at step 410. If the user does not accept the limits indicated, access to the corporate network is denied to the user and user device combination at step 415. If the user has not accepted the user agreement, upon a subsequent login attempt the user may again be prompted to comply with the user agreement. If the user does accept the limits, the user's acceptance of the limits and the indication of the limits are stored at step 420.
  • A copy of the user agreement is stored on the client device.
  • A record for the user, device and user agreement version number may also be created or updated at the VPN appliance to reflect the user's acceptance. Acceptance will not be required from the user again for the same user agreement for the particular user and user device combination.
  • The agent on the client device is provided with a list of applications from the VPN appliance at step 425, wherein the listed applications are allowed to access the corporate network.
  • The list of applications is determined by the access policy configured by an administrator, which contains detailed information on which users, devices, applications, and destinations should be granted access. If the received application list is the same as the list received during the previous session, the agent does nothing (e.g., will not present the newly received list to the user) and the method of FIG. 4 continues to step 440 (i.e., no input is received from the user, as no applications from the newly received list are presented to the user).
  • The agent on the client device presents the list of applications to the user via an interface of the device.
  • The user may choose to block applications on this list from accessing the corporate network and from having their network traffic flow over the VPN.
  • The application type may be specified along with the particular versions or configurations of the application that may be allowed to access the corporate network.
  • A determination is then made as to whether input is received from the user to remove applications from the list at step 430. If such input is received, the user-selected applications are removed from the list at step 435 and the method continues to step 440. In some instances, if the user removes all the applications from the list, the session may be terminated. Otherwise, network access may be provided to application data from applications on the list at step 440. At any time during the session, the user may change the applications on the current list which are authorized to send data to the corporate server.
  • For an application removed from the list, the client device will not send traffic from that application to the corporate network.
  • A network administrator may not be notified that the user chose to limit the application set to less than what was authorized by the network administrator.
  • What the user decides to allow or not allow the company to use on their device is not shared with the network administrator. For example, if the user would like to use a particular network browser to access monster.com to look for a new job, the user likely will not want to have to explain to her supervisor why she disabled it.
  • A network administrator may access the version number of the user agreement accepted by the user, as this information is stored in the data store 138.
  • The user may also access a copy of the user agreement that they have previously agreed to, and may access a copy which has been stored on their device.
  • The user may access a copy at any time via a menu setting on a UI provided by the VPN agent 240.
  • FIG. 5 is a block diagram of an exemplary system for implementing a computing device.
  • System 500 of FIG. 5 may be implemented in the context of client device 110, VPN appliance 130, and corporate server 140.
  • The computing system 500 of FIG. 5 includes one or more processors 510 and memory 520.
  • Main memory 510 stores, in part, instructions and data for execution by processor 510.
  • Main memory 520 can store the executable code when in operation.
  • The system 500 of FIG. 5 further includes a mass storage device 530, portable storage medium drive(s) 540, output devices 550, user input devices 560, a graphics display 570, and peripheral devices 580.
  • Processor unit 510 and main memory 520 may be connected via a local microprocessor bus, and the mass storage device 530, peripheral device(s) 580, portable storage device 540, and display system 570 may be connected via one or more input/output (I/O) buses.
  • I/O: input/output
  • Mass storage device 530, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 510. Mass storage device 530 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 520.
  • Portable storage device 540 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disc or digital video disc, to input and output data and code to and from the computer system 500 of FIG. 5.
  • The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 500 via the portable storage device 540.
  • Input devices 560 provide a portion of a user interface.
  • Input devices 560 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys.
  • The system 500 as shown in FIG. 5 includes output devices 550. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 570 may include a liquid crystal display (LCD) or other suitable display device.
  • Display system 570 receives textual and graphical information, and processes the information for output to the display device.
  • LCD: liquid crystal display
  • Peripherals 580 may include any type of computer support device to add additional functionality to the computer system.
  • Peripheral device(s) 580 may include a modem or a router.
  • The components contained in the computer system 500 of FIG. 5 are those typically found in computer systems that may be suitable for use with embodiments of the present invention, and are intended to represent a broad category of such computer components that are well known in the art.
  • The computer system 500 of FIG. 5 can be a personal computer, hand-held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device.
  • The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc.
  • Various operating systems can be used, including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.
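The agent / tunnel server / policy server split, the user agreement version check (step 317), the user's device-local removals from the administrator's list (steps 425-440) and the per-session audit record (step 330) described above, modelled as an added Python example. This is not the patent's or SonicWall's code; every class name, field and sample value (the user "alice", device "phone-01", the application names and the allow-list) is an assumption made for the example.

```python
"""Added example, not code from the patent or from SonicWall: a small model of the
agent / tunnel server / policy server split described above, covering the user
agreement version check (step 317), the administrator allow-list with user-side
removals that are never shared with the administrator (steps 425-440), and the
per-session audit record of application id and version hash (step 330).
Every class, field and sample value here is constructed for the example."""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class AppObject:
    """Agent-side application object (FIG. 2): application name plus version."""
    name: str
    version: str

    def version_hash(self) -> str:
        # Version-specific hash that accompanies every flow in the audit record.
        return hashlib.sha256(f"{self.name}@{self.version}".encode()).hexdigest()[:16]


@dataclass
class PolicyServer:
    """Policy decision point; the dicts stand in for data store 138."""
    agreement_version: int
    allow_lists: dict                               # (user, device_class) -> admin list
    accepted: dict = field(default_factory=dict)    # (user, device) -> version accepted
    audit_log: list = field(default_factory=list)   # one record per flow seen by the tunnel

    def needs_agreement(self, user: str, device: str) -> bool:
        """Step 317: prompt only when there is no record or the stored version is stale."""
        return self.accepted.get((user, device)) != self.agreement_version

    def record_acceptance(self, user: str, device: str) -> None:
        """Step 420: acceptance is keyed by user, device and agreement version."""
        self.accepted[(user, device)] = self.agreement_version

    def allowed_apps(self, user: str, device_class: str) -> frozenset:
        """Step 425: applications the administrator permits for this user/device class."""
        return frozenset(self.allow_lists.get((user, device_class), ()))


@dataclass
class TunnelServer:
    """Policy enforcement point: forwards a flow only from an admin-authorised application."""
    policy: PolicyServer

    def handle_flow(self, user, device, device_class, app: AppObject, dest: str) -> bool:
        if self.policy.needs_agreement(user, device):
            return False                 # step 415: no access without a current agreement
        ok = app.name in self.policy.allowed_apps(user, device_class)
        self.policy.audit_log.append({"user": user, "device": device, "app": app.name,
                                      "hash": app.version_hash(), "dest": dest, "allowed": ok})
        return ok


@dataclass
class Agent:
    """Client-side agent: keeps the user's removals on the device only (steps 430-435)."""
    user: str
    device: str
    device_class: str
    removed: set = field(default_factory=set)       # never transmitted to the appliance

    def effective_list(self, policy: PolicyServer) -> frozenset:
        return policy.allowed_apps(self.user, self.device_class) - self.removed

    def send(self, tunnel: TunnelServer, app: AppObject, dest: str) -> bool:
        # A removed application is dropped on the device and never reaches the tunnel.
        if app.name in self.removed:
            return False
        return tunnel.handle_flow(self.user, self.device, self.device_class, app, dest)


def audit(policy: PolicyServer, user: str, device: str, agreed: frozenset) -> list:
    """Step 330, user side: forwarded flows whose application lies outside the agreed limits."""
    return [r for r in policy.audit_log if (r["user"], r["device"]) == (user, device)
            and r["allowed"] and r["app"] not in agreed]


def demo() -> dict:
    """Constructed scenario: one user, one phone, agreement v2, browser removed by the user."""
    policy = PolicyServer(agreement_version=2,
                          allow_lists={("alice", "ios-phone"): ["mail", "browser", "crm"]})
    tunnel = TunnelServer(policy)
    agent = Agent("alice", "phone-01", "ios-phone")
    mail, browser, game = AppObject("mail", "4.1"), AppObject("browser", "12.0"), AppObject("game", "1.0")
    blocked_before = agent.send(tunnel, mail, "mail.corp")    # nothing accepted yet
    prompted = policy.needs_agreement("alice", "phone-01")
    policy.record_acceptance("alice", "phone-01")
    agent.removed.add("browser")                               # user narrows the list locally
    return {
        "blocked_before_agreement": blocked_before,
        "prompted": prompted,
        "mail": agent.send(tunnel, mail, "mail.corp"),
        "browser": agent.send(tunnel, browser, "intranet.corp"),
        "game": agent.send(tunnel, game, "crm.corp"),           # not on the admin list
        "effective": sorted(agent.effective_list(policy)),
        "violations": audit(policy, "alice", "phone-01", agent.effective_list(policy)),
        "rejected_by_tunnel": [r["app"] for r in policy.audit_log if not r["allowed"]],
        "reprompt": policy.needs_agreement("alice", "phone-01"),
    }
```

Bumping `agreement_version` on the policy server makes `needs_agreement` true again for every stored user/device pair, which is the re-prompt behaviour of step 317; the browser removal never appears in `audit_log`, matching the point that the administrator is not told what the user disabled.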


Abstract

A device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. An indication of the limits on what a corporate network may access on a user's personal device may be provided to the user and either accepted or rejected. The user, if the user agreement is accepted, may receive a list of allowed applications and modify the list by removing applications on the list which the user does not want to send data to the corporate network. Both the user and a corporate network administrator may view the user-accepted limits and track which user device applications actually have accessed the corporate network, to confirm compliance with the limits.

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the priority benefit of U.S. Provisional Application Ser. No. 61/973,248, titled “Mobile Connect,” filed Mar. 31, 2014, the disclosure of which is incorporated herein by reference.

BACKGROUND OF THE INVENTION

Consumers continue to push for a mechanism that allows them to use their own device to perform typical work tasks. In most cases, these devices are owned by the individual user, which means the company may have zero control over them. Because companies have little if any control over these user devices, there is concern about giving the device access to corporate remote networks due to the potential attack vectors (nefarious applications, leaking, tampering, or otherwise disclosing critical intellectual property owned by the company). The market has coined the terms “unmanaged device” and “BYOD” (bring your own device) to represent any device that is not owned or controlled by the company but needs access to the corporate network so the employee can do their work. In most cases, this device is owned by the employee requesting access. Some companies require employee devices to be put under mobile device management (MDM) control before they are allowed onto the corporate network, but such a configuration is not really zero control.

Most mobile solutions are all or nothing: all data is shared or no data is shared with respect to a corporate intranet (i.e., an appliance-based network). With the advent of BYOD, users need to access the corporate intranet but do not want their personal information to be available to the corporate intranet. Likewise, the corporate intranet may not want to risk exposure to certain content on the user device that is not germane (or appropriate) to the corporate network.

Secure communication with a corporate network can be achieved through virtual private network (VPN) connections. Current VPN clients that provide application-level control block traffic within the VPN application running on the client device. For example, some companies provide a per-app VPN solution. Despite current per-application VPN solutions, there are still concerns regarding the vulnerability of corporate network access from personal user devices.

There is a need in the art for managing access to corporate networks by users' personal devices at the application level in a way that protects corporate interests while protecting the personal data of users.

SUMMARY OF THE CLAIMED INVENTION

An appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network. A user agreement indicating the limits on what a corporate network may access on a user's personal device may be provided to the user and either accepted or rejected. The user, if the user agreement is accepted, may receive a list of allowed applications and modify the list by removing applications on the list which the user does not want to send data to the corporate network. Both the user and a corporate network administrator may view the user-accepted limits and track which user device applications actually have accessed the corporate network, to confirm compliance with the limits.

An embodiment may include a method for establishing a connection. The method may include establishing a connection between a user client device and a server. The user client device may have a plurality of applications and be associated with a user. A user agreement regarding what a corporate network will access on the user client device may be presented to the user through the user client device and from the server. A confirmation of the user agreement may be received from the user by the client device. The client may then be provided with access to the corporate network by the server.

In an embodiment, a system for establishing a connection may include a device having a processor, memory, and an agent stored in memory and executable by the processor to establish a connection between a user client device and a server, the user client device having a plurality of applications and being associated with a user; present to the user through the user client device a user agreement on what a corporate network will access on the user client device; receive a confirmation of the user agreement from the user by the client device; and provide the client with access to the corporate network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a client communicating with a remote server.

FIG. 2 illustrates a block diagram of a client having an agent.

FIG. 3 illustrates a method for providing application access to a network.

FIG. 4 illustrates a method for verifying user acceptance of a user agreement.

FIG. 5 is a block diagram of an exemplary system for implementing a computing device.

DETAILED DESCRIPTION

An intranet appliance works in conjunction with an agent on a remote device to control application access to a corporate network. In conjunction with an SSL tunnel and policy operating at the appliance, granular application control may be implemented. In particular, a device user may determine what applications from a set of applications may access the corporate network and which applications do not access the network.
  • A user agreement indicating what a corporate network may access on a user personal device may be provided to a user and either accepted or rejected. The user, if the user agreement is accepted, may receive a list of allowed applications and modify the list by removing applications on the list which the user does not want to send data to the corporate network. Both the user and a corporate network administrator may view the user accepted limits and track what user device applications actually have accessed the corporate network to confirm compliance with the limits.
  • FIG. 1 illustrates a block diagram of a client communicating with a remote server. The system of FIG. 1 includes client device 110, network 120, VPN appliance 130, and corporate network 140. VPN appliance 130 may include tunnel server 136, policy server 134, and data store 138. Corporate network 140 may include one or more servers such as corporate server 142.
  • Client 110 may include a user device that is not controlled by the entity that provides corporate network 140. Client 110 may be implemented as a mobile device such as a smart phone, tablet or laptop computer, a desktop computer, or other computing device.
  • Network 120 may include one or more networks used to communicate data between client device 120 and, ultimately, corporate server 142. For example, network 120 may include a private network, public network, the Internet, an intranet, a local area network, a wide area network, a wireless network, a cellular network, and a combination of these networks.
  • Tunnel server 130 on VPN appliance 125 may establish a VPN tunnel and communicate with client device 110 and serve as an intermediary between client device 110 and corporate server 142. This VPN may be used to allow applications on the client device 110 to communicate with a corporate server 142 in a secure fashion even though traffic is flowing over a public network 120.
  • The policy server may include one or more applications that perform functionality discussed herein, such as for example generating and applying policy rules. Datastore 138 may store and process data, and is accessible by servers 132, 134 and 136. For example, datastore 138 may store communication log data, application lists, application information, and other data. The client device 110 may communicate with tunnel server 136 to authorize access to corporate server 142. The client may also communicate through an API Server 132 which is a peer to the tunnel server and is used to authenticate the user, retrieve the list of applications, authenticate a device, and other functionality. Both API Server 132 and Tunnel Server 136 may communicate with policy server 134 to obtain policy decisions to help provide responses to client requests.
  • Corporate server 142 of corporate network 140 may be accessed by the user device 110 through tunnel server 136 of VPN appliance 130. In this case, tunnel server 136 may receive and analyze all network traffic to confirm the traffic is from an authorized application before the traffic may access the corporate server. Access to corporate server 142 and other resources on corporate network 140 is determined by both policy server 134 and tunnel server 136. Tunnel Server 136 provides policy enforcement and traffic analysis while policy server 134 is the policy decision point, and the two servers work in concert to both analyze traffic and apply policy.
  • FIG. 2 illustrates a block diagram of a client having an agent. Agent 240 may communicate with tunnel server 230 and API Server 280 to implement client side functionality of the present technology. For example, agent 240 may provide an interface to a user for selecting one or more of a set of applications allowed to access the corporate network 140, collect data at the device and provide the data to tunnel server 136 or API server 132, and other functionality.
  • Agent 240 may communicate with applications 210-230 on device 110 and may generate and manage application objects 250-260. An application may correspond to each application object. An application object may include the application name, version, and other data for a corresponding application. Agent 240 may transmit application information within each application object to tunnel server 136 or API server 132 to allow policy server 134 to make access control decisions.
  • FIG. 3 illustrates a method for providing application access to a network. A VPN connection is established between the tunnel server and an agent 240 on the client at step 310. The agent may initiate the VPN establishment by sending a VPN request to the VPN appliance.
  • A user is authenticated at step 310. User authentication is performed to identify the user of the device. A user device is then classified to determine if it meets acceptable parameters at step 315. In some instances, an administrator defines a set of device attributes, and the system may attempt to find a set of attributes that match the device. Classification of the device may include retrieval of a unique equipment identifier along with other device attribute data. The unique equipment identifier and device attribute data may be collected by an agent and transmitted to policy server 134. The attribute data may be used by the policy server to determine if client device 110 may allow for application control by the policy server via the agent.
  • Once the user is authenticated and the device is classified, the data store is queried to determine if a matching entry for the user and device exists. If the user and device combination is found in the data store, then the user and device have established a connection with the corporate network before and the version of the user agreement previously agreed to by the user is checked against the most recent version at step 317. If the user has already accepted the current user agreement at step 317, and therefore the most recent user agreement has not changed from the stored user agreement for the user and device combination, then the method continues to step 325 and the present system does not provide the user with the same user agreement; a portion of or all of step 320 (and the corresponding method of FIG. 4) will not be performed for the current session.
  • If the device requires a new user agreement to be accepted, either because the user and device combination is not found in the data store or the current version of the user agreement does not match the stored version of the user agreement, the method continues from step 317 to step 320.
  • User acceptance of a user agreement is verified at step 320. Once a user accepts a user agreement, the user may be authorized for the corporate network access. In some embodiments, a policy server determines authorization of the user, device, and checks access permissions. The policy allows for application access to particular data for a particular device type and user type. Once the user has accepted the user agreement, the user may be authorized to access a corporate network. More detail for user acceptance of the user agreement is provided with respect to FIG. 4.
  • Application traffic may be transmitted to the corporate network at step 325. An agent on the client device may monitor communication data and provide information to the user of the device regarding what applications are communicating with the corporate network.
  • An audit may be performed on the application data sent to the corporate network at step 330. The server will collect data as packets are transmitted to the corporate network regarding which user and device are sending traffic. The data may include an application identifier and version specific hash, which is collected for any application that sends data to the corporate network. The server may receive the data and store the data for each session between the user and device combination and the corporate network.
  • The administrator may access the stored session data on the VPN appliance and identify which applications on the particular user device and for a particular user have sent data to the corporate network. The user may access data stored by the agent on the client device to identify which applications have sent data to which destination on the corporate network. The user and administrator may also access the limits agreed to by the user regarding application data to be sent to the corporate network. From this information, the user or administrator may each determine whether the application data transmitted complied with the limits agreed to by the user, thereby auditing the application data access by the corporate network.
  • FIG. 4 illustrates a method for verifying user acceptance of a user agreement. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3. A user is provided with a user agreement regarding corporate network access to application data from applications on the user's device at step 405. The user agreement is a mutual contract between the corporate network operator and the end user where the end user can choose to accept it to be granted access to the corporate network or decline and end their session. The language contained within the user agreement may be drafted by the corporate network legal counsel.
  • The user agreement may specify policies and rules regarding how the corporate network may access data, when it may access data, and generally inform the user of application data access over the corporate network. In some instances, the user agreement may be a contract offer to the user. The indication is received by the user device from a server and provided to the user through an interface of the user device. A determination is then made as to whether the user accepts the user agreement at step 410. If the user does not accept the limits indicated, access to the corporate network is denied to the user and user device combination at step 415. If the user has not accepted the user agreement, upon a subsequent login attempt, the user may again be prompted to comply with the user agreement. If the user does accept the limits, the user's acceptance of the limits and the indication of the limits are stored at step 420. If the user accepts the user agreement, a copy of the user agreement is stored on the client device. A record for the user, device and user agreement version number may also be created or updated at the VPN appliance to reflect the user's acceptance. The user's acceptance will not be required from the user again for the same user agreement for the particular user and user device combination.
  • The agent on the client device is provided with a list of applications from the VPN appliance, wherein the listed applications are allowed to access the corporate network at step 425. The list of applications is determined by the access policy configured by an administrator which contains detailed information on which users, devices, applications, and destinations should be granted access. If the received application list is the same list as that received during the previous session, the agent does nothing (e.g., will not present the newly received list to the user) and the method of FIG. 4 continues to step 440 (i.e., no input is received from the user as no applications from the newly received list are provided to the user).
  • If the list is different from the previous session for the user and device, or the list is provided during the first session for the user and device combination, the agent on the client device presents the list of applications to the user via an interface of the device. The user may choose to block applications on this list from accessing the corporate network and have network traffic data flow over the VPN. For each application, the application type may be specified along with particular versions or configurations of the application that may be allowed to access the corporate network. A determination is then made as to whether input is received from the user to remove applications from the list at step 430. If such input is received, the user selected applications are removed from the list at step 435 and the method continues to step 440. In some instances, if the user removes all the applications from the list, the session may be terminated. Otherwise, network access may be provided to application data from applications on the list at step 440. At any time during the session, the user may change the applications on the current list which are authorized to send data to the corporate server.
  • If the user removes an application from the list by deselecting it, the client device will not send traffic from that application to the corporate network. A network administrator may not be notified that the user chose to limit the application set to less than what was authorized by the network administrator. Hence, what the user decides to allow or not allow the company to use on their device is not shared with the network administrator. For example, if the user would like to use a particular network browser to access monster.com to look for a new job, the user likely will not want to have to explain to their supervisor why they disabled it.
  • At any time during the current session, a network administrator may access the version number of the user agreement accepted by the user, as this information is stored in the data store 138. The user may also access a copy of the user agreement that they have previously agreed to, and may access a copy which has been stored on their device. The user may access a copy at any time via a menu setting on a UI provided by the VPN agent 240.
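The appliance-side flow described for FIG. 3 (agreement version check at step 317, enforcement and audit at steps 325 and 330) and FIG. 4 (the admin-configured list narrowed by the user at steps 425 to 435), sketched as runnable code. This is an added example, not code from the patent or from any SonicWall product; the DataStore class, the version-hash stand-in, the agreement version string and every user, device and application value are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed: the version of the user agreement currently in force on the appliance.
CURRENT_AGREEMENT_VERSION = "2014-06-30.v2"


def app_version_hash(name: str, version: str) -> str:
    """Stand-in for the 'application identifier and version specific hash' the agent
    collects per application object. Constructed for illustration: a real agent
    would hash the installed package, not a name string."""
    return hashlib.sha256(f"{name}|{version}".encode()).hexdigest()[:16]


@dataclass
class DataStore:
    """Toy model of data store 138 (assumed layout): accepted agreement version per
    (user, device) pair, the administrator's allow list, and the audit log."""
    accepted_version: dict = field(default_factory=dict)   # (user, device) -> version
    admin_allow: dict = field(default_factory=dict)        # app name -> approved version
    audit: list = field(default_factory=list)              # (user, device, app, hash)


def needs_new_agreement(store: DataStore, user: str, device: str) -> bool:
    """Step 317: prompt only when no record exists for the user/device pair or the
    stored version differs from the current agreement version."""
    return store.accepted_version.get((user, device)) != CURRENT_AGREEMENT_VERSION


def record_agreement_decision(store: DataStore, user: str, device: str,
                              accepted: bool) -> bool:
    """Steps 410-420: acceptance is stored per user/device pair and grants access;
    a decline denies access for this session and leaves the record untouched."""
    if not accepted:
        return False
    store.accepted_version[(user, device)] = CURRENT_AGREEMENT_VERSION
    return True


def build_session_allow_list(store: DataStore, user_removed: set) -> dict:
    """Steps 425-435: the agent receives the admin list and the user may only narrow
    it, never widen it. Returns app name -> version hash the tunnel will accept.
    The removals live on the device; the admin list in the store is not modified."""
    return {name: app_version_hash(name, ver)
            for name, ver in store.admin_allow.items() if name not in user_removed}


def enforce_and_audit(store: DataStore, user: str, device: str,
                      allow_list: dict, packets: list) -> list:
    """Steps 325-330: the tunnel server matches each packet's app name and version
    hash against the session allow list; matches are forwarded and logged."""
    forwarded = []
    for name, vhash in packets:
        if allow_list.get(name) == vhash:
            forwarded.append(name)
            store.audit.append((user, device, name, vhash))
    return forwarded


def compliance_report(store: DataStore, user: str, device: str,
                      agreed_limits: set) -> dict:
    """Audit view (step 330): which apps actually sent data for this user/device and
    whether that set stayed within the limits the user agreed to."""
    sent = {name for (u, d, name, _) in store.audit if (u, d) == (user, device)}
    return {"sent": sorted(sent), "compliant": sent <= agreed_limits,
            "violations": sorted(sent - agreed_limits)}


def demo() -> dict:
    """One first session and one later session for the same user/device pair."""
    store = DataStore(admin_allow={"mail": "4.2", "crm": "1.0", "browser": "31.0"})
    user, device = "alice", "device-id-constructed-0001"

    # First session: no record exists, so the agreement is presented and accepted.
    first_prompt = needs_new_agreement(store, user, device)
    granted = record_agreement_decision(store, user, device, accepted=True)

    # The user deselects the browser; the administrator's list is left unchanged.
    allow = build_session_allow_list(store, user_removed={"browser"})

    # Constructed traffic: an approved app, the deselected browser, and an approved
    # app name whose version hash does not match the approved version.
    packets = [("mail", app_version_hash("mail", "4.2")),
               ("browser", app_version_hash("browser", "31.0")),
               ("crm", app_version_hash("crm", "0.9"))]
    forwarded = enforce_and_audit(store, user, device, allow, packets)

    # Second session: same agreement version, so the user is not prompted again.
    prompted_again = needs_new_agreement(store, user, device)
    report = compliance_report(store, user, device, agreed_limits={"mail", "crm"})
    return {"first_prompt": first_prompt, "granted": granted, "forwarded": forwarded,
            "prompted_again": prompted_again,
            "admin_list_unchanged": set(store.admin_allow) == {"mail", "crm", "browser"},
            "report": report}


if __name__ == "__main__":
    print(demo())
```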
  • FIG. 5 is a block diagram of an exemplary system for implementing a computing device. System 500 of FIG. 5 may be implemented in the context of devices such as client device 110, VPN appliance 130 and corporate server 140. The computing system 500 of FIG. 5 includes one or more processors 510 and memory 520. Main memory 510 stores, in part, instructions and data for execution by processor 510. Main memory 520 can store the executable code when in operation. The system 500 of FIG. 5 further includes a mass storage device 530, portable storage medium drive(s) 540, output devices 550, user input devices 560, a graphics display 570, and peripheral devices 580.
  • The components shown in FIG. 5 are depicted as being connected via a single bus 590. However, the components may be connected through one or more data transport means. For example, processor unit 510 and main memory 520 may be connected via a local microprocessor bus, and the mass storage device 530, peripheral device(s) 580, portable storage device 540, and display system 570 may be connected via one or more input/output (I/O) buses.
  • Mass storage device 530, which may be implemented with a magnetic disk drive or an optical disk drive, is a non-volatile storage device for storing data and instructions for use by processor unit 510. Mass storage device 530 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 520.
  • Portable storage device 540 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disc or digital video disc, to input and output data and code to and from the computer system 500 of FIG. 5. The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 500 via the portable storage device 540.
  • Input devices 560 provide a portion of a user interface. Input devices 560 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, or a pointing device, such as a mouse, a trackball, stylus, or cursor direction keys. Additionally, the system 500 as shown in FIG. 5 includes output devices 550. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 570 may include a liquid crystal display (LCD) or other suitable display device. Display system 570 receives textual and graphical information, and processes the information for output to the display device.
  • Peripherals 580 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 580 may include a modem or a router.
  • The components contained in the computer system 500 of FIG. 5 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 500 of FIG. 5 can be a personal computer, hand held computing device, telephone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Palm OS, and other suitable operating systems.
  • The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen in order to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.

Claims (33)

What is claimed is:
1. A method for establishing a connection, comprising:
establishing a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user;
presenting to the user through the user client device and from the server a user agreement on what a corporate network will access on the user client device;
receiving a confirmation of the user agreement from the user by the client device; and
providing the client access to the corporate network by the server.
2. The method of claim 1, further comprising generating the user agreement for the user and user client device combination.
3. The method of claim 1, further comprising storing the user acceptance of the user agreement for the user and user client device combination.
4. The method of claim 1, further comprising providing the user agreement to the user subsequent to the providing the client access to the corporate network.
5. The method of claim 1, further comprising:
receiving login information from the user by the server via the user client device;
determining if the limits on what a corporate network will access on the user client device have changed;
providing an updated version of the limits on what a corporate network will access on the user client device; and
providing the client access to the corporate network by the server once the user has accepted the updated version of the limits on what a corporate network will access on the user client device.
6. The method of claim 1, further comprising:
providing the user with information regarding what applications have sent data to the corporate network; and
providing an indication of compliance to the user regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
7. The method of claim 1, further comprising:
providing an administrator of the corporate network with information regarding what applications have sent data to the corporate network; and
providing an indication of compliance to the administrator regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
8. The method of claim 1, further comprising providing a list of applications allowed to access the corporate network to the user, the list provided from the server to the user through the user client device.
9. The method of claim 8, further comprising receiving input from the user to select a subset of the list of applications to access the corporate network, wherein the one or more applications not selected by the user are blocked access to the corporate network.
10. The method of claim 8, wherein the list is provided to the user at the start of the connection between the user client device and the server.
11. The method of claim 10, further comprising:
detecting during the connection a change to the list of applications allowed to access the corporate network; and
providing the user with an updated list of applications allowed to access the corporate network.
12. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for establishing a connection, the method comprising:
establishing a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user;
presenting to the user through the user client device a user agreement on what a corporate network will access on the user client device;
receiving a confirmation of the user agreement from the user by the client device; and
providing the client access to the corporate network.
13. The non-transitory computer readable storage medium of claim 12, further comprising generating the user agreement for the user and user client device combination.
14. The non-transitory computer readable storage medium of claim 12, further comprising storing the user acceptance of the user agreement for the user and user client device combination.
15. The non-transitory computer readable storage medium of claim 12, further comprising providing the user agreement to the user subsequent to the providing the client access to the corporate network.
16. The non-transitory computer readable storage medium of claim 12, further comprising:
receiving login information from the user by the server via the user client device;
determining if the limits on what a corporate network will access on the user client device have changed;
providing an updated version of the limits on what a corporate network will access on the user client device; and
providing the client access to the corporate network by the server once the user has accepted the updated version of the limits on what a corporate network will access on the user client device.
17. The non-transitory computer readable storage medium of claim 12, further comprising:
providing the user with information regarding what applications have sent data to the corporate network; and
providing an indication of compliance to the user regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
18. The non-transitory computer readable storage medium of claim 12, further comprising:
providing an administrator of the corporate network with information regarding what applications have sent data to the corporate network; and
providing an indication of compliance to the administrator regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
19. The non-transitory computer readable storage medium of claim 12, further comprising providing a list of applications allowed to access the corporate network to the user, the list provided from the server to the user through the user client device.
20. The non-transitory computer readable storage medium of claim 19, further comprising receiving input from the user to select a subset of the list of applications to access the corporate network, wherein the one or more applications not selected by the user are blocked access to the corporate network.
21. The non-transitory computer readable storage medium of claim 19, wherein the list is provided to the user at the start of the connection between the user client device and the server.
22. The non-transitory computer readable storage medium of claim 21, further comprising:
detecting during the connection a change to the list of applications allowed to access the corporate network; and
providing the user with an updated list of applications allowed to access the corporate network.
23. A device for establishing a connection with a remote server, the device including:
a processor;
memory;
an agent stored in memory and executed by the processor to establish a connection between a user client device and a server, the user client device having a plurality of applications and associated with a user, present to the user through the user client device a user agreement on what a corporate network will access on the user client device, receive a confirmation of the user agreement from the user by the client device, and provide the client access to the corporate network.
24. The device of claim 23, further comprising generating the user agreement for the user and user client device combination.
25. The device of claim 23, further comprising storing the user acceptance of the user agreement for the user and user client device combination by the server.
26. The device of claim 23, further comprising providing the user agreement to the user subsequent to the providing the client access to the corporate network by the server.
27. The device of claim 23, further comprising:
receiving login information from the user by the server via the user client device;
determining if the limits on what a corporate network will access on the user client device have changed;
providing an updated version of the limits on what a corporate network will access on the user client device; and
providing the client access to the corporate network by the server once the user has accepted the updated version of the limits on what a corporate network will access on the user client device.
28. The device of claim 23, further comprising:
providing the user with information regarding what applications have sent data to the corporate network; and
providing an indication of compliance to the user regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
29. The device of claim 23, further comprising:
providing an administrator of the corporate network with information regarding what applications have sent data to the corporate network; and
providing an indication of compliance to the administrator regarding whether the data sent by the applications complies with the user agreement on what a corporate network will access on the user client device.
30. The device of claim 23, further comprising providing a list of applications allowed to access the corporate network to the user, the list provided from the server to the user through the user client device.
31. The device of claim 30, further comprising receiving input from the user to select a subset of the list of applications to access the corporate network, wherein the one or more applications not selected by the user are blocked access to the corporate network.
32. The device of claim 30, wherein the list is provided to the user at the start of the connection between the user client device and the server.
33. The device of claim 32, further comprising:
detecting during the connection a change to the list of applications allowed to access the corporate network; and
providing the user with an updated list of applications allowed to access the corporate network.
Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/319,166 US20150281003A1 (en) 2014-03-31 2014-06-30 Mobile application control

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201461973248P 2014-03-31 2014-03-31
US14/319,166 US20150281003A1 (en) 2014-03-31 2014-06-30 Mobile application control

Publications (1)

Publication Number Publication Date
US20150281003A1 true US20150281003A1 (en) 2015-10-01

Family Applications (4)

Application Number Title Priority Date Filing Date
US14/319,145 Active US10382398B2 (en) 2014-03-31 2014-06-30 Application signature authorization
US14/319,136 Abandoned US20150281281A1 (en) 2014-03-31 2014-06-30 Identification of unauthorized application data in a corporate network
US14/319,166 Abandoned US20150281003A1 (en) 2014-03-31 2014-06-30 Mobile application control
US16/533,665 Active 2034-11-12 US11140131B2 (en) 2014-03-31 2019-08-06 Application signature authorization
US20140007222A1 (en) * 2011-10-11 2014-01-02 Zenprise, Inc. Secure execution of enterprise applications on mobile devices
US20140207950A1 (en) * 2012-07-09 2014-07-24 Parentsware Llc Schedule and location responsive agreement compliance controlled information throttle
US20140259178A1 (en) * 2013-03-06 2014-09-11 Microsoft Corporation Limiting enterprise applications and settings on devices
US20150020148A1 (en) * 2013-05-02 2015-01-15 Gary Scott Greenbaum Identity Based Connected Services
US20150059006A1 (en) * 2013-08-23 2015-02-26 Cellco Partnership (D/B/A Verizon Wireless) Secure Device Management Abstraction and Unification Module

Family Cites Families (24)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7076568B2 (en) * 1997-10-14 2006-07-11 Alacritech, Inc. Data communication apparatus for computer intelligent network interface card which transfers data between a network and a storage device according designated uniform datagram protocol socket
US20020129271A1 (en) * 2001-03-12 2002-09-12 Lucent Technologies Inc. Method and apparatus for order independent processing of virtual private network protocols
EP1402355B1 (en) * 2001-05-23 2018-08-29 Tekelec Global, Inc. Methods and systems for automatically configuring network monitoring system
US7526800B2 (en) 2003-02-28 2009-04-28 Novell, Inc. Administration of protection of data accessible by a mobile device
US7353533B2 (en) 2002-12-18 2008-04-01 Novell, Inc. Administration of protection of data accessible by a mobile device
US20080109679A1 (en) 2003-02-28 2008-05-08 Michael Wright Administration of protection of data accessible by a mobile device
US8020192B2 (en) 2003-02-28 2011-09-13 Michael Wright Administration of protection of data accessible by a mobile device
US7099974B2 (en) * 2003-03-20 2006-08-29 International Business Machines Corporation Method, apparatus, and system for reducing resource contention in multiprocessor systems
US7448080B2 (en) * 2003-06-30 2008-11-04 Nokia, Inc. Method for implementing secure corporate communication
US20050183143A1 (en) 2004-02-13 2005-08-18 Anderholm Eric J. Methods and systems for monitoring user, application or device activity
CA2564186C (en) 2004-04-30 2019-08-20 Research In Motion Limited System and method of operation control on an electronic device
EP1803271A1 (en) * 2004-10-20 2007-07-04 Rateflex Systems, Inc. System and method for managing use and access of a communication network
US7617541B2 (en) 2005-09-09 2009-11-10 Netapp, Inc. Method and/or system to authorize access to stored data
US20070220511A1 (en) * 2006-03-15 2007-09-20 Clarke James C Ensuring a stable application debugging environment via a unique hashcode identifier
US7917963B2 (en) 2006-08-09 2011-03-29 Antenna Vaultus, Inc. System for providing mobile data security
US8280373B2 (en) * 2007-09-04 2012-10-02 Airwide Solutions Inc. Terminal device control server and method for controlling access to a mobile communication network
US8589541B2 (en) 2009-01-28 2013-11-19 Headwater Partners I Llc Device-assisted services for protecting network capacity
US8451272B2 (en) * 2008-11-11 2013-05-28 Oracle International Corporation Time expansion for displaying path information
US9195982B2 (en) * 2010-02-04 2015-11-24 Rick N. Orr System and method for interfacing a client device with a point of sale system
US8938809B2 (en) * 2011-06-24 2015-01-20 Google Technology Holdings LLC Retrieval of data across multiple partitions of a storage device using digital signatures
US20140032733A1 (en) 2011-10-11 2014-01-30 Citrix Systems, Inc. Policy-Based Application Management
US8713684B2 (en) 2012-02-24 2014-04-29 Appthority, Inc. Quantifying the risks of applications for mobile devices
US9305298B2 (en) * 2013-03-22 2016-04-05 Nok Nok Labs, Inc. System and method for location-based authentication
US10382398B2 (en) 2014-03-31 2019-08-13 Sonicwall Inc. Application signature authorization

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10382398B2 (en) 2014-03-31 2019-08-13 Sonicwall Inc. Application signature authorization
US11140131B2 (en) 2014-03-31 2021-10-05 Sonicwall Inc. Application signature authorization

Also Published As

Publication number Publication date
US11140131B2 (en) 2021-10-05
US20200053051A1 (en) 2020-02-13
US20150281281A1 (en) 2015-10-01
US10382398B2 (en) 2019-08-13
US20150281282A1 (en) 2015-10-01

Similar Documents

Publication Publication Date Title
CN107113302B (en) Security and permission architecture in multi-tenant computing systems
CN106716404B (en) Proxy server in computer subnet
US9716724B1 (en) Cloud data loss prevention system
CN113196724A (en) System and method for application pre-launch
US20130061335A1 (en) Method, Apparatus, Computer Readable Media for a Storage Virtualization Middleware System
US9225744B1 (en) Constrained credentialed impersonation
CN112930670A (en) System and method for integrated service discovery for network applications
US10579810B2 (en) Policy protected file access
US20140150070A1 (en) Mobile device identify factor for access control policies
EP3714388B1 (en) Authentication token in manifest files of recurring processes
US20140304830A1 (en) Generating a data audit trail for cross perimeter data transfer
US11140131B2 (en) Application signature authorization
KR20110117136A (en) Secure system access without password sharing
US9998439B2 (en) Mobile device identify factor for access control policies
US11916897B2 (en) Isolating networks and credentials using on-demand port forwarding
US11368487B2 (en) Applying security policies to web traffic while maintaining privacy
US11063922B2 (en) Virtual content repository
US20160234215A1 (en) Method and system for managing data access within an enterprise
WO2022144024A1 (en) Attribute-based encryption keys as key material for key-hash message authentication code user authentication and authorization
US10021036B2 (en) Managing persistent cookies on a corporate web portal
US20170024187A1 (en) Automated approval
CN113168343A (en) Filtering authorization
CN113039769A (en) System and method for deep linking of SAAS applications via embedded browser
US20130219486A1 (en) Vpn deep packet inspection
US20220255970A1 (en) Deploying And Maintaining A Trust Store To Dynamically Manage Web Browser Extensions On End User Computing Devices

Legal Events

Date Code Title Description
AS Assignment

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NORTH CAROLINA

Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS, L.P.;DELL SOFTWARE INC.;REEL/FRAME:040030/0187

Effective date: 20160907

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., AS NOTES COLLATERAL AGENT, TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:AVENTAIL LLC;DELL PRODUCTS L.P.;DELL SOFTWARE INC.;REEL/FRAME:040039/0642

Effective date: 20160907

AS Assignment

Owner name: DELL PRODUCTS, L.P., TEXAS

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467

Effective date: 20161031

Owner name: DELL PRODUCTS L.P., TEXAS

Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016

Effective date: 20161031

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467

Effective date: 20161031

Owner name: DELL SOFTWARE INC., CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016

Effective date: 20161031

Owner name: DELL SOFTWARE INC., CALIFORNIA

Free format text: RELEASE BY SECURED PARTY;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:040521/0467

Effective date: 20161031

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: RELEASE OF SECURITY INTEREST IN CERTAIN PATENTS PREVIOUSLY RECORDED AT REEL/FRAME (040039/0642);ASSIGNOR:THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A.;REEL/FRAME:040521/0016

Effective date: 20161031

AS Assignment

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK

Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040581/0850

Effective date: 20161031

AS Assignment

Owner name: CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT, NEW YORK

Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:DELL SOFTWARE INC.;REEL/FRAME:040587/0624

Effective date: 20161031

AS Assignment

Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598

Effective date: 20171114

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNEE PREVIOUSLY RECORDED AT REEL: 040587 FRAME: 0624. ASSIGNOR(S) HEREBY CONFIRMS THE ASSIGNMENT;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH;REEL/FRAME:044811/0598

Effective date: 20171114

AS Assignment

Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PETERSON, CHRIS D;REEL/FRAME:045068/0250

Effective date: 20160901

AS Assignment

Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:PETERSON, CHRISTOPHER D.;REEL/FRAME:045931/0960

Effective date: 20160901

AS Assignment

Owner name: QUEST SOFTWARE INC. (F/K/A DELL SOFTWARE INC.), CALIFORNIA

Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735

Effective date: 20180518

Owner name: AVENTAIL LLC, CALIFORNIA

Free format text: RELEASE OF FIRST LIEN SECURITY INTEREST IN PATENTS RECORDED AT R/F 040581/0850;ASSIGNOR:CREDIT SUISSE AG, CAYMAN ISLANDS BRANCH, AS COLLATERAL AGENT;REEL/FRAME:046211/0735

Effective date: 20180518

AS Assignment

Owner name: SONICWALL US HOLDINGS INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:TELEHOWSKI, DAVID;REEL/FRAME:046287/0434

Effective date: 20180530

AS Assignment

Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT

Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0393

Effective date: 20180518

Owner name: UBS AG, STAMFORD BRANCH, AS COLLATERAL AGENT, CONNECTICUT

Free format text: FIRST LIEN PATENT SECURITY AGREEMENT;ASSIGNOR:SONICWALL US HOLDINGS INC.;REEL/FRAME:046321/0414

Effective date: 20180518

AS Assignment

Owner name: SONICWALL US HOLDINGS, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:KUMAR, PRAVEEN;REEL/FRAME:047112/0663

Effective date: 20180912

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION