(12) Patent Application Publication (10) Pub. No.: US 2014/0032758 A1
Barton et al. (43) Pub. Date: Jan. 30, 2014

(54) POLICY-BASED APPLICATION MANAGEMENT

(71) Applicant: Citrix Systems, Inc., Bedford, MA (US)

(72) Inventors: Gary Barton, Boca Raton, FL (US); James Robert Walker, Deerfield Beach, FL (US); Nitin Desai, Fort Lauderdale, FL (US); Zhongmin Lang, Parkland, FL (US)

(73) Assignee: CITRIX SYSTEMS, INC., Bedford, MA (US)

(21) Appl. No.: 14/045,005

(22) Filed: Oct. 3, 2013

Related U.S. Application Data

(63) Continuation of application No. 14/043,902, filed on Oct. 2, 2013, which is a continuation-in-part of application No. 13/649,076, filed on Oct. 10, 2012, which is a continuation-in-part of application No. 13/886,889, filed on May 3, 2013, which is a continuation-in-part of application No. 13/886,765, filed on May 3, 2013.

(60) Provisional application No. 61/861,736, filed on Aug. 2, 2013, provisional application No. 61/806,577, filed on Mar. 29, 2013, provisional application No. 61/714,469, filed on Oct. 16, 2012, provisional application No. 61/713,762, filed on Oct. 15, 2012, provisional application No. 61/713,718, filed on Oct. 15, 2012, provisional application No. 61/546,021, filed on Oct. 11, 2011, provisional application No. 61/546,922, filed on Oct. 13, 2011, provisional application No. 61/649,134, filed on May 18, 2012, provisional application No. 61/702,671, filed on Sep. 18, 2012, provisional application No. 61/714,293, filed on Oct. 16, 2012, provisional application No. 61/713,554, filed on Oct. 14, 2012, provisional application No. 61/712,948, filed on Oct. 12, 2012, provisional application No. 61/712,953, filed on Oct. 12, 2012, provisional application No. 61/712,956, filed on Oct. 12, 2012, provisional application No. 61/712,962, filed on Oct. 12, 2012.

Publication Classification

(51) Int. Cl.
H04L 29/08 (2006.01)
(52) U.S. Cl.
CPC ...................................... H04L 67/10 (2013.01)
USPC ........................................... 709/225; 709/223

(57) ABSTRACT

Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.
`
[Front-page drawing: Management Server 210; Network Elements A, B, C, D; Storage; reference numerals 203a, 204a]
`APPL-1010
`APPLE INC. / Page 1 of 99
`
`
`
Patent Application Publication, Jan. 30, 2014, Sheet 1 of 39, US 2014/0032758 A1
[Sheet 1 of 39: drawing, no recoverable text]

[Sheets 2 to 4 of 39: drawings, no recoverable text]

[Sheet 5 of 39, FIG. 5 (rotated text, recovered): conversion equipment (I) decompiles an unmanaged app into human readable source code, modifies the human readable source code to include policy control features and software, and (II) compiles the modified human readable source code to form a managed app; a storefront server (e.g., websites) provides the managed app and control policies to a mobile device (e.g., smartphone, tablet, etc.) in response to storefront app requests (e.g., purchases); the managed app routinely requests policy updates and the storefront provides a set of policies in response to each policy request; the managed app operates in accordance with the control policies and MDM device policies; reference numerals 500, 502, 504, 506]

[Sheet 6 of 39, FIG. 6: electronic mobile device (e.g., smart phone, tablet, etc.) comprising a user interface (e.g., touch display), a general clipboard, a hidden encrypted pasteboard, other memory constructs (e.g., operating system, unsecure apps, secure apps, pictures, music, text files, etc.), and processing circuitry constructed and arranged to (I) convey data between secure apps via the hidden encrypted pasteboard, and (II) provide unsecure apps with access to the general clipboard; reference numerals 601, 603, 605, 607, 609, 611, 613]

[Sheet 7 of 39, FIG. 7: first secure application which encrypts data prior to copying -> encrypted data -> hidden encrypted pasteboard -> encrypted data -> second secure application which decrypts data upon pasting; general clipboard 703; reference numeral 707]
[FIG. 8: Mobile Device 810 hosting App 1, App 2, an EMM Client and a Shared Vault 842 (reference numerals 822, 822a, 824a); EMM Server 850 with Auth. Server 852 and Key Server 856]

[Sheets 8 to 12 of 39: system architecture drawings; recoverable labels: Enterprise System, Internet, Carrier Network; reference numerals 920, 960, 996]

[Sheet 13 of 39, FIG. 14: Receive/install managed app on mobile device (1401) -> Receive/install policy file(s) on mobile device (1403) -> Execute managed app in accordance with policy file(s) (1405) -> Policy file acts to restrict data sharing (1407)]
[FIG. 15: Receive COPY command from managed app (1501) -> Encrypt data to be copied (1503) -> Write encrypted data to secure clipboard (1505) -> Managed app retrieves data via PASTE command (1507)]
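The COPY/PASTE flow of FIG. 15 across the two clipboards of FIGS. 6 and 7, as an added example that is not code from the patent or from Citrix: a secure app encrypts before writing to the hidden pasteboard, a second secure app holding the same key decrypts on paste, and an unsecure app only reaches the general clipboard. The vault key, the app names and the stdlib-only cipher (an HMAC-SHA256 keystream with encrypt-then-MAC, standing in for an AEAD such as AES-GCM) are assumptions made for this example.

```python
"""Hidden encrypted pasteboard shared by secure (managed) apps.

Added example, not code from the patent or from Citrix; it models FIGS. 6, 7
and 15. The cipher is a stdlib-only stand-in (HMAC-SHA256 keystream with
encrypt-then-MAC) so this runs without third-party packages; a production
build would use an AEAD such as AES-GCM.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def new_vault_key():
    # Constructed stand-in for a key the EMM key server would provision.
    return os.urandom(32)


def _subkeys(key):
    # Distinct encryption and MAC keys derived from the vault key.
    enc = hmac.new(key, b"pasteboard-enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"pasteboard-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag before decrypting; rejects tampered or foreign entries."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("malformed pasteboard entry")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("pasteboard entry failed integrity check")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class Device:
    """The two clipboards of FIG. 6 on one mobile device."""
    def __init__(self):
        self.general_clipboard = None  # plaintext, readable by any app
        self.hidden_pasteboard = None  # ciphertext only, used by secure apps


class SecureApp:
    """Managed app: encrypts before COPY (1501 to 1505), decrypts on PASTE (1507)."""
    def __init__(self, device, vault_key):
        self.device, self.key = device, vault_key

    def copy(self, text):
        # Only ciphertext is written and the general clipboard is left untouched.
        self.device.hidden_pasteboard = seal(self.key, text.encode("utf-8"))

    def paste(self):
        blob = self.device.hidden_pasteboard
        return None if blob is None else unseal(self.key, blob).decode("utf-8")


class UnsecureApp:
    """Personal app: reaches only the general clipboard."""
    def __init__(self, device):
        self.device = device

    def copy(self, text):
        self.device.general_clipboard = text

    def paste(self):
        return self.device.general_clipboard


if __name__ == "__main__":
    device, key = Device(), new_vault_key()
    mail, docs, photos = SecureApp(device, key), SecureApp(device, key), UnsecureApp(device)
    mail.copy("quarterly forecast")
    print(docs.paste())    # quarterly forecast
    print(photos.paste())  # None
```

The tag is checked before any decryption, so an entry written under a different vault key, or modified on the pasteboard, is rejected rather than pasted as garbage.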
`
[Sheet 14 of 39: drawing, no recoverable text]

[Sheet 15 of 39: device drawing; recoverable label: Specialized PIM App 1733]

[Sheet 16 of 39, FIG. 18: Mobile Device 1720 running a Secure Virtual Machine 1750 (components 1750A, 1750B, 1750C, 1750D) that hosts Enterprise Apps built from Native Code and Security Code, alongside Personal Apps; reference numeral 1748]

[Sheet 17 of 39, FIG. 19: Application Modification System 1900 comprising a Control Interface (UI), an Application Transformer and a Rebuilder (components 1900A to 1900D); input: mobile application (e.g., .APK or .IPA file); output: application with added behaviors]

[Sheet 18 of 39, FIG. 20: Open .APK file (2000) -> Disassemble executable to generate smali (text) files (2002) -> Analyze and map the application code (2004) -> Replace relevant API call(s) based on selected policy or policies, and add relevant code from policy library (2006) -> Add additional code (if applicable) to implement any features that do not require changes to existing code (2008) -> Modify manifest (2010) -> Rebuild into new .APK file (2012) -> Sign new APK file (2014)]

[Sheet 19 of 39, FIG. 21: electronic mobile device equipped with per-app policy-controlled VPN tunneling <-> remote access point <-> computerized resource (e.g., file server, email server, web server, etc.)]
[FIG. 22: electronic mobile device (e.g., smart phone, tablet, etc.) comprising a user interface (e.g., touch display); memory holding specialized network software, policies and metadata, specific application(s), and other memory constructs (e.g., operating system, untrusted apps, pictures, music, text files, etc.); and processing circuitry constructed and arranged to securely access remote computerized resources via application specific tunnel]

[Sheet 20 of 39, FIG. 23: Receive, by processing circuitry of the electronic mobile device, user authentication information from a user to initially authenticate a user -> Verify that the user is entitled to use a specific application on the electronic mobile device -> Obtain an updated set of policies corresponding to the specific application from a remote access point -> Apply the updated set of policies to determine whether the user is permitted to remotely access a remote computerized resource via the specific application and an application specific tunnel -> Direct a specialized network application to initiate a secure connection to the remote access point -> Authenticate the user to the remote access point -> Construct the application specific tunnel (e.g., a VPN-style tunnel from the specific application to the remote computerized resource through the remote access point) -> Access the remote computerized resource via the specific application and the application specific tunnel]

[Sheet 21 of 39, FIG. 24: labels: Application 2422 (2422a), Read 2412, Policy-Aware Interception Layer 2420, Private App Vault 2422b, Shared Vault 2442, Keys (from EMM Server) 2450; reference numeral 2410]
[FIG. 25: Client Device 2505 <-> Proxy Device 2510 <-> Authentication Service 2515 and Resource 2520]
[Sheet 22 of 39: drawing, no recoverable text]

[Sheet 23 of 39, FIG. 27: Key use cases: push webpage to another device (particularly videos sent to iPad); send this window to that device (to help with clutter and organization); copy/paste to specific Word doc (easy one-touch send content to a doc, minimize shuffling); GTM spread across devices (isolate the complexity for specific devices). Source and targets: move apps & content (web pages, apps, email, calendar, conferencing, office apps, videos). Step 1: text to be selected is here; Step 2: text to be selected is here; text is sent to Word doc. Alternative 1: vertical scrolling menu; Alternative 2: phone, HDTV, tablet; Alternative 3: conic device selector; device "peeking"]
[Sheet 24 of 39: system drawing; recoverable label: User Database]
[Sheet 25 of 39: drawing, no recoverable text]

[Sheet 26 of 39, FIG. 29B: two Computing Devices, each with an Orchestration Agent, in a Peer-to-Peer Communication Session; Cloud Storage Resource; Rules Database; Device Database; User Database]

[Sheet 27 of 39, FIG. 30: Receive/install managed app on mobile device (3001) -> Receive/install policy file(s) on mobile device (3003) -> Execute managed app in accordance with policy file(s) (3005) -> Policy file acts to enable/disable SSO (3007)]

[Sheet 28 of 39, FIG. 31 (flow 3100): Select file to share (3102) -> Initiate cross-device request (3104) -> Launch multi-device client (3106) -> Present list of destinations for selected file (3108) -> Select destination (3110) -> Upload selected file to file sharing service (3112) -> Notify cloud service of shared file (3114) -> Notify destination of shared file (3116) -> Personal device? (3118, Y/N branch) -> Display notification of shared file at destination (3120) -> Retrieve shared file from file sharing service (3126) -> Launch application and display file (3128); Automatically retrieve shared file from file sharing service (3130)]

[Sheet 29 of 39, FIG. 32 (flow 3200): Select URL to share (3202) -> Initiate cross-device request (3204) -> Launch multi-device client (3206) -> Select destination from list of destinations (3208) -> Upload URL to cloud service (3210) -> Notify destination of shared URL (3212) -> Personal device? (3214, Y/N branch) -> Display notification of shared URL at destination (3216) -> Launch web browser and initiate request for URL (3222); Automatically launch web browser and request URL (3224)]

[Sheet 30 of 39, FIG. 33: Select and copy content to share (3302) -> Initiate cross-device request (3304) -> Launch multi-device client (3306) -> Upload selected content to global clipboard at cloud service (3308) -> Notify devices connected to cloud service of new content in global clipboard (3310) -> Receive request for content in global clipboard (3312) -> Download content in global clipboard to requesting device (3314) -> Paste downloaded content into application at requesting device (3316)]
[FIG. 34 (flow 3400): Receive notification of shared file at cloud service (3402) -> Determine whether destination device is capable of opening shared file (3404) -> Capable of opening file? (3406): Y -> Launch application and open file (3408); otherwise Launch virtual environment (3410) -> Configure virtual environment with capability to open file (3412) -> Provide file to virtual environment (3414) -> Launch virtualized application and open file (3416) -> Launch virtualization client at destination device (3418) -> Connect to virtual environment via virtualization client (3420)]

[Sheet 31 of 39, FIG. 36: Mobile Device 3510 with Application A, Application B, Application C and Application E; EMM Server 3550 with Auth. Server 3552 and App Store 3554]

[Sheet 32 of 39, FIG. 37: Present a plurality of applications (3702) -> Receive a selection for one of the plurality of applications (3704) -> Determine a context for the selected application (3706) -> Determine an operation mode for the selected application based on the context (3708) -> Run the selected application in the determined operation mode (3710)]
[FIG. 38: Detect an account to be accessed (3802) -> Determine an account type for the account to be accessed (3804) -> Compare account type to account type policy (3806) -> Determine an operation mode based on the comparison (3808)]
[FIG. 39: Determine location for a mobile device (3902) -> Compare determined location to location policy (3904) -> Determine an operation mode based on the comparison (3906)]
[FIG. 40: Monitor whether a predetermined application is running on a device (4002) -> Compare monitored application to policy (4004) -> Determine an operation mode based on the comparison (4006)]

[Sheet 33 of 39, FIG. 41: Detect one or more network connections for a device (4102) -> Compare detected network connections to network connection policy (4104) -> Determine an operation mode based on the comparison (4106)]
[FIG. 42: Detect one or more settings for a mobile device (4202) -> Compare detected settings to settings policy (4204) -> Determine an operation mode based on the comparison (4206)]
[FIG. 43: Monitor, while a selected application is running, one or more contexts for the selected application (4302) -> Determine a change in operation mode based on the monitoring (4304) -> Switch the operation mode for the selected application (4306)]

[Sheet 34 of 39, FIG. 44: Receive/install managed app on mobile device (4401) -> Receive/install policy file(s) on mobile device (4403) -> Execute managed app in accordance with policy file(s) (4405) -> Policy file restricts clipboard access (4407)]
[FIG. 49: Receive/install managed apps on mobile device (4901) -> Receive/install policy file(s) on mobile device (4903) -> Execute managed app in accordance with policy file(s) (4905) -> Only allow data sharing between managed apps (4907)]

[Sheet 35 of 39, FIG. 45: Device enrolls in MDM, includes one or more managed app + one or more unmanaged app -> Initiate data export operation (4503) -> decision (label not recoverable; NO/YES branches) -> Disallow data export operation (4507) or Allow data export operation (4509)]
[FIG. 46: decision (4601, label not recoverable; YES branch) -> apply policy (4603, 4605; labels partly unrecoverable) -> Device app requests resource (4607) -> Allow/disallow access to resource based on applicable policy (4609)]

[Sheet 36 of 39, FIG. 47: Receive request for updated policy information for an application from a policy agent (4705) -> Policy updated? -> if not, Notify policy agent that updates are not available (4715); if so, Provide policy update to policy agent (4720)]
[Sheet 37 of 39, FIG. 48: Receive a policy change for an application (4805) -> Determine that the application is present on device(s) (4810) -> Provide policy change to device(s) (4815) -> End]

[Sheet 38 of 39, FIG. 50: Receive/install managed app on mobile device (5001) -> Receive/install policy file(s) on mobile device (5003) -> Execute managed app in accordance with policy file(s) (5005) -> Policy file acts to restrict application-specific feature (5007)]
[FIG. 51: Receive/install managed secure browser app on mobile device (5101) -> Receive/install policy file(s) on mobile device (5103) -> Execute managed secure browser app in accordance with policy file(s) (5105) -> Policy file acts to restrict application-specific feature (5107)]
[FIG. 52: Receive/install managed PIM app on mobile device (5201) -> Receive/install policy file(s) on mobile device (5203) -> Execute managed PIM app in accordance with policy file(s) (5205) -> Policy file acts to restrict application-specific feature]
[FIG. 53: Receive/install managed client agent app on mobile device (5301) -> Receive/install policy file(s) on mobile device (5303) -> Execute managed client agent app in accordance with policy file(s) (5305) -> Policy file acts to restrict application-specific feature (5307)]

[Sheet 39 of 39, FIG. 54: Receive/install managed app on mobile device (5401) -> Receive/install policy file(s) on mobile device (5403) -> Execute managed app in accordance with policy file(s) -> Policy file acts to restrict access to enterprise data storage (5407)]
[FIG. 55: Receive/install managed app on mobile device (5501) -> Receive/install policy file(s) on mobile device (5503) -> Execute managed app in one of multiple operation modes (5505) -> Select policy file(s) based on operation mode (5507)]
[FIG. 56: Receive/install managed app on mobile device -> Receive/install policy file(s) on mobile device (5603) -> Execute managed app in accordance with policy file(s) (5605) -> Policy file acts to enable/disable SSO (5607)]

`US 2014/0032758 A1
`
`Jan. 30, 2014
`
POLICY-BASED APPLICATION MANAGEMENT

CROSS-REFERENCE TO RELATED APPLICATIONS

0001 This application is a continuation of Ser. No. 14/043,902, filed Oct. 2, 2013, entitled “Policy Based Application Management,” which in turn claims priority to: provisional application 61/861,736, filed Aug. 2, 2013, entitled “Policy-Based Application Management”; provisional application 61/806,577, filed Mar. 29, 2013, and entitled “Systems and Methods for Enterprise Mobility Management”; provisional application 61/714,469, filed Oct. 16, 2012, entitled “Policy-Based Control of a Managed Application Derived from an Unmanaged Application”; provisional application 61/713,762, filed Oct. 15, 2012, entitled “Conveying Data Between Secure Applications Running on an Electronic Mobile Device”; provisional application 61/713,718, filed Oct. 15, 2012, entitled “Secure Data Sharing Among Managed Applications”; non-provisional application Ser. No. 13/649,076, filed Oct. 10, 2012, entitled “Gateway for Controlling Mobile Device Access to Enterprise Resources” (which in turn claims priority to provisional application 61/546,021, filed Oct. 11, 2011, entitled “Systems and Methods for Management of Enterprise Mobile Devices”; provisional application 61/546,922, filed Oct. 13, 2011, entitled “Systems and Methods for Management of Enterprise Mobile Devices”; and provisional application 61/649,134, filed May 18, 2012, entitled “Mobile Device Management and Security”; and provisional application 61/702,671, filed Sep. 18, 2012, entitled “Mobile Device Management and Security”); provisional application 61/713,763, filed Oct. 15, 2012, entitled “Per-Application Policy Controlled Access to Computerized Resources”; provisional application 61/714,293, filed Oct. 16, 2012, entitled “Managing Encrypted File Vaults for Managed Applications on Unmanaged Mobile Device”; non-provisional application Ser. No. 13/886,889, filed May 3, 2013, entitled “Application with Multiple Operation Modes”; provisional application 61/713,554, filed Oct. 14, 2012, entitled “Automated Meeting Room”; provisional application 61/712,948, filed Oct. 12, 2012, entitled “Frictionless Distributive Collaborative Work Across Time and Space”; provisional application 61/712,953, filed Oct. 12, 2012, entitled “Mobile Work and Micro Work Using an Activity Interface”; provisional application 61/712,956, filed Oct. 12, 2012, entitled “Multi-Device Interaction”; provisional application 61/712,962, filed Oct. 12, 2012, entitled “Orchestration Framework for Connected Devices”; and non-provisional application Ser. No. 13/886,765, filed May 3, 2013, entitled “Mobile Device Locking with Context.” Each of the aforementioned application(s) is herein incorporated by reference in its entirety for all purposes.
`
FIELD

0002 Aspects described herein generally relate to mobile computing devices. More specifically, aspects described herein relate to techniques for imposing control over managed applications executing on mobile computing devices.
`
BACKGROUND

0003 Some enterprises (e.g., corporations, partnerships, governments, academic institutions, other organizations, etc.) maintain enterprise computer networks that allow enterprise users, such as employees, access to enterprise resources, such as hardware and software applications for email, customer relationship management (CRM), document management, enterprise resource planning (ERP), and the like, as well as other data controlled by the enterprise. Enterprises sometimes allow remote access, such as when enterprise users are not in the enterprise network. Also, some enterprises allow users to access the enterprise network via mobile devices, such as smartphones, tablet computers, PDAs (personal digital assistants), and the like. Enterprises typically deploy enterprise mobility management (EMM) solutions to assist in the management and control of remote access to enterprise resources. EMM solutions have traditionally taken the approach of managing entire mobile devices through what are known as mobile device management (MDM) approaches. In preexisting EMM solutions, enterprises typically issue mobile devices to employees, which are intended exclusively for business use, and the enterprise maintains control over the mobile devices and all of their applications and data. A recent trend is to allow employees to use their own mobile device(s) for work purposes (a scenario known as BYOD, bring your own device). However, BYOD scenarios pose inherent security risks, because there is neither uniform nor universal control over each device.

SUMMARY

0004 The following presents a simplified summary of various aspects described herein. This summary is not an extensive overview, and is not intended to identify key or critical elements or to delineate the scope of the claims. The following summary merely presents some concepts in a simplified form as an introductory prelude to the more detailed description provided below.

0005 To overcome limitations in the prior art described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, aspects described herein are directed towards mobile applications operating under the control of one or more independent policy files defining one or more security, feature and/or resource limitations. Each application may execute in accordance with its corresponding set of policy files, optionally received separate from the application, which define one or more security parameters, features, resource restrictions, and/or other access controls that are enforced by a mobile device management system when that application is executing on the device. By operating in accordance with its respective policy file(s), each application may be allowed or restricted from communications with one or more other applications and/or resources. Policy files may define acceptable behavior, e.g., based on user credentials, user role, geographic location, network location, location types, enterprise mobile management (EMM) information, and/or any other information accessible or determinable by the operating device.

0006 These and additional aspects will be appreciated with the benefit of the disclosures discussed in further detail below.
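As an added example of the per-application policy evaluation the Summary above describes (not code from the patent or from Citrix), the following Python loads one policy file per managed app, derives an operation mode from the context elements the Summary names (user role, network, location, device settings) in the way the context-check flows of FIGS. 37 to 43 sketch, and gates data sharing so that it stays between managed apps unless a policy opts in, as the Abstract requires. The policy keys, app names and sample contexts are constructed assumptions, since the patent does not define a policy-file format.

```python
"""Per-application policy evaluation for managed mobile apps.

Added example, not code from the patent or from Citrix: each managed app has
its own policy file; the engine derives an operation mode from the runtime
context and gates data sharing between managed and unmanaged apps. Policy
keys, app names and contexts are constructed (the patent fixes no format).
"""
import json
from dataclasses import dataclass

# Constructed policy files, one per managed app, as an EMM server might push them.
POLICY_FILES = {
    "corp.mail": json.dumps({
        "managed": True,
        "allowed_roles": ["employee", "contractor"],
        "allowed_network_types": ["enterprise", "vpn"],
        "allowed_locations": ["hq", "branch"],
        "require_passcode": True,
        "share_with_unmanaged": False,
    }),
    "corp.docs": json.dumps({
        "managed": True,
        "allowed_roles": ["employee"],
        "allowed_network_types": ["enterprise", "vpn", "public"],
        "allowed_locations": ["hq", "branch", "remote"],
        "require_passcode": True,
        "share_with_unmanaged": False,
    }),
}


@dataclass(frozen=True)
class Context:
    """Facts the device can determine at run time (FIGS. 38 to 42)."""
    role: str
    network_type: str
    location: str
    passcode_enabled: bool


class AppRegistry:
    """Installed apps; an app is managed when a policy file was installed for it."""

    def __init__(self, policies):
        self.policies = policies

    @classmethod
    def load(cls, files):
        return cls({app: json.loads(text)
                    for app, text in files.items()})

    def is_managed(self, app):
        return bool(self.policies.get(app, {}).get("managed"))


def determine_operation_mode(policy, ctx):
    """Compare each context element to the policy (FIG. 37, step 3708).

    A failed entitlement or device-setting check blocks the app; a network or
    location mismatch runs it in a restricted mode without enterprise data.
    """
    if ctx.role not in policy["allowed_roles"]:
        return "blocked"
    if policy["require_passcode"] and not ctx.passcode_enabled:
        return "blocked"
    if ctx.network_type not in policy["allowed_network_types"]:
        return "restricted"
    if ctx.location not in policy["allowed_locations"]:
        return "restricted"
    return "managed"


def is_share_allowed(registry, source_app, target_app):
    """Gate a data export (FIGS. 44, 45, 49): managed apps exchange data freely
    with each other; data crosses the managed/unmanaged boundary only if the
    managed side's policy opts in. Two unmanaged apps are outside policy scope."""
    src, dst = registry.is_managed(source_app), registry.is_managed(target_app)
    if src == dst:
        return True
    managed_app = source_app if src else target_app
    return bool(registry.policies[managed_app].get("share_with_unmanaged"))


def monitor_mode_changes(policy, contexts):
    """FIG. 43: re-evaluate while the app runs; return each (old, new) switch."""
    switches, current = [], None
    for ctx in contexts:
        mode = determine_operation_mode(policy, ctx)
        if current is not None and mode != current:
            switches.append((current, mode))
        current = mode
    return switches


if __name__ == "__main__":
    registry = AppRegistry.load(POLICY_FILES)
    at_desk = Context("employee", "enterprise", "hq", True)
    print(determine_operation_mode(registry.policies["corp.mail"], at_desk))  # managed
    print(is_share_allowed(registry, "corp.mail", "personal.photos"))         # False
```

The share check is deliberately symmetric: an unmanaged app pasting into a managed one is refused for the same reason a managed app exporting to an unmanaged one is, so the managed set behaves as a single data boundary rather than a one-way filter.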
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`0007. A more complete understanding of aspects
`described herein and the advantages thereof may be acquired
`by referring to the following description in consideration of
`
`the accompanying drawings, in which like reference numbers
`indicate like features, and wherein:
0008 FIG. 1 depicts an illustrative computer system architecture that may be used in accordance with one or more illustrative aspects described herein.
0009 FIG. 2 depicts an illustrative cloud-based system architecture that may be used in accordance with one or more illustrative aspects described herein.
0010 FIG. 3 depicts an illustrative enterprise mobility management system.
0011 FIG. 4 depicts another illustrative enterprise mobility management system.
0012 FIG. 5 depicts a process flow according to illustrative aspects described herein.
0013 FIG. 6 depicts a device according to illustrative aspects described herein.
0014 FIG. 7 depicts a data flow according to illustrative aspects described herein.
0015 FIG. 8 depicts a system architecture according to illustrative aspects described herein.
0016 FIG. 9 depicts a system architecture according to illustrative aspects described herein.
0017 FIG. 10 depicts a system architecture according to illustrative aspects described herein.
0018 FIG. 11 depicts a system architecture according to illustrative aspects described herein.
0019 FIG. 12 depicts a system architecture according to illustrative aspects described herein.
0020 FIG. 13 depicts a system architecture according to illustrative aspects described herein.
0021 FIG. 14 depicts an illustrative method for performing policy based app management according to illustrative aspects described herein.
0022 FIG. 15 depicts an illustrative method for performing policy based app management according to illustrative aspects described herein.
0023 FIG. 16 depicts a device according to illustrative aspects described herein.
0024 FIG. 17 depicts a device according to illustrative aspects described herein.
0025 FIG. 18 depicts a device according to illustrative aspects described herein.
0026 FIG. 19 depicts a process flow according to illustrative aspects described herein.
0027 FIG. 20 depicts a process flow according to illustrative aspects described herein.
0028 FIG. 21 depicts a system according to illustrative aspects described herein.
0029 FIG. 22 depicts a device according to illustrative aspects described herein.
0030 FIG. 23 depicts a process flow according to illustrative aspects described herein.
0031 FIG. 24 depicts a device according to illustrative aspects described herein.
0032 FIG. 25 depicts a system according to illustrative aspects described herein.
0033 FIG. 26 depicts a system according to illustrative aspects described herein.
0034 FIG. 27 depicts a process flow according to illustrative aspects described herein.
0035 FIG. 28 depicts a system according to illustrative aspects described herein.
0036 FIGS. 29A and 29B depict systems according to illustrative aspects described herein.
0037 FIG. 30 depicts an illustrative method for performing policy based app management according to illustrative aspects