(19) United States
(12) Patent Application Publication
     Barton et al.
(10) Pub. No.: US 2014/0032758 A1
(43) Pub. Date: Jan. 30, 2014

(54) POLICY-BASED APPLICATION MANAGEMENT
(71) Applicant: Citrix Systems, Inc., Bedford, MA (US)
(72) Inventors: Gary Barton, Boca Raton, FL (US); James Robert Walker, Deerfield Beach, FL (US); Nitin Desai, Fort Lauderdale, FL (US); Zhongmin Lang, Parkland, FL (US)
(73) Assignee: CITRIX SYSTEMS, INC., Bedford, MA (US)
(21) Appl. No.: 14/045,005
(22) Filed: Oct. 3, 2013

Related U.S. Application Data
(63) Continuation of application No. 14/043,902, filed on Oct. 2, 2013, which is a continuation-in-part of application No. 13/649,076, filed on Oct. 10, 2012, which is a continuation-in-part of application No. 13/886,889, filed on May 3, 2013, which is a continuation-in-part of application No. 13/886,765, filed on May 3, 2013.
(60) Provisional application No. 61/861,736, filed on Aug. 2, 2013, provisional application No. 61/806,577, filed on Mar. 29, 2013, provisional application No. 61/714,469, filed on Oct. 16, 2012, provisional application No. 61/713,762, filed on Oct. 15, 2012, provisional application No. 61/713,718, filed on Oct. 15, 2012, provisional application No. 61/546,021, filed on Oct. 11, 2011, provisional application No. 61/546,922, filed on Oct. 13, 2011, provisional application No. 61/649,134, filed on May 18, 2012, provisional application No. 61/702,671, filed on Sep. 18, 2012, provisional application No. 61/714,293, filed on Oct. 16, 2012, provisional application No. 61/713,554, filed on Oct. 14, 2012, provisional application No. 61/712,948, filed on Oct. 12, 2012, provisional application No. 61/712,953, filed on Oct. 12, 2012, provisional application No. 61/712,956, filed on Oct. 12, 2012, provisional application No. 61/712,962, filed on Oct. 12, 2012.

Publication Classification
(51) Int. Cl.
     H04L 29/08 (2006.01)
(52) U.S. Cl.
     CPC: H04L 67/10 (2013.01)
     USPC: 709/225; 709/223
(57) ABSTRACT

Improved techniques for managing enterprise applications on mobile devices are described herein. Each enterprise mobile application running on the mobile device has an associated policy through which it interacts with its environment. The policy selectively blocks or allows activities involving the enterprise application in accordance with rules established by the enterprise. Together, the enterprise applications running on the mobile device form a set of managed applications. Managed applications are typically allowed to exchange data with other managed applications, but are blocked from exchanging data with other applications, such as the user's own personal applications. Policies may be defined to manage data sharing, mobile resource management, application specific information, networking and data access solutions, device cloud and transfer, dual mode application software, enterprise app store access, and virtualized application and resources, among other things.
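The sharing rule the abstract states (managed applications may exchange data with each other but not with the user's personal applications, each under its own policy) can be sketched as a policy check. This is an added example, not code from the patent or from any Citrix product; the JSON policy schema, the rule names, the app identifiers and the fail-closed handling of an unreadable policy are assumptions made for illustration.

```python
import json
from dataclasses import dataclass

# Rule values in this example's hypothetical policy schema.
BLOCKED, MANAGED_ONLY, UNRESTRICTED = "blocked", "managed_only", "unrestricted"

# Constructed sample: one policy file per managed app, delivered separately
# from the app itself. App ids and field names are invented for illustration.
SAMPLE_POLICY_FILES = {
    "com.example.mail": '{"version": 3, "rules": {"clipboard": "managed_only", "open_in": "managed_only"}}',
    "com.example.docs": '{"version": 1, "rules": {"clipboard": "managed_only", "open_in": "unrestricted"}}',
    "com.example.crm": '{"version": 2, "rules": {"clipboard": ',  # truncated on purpose
}


@dataclass
class Policy:
    version: int
    rules: dict

    def permits(self, activity: str, peer_is_managed: bool) -> bool:
        # Activities the policy does not mention, and rule values it does not
        # recognise, are treated as blocked.
        rule = self.rules.get(activity, BLOCKED)
        if rule == UNRESTRICTED:
            return True
        return rule == MANAGED_ONLY and peer_is_managed


def parse_policy(raw: str):
    """Return a Policy, or None if the policy file is malformed."""
    try:
        doc = json.loads(raw)
        version, rules = doc["version"], doc["rules"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(version, int) or not isinstance(rules, dict):
        return None
    return Policy(version, rules)


class PolicyStore:
    """The managed apps on one device and their parsed policies."""

    def __init__(self, policy_files: dict):
        # An app counts as managed if the enterprise shipped a policy file
        # for it, even when that file fails to parse.
        self._policies = {app: parse_policy(raw) for app, raw in policy_files.items()}

    def is_managed(self, app: str) -> bool:
        return app in self._policies

    def policy_for(self, app: str):
        return self._policies.get(app)


@dataclass
class Decision:
    allowed: bool
    reason: str


def decide(store: PolicyStore, activity: str, source: str, dest: str) -> Decision:
    """Allow an exchange only if every managed party's policy permits its peer."""
    for app, peer in ((source, dest), (dest, source)):
        if not store.is_managed(app):
            continue  # personal apps are outside the enterprise's policy
        policy = store.policy_for(app)
        if policy is None:
            return Decision(False, f"{app}: policy unreadable, failing closed")
        if not policy.permits(activity, store.is_managed(peer)):
            return Decision(False, f"{app}: policy v{policy.version} blocks {activity} with {peer}")
    return Decision(True, "permitted by the policy of every managed party")


def demo():
    store = PolicyStore(SAMPLE_POLICY_FILES)
    cases = [
        ("clipboard", "com.example.mail", "com.example.docs"),
        ("clipboard", "com.example.mail", "org.personal.notes"),
        ("clipboard", "org.personal.notes", "com.example.mail"),
        ("open_in", "com.example.docs", "org.personal.notes"),
        ("clipboard", "com.example.crm", "com.example.mail"),
        ("clipboard", "org.personal.notes", "org.personal.game"),
    ]
    return [(a, s, d, decide(store, a, s, d)) for a, s, d in cases]


if __name__ == "__main__":
    for activity, src, dst, decision in demo():
        verdict = "ALLOW" if decision.allowed else "DENY "
        print(f"{verdict} {activity:9} {src} -> {dst}: {decision.reason}")
```

Because the check is applied from both ends, a paste from a personal app into a managed app is refused by the managed app's policy just as a copy out of it is.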

[Front-page drawing: Management Server 210; Network Elements A, B, C, D; Storage.]

APPL-1010
APPLE INC. / Page 1 of 99

Patent Application Publication    Jan. 30, 2014    Sheet 1 of 39    US 2014/0032758 A1

[FIG. 6: Electronic mobile device (e.g., smart phone, tablet, etc.). Labels: user interface (e.g., touch display); general clipboard; hidden encrypted pasteboard; other memory constructs (e.g., operating system, unsecure apps, secure apps, pictures, music, text files, etc.); processing circuitry constructed and arranged to (i) convey data between secure apps via the hidden encrypted pasteboard, and (ii) provide unsecure apps with access to the general clipboard. Reference numerals 601, 603, 605, 607, 609, 611, 613.]

[FIG. 7: Data flow. Labels: first secure application which encrypts data prior to copying; encrypted data; hidden encrypted pasteboard; encrypted data; second secure application which decrypts data upon pasting; general clipboard. Reference numerals 703, 707.]

[Drawing with 800-series reference numerals. Labels: Mobile Device 810; App 1; App 2; EMM Client; Shared Vault 842; EMM Server 850; Auth. Server 852; Key Server 856.]

[FIG. 14: Flowchart. 1401: Receive/install managed app on mobile device. 1403: Receive/install policy file(s) on mobile device. 1405: Execute managed app in accordance with policy file(s). 1407: Policy file acts to restrict data sharing.]

[FIG. 15: Flowchart. 1501: Receive COPY command from managed app. 1503: Encrypt data to be copied. 1505: Write encrypted data to secure clipboard. 1507: Managed app retrieves data via PASTE command.]

[FIG. 18: Labels: Mobile Device; Secure Virtual Machine; Enterprise App (two); Native Code; Security Code; Personal App (two). Reference numerals 1720, 1748, 1750, 1750A, 1750B, 1750C, 1750D.]

[FIG. 19: Labels: Application Modification System 1900; Control Interface (UI); Application Transformer; Rebuilder; mobile application (e.g., .APK or IPA file); application with added behaviors. Reference numerals 1900A, 1900B, 1900C, 1900D.]

[FIG. 20: Flowchart. 2000: Open .APK file. 2002: Disassemble executable to generate smali (text) files. 2004: Analyze and map the application code. 2006: Replace relevant API call(s) based on selected policy or policies, and add relevant code from policy library. 2008: Add additional code (if applicable) to implement any features that do not require changes to existing code. 2010: Modify manifest. 2012: Rebuild into new .APK file. 2014: Sign new .APK file.]

[FIG. 21: Labels: electronic mobile device equipped with per-app policy-controlled VPN tunneling; remote access point; computerized resource (e.g., file server, email server, web server, etc.).]

[FIG. 22: Electronic mobile device (e.g., smart phone, tablet, etc.). Labels: user interface (e.g., touch display); memory; specialized network software, policies and metadata; specific application(s); other memory constructs (e.g., operating system, untrusted apps, pictures, music, text files, etc.); processing circuitry constructed and arranged to securely access remote computerized resources via application specific tunnel.]

[FIG. 23: Flowchart, steps in order. Receive, by processing circuitry of the electronic mobile device, user authentication information from a user to initially authenticate a user. Verify that the user is entitled to use a specific application on the electronic mobile device. Obtain an updated set of policies corresponding to the specific application from a remote access point. Apply the updated set of policies to determine whether the user is permitted to remotely access a remote computerized resource via the specific application and an application specific tunnel. Direct a specialized network application to initiate a secure connection to the remote access point. Authenticate the user to the remote access point. Construct the application specific tunnel (e.g., a VPN-style tunnel from the specific application to the remote computerized resource through the remote access point). Access the remote computerized resource via the specific application and the application specific tunnel.]

[Drawing with 2400-series reference numerals. Labels: Application; Read; Keys (from EMM Server); Policy-Aware Interception Layer; Private App Vault; Shared Vault. Reference numerals 2410, 2412, 2420, 2422, 2422a, 2422b, 2442, 2450.]

[FIG. 25: Labels: Client Device 2505; Proxy Device 2510; Authentication Service 2515; Resource 2520.]

[FIG. 27: Key use cases: push webpage to another device (particularly videos sent to iPad); send this window to that device (to help with clutter and organization); copy/paste to specific Word doc (easy one-touch send of content to a doc, minimize shuffling); GTM spread across devices (isolate the complexity for specific devices). Panels: source and targets for moving apps and content (web pages, apps, email, calendar, conferencing, office apps, videos); device selector Alternatives 1, 2 and 3.]

[FIG. 29B: Labels: Peer-to-Peer Communication Session; Orchestration Agent (two); Computing Device (two); Cloud Storage Resource; Rules Database; Device Database; User Database.]

[FIG. 30: Flowchart. 3001: Receive/install managed app on mobile device. 3003: Receive/install policy file(s) on mobile device. 3005: Execute managed app in accordance with policy file(s). 3007: Policy file acts to enable/disable SSO.]

[FIG. 31: Flowchart 3100. 3102: Select file to share. 3104: Initiate cross-device request. 3106: Launch multi-device client. 3108: Present list of destinations for selected file. 3110: Select destination. 3112: Upload selected file to file sharing service. 3114: Notify cloud service of shared file. 3116: Notify destination of shared file. 3118: Personal device? (Y/N). 3120: Display notification of shared file at destination. 3126: Retrieve shared file from file sharing service. 3128: Launch application and display file. 3130: Automatically retrieve shared file from file sharing service.]

[FIG. 32: Flowchart 3200. 3202: Select URL to share. 3204: Initiate cross-device request. 3206: Launch multi-device client. 3208: Select destination from list of destinations. 3210: Upload URL to cloud service. 3212: Notify destination of shared URL. 3214: Personal device? 3216: Display notification of shared URL at destination. 3222: Launch Web browser and initiate request for URL. 3224: Automatically launch Web browser and request URL.]

[FIG. 33: Flowchart. 3302: Select and copy content to share. 3304: Initiate cross-device request. 3306: Launch multi-device client. 3308: Upload selected content to global clipboard at cloud service. 3310: Notify devices connected to cloud service of new content in global clipboard. 3312: Receive request for content in global clipboard. 3314: Download content in global clipboard to requesting device. 3316: Paste downloaded content into application at requesting device.]

[FIG. 34: Flowchart 3400. 3402: Receive notification of shared file at cloud service. 3404: Determine whether destination device is capable of opening shared file. 3406: Capable of opening file? 3408: Launch application and open file. 3410: Launch virtual environment. 3412: Configure virtual environment with capability to open file. 3414: Provide file to virtual environment. 3416: Launch virtualized application and open file. 3418: Launch virtualization client at destination device. 3420: Connect to virtual environment via virtualization client.]

[Drawing with 3500-series reference numerals. Labels: Mobile Device 3510; EMM Server 3550; Auth. Server 3552; App Store 3554.]

[FIG. 36: Labels: Application A; Application B; Application C; Application E.]

[FIG. 37: Flowchart. 3702: Present a plurality of applications. 3704: Receive a selection for one of the plurality of applications. 3706: Determine a context for the selected application. 3708: Determine an operation mode for the selected application based on the context. 3710: Run the selected application in the determined operation mode.]

[FIG. 38: Flowchart. 3802: Detect an account to be accessed. 3804: Determine an account type for the account to be accessed. 3806: Compare account type to account type policy. 3808: Determine an operation mode based on the comparison.]

[FIG. 39: Flowchart. 3902: Determine location for a mobile device. 3904: Compare determined location to location policy. 3906: Determine an operation mode based on the comparison.]

[FIG. 40: Flowchart. 4002: Monitor whether a predetermined application is running on a device. 4004: Compare monitored application to policy. 4006: Determine an operation mode based on the comparison.]

[FIG. 41: Flowchart. 4102: Detect one or more network connections for a device. 4104: Compare detected network connections to network connection policy. 4106: Determine an operation mode based on the comparison.]

[FIG. 42: Flowchart. Detect one or more settings for a mobile device. 4204: Compare detected settings to settings policy. Determine an operation mode based on the comparison.]

[FIG. 43: Flowchart. 4302: Monitor, while a selected application is running, one or more contexts for the selected application. 4304: Determine a change in operation mode based on the monitoring. Switch the operation mode for the selected application.]

[FIG. 44: Flowchart. 4401: Receive/install managed app on mobile device. 4403: Receive/install policy file(s) on mobile device. 4405: Execute managed app in accordance with policy file(s). 4407: Policy file restricts clipboard access.]

[FIG. 49: Flowchart. 4901: Receive/install managed apps on mobile device. 4903: Receive/install policy file(s) on mobile device. 4905: Execute managed app in accordance with policy file(s). 4907: Only allow data sharing between managed apps.]

[FIG. 45: Flowchart (decision step not legible in the scan). Device enrolls in MDM, includes one or more managed app + one or more unmanaged app. 4503: Initiate data export operation. 4507: Disallow data export operation. 4509: Allow data export operation.]

[FIG. 46: Flowchart (steps 4601 to 4605 not legible in the scan). 4607: Device app requests resource. 4609: Allow/disallow access to resource based on applicable policy.]

[FIG. 47: Flowchart. 4705: Receive request for updated policy information for an application from a policy agent. Decision: Policy updated? 4715: Notify policy agent that updates are not available. 4720: Provide policy update to policy agent.]

[FIG. 48: Flowchart. 4805: Receive a policy change for an application. 4810: Determine that the application is present on device(s). 4815: Provide policy change to device(s). End.]

[FIG. 50: Flowchart. 5001: Receive/install managed app on mobile device. 5003: Receive/install policy file(s) on mobile device. 5005: Execute managed app in accordance with policy file(s). 5007: Policy file acts to restrict application-specific feature.]

[FIG. 51: Flowchart. Receive/install managed secure browser app on mobile device. 5103: Receive/install policy file(s) on mobile device. 5105: Execute managed secure browser app in accordance with policy file(s). 5107: Policy file acts to restrict application-specific feature.]

[FIG. 52: Flowchart. 5201: Receive/install managed PIM app on mobile device. 5203: Receive/install policy file(s) on mobile device. 5205: Execute managed PIM app in accordance with policy file(s). Policy file acts to restrict application-specific feature.]

[FIG. 53: Flowchart. 5301: Receive/install managed client agent app on mobile device. 5303: Receive/install policy file(s) on mobile device. 5305: Execute managed client agent app in accordance with policy file(s). 5307: Policy file acts to restrict application-specific feature.]

[FIG. 54: Flowchart. 5401: Receive/install managed app on mobile device. 5403: Receive/install policy file(s) on mobile device. Execute managed app in accordance with policy file(s). 5407: Policy file acts to restrict access to enterprise data storage.]

[FIG. 55: Flowchart. 5501: Receive/install managed app on mobile device. 5503: Receive/install policy file(s) on mobile device. 5505: Execute managed app in one of multiple operation modes. 5507: Select policy file(s) based on operation mode.]

[FIG. 56: Flowchart. Receive/install managed app on mobile device. 5603: Receive/install policy file(s) on mobile device. 5605: Execute managed app in accordance with policy file(s). 5607: Policy file acts to enable/disable SSO.]

POLICY-BASED APPLICATION MANAGEMENT

CROSS-REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation of Ser. No. 14/043,902, filed Oct. 2, 2013, entitled “Policy Based Application Management,” which in turn claims priority to: provisional application 61/861,736, filed Aug. 2, 2013, entitled “Policy-Based Application Management”; provisional application 61/806,577, filed Mar. 29, 2013, and entitled “Systems and Methods for Enterprise Mobility Management”; provisional application 61/714,469, filed Oct. 16, 2012, entitled “Policy-Based Control of a Managed Application Derived from an Unmanaged Application”; provisional application 61/713,762, filed Oct. 15, 2012, entitled “Conveying Data Between Secure Applications Running on an Electronic Mobile Device”; provisional application 61/713,718, filed Oct. 15, 2012, entitled “Secure Data Sharing Among Managed Applications”; non-provisional application Ser. No. 13/649,076, filed Oct. 10, 2012, entitled “Gateway for Controlling Mobile Device Access to Enterprise Resources” (which in turn claims priority to provisional application 61/546,021, filed Oct. 11, 2011, entitled “Systems and Methods for Management of Enterprise Mobile Devices”; provisional application 61/546,922, filed Oct. 13, 2011, entitled “Systems and Methods for Management of Enterprise Mobile Devices”; and provisional application 61/649,134, filed May 18, 2012, entitled “Mobile Device Management and Security”; and provisional application 61/702,671, filed Sep. 18, 2012, entitled “Mobile Device Management and Security”); provisional application 61/713,763, filed Oct. 15, 2012, entitled “Per-Application Policy Controlled Access to Computerized Resources”; provisional application 61/714,293, filed Oct. 16, 2012, entitled “Managing Encrypted File Vaults for Managed Applications on Unmanaged Mobile Device”; non-provisional application Ser. No. 13/886,889, filed May 3, 2013, entitled “Application with Multiple Operation Modes”; provisional application 61/713,554, filed Oct. 14, 2012, entitled “Automated Meeting Room”; provisional application 61/712,948, filed Oct. 12, 2012, entitled “Frictionless Distributive Collaborative Work Across Time and Space”; provisional application 61/712,953, filed Oct. 12, 2012, entitled “Mobile Work and Micro Work Using an Activity Interface”; provisional application 61/712,956, filed Oct. 12, 2012, entitled “Multi-Device Interaction”; provisional application 61/712,962, filed Oct. 12, 2012, entitled “Orchestration Framework for Connected Devices”; and non-provisional application Ser. No. 13/886,765, filed May 3, 2013, entitled “Mobile Device Locking with Context.” Each of the aforementioned application(s) is herein incorporated by reference in its entirety for all purposes.

FIELD

[0002] Aspects described herein generally relate to mobile computing devices. More specifically, aspects described herein relate to techniques for imposing control over managed applications executing on mobile computing devices.

BACKGROUND

[0003] Some enterprises (e.g., corporations, partnerships, governments, academic institutions, other organizations, etc.) maintain enterprise computer networks that allow enterprise users, such as employees, access to enterprise resources, such as hardware and software applications for email, customer relationship management (CRM), document management, enterprise resource planning (ERP), and the like, as well as other data controlled by the enterprise. Enterprises sometimes allow remote access, such as when enterprise users are not in the enterprise network. Also, some enterprises allow users to access the enterprise network via mobile devices, such as smartphones, tablet computers, PDAs (personal digital assistant), and the like. Enterprises typically deploy enterprise mobility management (EMM) solutions to assist in the management and control of remote access to enterprise resources. EMM solutions have traditionally taken the approach of managing entire mobile devices through what are known as mobile device management (MDM) approaches. In preexisting EMM solutions, enterprises typically issue mobile devices to employees, which are intended exclusively for business use, and the enterprise maintains control over the mobile devices and all of its applications and data. A recent trend is to allow employees to use their own mobile device(s) for work purposes (a scenario known as BYOD, bring your own device). However, BYOD scenarios pose inherent security risks, because there is neither uniform nor universal control over each device.

SUMMARY

[0004] The following presents a simplified summary of various aspects described herein. This summary is not an extensive overview, and is not intended to identify key or critical elements or to delineate the scope of the claims. The following summary merely presents some concepts in a simplified form as an introductory prelude to the more detailed description provided below.

[0005] To overcome limitations in the prior art described above, and to overcome other limitations that will be apparent upon reading and understanding the present specification, aspects described herein are directed towards mobile applications operating under the control of one or more independent policy files defining one or more security, feature and/or resource limitations. Each application may execute in accordance with its corresponding set of policy files, optionally received separate from the application and which define one or more security parameters, features, resource restrictions, and/or other access controls that are enforced by a mobile device management system when that application is executing on the device. By operating in accordance with its respective policy file(s), each application may be allowed or restricted from communications with one or more other applications and/or resources. Policy files may define acceptable behavior, e.g., based on user credentials, user role, geographic location, network location, location types, enterprise mobile management (EMM) information, and/or any other information accessible or determinable by the operating device.

[0006] These and additional aspects will be appreciated with the benefit of the disclosures discussed in further detail below.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] A more complete understanding of aspects described herein and the advantages thereof may be acquired by referring to the following description in consideration of the accompanying drawings, in which like reference numbers indicate like features, and wherein:

[0008] FIG. 1 depicts an illustrative computer system architecture that may be used in accordance with one or more illustrative aspects described herein.
[0009] FIG. 2 depicts an illustrative cloud-based system architecture that may be used in accordance with one or more illustrative aspects described herein.
[0010] FIG. 3 depicts an illustrative enterprise mobility management system.
[0011] FIG. 4 depicts another illustrative enterprise mobility management system.
[0012] FIG. 5 depicts a process flow according to illustrative aspects described herein.
[0013] FIG. 6 depicts a device according to illustrative aspects described herein.
[0014] FIG. 7 depicts a data flow according to illustrative aspects described herein.
[0015] FIG. 8 depicts a system architecture according to illustrative aspects described herein.
[0016] FIG. 9 depicts a system architecture according to illustrative aspects described herein.
[0017] FIG. 10 depicts a system architecture according to illustrative aspects described herein.
[0018] FIG. 11 depicts a system architecture according to illustrative aspects described herein.
[0019] FIG. 12 depicts a system architecture according to illustrative aspects described herein.
[0020] FIG. 13 depicts a system architecture according to illustrative aspects described herein.
[0021] FIG. 14 depicts an illustrative method for performing policy based app management according to illustrative aspects described herein.
[0022] FIG. 15 depicts an illustrative method for performing policy based app management according to illustrative aspects described herein.
[0023] FIG. 16 depicts a device according to illustrative aspects described herein.
[0024] FIG. 17 depicts a device according to illustrative aspects described herein.
[0025] FIG. 18 depicts a device according to illustrative aspects described herein.
[0026] FIG. 19 depicts a process flow according to illustrative aspects described herein.
[0027] FIG. 20 depicts a process flow according to illustrative aspects described herein.
[0028] FIG. 21 depicts a system according to illustrative aspects described herein.
[0029] FIG. 22 depicts a device according to illustrative aspects described herein.
[0030] FIG. 23 depicts a process flow according to illustrative aspects described herein.
[0031] FIG. 24 depicts a device according to illustrative aspects described herein.
[0032] FIG. 25 depicts a system according to illustrative aspects described herein.
[0033] FIG. 26 depicts a system according to illustrative aspects described herein.
[0034] FIG. 27 depicts a process flow according to illustrative aspects described herein.
[0035] FIG. 28 depicts a system according to illustrative aspects described herein.
[0036] FIGS. 29A and 29B depict systems according to illustrative aspects described herein.
[0037] FIG. 30 depicts an illustrative method for performing policy based app management according to illustrative aspects
