• 专利附录
  • 专利说明
  • 权利要求
  • 类似技术
  • 同族专利
  • 引用文献
  • 法律状态
  • 优先权
    • 专利摘要:
    limiting applications and company settings on devices. the present invention relates to installing applications and adjusting the configuration on a device. a method includes receiving user input. user input indicates a level of control that a user is willing to give a company over the device. the method also includes determining, based on the level of control indicated by the user input, a set of applications allowed to install on the device. the set of applications allowed to install on the device is limited by the level of control indicated by the user. the method also includes authorizing the installation of the suite of applications on the device while restricting the installation of other applications that would be authorized if the user selected a different level of control that the user is willing to give the company over the device.
    公开号:BR112015019610A2
    申请号:R112015019610-1
    申请日:2014-03-03
    公开日:2020-10-13
    发明作者:Hassen Karaa;Michael Healy;Brett D. A. Flegg;Gaurav Dhawan;Jeffrey Sutherland
    申请人:Microsoft Technology Licensing, Llc;
    IPC主号:
    专利说明:

    [0001] [0001] Computers and computing systems have affected virtually all aspects of modern life. Computers are generally involved in work, recreation, healthcare, transportation, entertainment, home management, etc.
    [0002] [0002] In addition, the computing system's functionality can be improved by the ability of computing systems to be interconnected to other computing systems through network connections. Network connections can include, but are not limited to, wired or wireless Ethernet connections, cellular connections, or even computer-to-computer connections via serial, parallel, USB, or other connections. Connections allow a computer system to access services on other computer systems and quickly and efficiently receive application data from other computer systems.
    [0003] [0003] Current networks have allowed many new and different types of devices to be networked. One of the biggest trends in IT in recent years has been the push towards "IT consumerization," which is a term that describes how consumer technology, from phones to PCs, is infiltrating organizations. in all forms and modes. And increasingly, the devices that are appearing are the property and responsibility of the employee rather than the organization for which he works. This is seen most notably in the smartphone device category, but more recently also in tablets or other portable device form factors that are increasingly appearing.
    [0004] [0004] The device can be stolen or the device can host a mobile application that turns out to be Trojan horses that collects saved passwords or records keystrokes and other data. Thus, there may be a desire to control which data and applications can be stored on the device. However, since the device can be used for personal purposes, and not just business purposes, there may also be some desire on the part of the user to have personal data and applications not under the company's control. Previous solutions either have a very heavy hand with management and take complete control over users' devices or are so light in management and security that they allow almost unrestricted access by a user to company resources using their devices.
    [0005] [0005] The subject claimed here is not limited to modalities that resolve any disadvantages or that operate only in environments such as those described above. Instead, this predecessor is only provided to illustrate an area of exemplary technology where some of the modalities described here can be practiced. BRIEF SUMMARY
    [0006] [0006] A modality illustrated here includes a method of installing applications and adjusting a configuration on a device. The method includes receiving user input. User input indicates a level of control that a user is willing to give a company over a device. The method also includes determining, based on the level of control indicated by the user, a set of applications allowed to install on the device. The set of applications allowed to install on the device is limited by the level of control indicated by the user. The method also includes authorizing the installation of the set of applications on the device while restricting the installation of other applications that would be authorized if the user selected a different level of control that the user is willing to give the company over the device.
    [0007] [0007] This Summary is provided to introduce a selection of concepts in a simplified form which are further described below in the Detailed Description. This Summary is not intended to identify the key features or essential features of the claimed subject, nor is it intended to be used as an aid in determining the scope of the claimed subject.
    [0008] [0008] Additional features and advantages will be presented in the description which follows, and in part will be obvious from the description, or can be learned by practicing the teachings here. The characteristics and advantages of the invention can be realized and obtained by means of the instruments and combinations specifically highlighted in the appended claims. The characteristics of the present invention from the following description and the appended claims, or can be learned from the practice of the invention as presented hereinafter. BRIEF DESCRIPTION OF THE DRAWINGS
    [0009] [0009] In order to describe the way in which the above recited and other advantages and characteristics can be obtained, a more specific description of the subject briefly described above will be presented by reference to specific modalities which are illustrated in the attached drawings . Understanding that these drawings have only typical modalities and, therefore, they should not be considered limiting in scope, the modalities will be described and explained with specificity and additional details through the use of accompanying drawings in which:
    [0010] [0010] Figure 1 illustrates an environment that includes a company network and a device connected to the company network;
    [0011] [0011] Figure 2 illustrates a user interface for authenticating a user to a company network;
    [0012] [0012] Figure 3 illustrates a user interface for a user to select company applications to install on a device;
    [0013] [0013] Figure 4 illustrates a message flow for installing company applications on a device;
    [0014] [0014] Figure 5 illustrates a method for installing applications on a device; and
    [0015] [0015] Figure 6 illustrates a method of installing applications and adjusting the configuration on a device. DETAILED DESCRIPTION
    [0016] [0016] The modalities described here include a functionality to manage devices, which in some modalities can be personal property devices that are used in a company environment. Specifically, a device may be generally controlled by a user and not the company, but it may still be able to be used in the company environment with appropriate control over the device. Specifically, the company can exercise control over certain aspects of the device, while allowing the user to control other aspects of the device without company interference or intrusion. This management proposal harmonizes meeting the company's security needs while maintaining user control over the device and minimizing any impact on device performance. The modalities resolve how to provide a configuration and software that users need in the context of the company, such as applications and data access on any device, with sufficient IT control to assure that the device is reliable, while avoiding compromise. user privacy on your device.
    [0017] [0017] Several modalities can exhibit several aspects. For example, modalities can implement an engagement experience where a user can pass through an embedded OS component to connect to the company's work environment. Alternatively or in addition, the modalities may display a limited amount of inventory collection that is sufficient to assess the security of the device but not sufficient to take control of the device and intrude on the user's privacy. Alternatively or in addition, modalities can display performance-aware application distribution on demand where a notification service is used to initiate application installation. Alternatively or in addition, the modalities may display disconnecting from a company that blocks all applications and / or reinitializes the adjustments obtained from the company. COMPANY DEVICE MANAGEMENT
    [0018] [0018] With more and more people providing their own hardware for work, "bring your own device" (BYOD) is becoming more common and IT Pros want to have the confidence that they can support their customers who follow this trend. The presence of BYOD does not change the need for IT Pros to manage, secure, and remain responsible for an organization's network properties. Written policies are often ineffective in enforcing company policies.
    [0019] [0019] The modalities illustrated here may include a functionality to manage a personal property device in a company providing the settings and software that users need, such as applications and data access with any device,
    [0020] [0020] Referring now to Figure 1, a device 102 is illustrated. Device 102 can be a computing device such as a cell phone, pda, tablet, laptop, or other device that a user can choose to connect to a corporate environment network
    [0021] [0021] The management solution has two parts installed per client: the system management component, which can be referred to as an agent 104; and a user interface, which can be referred to as a self-service portal, or SSP 112, which the device user uses to browse and install the LOB applications developed for them. SSP 112 can be implemented in a number of different ways such as an application on device 102, a page / web service that runs in the user's browser on device 102, or another interface. Notably, a request to install an application for the user of device 102 does not have to originate from device 102. In some embodiments, this can be done from another machine. In the illustrated example, however, both portions of the management solution installed on the client can
    [0022] [0022] Agent 104 does most of the heavy lifting on client device 102. This configures client device 102 to communicate with the organization's management infrastructure 108; periodically, or by some trigger of the management infrastructure 108, synchronizes with the management infrastructure 108 to check for any updated LOB applications and apply the last adjustment policies configured by IT for device 102; and performs the actual download and installation of any LOB applications that the user wants to install. Finally, if the user or administrator chooses to remove device 102 from management infrastructure 108, it erases the configuration of agent 104 itself or disables, or securely deletes, any LOB applications that the user has installed from the SSP 112.
    [0023] [0023] The following now illustrates additional details regarding the connection of client device 102 to management infrastructure 108. In some embodiments, connecting a client device 102 to management infrastructure 108 begins by specifying an IT administrator the user group, such as, for example, a group of Active Directory & (AD) domain users (available from Microsoft & Corporation of Redmond Washington) who are authorized to connect devices 102 to the 110 company network. The administrator also has the option of specifying the maximum number of devices allowed per user or other restrictions related to the user engagement policy. For example, other user engagement policy considerations may specify that the user can only engage when on a specific network, with authentication.
    [0024] [0024] Once agent 104 has found the correct address, it establishes a secure connection with the management infrastructure 108 and authenticates the user. If the user has been successfully authenticated and has been authorized by the administrator to connect the devices (for example, device 102), company network 110 issues the correct commands to configure agent 104 for its continued communications with the management infrastructure 108. Once complete, the user is directed to install SSP 112 while agent 104 completes the connection at the bottom. Alternatively, SSP 112 could be installed automatically by the management infrastructure at the time of engagement. Although in the illustrated example, a user has been authenticated to the management infrastructure 108, in alternative or additional modalities, the device itself can be authenticated to the management infrastructure. For example, device 102 could be redirected to a management service which would allow the device to be engaged in the company's name.
    [0025] [0025] Next, agent 104 automatically starts a section with the management infrastructure 108, using the adjustments it has already obtained. This section and any subsequent sections can be performed over a secure connection. This initial section completes the registration of device 102 with company network 110 providing some basic device information such as the manufacturer and model of device 102, the version of the device's operating system.
    [0026] [0026] Following the initial section, agent 104 initiates a communication with the management infrastructure 108 in two circumstances:
    [0027] [0027] First, according to a maintenance task that runs on a pre-set schedule, or from management infrastructure triggers or other triggers, that do not impact the user experience. The activities performed during these maintenance sections focus on reporting updated hardware information to the management infrastructure 108, applying changes to the adjustment policies for device 102, reporting back compliance to management infrastructure 108, and applying application updates to LOB applications, or retrying any previously failed LOB application installations started from SSP 112.
    [0028] [0028] Secondly, agent 104 will communicate with management infrastructure 108 anytime the user initiates an application installation of SSP 112. In some modalities, these user-initiated sections are only focused on application installation and do not perform the maintenance and management activities described in the first case.
    [0029] [0029] Regardless of whether a section is started automatically by a scheduled maintenance task or manually by the user, client device 102 continues to behave well in relation to the battery status on the device and its current network conditions. ADJUSTMENT POLICY MANAGEMENT
    [0030] [0030] As already discussed, access to LOB applications typically requires that systems comply with basic security and data protection policies. From the management infrastructure 108, the IT administrator is able to configure a set of policies that the IT administrator believes are important to provide IT with the guarantees they need without seriously affecting the user's experience with their device. Specifically, administrators can enforce password policies and shut down certain peripherals.
    [0031] [0031] In addition to the configurable policies described above, agent 104 can also be used to automatically configure other settings such as network settings, VPN configuration, WiFi settings, etc., so that managed device 102 can easily - connect to a company network 110. Finally, agent 104 can also monitor and report device 102 accordingly with a set of policies.
    [0032] [0032] By leveraging this compliance information, IT administrators can more effectively control access to corporate resources on the 110 company network if a device is determined to be a risk. Once again, the user's basic experience with the device is left intact and their personal privacy is maintained.
    [0033] [0033] In some modalities, the policies that may be imposed by the company or other third parties may be configurable by the user of the device 102. For example, a user may be willing to accept some policies while refusing to accept other policies that the company would like to impose. Thus, a user can accept a level of control that the user is willing to give a company over the device. This level of control indicated by the user of device 102 can affect which settings the company will automatically configure on device 102 and which applications the company is willing to allow to be installed on device 102.
    [0034] [0034] For example, if a user is unwilling to accept all policies that the company would like to enforce, then device 102 may only be allowed to install a limited set of applications on the device while being restricted from installing others. - assets on the device. Illustratively, SSP 112 can provide a user interface that allows a user to select the policies that the user is willing to accept. For example, the user interface can provide a list of policies with a set of checkboxes from which the user can select, by checking the checkboxes, which policies the user is willing to impose on device 102. Alternatively, a wizard interface or another interface can be employed to obtain information about which policies the user is willing to have imposed on the device 102.
    [0035] [0035] Policies that the user can select may include, for example, restrictions on the device. For example, such restrictions may include items such as requiring a password on the device, requiring certain applications or software to be installed on the device, requiring certain adjustments on the device, limiting the device for use with certain types or certain networks, etc. .
    [0036] [0036] Alternatively or in addition, policies that the user can select may include policies relating to data access control on device 102. For example, the user may indicate that the company is able to completely lock the device, delete all data on the device, restore the device to factory settings, erase all company data on the device, erase data associated with certain applications on the device (such as company applications, mail applications, etc.) etc. LOB APPLICATION MANAGEMENT
    [0037] [0037] The previous discussion focused on the mechanics of client device 102 and management infrastructure 108 along with the needs of the IT administrator. However, an important aspect of the above is the benefit that can be provided to the end user by allowing access to their LOB applications.
    [0038] [0038] There are several different categories and types of applications that TI can publish for users on SSP 112. For example, TI can publish: internally developed applications, developed by the company; applications produced by independent software vendors that are licensed to the organization for internal distribution; launching web connections, websites and web-based applications directly in the browser; connections for listing applications in other application markets (this is a convenient way for IT to make users aware of useful commercial applications that are publicly available); etc.
    [0039] [0039] As the user specified their corporate credentials as part of the initial connection to the management infrastructure 108, as illustrated in Figure 2, the IT administrator can then specify which applications are published for each user in - individually. As a result, the user only sees those applications that are applicable to this SSP 112. Figure 3 illustrates an example of the SSP 112 user experience for a user navigating to LOB applications on SSP 112 for a fictional company called "Woodgrove ".
    [0040] [0040] Notably, the modalities can be implemented in a closed application market environment. In such an environment, the typical user scenario is that users are only allowed to install applications from a pre-approved set of applications available from an authorized market. For example, using Windows
    [0041] [0041] The modalities can be extended to allow applications that are of a style or format to be typically offered in a closed application market environment, but which are not generally offered in the closed application market environment despite of everything being "loaded sideways" in order to allow company-specific applications not offered on the closed market, despite everything being installed on device 102. For example, a WindowsO Phone would be able to install applications not offered on the market official application. Alternatively, a WindowsO 8 device would be able to install Windows Store Applications not available on the official application market.
    [0042] [0042] In some modalities, this, or allowing certain adjustments or management functions, can be achieved by installing a side loading key 114 in device 102 which, as long as side loading key 114 is valid, allows the provision - sitivo 102 laterally load applications 116 from a content server 118 of the management infrastructure, where applications 116 are not generally offered in the closed application market 120,
    [0043] [0043] However, while applications 116 that can be installed using the side loading key 114 are not generally offered in the closed application market 120, in some modalities, applications 116 must still be validated and authorized. to be installed on the device by a central authority. For example, the same central authority that validates and authorizes the applications provided in the closed application market 120 can validate and authorize applications intended to be loaded laterally on device 102, provided that device 102 has a loading key. side 114 (or other indication that the device is authorized to load applications laterally).
    [0044] [0044] The side loading key 114 can be obtained in a number of different ways. For example, in some modalities, the side loading key 114 can be purchased from the closed application market 120. In other modalities, the key may be purchased by a central authority company. In some embodiments, a single side loading key 114 may be valid for a specific number of installations on the devices. For example, the side loading switch may be able to be installed on multiple different devices at any given time
    [0045] [0045] In some modalities, when the user chooses to install an SSP 112 application, the request is sent to management infrastructure 108 and a download connection is provided to agent 104. Agent 104 then downloads application, check the validity of the content, verify the signature, and install the application. All of this typically occurs within seconds and is generally invisible to the user. In the event that an error occurs during any part of this process (for example, the location of the content is unavailable), agent 104 queues the application for a retry during its next regularly scheduled maintenance section. In any case, agent 104 reports the state of the facility back to management infrastructure 108. Figure 4 details this interaction.
    [0046] [0046] Specifically, Figure 4 illustrates in 402 that SSP 112 obtains a targeted list of applications from management service 128 in management infrastructure 108. Management service 128, as illustrated in 404, in management infrastructure 108 sends a list of applications back to SSP 112 where the list of applications includes an enumeration of applications available to be installed by device 102. As illustrated in 406, user 126 interacts with SSP 112 and requests installation of an app. As illustrated in 408, SSP 112 requests that the application requested by the user be installed by management server 128. As illustrated in 410, management service 128 confirms the request. As illustrated in 412, SSP 112 signals agent 104 indicating to the agent that the application selected by user 126 must be installed. As illustrated in 414, agent 104 confirms signaling for SSP 112. As illustrated in 416, agent 104 requests application details and confirms the installation request by user 126 for management service 128. As illustrated in 418, the management service confirms application requests for agent 104. As illustrated in 420, agent 104 requests the application content of content service 118 in management infrastructure 108. As illustrated in 422 , content service 118 returns application content to agent 104 on device 102. As illustrated in 424, agent 104 communicates with a package manager 130 on device 102 indicating that the application must be added for user 126. As illustrated in 426, package manager 130 indicates that the application installation is complete. As illustrated in 428, agent 104 informs management service 128 that the application has been installed. As illustrated in 430, the management service 128 confirms for agent 104 that the installation of the application selected by the user has been recorded.
    [0047] [0047] In some alternative modalities, the closed application market itself 120 may have certain application offers available that are only available for devices with a side loading key installed on device 102. For example, the application market closed 120 could provide a set of applications 122 generally for devices, but provide additional applications 124 for installation for devices based on side load switches installed on the devices. The additional applications available for installation may be dependent on which side loading key is installed on the device. Thus, the closed application market 120 could maintain a set of applications, on behalf of the company, for installation on devices authorized by the company.
    [0048] [0048] As part of its regular maintenance sections, agent 104 will take an inventory of which LOB applications are currently installed and report this information back to management infrastructure 108 so that the IT administrator can effectively manage your LOB applications. In some embodiments, only applications that have been installed using SSP 112 and client device 102 are included in this device inventory. In some modalities, generally available applications installed from a closed application market are not reported as part of the inventory. In some embodiments, agent 104 may be restricted to only be able to inventory company applications 116 and not be able to inventory applications 122 on device 102 that the user installs.
    [0049] [0049] Any time the IT administrator publishes an update for an application that was installed on a device authorized by company 102, agent 104 will automatically download and install the update during its next regular maintenance section . Alternatively, during a regular maintenance window, the management infrastructure 108 can detect that an update is available and applicable, and as a result, notifies the user.
    [0050] [0050] Details are now illustrated on how to disconnect a device from the management infrastructure 108. The disconnection can be initiated either locally by the user or remotely by the user or the IT administrator. Users can choose to disconnect for any number of reasons, including leaving the company or obtaining a new device and no longer having to access their LOB applications from the old device. Administrators can choose to disconnect a device from the user after they leave the company or because the device is regularly failing to comply with the organization's security settings policy. In another alternative embodiment, the company can automatically disconnect a user device 102 if the device has not connected to the company network 110 for a given period of time.
    [0051] [0051] During disconnection, agent 104 performs a number of actions (and / or ceases to perform a number of actions). For example, agent 104 removes access to all applications that the user has obtained from the company. In some embodiments, agent 104 may block access to applications 116 or may completely remove applications 116 from device 102. Agent 104 ceases to impose
    [0052] [0052] The following discussion now refers to a number of methods and method acts that can be performed. Although acts of method can be discussed in a certain order or illustrated in a flowchart as occurring in a specific order, no specific ordering required unless specifically stated or required because an act is dependent on another act being completed earlier the act is executed.
    [0053] [0053] Referring now to Figure 5, a method 500 is illustrated. Method 500 includes acts for installing applications on a device. the device is generally configured to be used in a closed market environment that only allows applications available from the closed market to be installed. Method 500 includes determining that the device has been authorized to install applications outside a set of applications generally available on the closed market and a set of applications available only to users of a specific company (act 502). For example, method 500 can be executed where determining that the device has been authorized to install the applications outside of a set of applications generally available on the closed market comprises determining that a side load switch has been installed on the device. Such an example is illustrated in Figure 1 using the side loading key 114 with device 102.
    [0054] [0054] Method 500 further includes determining that an application, which is not generally available from the closed market, has been verified by a central authority (act 504). The 500 method can be practiced where determining that an application that is not generally available on the closed market has been verified by a central authority includes determining that the application has been verified by a central authority responsible for the closed market. For example, if Micro-soft & runs a closed market, but the application is not provided by the closed market run by Microsoft & Corporation, Microsoft & Corporation could nevertheless verify the application. For example, as illustrated in Figure 1, the entity responsible for maintaining market 120 and verifying applications 122 can also verify applications 116 despite the fact that applications 116 are not offered in market 120. Thus applications 116 available from the corporate network 110 nevertheless have a chain of authority for a central authority.
    [0055] [0055] Method 500 still includes installing the application on the device despite the fact that the device is generally configured to be used in a closed market environment (at 506).
    [0056] [0056] Method 500 may also include providing a user interface for a user to allow a user to select the application among the set of applications available for devices authorized to connect in the specific company; receive user input by selecting the application; notify a service that the user has selected the application; receive a notification from the service that the application is available to be installed; and where installing the app on the device runs in a mode that minimizes disruption to the device. Examples of this functionality are illustrated in Figures 3 and 4. Specifically, Figure 3 illustrates a user interface that can be presented to a user to allow a user to select applications for installation. Figure 4 illustrates an example of communication between various entities to allow a user to indicate which applications the user would like to install in the process to install the applications. In some such modalities, the application can be installed when the device determines that it has sufficient free resources to install the application without a serious impact on the device's user experience.
    [0057] [0057] Method 500 may also include maintaining an enumeration of applications from the application set available only to users of a specific company that has been installed on the device. Specifically, a manifest can be kept on device 102 and agent 104 which lists the various applications that have been installed on device 102. This can be used to report to a central company authority information about which applications are installed on the device 102.
    [0058] [0058] Method 500 may also include providing a report to a company administrator. The report can include an enumeration of all applications in the application set available only to users from a specific company that were installed on the device without identifying other applications that were installed on the device in the report. For example, the report can identify any of the applications 116 that were installed on device 102, but it will not identify any applications selected from the set of applications 122 that were installed on device 102.
    [0059] [0059] Method 500 also includes several acts to remove device 102 from company network 110. For example, method 500 may include disallowing the device so that the device can no longer install applications from the set of devices. applications available only to users of a specific company; disable or delete any applications within the set of available applications
    [0060] [0060] Referring now to Figure 6, a method 600 is illustrated. Method 600 includes acts for installing applications and adjusting the configuration on a device. Method 600 includes receiving user input from a user of a device, user input indicating a level of control the user is willing to give a company over the device (act 602). Method 600 can be practiced where user input comprises a user indicating that the company can impose one or more restrictions on the device. For example, one or more restrictions may include one or more of requiring a password, requiring certain applications to be installed on the device, limiting the device's access to certain networks or the like. Alternatively or in addition, method 600 can be practiced where user input comprises a user indicating that the company can control data access on the device. For example, user input may indicate that the company can perform one or more of the device lock, erase all user data on the device, restore the device to factory settings, erase all company data on the device, erase data associated with certain applications on the device, or similar. The 600 method can be practiced where user input comprises a user selecting a plurality of items from a predetermined list, such as a checkbox list, which the user is willing to let the company control or restrict on the device.
    [0061] [0061] Method 600 also includes determining, based on the level of control indicated by the user, a set of applications that the user is allowed to install on the device (act 604). The set of applications that the user is allowed to install on the device is limited by the level of control indicated by the user.
    [0062] [0062] Method 600 further includes authorizing the device to install the suite of applications while restricting the device from installing other applications that would be authorized if the user selected a different level of control that the user is willing to give the company over the device (act 606). For example, a device, such as device 102, may be allowed to install some applications, but not other applications based on the user setting and the level of control the user is willing to allow the company to have over device 102. In some modalities, method 600 can be practiced where the device is generally configured to be used in a closed market environment that only generally allows applications available from the closed market to be installed on the device, but the device is authorized to install applications outside the set of applications generally available in the closed market and where the set of applications is available only to users of the specific company.
    [0063] [0063] Still, the methods can be practiced by a computer system that includes one or more processors and a computer-readable medium such as a computer memory. Specifically, computer memory can store instructions executed
    [0064] [0064] The embodiments of the present invention may comprise or use a special-purpose or general-purpose computer that includes computer hardware, as discussed in more detail below. The modalities within the scope of the present invention also include a physical computer-readable medium and another for executing or storing executable instructions by computer and / or data structures. Such a computer-readable medium can be any available medium that can be accessed by a general purpose or special use computer system. The computer-readable medium that stores computer-executable instructions is a physical storage medium. The computer-readable medium that loads the computer-executable instructions is a transmission medium. Thus, as an example, and not a limitation, the modalities of the invention can comprise at least two distinctly different types of computer-readable media: physical computer-readable storage medium and computer-readable transmission medium.
    [0065] [0065] The physical computer-readable storage medium includes RAM, ROM, EEPROM, CD-ROM or other optical disc storage (such as CDs, DVDs, etc.), magnetic disk storage or other storage devices. magnetic storage, or any other medium which can be used to store a desired program code medium in the form of instructions executable by computer or data structures and which can be accessed by a general purpose or special use computer.
    [0066] [0066] A "network" is defined as one or more data connections that allow the transport of electronic data between computer systems and / or modules and / or other electronic devices.
    [0067] [0067] Also, when reaching various computer system components, the program code medium in the form of instructions executable by computer or data structures can be transferred automatically from the computer-readable medium of transmission to the storage medium legible by physical computer (or vice versa). For example, instructions executable by computer or data structures received over a network or data connection can be stored in RAM inside a network interface module (for example, a "NIC"), and then eventually transferred to computer system RAM and / or less volatile computer-readable physical storage medium in a computer system. Thus, computer-readable physical storage media can be included in computer system components that also (or even primarily) use the transmission medium.
    [0068] [0068] The instructions executable by computer comprise, for example, the instructions and data which make a general purpose computer special use computer, or special use processing device perform a certain function or group of functions. Computer executable instructions can be, for example, binary, intermediate format instructions such as Assembly language, or even source code. Although the subject has been described in a specific language with structural features and / or methodological acts, it must be understood that the subject defined in the attached claims is not necessarily limited to the characteristics or acts described above. Instead, the characteristics and acts described are presented as exemplary ways of implementing the claims.
    [0069] [0069] Those skilled in the art will appreciate that the invention can be practiced in network computing environments with many types of computer system configurations, including, personal computers, desktop computers, laptop computers, message processors , portable devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, mobile phones, PDAs, pagers, routers, switches, and the like. The invention can also be practiced in distributed system environments where local and remote computer systems, which are connected (either by wired data connections, wireless data connections, or by a combination of wired and wireless data connections) over a network, both perform tasks. In a distributed system environment, program modules can be located on memory storage slides, both local and remote.
    [0070] [0070] Alternatively, or in addition, the functionality described here can be performed, at least in part, by one or more logical hardware components. For example, and without limitation, illustrative types of logical hardware components that can be used include Field Programmable Port Networks (FPGAs), Program Specific Integrated Circuits (ASICs),
    [0071] [0071] The present invention can be incorporated in other specific ways without departing from its spirit or characteristics. The described modalities should be considered in all aspects only as illustrative and not restrictive. The scope of the invention is therefore indicated by the appended claims instead of the description above. Any changes that come within the meaning and equivalence range of the claims must be covered within their scope.
    权利要求:
    Claims (21)
    [1]
    1. Method implemented by a computer system having a hardware processor and memory with computer executable instructions stored to provide applications to a device, the method characterized by the fact that it comprises: the computer system providing the device with a list of a plurality of restrictions associated with a level of control over the device that a device user is required to grant to a company administrator, including presenting a first data access control that the company administrator requires permission to perform on the device and a second control of data access that the company administrator requires permission to perform on the device; the computer system receiving, from the device user, selections from the plurality of restrictions, including a first user selection on the device that gives the company administrator permission to perform the first data access control on the device and a second user selection on the device that denies the company administrator permission to perform the second data access control on the device; the computing system determining, based on user selections, a first set of one or more applications that are allowed to be installed on the device, in which the first set of one or more applications that are allowed to be installed on device is a filtered set of apps that includes one or more first apps that are allowed to be installed on the device based on the user having given the administrator permission to perform the first data access control on the device, and that excludes a second set one or more applications that would be allowed to be installed on the device if the user had granted the company administrator permission to perform the second data access control on the device; and the computing system providing the device with a list of the first set of one or more subsequent applications to provide the device with a list of the plurality of restrictions and subsequent receipt of user selections.
    [2]
    2. Method, according to claim 1, characterized by the fact that the plurality of restrictions includes at least one inside requiring a password, requires that certain applications be installed on the device, limiting the device's access to certain networks, requiring that the device has encryption enabled, requires that it has an antivirus application installed, requires that the antivirus application is up to date, requires that the device meets a minimum operating system version, requires that a password on the device has a certain level complexity, require the password on the device to have certain history requirements, require the device hardware to be configured in a certain way, require a camera on the device to be disabled, or require that the Bluetooth on the device be disabled.
    [3]
    3. Method, according to claim 1, characterized by the fact that the first data access control comprises at least one among deleting all user data on the device, restoring the device to factory settings, deleting all data company data on the device, or erase data associated with certain applications on the device.
    [4]
    4, Method, according to claim 1, characterized by the fact that the device is generally configured to be used in a closed mark environment that only allows applications generally available from the closed market to be installed on the device, and in which the method still comprises authorizing the device
    to install applications outside the applications generally available in the closed market, including sending a company side loading key to the device.
    [5]
    5. Method, according to claim 4, characterized by the fact that it still comprises receiving a list of applications that are installed on the device, the list excluding any applications that are installed on the device and that were obtained by the device a from a closed market.
    [6]
    6. Method, according to claim 1, characterized by the fact that the first and second sets of one or more applications are selected from applications provided by a company, and are not generally available from a market closed which only allows applications generally available from the closed market to be installed on the device, but which have been verified by a central authority responsible for the closed market.
    [7]
    7. Method, according to claim 1, characterized by the fact that the first set of one or more applications is installable on the device only when the device has a first side loading key, and the second set of one or more applications are installable on the device only when the device has a second side loading key, the method further comprising providing only the first side loading key to the device based on user selections.
    [8]
    8. System for installing applications and configuring settings on a device, the system characterized by the fact that it comprises: one or more hardware processors; and one or more computer-readable media, in which the one or more computer-readable media comprise computer-executable instructions that are executable by one or more of the processors and that configure the system to perform at least the following:
    provide the device with a list of a plurality of restrictions associated with a level of control over the device that a device user is required to grant to a company administrator, including presenting a first data access control that the company administrator requires permission to perform on the device and a second data access control that the business administrator requires permission to perform on the device;
    receive from the device user, selections from the plurality of restrictions, including a first user selection on the device that grants the company administrator permission to perform the first data access control on the device and a second user selection on the device that denies the company administrator permission to perform the second data access control on the device;
    determine, based on user selections, a first set of one or more applications that are allowed to be installed on the device, where the first set of one or more applications that are allowed to be installed on the device is a con - along with filtered applications that includes one or more first applications that are allowed to be installed on the device based on the user having granted the administrator permission to perform the first data access control on the device, and which excludes a second set of one or more applications that would be allowed to be installed on the device if the user had granted the company administrator permission to perform the second data access control on the device; and providing the device with a list of the first set of one or more applications subsequent to providing the device with the list of the plurality of restrictions and subsequent to receiving user selections.
    [9]
    9. System, according to claim 8, characterized by the fact that the plurality of restrictions includes at least one inside requiring a password, requiring certain applications to be installed on the device, limiting the device's access to certain networks, require that the device has encryption enabled, require that it have an antivirus application installed, require that the antivirus application is up to date, require that the device meets a minimum version of the operating system, require that a password on the device have a certain level of complexity, requiring a password on the device has certain historical requirements, requiring the device hardware to be configured in a certain way, requiring a camera on the device to be disabled, or requiring Bluetooth on the device to be disabled.
    [10]
    10. System, according to claim 8, characterized by the fact that the first data access control comprises at least one among erasing all user data on the device, restoring the device to factory settings , erase all company data on the device, or erase data associated with certain applications on the device.
    [11]
    11. System according to claim 8, characterized by the fact that the device is generally configured to be used in a closed market environment that only allows applications generally available from the closed market to be installed on the device, and where computer executable instructions also configure the system to authorize the device to install applications outside of applications generally available from the closed market, including sending a company side loading key to the device.
    [12]
    12. System, according to claim 11, characterized by the fact that the executable instructions by computer also configure the system to receive a list of applications that are installed on the device, the list excluding any applications that are installed on the device and that were obtained by the device from a closed market.
    [13]
    13. System according to claim 8, characterized by the fact that the first and second sets of one or more applications are selected from applications provided by a company, and which are not generally available from a closed market which only allows applications generally available from the closed market to be installed on the device, but which have been verified by a central authority responsible for the closed market.
    [14]
    14. Method according to claim 8, characterized by the fact that the first set of one or more applications is installable on the device only when the device has a first side loading key, and the second set of one or more applications are installable on the device only when the device has a second side loading key, and the computer executable instructions also configure the system to provide only the first side loading key to the device based on selections user.
    [15]
    15. Computer program product characterized by the fact that it comprises one or more computer-readable hardware storage devices that comprise computer executable instructions that are executable by one or more processors of a computer system and that configure the computing system to perform at least the following: provide the device with a list of a plurality of responses
    constraints associated with a level of control over the device that a device user is required to grant to a company administrator, including presenting a first data access control that the administrator requires permission to perform on the device and a second control of data access that the company administrator requires permission to perform on the device; receive, from the device user, selections among the plurality of restrictions, including a first user selection on the device that grants the company administrator permission to perform the first data access control on the device and a second user selection on the device which denies the company administrator permission to perform the second data access control on the device; determine, based on user selections, a first set of one or more applications that are allowed to be installed on the device, where the first set of one or more applications that are allowed to be installed on the device is a filtered set of applications that includes one or more first applications that are allowed to be installed on the device based on the user having granted the administrator permission to perform the first data access control on the device, and which excludes a second set of one or more applications that would be allowed to be installed on the device if the user had granted the company administrator permission to perform the second data access control on the device; and providing the device with a list of the first set of one or more applications subsequent to providing the device with the list of the plurality of restrictions and subsequent to receiving user selections.
    [16]
    16. Computer program product according to claim 15, characterized by the fact that the plurality of restrictions includes at least one of them requiring a password, requiring certain applications to be installed on the device, or limiting the device's access to certain networks.
    [17]
    17. Computer program product, according to claim 15, characterized by the fact that the first data access control comprises at least one among erasing all user data on the device, restoring the device to factory settings , erase all company data on the device, or erase data associated with certain applications on the device.
    [18]
    18. Computer program product according to claim 15, characterized by the fact that the first and second sets of one or more applications are selected from applications provided by a company, and which are not generally available levels from a closed market that only allows applications generally available from the closed market to be installed on the device, but which have been verified by a central authority responsible for the closed market.
    [19]
    19. Computer program product according to claim 15, characterized by the fact that the device is generally configured to be used in a closed market environment that only allows applications generally available from the closed market to be installed on the device, and where computer executable instructions also configure the computing system to authorize the device to install applications outside the applications generally available in the closed market, including sending a company side loading key to the device .
    [20]
    20. Computer program product according to claim 15, characterized by the fact that the first set of one or more applications is installable on the device only when the device has a first side loading key, and in which the second set of one or more applications is installable on the device only when the device has a second side loading key, and the instructions executable by computer also configure the computing system to provide only the first side loading key to the device based on user selections.
    [21]
    21. Computer program product according to claim 15, characterized by the fact that the executable instructions by computer also configure the computing system to receive a list of applications that are installed on the device, the list excluding any applications that are installed on the device and that were obtained by the device from the closed market.
    1. Method of installing applications and adjusting the configuration on a device, the method characterized by understanding: receiving a user input, the user input indicating a level of control that a user wants to give a company over a device; determine, based on the level of control indicated by the user input, a set of applications allowed to install on the device, in which the set of applications allowed to install on the device is limited by the level of control indicated by the user; and authorize the installation of the set of applications on the device while restricting the installation of other applications that would be authorized if the user selected a different level of control that the user is willing to give the company over the device.
    2. Method according to claim 1, characterized by the fact that the user input comprises a user selecting a plurality of items from a predetermined list that the user is willing to let the company control or restrict on the device.
    3. Method according to claim 1, characterized by the fact that the user input comprises a user indicating that the company can impose one or more restrictions on the device.
    4. Method according to claim 3, characterized by the fact that one or more restrictions include one or more of requiring a password, requiring certain applications to be installed on the device, limiting the device's access to certain networks, requiring that encryption is turned on on the device, requires that an antivirus is installed, requires that the antivirus is updated, requires that the device meets a minimum OS version, requires that a password on the device has a certain level of complexity, requires that a password on the device has certain historical requirements, require that the device hardware be configured in a certain way, require that a camera on the device be disabled, or require that Bluetooth on the device be disabled.
    5. Method according to claim 1, characterized by the fact that the user input comprises a user indicating that the company can control data access on the device.
    6. Method according to claim 5, characterized by the fact that the user input indicates that the company can perform one or more of locking the device, erase all user data on the device, restore the device to settings of factory, erase all company data on the device, or erase data associated with certain applications on the device.
    7. Method according to claim 1, characterized by the fact that the device is generally configured to be used in a closed market environment that only allows applications generally available from the closed market to be installed on the device, but the device is authorized to install applications outside a set of applications generally available in the closed market and where the set of applications is available only to users of the specific company.
    类似技术:
    公开号 | 公开日 | 专利标题
    BR112015019610A2|2020-10-13|method implemented by computer system, system for installing applications and configuring settings on device and computer program product
    EP3130110B1|2018-02-14|Device policy manager
    US9444849B2|2016-09-13|Enforcing policy compliance on a device
    US9071518B2|2015-06-30|Rules based actions for mobile device management
    US8839375B2|2014-09-16|Managing distributed operating system physical resources
    WO2013039649A1|2013-03-21|Securing data usage in computing devices
    US10880175B2|2020-12-29|Developing security policies for deployment to mobile devices
    US9361083B2|2016-06-07|Enterprise management for devices
    WO2020081237A1|2020-04-23|Systems and methods for managing device privileges
    US20210211517A1|2021-07-08|Automatically Executing Responsive Actions Upon Detecting an Incomplete Account Lineage Chain
    US10848563B2|2020-11-24|On-device, application-specific compliance enforcement
    US11245704B2|2022-02-08|Automatically executing responsive actions based on a verification of an account lineage chain
    US11100232B1|2021-08-24|Systems and methods to automate networked device security response priority by user role detection
    同族专利:
    公开号 | 公开日
    WO2014137865A1|2014-09-12|
    CN105144186A|2015-12-09|
    ES2719442T3|2019-07-10|
    US9245128B2|2016-01-26|
    EP2965255A1|2016-01-13|
    US20140259178A1|2014-09-11|
    ES2872261T3|2021-11-02|
    US9805189B2|2017-10-31|
    EP2965255B1|2019-01-16|
    TW201447628A|2014-12-16|
    EP3490277B1|2021-04-21|
    US20160300055A1|2016-10-13|
    CN105144186B|2018-07-10|
    EP3490277A1|2019-05-29|
    引用文献:
    公开号 | 申请日 | 公开日 | 申请人 | 专利标题
    US7013461B2|2001-01-05|2006-03-14|International Business Machines Corporation|Systems and methods for service and role-based software distribution|
    WO2003083688A1|2002-03-22|2003-10-09|Sun Microsystems, Inc.|Mobile download system|
    US20040203681A1|2002-07-01|2004-10-14|Ross David J.|Application catalog on an application server for wireless devices|
    EP1540446A2|2002-08-27|2005-06-15|TD Security, Inc., dba Trust Digital, LLC|Enterprise-wide security system for computer devices|
    US20040103214A1|2002-11-22|2004-05-27|Sandeep Adwankar|Method, apparatus, and system for enterprise management of mobile and non-mobile terminals|
    JP2006516339A|2002-12-02|2006-06-29|エレメンタルセキュリティー|System and method for providing an enterprise-based computer security policy|
    US7409208B1|2003-07-02|2008-08-05|Cellco Partnership|Self-subscription to catalogs of mobile application software|
    US20050125525A1|2003-12-09|2005-06-09|International Business Machines|Method, system, and storage medium for providing intelligent distribution of software and files|
    US8285578B2|2004-01-21|2012-10-09|Hewlett-Packard Development Company, L.P.|Managing information technology infrastructure of an enterprise using a centralized logistics and management tool|
    US7289788B2|2004-05-26|2007-10-30|Avaya Technology Corp.|Mobile gateway for secure extension of enterprise services to mobile devices|
    US8924469B2|2008-06-05|2014-12-30|Headwater Partners I Llc|Enterprise access control and accounting allocation for access networks|
    US8229858B1|2004-09-30|2012-07-24|Avaya Inc.|Generation of enterprise-wide licenses in a customer environment|
    US7970386B2|2005-06-03|2011-06-28|Good Technology, Inc.|System and method for monitoring and maintaining a wireless device|
    US8321859B2|2005-12-22|2012-11-27|Alan Joshua Shapiro|Method and apparatus for dispensing on a data-storage medium customized content comprising selected assets|
    US8707385B2|2008-02-11|2014-04-22|Oracle International Corporation|Automated compliance policy enforcement in software systems|
    WO2009115921A2|2008-02-22|2009-09-24|Ipath Technologies Private Limited|Techniques for enterprise resource mobilization|
    US20100031249A1|2008-08-04|2010-02-04|International Business Machines Corporation|Method for policy based enforcement of business requirements for software install|
    CA2665939C|2008-10-08|2014-10-21|Research In Motion Limited|Mobile wireless communications device and system providing dynamic management of carrier applications and related methods|
    CA2664297C|2008-10-08|2014-06-03|Research In Motion Limited|Mobile wireless communications system providing downloading and installation of mobile device applications upon registration and related methods|
    US8650290B2|2008-12-19|2014-02-11|Openpeak Inc.|Portable computing device and method of operation of same|
    US20100299152A1|2009-05-20|2010-11-25|Mobile Iron, Inc.|Selective Management of Mobile Devices in an Enterprise Environment|
    US8484728B2|2009-06-03|2013-07-09|Apple Inc.|Managing securely installed applications|
    EP2454713A1|2009-07-17|2012-05-23|Pierre Bonnat|Method and system for reliable and fast mobile marketing|
    EP2360583A3|2010-02-12|2011-09-28|Samsung Electronics Co., Ltd.|Method and system for installing applications|
    US8473743B2|2010-04-07|2013-06-25|Apple Inc.|Mobile device management|
    KR101781129B1|2010-09-20|2017-09-22|삼성전자주식회사|Terminal device for downloading and installing an application and method thereof|
    CN102446106A|2010-09-30|2012-05-09|联想有限公司|Installation management method, server and terminal for application program|
    US8359016B2|2010-11-19|2013-01-22|Mobile Iron, Inc.|Management of mobile applications|
    US20120232945A1|2011-03-10|2012-09-13|Hong Kong R&D Centre for Logistics and Supply Chain Management Enabling Technologies|Lightweight privacy protection protocol, methods, and systems for rfid and sensor based logistics track and trace data sharing over business subcontracting relationships|
    TW201301118A|2011-06-30|2013-01-01|Gcca Inc|Cloud-based communication device and smart mobile device using cloud-based communication device|
    US8239918B1|2011-10-11|2012-08-07|Google Inc.|Application marketplace administrative controls|
    US9378359B2|2011-10-11|2016-06-28|Citrix Systems, Inc.|Gateway for controlling mobile device access to enterprise resources|
    US8595489B1|2012-10-29|2013-11-26|Google Inc.|Grouping and ranking of application permissions|
    US20140157256A1|2012-11-30|2014-06-05|Donotgeotrack|Owner/user-driven controlled distribution of software for mobile devices and personal computer through a privileged portal|
    US9400682B2|2012-12-06|2016-07-26|Hewlett Packard Enterprise Development Lp|Ranking and scheduling of monitoring tasks|
    US9361083B2|2013-03-06|2016-06-07|Microsoft Technology Licensing, Llc|Enterprise management for devices|
    US9245128B2|2013-03-06|2016-01-26|Microsoft Technology Licensing, Llc|Limiting enterprise applications and settings on devices|US9378359B2|2011-10-11|2016-06-28|Citrix Systems, Inc.|Gateway for controlling mobile device access to enterprise resources|
    CN104854561B|2012-10-16|2018-05-11|思杰系统有限公司|Application program for application management framework encapsulates|
    US9245128B2|2013-03-06|2016-01-26|Microsoft Technology Licensing, Llc|Limiting enterprise applications and settings on devices|
    US20140282876A1|2013-03-15|2014-09-18|Openpeak Inc.|Method and system for restricting the operation of applications to authorized domains|
    US10284627B2|2013-03-29|2019-05-07|Citrix Systems, Inc.|Data management for an application with multiple operation modes|
    US9280377B2|2013-03-29|2016-03-08|Citrix Systems, Inc.|Application with multiple operation modes|
    JP2014235541A|2013-05-31|2014-12-15|株式会社東芝|Electronic apparatus, management method, and program|
    US10129242B2|2013-09-16|2018-11-13|Airwatch Llc|Multi-persona devices and management|
    US20150281003A1|2014-03-31|2015-10-01|Sonicwall, Inc.|Mobile application control|
    KR102337990B1|2014-09-18|2021-12-13|삼성전자주식회사|Electronic Device Using Token for Setting Permission|
    US9652212B2|2014-09-24|2017-05-16|Oracle International Corporation|Managing change events for devices in an enterprise system|
    JP2016139322A|2015-01-28|2016-08-04|株式会社リコー|Image processor and electronic blackboard provided with the same|
    US9367270B1|2015-02-04|2016-06-14|Xerox Corporation|Method and system for shuttling client resident data to servers in a client-server printing environment|
    US9825834B2|2015-03-30|2017-11-21|Airwatch Llc|Network speed detection|
    CN106575373B|2015-07-08|2020-10-20|安全创造有限责任公司|Metal smart card with dual interface capability|
    US11089132B2|2016-03-29|2021-08-10|Microsoft Technology Licensing, Llc|Extensibility for context-aware digital personal assistant|
    US10402181B2|2016-07-18|2019-09-03|Airwatch Llc|Generating and optimizing deployment configurations for enrolled devices|
    CN109711171B|2018-05-04|2021-07-20|360企业安全技术有限公司|Method, device and system for positioning software bugs, storage medium and electronic device|
    CN110489171A|2018-05-11|2019-11-22|珠海市魅族科技有限公司|Method for controlling mobile terminal, mobile terminal and storage medium|
    US11171964B1|2020-12-23|2021-11-09|Citrix Systems, Inc.|Authentication using device and user identity|
    法律状态:
    2018-11-13| B06F| Objections, documents and/or translations needed after an examination request according [chapter 6.6 patent gazette]|
    2020-03-03| B06U| Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]|
    2020-03-10| B06I| Publication of requirement cancelled [chapter 6.9 patent gazette]|Free format text: ANULADA A PUBLICACAO CODIGO 6.21 NA RPI NO 2565 DE 03/03/2020 POR TER SIDO INDEVIDA. |
    2020-10-13| B06U| Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]|
    2021-11-16| B07A| Application suspended after technical examination (opinion) [chapter 7.1 patent gazette]|
    2021-11-23| B350| Update of information on the portal [chapter 15.35 patent gazette]|
    优先权:
    申请号 | 申请日 | 专利标题
    US13/787,420|US9245128B2|2013-03-06|2013-03-06|Limiting enterprise applications and settings on devices|
    US13/787,420|2013-03-06|
    PCT/US2014/019793|WO2014137865A1|2013-03-06|2014-03-03|Limiting enterprise applications and settings on devices|
    [返回顶部]