CN106031128A - Providing mobile device management functionalities - Google Patents


Publication number
CN106031128A
Authority
CN
China
Prior art keywords
pseudo
service provider
mdm service
subscriber equipment
order
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201380082058.9A
Other languages
Chinese (zh)
Other versions
CN106031128B (en
Inventor
西蒙·弗罗斯特
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Citrix Systems Inc
Original Assignee
Citrix Systems Inc
Application filed by Citrix Systems Inc filed Critical Citrix Systems Inc
Priority to CN201910424505.3A priority Critical patent/CN110149634A/en
Publication of CN106031128A publication Critical patent/CN106031128A/en
Application granted granted Critical
Publication of CN106031128B publication Critical patent/CN106031128B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04M TELEPHONIC COMMUNICATION
    • H04M1/00 Substation equipment, e.g. for use by subscribers
    • H04M1/72 Mobile telephones; Cordless telephones, i.e. devices for establishing wireless links to base stations without route selection
    • H04M1/724 User interfaces specially adapted for cordless or mobile telephones
    • H04M1/72403 User interfaces specially adapted for cordless or mobile telephones with means for local support of applications that increase the functionality
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061 Partitioning or combining of resources
    • G06F9/5072 Grid computing
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L41/0806 Configuration setting for initial configuration or provisioning, e.g. plug-and-play
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0895 Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks involving control of end-device applications over a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/54 Presence management, e.g. monitoring or registration for receipt of user log-on information, or the connection status of the users
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/50 Network services
    • H04L67/56 Provisioning of proxy services
    • H04L67/59 Providing operational support to end devices by off-loading in the network or by emulation, e.g. when they are unavailable
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/50 Service provisioning or reconfiguring
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0866 Checking the configuration
    • H04L41/0869 Validating the configuration within one network element
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/02 Services making use of location information
    • H04W4/021 Services related to particular areas, e.g. point of interest [POI] services, venue services or geofences

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • Mathematical Physics (AREA)
  • Medical Informatics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • Human Computer Interaction (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Methods, systems, computer-readable media, and apparatuses for providing mobile device management (MDM) functionalities are presented. In some embodiments, a pseudo device representative of a physical end user device may be established within a cloud computing environment. The pseudo device may be provisioned for use with MDM service providers and configured to receive commands from the MDM service providers on behalf of the physical end user device. In some embodiments, multiple pseudo devices each representative of a physical end user device may be established within a cloud computing environment. A first pseudo device may be provisioned for use with a first MDM service provider and configured to receive commands from the first MDM service provider on behalf of the physical end user device. A second pseudo device may be provisioned for use with a second MDM service provider and configured to receive commands from the second MDM service provider.

Description

Providing mobile device management functionalities
Background
Aspects of the disclosure relate to computer hardware and software. In particular, one or more aspects of the disclosure generally relate to computer hardware and software for providing mobile device management functionalities.
Increasingly, corporations and other organizations are providing their employees and other associates with, and/or otherwise enabling them to use, mobile devices such as smart phones, tablet computers, and other mobile computing devices. As these devices continue to grow in popularity and provide an increasing number of functions, many organizations may wish to place certain controls on how these devices can be used, what resources these devices can access, and how the applications running on these devices can interact with other resources.
Summary
Aspects of the disclosure provide more effective, practical, functional, and convenient ways of controlling how mobile devices can be used, what resources mobile devices can access, and how the applications and other software running on these devices can interact with other resources. In particular, in one or more embodiments discussed in greater detail below, mobile device management functionalities are deployed, implemented, and/or used in a number of different ways to provide one or more of these and/or other advantages.
In some embodiments, a pseudo device may be established within a cloud computing environment. The pseudo device may be representative of a physical end user device. The pseudo device may be provisioned for use with one or more mobile device management (MDM) service providers. The pseudo device may be configured to receive one or more commands from the one or more MDM service providers on behalf of the physical end user device.
In some embodiments, multiple pseudo devices may be established within a cloud computing environment. Each pseudo device may be representative of a physical end user device. A first pseudo device may be provisioned for use with a first MDM service provider. A second pseudo device may be provisioned for use with a second MDM service provider. The first pseudo device may be configured to receive commands from the first MDM service provider on behalf of the physical end user device. The second pseudo device may be configured to receive commands from the second MDM service provider on behalf of the physical end user device.
These features, along with many others, are discussed in greater detail below.
Brief Description of the Drawings
The present disclosure is illustrated by way of example and is not limited to the accompanying figures, in which like reference numerals indicate similar elements, and in which:
FIG. 1 depicts an illustrative computer system architecture that may be used in accordance with one or more illustrative aspects described herein.
FIG. 2 depicts an illustrative remote-access system architecture that may be used in accordance with one or more illustrative aspects described herein.
FIG. 3 depicts an illustrative virtualized (hypervisor) system architecture that may be used in accordance with one or more illustrative aspects described herein.
FIG. 4 depicts an illustrative cloud-based system architecture that may be used in accordance with one or more illustrative aspects described herein.
FIG. 5 depicts an illustrative enterprise mobility management system.
FIG. 6 depicts another illustrative enterprise mobility management system.
FIG. 7 depicts another illustrative enterprise mobility management system that may be used in accordance with one or more illustrative aspects described herein.
FIG. 8 depicts another illustrative enterprise mobility management system that may be used in accordance with one or more illustrative aspects described herein.
FIG. 9 depicts a flowchart that illustrates a method of applying one or more mobile device management policies to a physical end user device via a pseudo device in accordance with one or more illustrative aspects discussed herein.
FIG. 10 depicts a flowchart that illustrates a method of provisioning a pseudo device for use with one or more mobile device management service providers in accordance with one or more illustrative aspects discussed herein.
FIG. 11 depicts a flowchart that illustrates a method of responding to a command from a mobile device management service provider in accordance with one or more illustrative aspects discussed herein.
FIG. 12 depicts a flowchart that illustrates a method of pushing resource data to a physical end user device in accordance with one or more illustrative aspects discussed herein.
FIG. 13 depicts a flowchart that illustrates a method of modifying a command at a pseudo device in accordance with one or more illustrative aspects discussed herein.
FIG. 14 depicts a flowchart that illustrates a method of applying a selective wipe command in accordance with one or more illustrative aspects discussed herein.
FIG. 15 depicts a flowchart that illustrates a method of deploying information to, and revoking information from, a physical end user device in accordance with one or more illustrative aspects discussed herein.
FIG. 16 depicts a flowchart that illustrates a method of resolving conflicts between policies of different mobile device management service providers in accordance with one or more illustrative aspects discussed herein.
Detailed Description
In the following description of the various embodiments, reference is made to the accompanying drawings identified above, which form a part hereof, and in which various embodiments in which aspects described herein may be practiced are shown by way of illustration. It is to be understood that other embodiments may be utilized, and structural and functional modifications may be made, without departing from the scope described herein. Various aspects are capable of other embodiments and of being practiced or carried out in various different ways.
As a general introduction to the subject matter described in more detail below, aspects described herein are directed towards controlling remote access to resources at an enterprise computing system using managed mobile applications at mobile computing devices. An access manager may perform a validation process that determines whether a mobile application requesting access to enterprise resources has accurately identified itself and has not been subsequently altered after installation at the mobile computing device. In this way, the access manager may ensure that the mobile application requesting access to the enterprise resource can be trusted and is not attempting to circumvent the security mechanisms used to protect those enterprise resources. As a result, individuals associated with the enterprise may advantageously use enterprise resources at their personal mobile devices.
It is to be understood that the phraseology and terminology used herein are for the purpose of description and should not be regarded as limiting. Rather, the phrases and terms used herein are to be given their broadest interpretation and meaning. The use of "including" and "comprising" and variations thereof is meant to encompass the items listed thereafter and equivalents thereof as well as additional items and equivalents thereof. The use of the terms "mounted," "connected," "coupled," "positioned," "engaged" and similar terms is meant to include both direct and indirect mounting, connecting, coupling, positioning and engaging.
Computing Architecture
Computer software, hardware, and networks may be used in a variety of different system environments, including standalone, networked, remote-access (also known as remote desktop), virtualized, and/or cloud-based environments, among others. FIG. 1 illustrates one example of a system architecture and data processing device that may be used to implement one or more illustrative aspects described herein in a standalone and/or networked environment. Various network nodes 103, 105, 107, and 109 may be interconnected via a wide area network (WAN) 101, such as the Internet. Other networks may also or alternatively be used, including private intranets, corporate networks, local area networks (LAN), metropolitan area networks (MAN), wireless networks, personal networks (PAN), and the like. Network 101 is for illustration purposes and may be replaced with fewer or additional computer networks. A LAN may have one or more of any known LAN topology and may use one or more of a variety of different protocols, such as Ethernet. Devices 103, 105, 107, 109 and other devices (not shown) may be connected to one or more of the networks via twisted pair wires, coaxial cable, fiber optics, radio waves, or other communication media.
The term "network" as used herein and depicted in the drawings refers not only to systems in which remote storage devices are coupled together via one or more communication paths, but also to stand-alone devices that may be coupled, from time to time, to such systems that have storage capability. Consequently, the term "network" includes not only a "physical network" but also a "content network," which is comprised of the data, attributable to a single entity, that resides across all physical networks.
The components may include data server 103, web server 105, and client computers 107, 109. Data server 103 provides overall access, control, and administration of databases and control software for performing one or more illustrative aspects described herein. Data server 103 may be connected to web server 105, through which users interact with and obtain data as requested. Alternatively, data server 103 may act as a web server itself and be directly connected to the Internet. Data server 103 may be connected to web server 105 through the network 101 (e.g., the Internet), via a direct or indirect connection, or via some other network. Users may interact with the data server 103 using remote computers 107, 109, e.g., using a web browser to connect to the data server 103 via one or more externally exposed web sites hosted by web server 105. Client computers 107, 109 may be used in concert with data server 103 to access data stored therein, or may be used for other purposes. For example, from client device 107 a user may access web server 105 using an Internet browser, as is known in the art, or by executing a software application that communicates with web server 105 and/or data server 103 over a computer network (such as the Internet).
Servers and applications may be combined on the same physical machines and retain separate virtual or logical addresses, or may reside on separate physical machines. FIG. 1 illustrates just one example of a network architecture that may be used, and those of skill in the art will appreciate that the specific network architecture and data processing devices used may vary, and are secondary to the functionality that they provide, as further described herein. For example, services provided by web server 105 and data server 103 may be combined on a single server.
Each component 103, 105, 107, 109 may be any type of known computer, server, or data processing device. Data server 103, for example, may include a processor 111 controlling overall operation of the server 103. Data server 103 may further include RAM 113, ROM 115, network interface 117, input/output interfaces 119 (e.g., keyboard, mouse, display, printer, etc.), and memory 121. I/O 119 may include a variety of interface units and devices for reading, writing, displaying, and/or printing data or files. Memory 121 may further store operating system software 123 for controlling overall operation of the data processing device 103, control logic 125 for instructing data server 103 to perform aspects described herein, and other application software 127 providing secondary, support, and/or other functionality that may or may not be used in conjunction with aspects described herein. The control logic may also be referred to herein as the data server software 125. Functionality of the data server software may refer to operations or decisions made automatically based on rules coded into the control logic, made manually by a user providing input into the system, and/or a combination of automatic processing based on user input (e.g., queries, data updates, etc.).
Memory 121 may also store data used in performance of one or more aspects described herein, including a first database 129 and a second database 131. In some embodiments, the first database may include the second database (e.g., as a separate table, report, etc.). That is, the information can be stored in a single database, or separated into different logical, virtual, or physical databases, depending on system design. Devices 105, 107, 109 may have an architecture similar to or different from that described with respect to device 103. Those of skill in the art will appreciate that the functionality of data processing device 103 (or device 105, 107, 109) as described herein may be spread across multiple data processing devices, for example, to distribute processing load across multiple computers, or to segregate transactions based on geographic location, user access level, quality of service (QoS), etc.
One or more aspects may be embodied in computer-usable or readable data and/or computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices as described herein. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The modules may be written in a source code programming language that is subsequently compiled for execution, or may be written in a scripting language such as (but not limited to) Javascript or ActionScript. The computer-executable instructions may be stored on a computer-readable medium such as a nonvolatile storage device. Any suitable computer-readable storage media may be used, including hard disks, CD-ROMs, optical storage devices, magnetic storage devices, and/or any combination thereof. In addition, various transmission (non-storage) media representing data or events as described herein may be transferred between a source and a destination in the form of electromagnetic waves traveling through signal-conducting media (e.g., metal wires, optical fibers) and/or wireless transmission media (e.g., air and/or space). Various aspects described herein may be embodied as a method, a data processing system, or a computer program product. Therefore, various functionalities may be embodied in whole or in part in software, firmware, and/or hardware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like. Particular data structures may be used to more effectively implement one or more aspects described herein, and such data structures are contemplated within the scope of computer-executable instructions and computer-usable data described herein.
With further reference to FIG. 2, one or more aspects described herein may be implemented in a remote-access environment. FIG. 2 depicts an example system architecture including a generic computing device 201 in an illustrative computing environment 200 that may be used in accordance with one or more illustrative aspects described herein. Generic computing device 201 may be used as a server 206a in a single-server or multi-server desktop virtualization system (e.g., a remote access or cloud system) configured to provide virtual machines for client access devices. The generic computing device 201 may have a processor 203 for controlling overall operation of the server and its associated components, including random access memory (RAM) 205, read-only memory (ROM) 207, input/output (I/O) module 209, and memory 215.
I/O module 209 may include a mouse, keyboard, touch screen, scanner, optical reader, and/or stylus (or other input device) through which a user of generic computing device 201 may provide input, and may also include one or more of a speaker for providing audio output and a video display device for providing textual, audiovisual, and/or graphical output. Software may be stored within memory 215 and/or other storage to provide instructions to processor 203 for configuring generic computing device 201 into a special purpose computing device in order to perform various functions as described herein. For example, memory 215 may store software used by the computing device 201, such as an operating system 217, application programs 219, and an associated database 221.
Computing device 201 may operate in a networked environment supporting connections to one or more remote computers, such as terminals 240 (also referred to as client devices). The terminals 240 may be personal computers, mobile devices, laptop computers, tablets, or servers that include many or all of the elements described above with respect to the generic computing device 103 or 201. The network connections depicted in FIG. 2 include a local area network (LAN) 225 and a wide area network (WAN) 229, but may also include other networks. When used in a LAN networking environment, computing device 201 may be connected to the LAN 225 through a network interface or adapter 223. When used in a WAN networking environment, computing device 201 may include a modem 227 or other wide area network interface for establishing communications over the WAN 229, such as computer network 230 (e.g., the Internet). It will be appreciated that the network connections shown are illustrative and that other means of establishing a communications link between the computers may be used. Computing device 201 and/or terminals 240 may also be mobile terminals (e.g., mobile phones, smartphones, PDAs, notebooks, etc.) that include various other components, such as a battery, speaker, and antennas (not shown).
Aspects described herein may also be operational with numerous other general purpose or special purpose computing system environments or configurations. Examples of other computing systems, environments, and/or configurations that may be suitable for use with aspects described herein include, but are not limited to, personal computers, server computers, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
As shown in FIG. 2, one or more client devices 240 may be in communication with one or more servers 206a-206n (generally referred to herein as "server(s) 206"). In one embodiment, the computing environment 200 may include a network device installed between the server(s) 206 and client machine(s) 240. The network device may manage client/server connections, and in some cases can load balance client connections amongst a plurality of backend servers 206.
The client machine(s) 240 may in some embodiments be referred to as a single client machine 240 or a single group of client machines 240, while server(s) 206 may be referred to as a single server 206 or a single group of servers 206. In one embodiment a single client machine 240 communicates with more than one server 206, while in another embodiment a single server 206 communicates with more than one client machine 240. In yet another embodiment, a single client machine 240 communicates with a single server 206.
A client machine 240 can, in some embodiments, be referenced by any one of the following non-exhaustive terms: client machine(s); client(s); client computer(s); client device(s); client computing device(s); local machine; remote machine; client node(s); endpoint(s); or endpoint node(s). The server 206, in some embodiments, may be referenced by any one of the following non-exhaustive terms: server(s); local machine; remote machine; server farm(s); or host computing device(s).
In one embodiment, the client machine 240 may be a virtual machine. The virtual machine may be any virtual machine, while in some embodiments the virtual machine may be any virtual machine managed by a Type 1 or Type 2 hypervisor (for example, a hypervisor developed by Citrix Systems, IBM, or VMware) or by any other hypervisor. In some aspects, the virtual machine may be managed by a hypervisor, while in other aspects the virtual machine may be managed by a hypervisor executing on a server 206 or a hypervisor executing on a client 240.
Some embodiments include a client device 240 that displays application output generated by an application remotely executing on a server 206 or other remotely located machine. In these embodiments, the client device 240 may execute a virtual machine client agent program or application to display the output in an application window, a browser, or other output window. In one example, the application is a desktop, while in other examples the application is an application that generates or presents a desktop. A desktop may include a graphical shell providing a user interface for an instance of an operating system in which local and/or remote applications can be integrated. Applications, as used herein, are programs that execute after an instance of an operating system (and, optionally, also the desktop) has been loaded.
The server 206, in some embodiments, uses a remote presentation protocol or other program to send data to a thin-client or remote-display application executing on the client to present display output generated by an application executing on the server 206. The thin-client or remote-display protocol can be any one of the following non-exhaustive list of protocols: the Independent Computing Architecture (ICA) protocol developed by Citrix Systems, Inc. of Ft. Lauderdale, Florida; or the Remote Desktop Protocol (RDP) manufactured by the Microsoft Corporation of Redmond, Washington.
Remote computing environment can comprise more than a server 206a-206n so that server 206a-206n is such as logically grouped together in cloud computing environment becomes bundle of services 206.Clothes Business device group 206 can be included in and be geographically spread out but and the server that is logically grouped together The server 206 that 206 or close to each other location are logically grouped together simultaneously.Implement at some In scheme, the server 206a-206n being geographically spread out in server zone 206 can use WAN (wide area), MAN (metropolitan area) or LAN (local) communicate, the most different geography Region can be characterized as being: different continents;The zones of different in continent;Different countries;Different states; Different cities;Different gardens;Different rooms;Or any combination in aforementioned geographical position.? In some embodiments, server zone 206 can manage as single entity, and implements at other In scheme, server zone 206 can include multiple server zone.
In some embodiments, a server farm may include servers 206 that execute a substantially similar type of operating system platform (e.g., WINDOWS, UNIX, LINUX, iOS, ANDROID, SYMBIAN, etc.). In other embodiments, the server farm 206 may include a first group of one or more servers that execute a first type of operating system platform, and a second group of one or more servers that execute a second type of operating system platform.
Server 206 may be configured as any type of server, as needed (e.g., a file server, an application server, a web server, a proxy server, an appliance, a network appliance, a gateway, an application gateway, a gateway server, a virtualization server, a deployment server, an SSL VPN server, a firewall, a web server, an application server), or as a master application server, a server executing an active directory, or a server executing an application acceleration program that provides firewall functionality, application functionality, or load balancing functionality. Other server types may also be used.
Some embodiments include a first server 206a that receives requests from a client machine 240, forwards the request to a second server 206b, and responds to the request generated by the client machine 240 with a response from the second server 206b. The first server 206a may acquire an enumeration of applications available to the client machine 240, as well as address information associated with an application server 206 hosting an application identified within the enumeration of applications. The first server 206a can then present a response to the client's request using a web interface, and communicate directly with the client 240 to provide the client 240 with access to an identified application. One or more clients 240 and/or one or more servers 206 may transmit data over network 230 (e.g., network 101).
Fig. 2 shows a high-level architecture of an illustrative desktop virtualization system. As shown, the desktop virtualization system may be a single-server or multi-server system, or a cloud system, including at least one virtualization server 206 configured to provide virtual desktops and/or virtual applications to one or more client access devices 240. As used herein, a desktop refers to a graphical environment or space in which one or more applications may be hosted and/or executed. A desktop may include a graphical shell providing a user interface for an instance of an operating system in which local and/or remote applications can be integrated. Applications may include programs that execute after an instance of an operating system (and, optionally, also the desktop) has been loaded. Each instance of the operating system may be physical (e.g., one operating system per device) or virtual (e.g., many instances of an OS running on a single device). Each application may be executed on a local device, or executed on a remotely located device (e.g., remoted).
With further reference to Fig. 3, a computer device 301 may be configured as a virtualization server in a virtualization environment (e.g., a single-server, multi-server, or cloud computing environment). The virtualization server 301 illustrated in Fig. 3 can be deployed as, and/or implemented by, one or more embodiments of the server 206 illustrated in Fig. 2 or other known computing devices. Included in virtualization server 301 is a hardware layer that can include one or more physical disks 304, one or more physical devices 306, one or more physical processors 308, and one or more physical memories 316. In some embodiments, firmware 312 can be stored within a memory element in the physical memory 316 and can be executed by one or more of the physical processors 308. Virtualization server 301 may further include an operating system 314 that may be stored in a memory element in the physical memory 316 and executed by one or more of the physical processors 308. Further, a hypervisor 302 may be stored in a memory element in the physical memory 316 and can be executed by one or more of the physical processors 308.
Executing on one or more of the physical processors 308 may be one or more virtual machines 332A-C (generally 332). Each virtual machine 332 may have a virtual disk 326A-C and a virtual processor 328A-C. In some embodiments, a first virtual machine 332A may use a virtual processor 328A to execute a control program 320 that includes a tools stack 324. Control program 320 may be referred to as a control virtual machine, Dom0, Domain 0, or other virtual machine used for system administration and/or control. In some embodiments, one or more virtual machines 332B-C can use a virtual processor 328B-C to execute a guest operating system 330A-B.
Virtualization server 301 may include a hardware layer 310 with one or more pieces of hardware that communicate with the virtualization server 301. In some embodiments, the hardware layer 310 can include one or more physical disks 304, one or more physical devices 306, one or more physical processors 308, and one or more memories 216. Physical components 304, 306, 308, and 316 may include, for example, any of the components described above. Physical devices 306 may include, for example, a network interface card, a video card, a keyboard, a mouse, an input device, a monitor, a display device, speakers, a CD-ROM drive, a storage device, a universal serial bus connection, a printer, a scanner, a network element (e.g., router, firewall, network address translator, load balancer, virtual private network (VPN) gateway, Dynamic Host Configuration Protocol (DHCP) router, etc.), or any device connected to or communicating with virtualization server 301. Physical memory 316 in the hardware layer 310 may include any type of memory. Physical memory 316 may store data, and in some embodiments may store one or more programs or sets of executable instructions. Fig. 3 illustrates an embodiment where firmware 312 is stored within the physical memory 316 of virtualization server 301. Programs or executable instructions stored in the physical memory 316 can be executed by the one or more processors 308 of virtualization server 301.
Virtualization server 301 may also include a hypervisor 302. In some embodiments, hypervisor 302 may be a program executed by processors 308 on virtualization server 301 to create and manage any number of virtual machines 332. Hypervisor 302 may be referred to as a virtual machine monitor, or platform virtualization software. In some embodiments, hypervisor 302 can be any combination of executable instructions and hardware that monitors virtual machines executing on a computing machine. Hypervisor 302 may be a Type 2 hypervisor, where the hypervisor executes within an operating system 314 executing on the virtualization server 301. Virtual machines then execute at a level above the hypervisor. In some embodiments, the Type 2 hypervisor executes within the context of a user's operating system such that the Type 2 hypervisor interacts with the user's operating system. In other embodiments, one or more virtualization servers 201 in a virtualization environment may instead include a Type 1 hypervisor (not shown). A Type 1 hypervisor may execute on the virtualization server 301 by directly accessing the hardware and resources within the hardware layer 310. That is, while a Type 2 hypervisor 302 accesses system resources through a host operating system 314 (as shown), a Type 1 hypervisor may directly access all system resources without the host operating system 314. A Type 1 hypervisor may execute directly on one or more physical processors 308 of virtualization server 301, and may include program data stored in the physical memory 316.
In some embodiments, hypervisor 302 can provide virtual resources to operating systems 330 or control programs 320 executing on virtual machines 332 in any manner that simulates the operating systems 330 or control programs 320 having direct access to system resources. System resources can include, but are not limited to, physical devices 306, physical disks 304, physical processors 308, physical memory 316, and any other component included in the hardware layer 310 of virtualization server 301. Hypervisor 302 may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and/or execute virtual machines that provide access to computing environments. In still other embodiments, hypervisor 302 controls processor scheduling and memory partitioning for a virtual machine 332 executing on virtualization server 301. Hypervisor 302 may include those manufactured by VMWare, Inc., of Palo Alto, California; the XEN hypervisor, an open source product whose development is overseen by the open source Xen.org community; HyperV, VirtualServer or Virtual PC hypervisors provided by Microsoft; or other hypervisors. In some embodiments, virtualization server 301 executes a hypervisor 302 that creates a virtual machine platform on which guest operating systems may execute. In these embodiments, the virtualization server 301 may be referred to as a host server. An example of such a virtualization server is the XEN SERVER provided by Citrix Systems, Inc., of Fort Lauderdale, Florida.
Hypervisor 302 may create one or more virtual machines 332B-C (generally 332) in which guest operating systems 330 execute. In some embodiments, hypervisor 302 may load a virtual machine image to create a virtual machine 332. In other embodiments, the hypervisor 302 may execute a guest operating system 330 within virtual machine 332. In still other embodiments, virtual machine 332 may execute guest operating system 330.
In addition to creating virtual machines 332, hypervisor 302 may control the execution of at least one virtual machine 332. In other embodiments, hypervisor 302 may present at least one virtual machine 332 with an abstraction of at least one hardware resource provided by the virtualization server 301 (e.g., any hardware resource available within the hardware layer 310). In other embodiments, hypervisor 302 may control the manner in which virtual machines 332 access the physical processors 308 available in virtualization server 301. Controlling access to physical processors 308 may include determining whether a virtual machine 332 should have access to a processor 308, and how physical processor capabilities are presented to the virtual machine 332.
As shown in Fig. 3, virtualization server 301 may host or execute one or more virtual machines 332. A virtual machine 332 is a set of executable instructions that, when executed by a processor 308, imitates the operation of a physical computer such that the virtual machine 332 can execute programs and processes much like a physical computing device. While Fig. 3 illustrates an embodiment where a virtualization server 301 hosts three virtual machines 332, in other embodiments virtualization server 301 can host any number of virtual machines 332. In some embodiments, hypervisor 302 provides each virtual machine 332 with a unique virtual view of the physical hardware, memory, processor, and other system resources available to that virtual machine 332. In some embodiments, the unique virtual view can be based on one or more of: virtual machine permissions, application of a policy engine to one or more virtual machine identifiers, the user accessing a virtual machine, the applications executing on a virtual machine, the networks accessed by a virtual machine, or any other desired criteria. For instance, hypervisor 302 may create one or more unsecure virtual machines 332 and one or more secure virtual machines 332. Unsecure virtual machines 332 may be prevented from accessing resources, hardware, memory locations, and programs that secure virtual machines 332 may be permitted to access. In other embodiments, hypervisor 302 may provide each virtual machine 332 with a substantially similar virtual view of the physical hardware, memory, processor, and other system resources available to the virtual machines 332.
Each virtual machine 332 may include a virtual disk 326A-C (generally 326) and a virtual processor 328A-C (generally 328). In some embodiments, the virtual disk 326 is a virtualized view of one or more physical disks 304 of the virtualization server 301, or of a portion of one or more physical disks 304 of the virtualization server 301. The virtualized view of the physical disks 304 can be generated, provided, and managed by the hypervisor 302. In some embodiments, hypervisor 302 provides each virtual machine 332 with a unique view of the physical disks 304. Thus, in these embodiments, the particular virtual disk 326 included in each virtual machine 332 can be unique when compared with the other virtual disks 326.
A virtual processor 328 can be a virtualized view of one or more physical processors 308 of the virtualization server 301. In some embodiments, the virtualized view of the physical processors 308 can be generated, provided, and managed by hypervisor 302. In some embodiments, virtual processor 328 has substantially all of the same characteristics as at least one physical processor 308. In other embodiments, virtual processor 308 provides a modified view of physical processors 308 such that at least some of the characteristics of the virtual processor 328 are different from the characteristics of the corresponding physical processor 308.
With further reference to Fig. 4, some aspects described herein may be implemented in a cloud-based environment. Fig. 4 illustrates an example of a cloud computing environment (or cloud system) 400. As shown in Fig. 4, client computers 411-414 may communicate with a cloud management server 410 to access the computing resources of the cloud system (e.g., host servers 403, storage resources 404, and network resources 405).
Management server 410 may be implemented on one or more physical servers. The management server 410 may run, for example, CLOUDSTACK by Citrix Systems, Inc. of Fort Lauderdale, Florida, or OPENSTACK, among others. Management server 410 may manage various computing resources, including cloud hardware and software resources, for example, host computers 403, data storage devices 404, and networking devices 405. The cloud hardware and software resources may include private or public components. For example, a cloud may be configured as a private cloud to be used by one or more particular customers or client computers 411-414 and/or over a private network. In other embodiments, public clouds or hybrid public-private clouds may be used by other customers over open or hybrid networks.
Management server 410 may be configured to provide user interfaces through which cloud operators and cloud customers may interact with the cloud system. For example, the management server 410 may provide a set of APIs and/or one or more cloud operator console applications (e.g., web-based or standalone applications) with user interfaces to allow cloud operators to manage the cloud resources, configure the virtualization layer, manage customer accounts, and perform other cloud administration tasks. The management server 410 may also include a set of APIs and/or one or more customer console applications with user interfaces configured to receive cloud computing requests from end users via client computers 411-414, for example, requests to create, modify, or destroy virtual machines within the cloud. Client computers 411-414 may connect to management server 410 via the Internet or other communication network, and may request access to one or more of the computing resources managed by management server 410. In response to client requests, the management server 410 may include a resource manager configured to select and provision physical resources in the hardware layer of the cloud system based on the client requests. For example, the management server 410 and additional components of the cloud system may be configured to provision, create, and manage virtual machines and their operating environments (e.g., hypervisors, storage resources, services offered by the network elements, etc.) for customers at client computers 411-414 over a network (e.g., the Internet), providing customers with computational resources, data storage services, networking capabilities, and computer platform and application support. Cloud systems may also be configured to provide various specific services, including security systems, development environments, user interfaces, and the like.
Certain clients 411-414 may be related, for example, different client computers creating virtual machines on behalf of the same end user, or different users affiliated with the same company or organization. In other examples, certain clients 411-414 may be unrelated, such as users affiliated with different companies or organizations. For unrelated clients, information on the virtual machines or storage of any one user may be hidden from other users.
Referring now to the physical hardware layer of a cloud computing environment, availability zones 401-402 (or zones) may refer to a collocated set of physical computing resources. Zones may be geographically separated from other zones in the overall cloud of computing resources. For example, zone 401 may be a first cloud datacenter located in California, and zone 402 may be a second cloud datacenter located in Florida. Management server 410 may be located at one of the availability zones, or at a separate location. Each zone may include an internal network that interfaces, through a gateway, with devices that are outside of the zone (e.g., the management server 410). End users of the cloud (e.g., clients 411-414) might or might not be aware of the distinctions between zones. For example, an end user may request the creation of a virtual machine having a specified amount of storage, processing power, and network capabilities. The management server 410 may respond to the user's request and may allocate the resources to create the virtual machine without the user knowing whether the virtual machine was created using resources from zone 401 or zone 402. In other examples, the cloud system may allow end users to request that virtual machines (or other cloud resources) be allocated in a specific zone or on specific resources 403-405 within a zone.
In this example, each zone 401-402 may include an arrangement of various physical hardware components (or computing resources) 403-405, for example, physical hosting resources (or processing resources), physical network resources, physical storage resources, switches, and additional hardware resources that may be used to provide cloud computing services to customers. The physical hosting resources in a cloud zone 401-402 may include one or more computer servers 403, such as the virtualization servers 301 described above, which may be configured to create and host virtual machine instances. The physical network resources in a cloud zone 401 or 402 may include one or more network elements 405 (e.g., network service providers) comprising hardware and/or software configured to provide a network service to cloud customers, such as firewalls, network address translators, load balancers, virtual private network (VPN) gateways, Dynamic Host Configuration Protocol (DHCP) routers, and the like. The storage resources in the cloud zone 401-402 may include storage disks (e.g., solid state drives (SSDs), magnetic hard disks, etc.) and other storage devices.
The example cloud computing environment shown in Fig. 4 may also include a virtualization layer (e.g., as shown in Figs. 1-3) with additional hardware and/or software resources configured to create and manage virtual machines and provide other services to customers using the physical resources in the cloud. The virtualization layer may include hypervisors, as described above in Fig. 3, along with other components to provide network virtualization, storage virtualization, and so on. The virtualization layer may be a separate layer from the physical resource layer, or may share some or all of the same hardware and/or software resources with the physical resource layer. For example, the virtualization layer may include a hypervisor installed in each of the virtualization servers 403 with the physical computing resources. Known cloud systems may alternatively be used, e.g., WINDOWS AZURE (Microsoft Corporation of Redmond, Washington), AMAZON EC2 (Amazon.com Inc. of Seattle, Washington), IBM BLUE CLOUD (IBM Corporation of Armonk, New York), or others.
Enterprise Mobility Management Architecture
Fig. 5 represents an enterprise mobility technical architecture 500 for use in a BYOD environment. The architecture enables a user of a mobile device 502 both to access enterprise or personal resources from the mobile device 502 and to use the mobile device 502 for personal use. The user may access such enterprise resources 504 or enterprise services 508 using a mobile device 502 that was purchased by the user or a mobile device 502 that is provided by the enterprise to the user. The user may utilize the mobile device 502 for business use only or for business and personal use. The mobile device may run an iOS operating system, an Android operating system, and/or the like. The enterprise may choose to implement policies to manage the mobile device 504. The policies may be implanted through a firewall or gateway in such a way that the mobile device may be identified, secured or security verified, and provided selective or full access to the enterprise resources. The policies may be mobile device management policies, mobile application management policies, mobile data management policies, or some combination of mobile device, application, and data management policies. A mobile device 504 that is managed through the application of mobile device management policies may be referred to as an enrolled device or a managed device.
In some embodiments, the operating system of the mobile device may be separated into a managed partition 510 and an unmanaged partition 512. The managed partition 510 may have policies applied to it to secure the applications running on, and the data stored in, the managed partition. In other embodiments, all applications may execute in accordance with a set of one or more policy files received separately from the application, which define one or more security parameters, features, resource restrictions, and/or other access controls that are enforced by the mobile device management system when that application is executing on the device. By operating in accordance with their respective policy files, each application may be allowed or restricted from communicating with one or more other applications and/or resources, thereby creating a virtual partition. Thus, as used herein, a partition may refer to a physically partitioned portion of memory (physical partition), a logically partitioned portion of memory (logical partition), and/or a virtual partition created as a result of enforcement of one or more policies and/or policy files across multiple applications as described herein (virtual partition). In other words, by enforcing policies on managed applications, those applications may be restricted to communicating only with other managed applications and trusted enterprise resources, thereby creating a virtual partition that is inaccessible to unmanaged applications and devices.
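The following sketch is an added illustration, not code from the patent or from any Citrix product. It shows how enforcing per-application policy files, delivered separately from the applications, produces a virtual partition. The JSON policy schema, application identifiers, host names and function names are all hypothetical, and a policy file that cannot be parsed is treated as deny-all.

```python
import json

# Constructed policy files (hypothetical schema), received separately from the apps.
POLICY_FILES = {
    "com.example.securemail": '{"managed": true, "peers": ["com.example.securebrowser"],'
                              ' "resources": ["mail.corp.example"]}',
    "com.example.securebrowser": '{"managed": true, "peers": ["com.example.securemail",'
                                 ' "com.example.crm"], "resources": ["intranet.corp.example"]}',
    "com.example.crm": '{"managed": true, "peers": ["*"],'
                       ' "resources": ["crm.corp.example", "files.public.example"]}',
    "com.example.broken": '{"managed": true, "peers": ["com.example.securemail"',  # truncated
}
# Apps without a policy file are unmanaged (constructed sample inventory).
INSTALLED_APPS = list(POLICY_FILES) + ["com.example.game", "com.example.chat"]
TRUSTED_ENTERPRISE_RESOURCES = {"mail.corp.example", "intranet.corp.example", "crm.corp.example"}


def load_policies(policy_files):
    """Parse policy files; an unreadable file fails closed (managed, nothing allowed)."""
    policies = {}
    for app_id, raw in policy_files.items():
        try:
            doc = json.loads(raw)
            policies[app_id] = {
                "managed": bool(doc["managed"]),
                "peers": set(doc.get("peers", [])),
                "resources": set(doc.get("resources", [])),
            }
        except (ValueError, KeyError, TypeError):
            policies[app_id] = {"managed": True, "peers": set(), "resources": set()}
    return policies


def is_managed(policies, app_id):
    return app_id in policies and policies[app_id]["managed"]


def peer_allowed(policy, other):
    # "*" means "any managed app"; the managed/unmanaged boundary is checked first.
    return "*" in policy["peers"] or other in policy["peers"]


def may_communicate(policies, sender, receiver):
    """App-to-app decision: never across the managed boundary, and both policies must agree."""
    s, r = is_managed(policies, sender), is_managed(policies, receiver)
    if not s and not r:
        return True   # two unmanaged apps: outside the scope of enforcement
    if s != r:
        return False  # managed <-> unmanaged traffic is always refused
    return (peer_allowed(policies[sender], receiver)
            and peer_allowed(policies[receiver], sender))


def may_reach(policies, app_id, host, trusted=TRUSTED_ENTERPRISE_RESOURCES):
    """App-to-resource decision: managed apps reach only listed, trusted enterprise hosts."""
    if not is_managed(policies, app_id):
        return host not in trusted
    return host in policies[app_id]["resources"] and host in trusted


def virtual_partitions(policies, apps):
    """Group apps into connected components of the 'may communicate' relation."""
    remaining, parts = list(apps), []
    while remaining:
        frontier, part = [remaining.pop(0)], set()
        while frontier:
            app = frontier.pop()
            part.add(app)
            linked = [a for a in remaining if may_communicate(policies, app, a)]
            for a in linked:
                remaining.remove(a)
            frontier.extend(linked)
        parts.append(part)
    return parts


if __name__ == "__main__":
    for part in virtual_partitions(load_policies(POLICY_FILES), INSTALLED_APPS):
        print(sorted(part))
```

The managed applications that permit each other end up in one component, the application with the damaged policy file is isolated, and the unmanaged applications form a separate component that cannot reach any managed application or trusted enterprise host.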
The applications running on the managed partition may be secure applications. The secure applications may be email applications, web browsing applications, software-as-a-service (SaaS) access applications, Windows application access applications, and the like. The secure applications may be secure native applications 514, secure remote applications 522 executed by a secure application launcher 518, virtualization applications 526 executed by a secure application launcher 518, and the like. The secure native applications 514 may be wrapped by a secure application wrapper 520. The secure application wrapper 520 may include integrated policies that are executed on the mobile device 502 when the secure native application is executed on the device. The secure application wrapper 520 may include metadata that points the secure native application 514 running on the mobile device 502 to the resources hosted at the enterprise that the secure native application 514 may require to complete the task requested upon execution of the secure native application 514. The secure remote applications 522 executed by a secure application launcher 518 may be executed within the secure application launcher application 518.
The virtualization applications 526 executed by a secure application launcher 518 may utilize resources on the mobile device 502, at the enterprise resources 504, and the like. The resources used on the mobile device 502 by the virtualization applications 526 executed by a secure application launcher 518 may include user interaction resources, processing resources, and the like. The user interaction resources may be used to collect and transmit keyboard input, mouse input, camera input, tactile input, audio input, visual input, gesture input, and the like. The processing resources may be used to present a user interface, process data received from the enterprise resources 504, and the like. The resources used at the enterprise resources 504 by the virtualization applications 526 executed by a secure application launcher 518 may include user interface generation resources, processing resources, and the like. The user interface generation resources may be used to assemble a user interface, modify a user interface, refresh a user interface, and the like. The processing resources may be used to create information, read information, update information, delete information, and the like. For example, the virtualization application may record user interactions associated with a GUI and communicate them to a server application, where the server application will use the user interaction data as an input to the application running on the server. In this arrangement, an enterprise may elect to keep the application, as well as the data, files, etc. associated with the application, on the server side. While an enterprise may elect to "transfer" some applications to the mobile device by securing them for deployment there in accordance with the principles herein, this arrangement may also be elected for certain applications. For example, while some applications may be secured for use on the mobile device, others may not be prepared or appropriate for deployment on the mobile device, so the enterprise may elect to provide the mobile user with access to the unprepared applications through virtualization techniques. As another example, the enterprise may have large, complex applications with large and complex data sets (e.g., material resource planning applications) where it would be very difficult, or otherwise undesirable, to customize the application for the mobile device, so the enterprise may elect to provide access to the application through virtualization techniques. As yet another example, the enterprise may have an application that maintains highly secure data (e.g., human resources data, customer data, project data) that the enterprise may deem too sensitive even for the secured mobile environment, so the enterprise may elect to use virtualization techniques to permit mobile access to such applications and data. An enterprise may elect to provide both fully secured and fully functional applications on the mobile device, as well as a virtualization application to allow access to applications that are deemed more properly operated on the server side. In an embodiment, the virtualization application may store some data, files, etc. on the mobile phone in one of the secure storage locations. An enterprise, for example, may elect to allow certain information to be stored on the phone while not permitting other information to be stored on the phone.
In connection with the virtualization application as described herein, the mobile device may have a virtualization application that is designed to present GUIs and then record user interactions with the GUI. The application may communicate the user interactions to the server side, to be used by the server-side application as the user's interactions with the application. In response, the application on the server side may transmit a new GUI back to the mobile device. For example, the new GUI may be a static page, a dynamic page, an animation, or the like.
The secure applications may access data stored in a secure data container 528 in the managed partition 510 of the mobile device. The data secured in the secure data container may be accessed by the secure wrapped applications 514, applications executed by a secure application launcher 518, virtualization applications 526 executed by a secure application launcher 518, and the like. The data stored in the secure data container 528 may include files, databases, and the like. The data stored in the secure data container 528 may include data restricted to a specific secure application 530, data shared among secure applications 532, and the like. Data restricted to a secure application may include secure general data 534 and highly secure data 538. Secure general data may use a strong form of encryption (such as AES 128-bit encryption or the like), while highly secure data 538 may use a very strong form of encryption (such as AES 256-bit encryption). Data stored in the secure data container 528 may be deleted from the device upon receipt of a command from the device manager 524.
The secure applications may have a dual-mode option 540. The dual-mode option 540 may present the user with an option to operate the secure application in an unsecured mode. In an unsecured mode, the secure applications may access data stored in an unsecured data container 542 on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container may be personal data 544. The data stored in an unsecured data container 542 may also be accessed by unsecured applications 548 that are running on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container 542 may remain on the mobile device 502 when the data stored in the secure data container 528 is deleted from the mobile device 502. An enterprise may want to delete from the mobile device selected or all data, files, and/or applications owned, licensed, or controlled by the enterprise (enterprise data), while leaving or otherwise preserving personal data, files, and/or applications owned, licensed, or controlled by the user (personal data). This operation may be referred to as a selective wipe. With the enterprise and personal data arranged in accordance with the aspects described herein, an enterprise may perform a selective wipe.
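The selective wipe described above can be sketched as follows. This is an added example, not code from the patent or from any MDM product. The directory layout, command format and function names are hypothetical: a directory stands in for secure data container 528, another for unsecured data container 542, and the sample files are constructed. The handler confines every wipe target to the secure container, so a malformed or hostile command cannot reach personal data.

```python
import shutil
import tempfile
from pathlib import Path

SECURE = "managed/secure_container"   # stands in for secure data container 528
PERSONAL = "unmanaged/personal"       # stands in for unsecured data container 542


def build_sample_device(root: Path) -> None:
    """Write constructed sample data: app-restricted and shared enterprise data, plus personal data."""
    files = {
        f"{SECURE}/apps/com.example.securemail/inbox.db": b"enterprise mail",
        f"{SECURE}/apps/com.example.hr/payroll.db": b"highly secure HR data",
        f"{SECURE}/shared/contacts.db": b"shared enterprise contacts",
        f"{PERSONAL}/photos/holiday.jpg": b"personal photo",
        f"{PERSONAL}/notes.txt": b"personal notes",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def list_files(root: Path) -> set:
    """Return every file under root as a POSIX-style relative path."""
    return {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}


def selective_wipe(root: Path, command: dict) -> list:
    """Apply a wipe command from the device manager; return the relative paths removed.

    command is {"scope": "all"} or {"scope": "selected", "targets": ["apps/<id>", "shared"]}.
    Targets are interpreted relative to the secure container only.
    """
    base = root.resolve()
    container = (root / SECURE).resolve()
    scope = command.get("scope")
    if scope == "all":
        targets = [container]
    elif scope == "selected":
        targets = []
        for t in command.get("targets", []):
            candidate = (container / t).resolve()
            # Reject "..", absolute paths and symlinks that resolve outside the container.
            if candidate == container or container not in candidate.parents:
                raise ValueError(f"wipe target outside secure container: {t!r}")
            targets.append(candidate)
    else:
        raise ValueError(f"unknown wipe scope: {scope!r}")

    # All targets were validated before anything is deleted.
    removed = []
    for target in targets:
        if not target.exists():
            continue
        doomed = [target] if target.is_file() else [p for p in target.rglob("*") if p.is_file()]
        removed += [p.relative_to(base).as_posix() for p in doomed]
        if target.is_file():
            target.unlink()
        else:
            shutil.rmtree(target)   # removes symlinks themselves, does not follow them
    if scope == "all":
        container.mkdir(parents=True, exist_ok=True)   # leave an empty container behind
    return sorted(removed)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        device = Path(tmp)
        build_sample_device(device)
        print(selective_wipe(device, {"scope": "selected", "targets": ["apps/com.example.hr"]}))
        print(selective_wipe(device, {"scope": "all"}))
        print(sorted(list_files(device)))   # only personal data remains
```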
The mobile device may connect to enterprise resources 504 and enterprise services 508 at an enterprise, to the public Internet 548, and the like. The mobile device may connect to enterprise resources 504 and enterprise services 508 through virtual private network connections. The virtual private network connections (also referred to as micro VPN or application-specific VPN) may be specific to particular applications 550 on the mobile device, particular devices, particular secured areas, and the like (e.g., 552). For example, each of the wrapped applications in the secured area of the phone may access enterprise resources through an application-specific VPN, such that access to the VPN would be granted based on attributes associated with the application (possibly in conjunction with user or device attribute information). The virtual private network connections may carry Microsoft Exchange traffic, Microsoft Active Directory traffic, HTTP traffic, HTTPS traffic, application management traffic, and the like. The virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504.
The virtual private network connections can be established and managed by an access gateway 560. The access gateway 560 can include performance enhancement features that manage, accelerate, and improve the delivery of enterprise resources 504 to the mobile device 502. The access gateway can also re-route traffic from the mobile device 502 to the public Internet 548, enabling the mobile device 502 to access publicly available and unsecured applications that run on the public Internet 548. The mobile device can connect to the access gateway via a transport network 562. The transport network 562 can be a wired network, wireless network, cloud network, local area network, metropolitan area network, wide area network, public network, private network, and the like.
Enterprise resources 504 can include email servers, file sharing servers, SaaS applications, web application servers, Windows application servers, and the like. Email servers can include Exchange servers, Lotus Notes servers, and the like. File sharing servers can include ShareFile servers and the like. SaaS applications can include Salesforce and the like. Windows application servers can include any application server that is built to provide applications intended to run on a local Windows operating system, and the like. Enterprise resources 504 can be premise-based resources, cloud-based resources, and the like. Enterprise resources 504 can be accessed by the mobile device 502 directly or through the access gateway 560. Enterprise resources 504 can be accessed by the mobile device 502 via the transport network 562. The transport network 562 can be a wired network, wireless network, cloud network, local area network, metropolitan area network, wide area network, public network, private network, and the like.
Enterprise services 508 can include authentication services 558, threat detection services 564, device manager services 524, file sharing services 568, policy manager services 570, social integration services 572, application controller services 574, and the like. Authentication services 558 can include user authentication services, device authentication services, application authentication services, data authentication services, and the like. Authentication services 558 can use certificates. The certificates can be stored on the mobile device 502 by the enterprise resources 504, and the like. The certificates stored on the mobile device 502 can be stored in an encrypted location on the mobile device, or a certificate can be temporarily stored on the mobile device 502 for use at the time of authentication, and the like. Threat detection services 564 can include intrusion detection services, unauthorized access attempt detection services, and the like. Unauthorized access attempt detection services can cover unauthorized attempts to access devices, applications, data, and the like. Device management services 524 can include configuration, provisioning, security, support, monitoring, reporting, and decommissioning services. File sharing services 568 can include file management services, file storage services, file collaboration services, and the like. Policy manager services 570 can include device policy manager services, application policy manager services, data policy manager services, and the like. Social integration services 572 can include contact integration services, collaboration services, integration with social networks (e.g., Facebook, Twitter, and LinkedIn), and the like. Application controller services 574 can include management services, provisioning services, deployment services, distribution services, revocation services, wrapping services, and the like.
The enterprise mobility technical architecture 500 can include an application store 578. The application store 578 can include unwrapped applications 580, pre-wrapped applications 582, and the like. Applications can be populated in the application store 578 from the application controller 574. The application store 578 can be accessed by the mobile device 502 through the access gateway 560, through the public Internet 548, and the like. The application store can be provided with an intuitive and easy-to-use user interface. The application store 578 can provide access to a software development kit (SDK) 584. The SDK 584 can give a user the capability to secure applications selected by the user by wrapping the application as described previously in this description. An application that has been wrapped using the SDK 584 can then be made available to the mobile device 502 by populating it in the application store 578 using the application controller 574.
The enterprise mobility technical architecture 500 can include a management and analytics capability. The management and analytics capability can provide information related to how resources are used, how often resources are used, and the like. Resources can include devices, applications, data, and the like. How resources are used can include which devices download which applications, which applications access which data, and the like. How often resources are used can include how often an application has been downloaded, how many times a specific set of data has been accessed by an application, and the like.
Fig. 6 is another illustrative enterprise mobility management system 600. Some of the components of the mobility management system 500 described above with reference to Fig. 5 have been omitted for the sake of simplicity. The architecture of the system 600 depicted in Fig. 6 is similar in many respects to the architecture of the system 500 described above with reference to Fig. 5 and can include additional features not mentioned above.
In this case, the left-hand side represents an enrolled/managed mobile device 602 with a client agent 604, which interacts with a gateway server 606 (which includes access gateway and application controller functionality) to access various enterprise resources 608 and services 609, such as Exchange, Sharepoint, PKI resources, Kerberos resources, and certificate issuance services, as shown on the right-hand side above. Although not specifically shown, the mobile device 602 can also interact with an application store for the selection and downloading of applications.
The client agent 604 acts as the UI (user interface) intermediary for Windows applications/desktops hosted in an enterprise data center, which are accessed using a display remoting protocol such as, but not limited to, the ICA protocol. The client agent 604 also supports the installation and management of native applications on the mobile device 602, such as native iOS or Android applications. For example, the managed applications 610 (mail, browser, wrapped application) shown in the figure above are all native applications that execute locally on the device. The client agent 604 and the application management framework (AMF) of this architecture act to provide policy-driven management capabilities and features, such as connectivity and SSO (single sign-on) to enterprise resources/services 608. The client agent 604 handles primary user authentication to the enterprise, normally to the access gateway (AG) with SSO to other gateway server components. The client agent 604 obtains policies from the gateway server 606 to control the behavior of the AMF managed applications 610 on the mobile device 602.
The secure IPC links 612 between the native applications 610 and the client agent 604 represent a management channel, which allows the client agent to supply policies to be enforced by the application management framework 614 "wrapping" each application. The IPC channel 612 also allows the client agent 604 to supply credential and authentication information that enables connectivity and SSO to enterprise resources 608. Finally, the IPC channel 612 allows the application management framework 614 to invoke user interface functions implemented by the client agent 604, such as online and offline authentication.
Communications between the client agent 604 and the gateway server 606 are essentially an extension of the management channel from the application management framework 614 wrapping each native managed application 610. The application management framework 614 requests policy information from the client agent 604, which in turn requests it from the gateway server 606. The application management framework 614 requests authentication, and the client agent 604 logs into the gateway services part of the gateway server 606 (also known as NetScaler Access Gateway). The client agent 604 can also call supporting services on the gateway server 606, which can produce input material to derive encryption keys for the local data vaults 616, or provide client certificates that can enable direct authentication to PKI-protected resources, as explained more fully below.
In more detail, the application management framework 614 "wraps" each managed application 610. This can be incorporated via an explicit build step or via a post-build processing step. The application management framework 614 can "pair" with the client agent 604 on first launch of an application 610 to initialize the secure IPC channel and obtain the policy for that application. The application management framework 614 can enforce the relevant portions of the policy that apply locally, such as the client agent login dependencies and some of the containment policies that restrict how local OS services can be used or how they can interact with the application 610.
The application management framework 614 can use services provided by the client agent 604 over the secure IPC channel 612 to facilitate authentication and internal network access. Key management for the private and shared data vaults 616 (containers) can also be managed by appropriate interactions between the managed applications 610 and the client agent 604. The vaults 616 can be available only after online authentication, or can be made available after offline authentication if allowed by policy. First use of the vaults 616 can require online authentication, and offline access can be limited to at most the policy refresh period before online authentication is again required.
Network access to internal resources can occur directly from individual managed applications 610 through the access gateway 606. The application management framework 614 is responsible for orchestrating the network access on behalf of each application 610. The client agent 604 can facilitate these network connections by providing suitable time-limited secondary credentials obtained following online authentication. Multiple modes of network connection can be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 618.
The mail and browser managed applications 610 have special status and can make use of facilities that might not be generally available to arbitrary wrapped applications. For example, the mail application can use a special background network access mechanism that allows it to access Exchange over an extended period of time without requiring a full AD logon. The browser application can use multiple private data vaults to segregate different kinds of data.
This architecture supports the incorporation of various other security features. For example, the gateway server 606 (including its gateway services) in some cases will not need to validate AD passwords. It can be left to the discretion of an enterprise whether an AD password is used as an authentication factor for some users in some situations. Different authentication methods can be used depending on whether a user is online or offline (i.e., connected or not connected to a network).
Step-up authentication is a feature wherein the gateway server 606 can identify managed native applications 610 that are allowed to have access to highly classified data requiring strong authentication, and ensure that access to these applications is permitted only after appropriate authentication has been performed, even if this means the user must re-authenticate after a prior, weaker level of login.
Another security feature of this solution is the encryption of the data vaults 616 (containers) on the mobile device 602. The vaults 616 can be encrypted so that all on-device data, including files, databases, and configurations, is protected. For online vaults, the keys can be stored on the server (gateway server 606), and for offline vaults, a local copy of the keys can be protected by a user password. When data is stored locally on the device 602 in the secure container 616, it is preferred that, at a minimum, the AES 256 encryption algorithm be used.
Other secure container features can also be implemented. For example, a logging feature can be included, wherein all security events happening inside an application 610 are logged and reported to the backend. Data wiping can be supported: for example, if the application 610 detects tampering, the associated encryption keys can be overwritten with random data, leaving no hint on the file system that user data was destroyed. Screenshot protection is another feature, wherein an application can prevent any data from being stored in screenshots. For example, the key window's hidden property can be set to YES. This causes whatever content is currently displayed on the screen to be hidden, resulting in a blank screenshot where any content would normally reside.
Local data transfer can be prevented, such as by preventing any data from being transferred locally outside the application container, e.g., by copying it or sending it to an external application. A keyboard cache feature can operate to disable the autocorrect functionality for sensitive text fields. SSL certificate validation can be operable, so that the application specifically validates the server SSL certificate instead of it being stored in the keychain. An encryption key generation feature can be used such that the key used to encrypt data on the device is generated using a passphrase supplied by the user (if offline access is required). If offline access is not required, it can be XORed with another key that is randomly generated and stored on the server side. Key derivation functions can operate such that keys generated from the user password use a KDF (key derivation function, notably PBKDF2) rather than a cryptographic hash of the password. A cryptographic hash leaves the key susceptible to brute force or dictionary attacks.
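The key-generation scheme described above (PBKDF2 rather than a plain hash, XORed with a server-held random key when offline access is not required), sketched as an added example that is not code from the patent or from any product it describes. The function names, salt size, and iteration count are assumptions.

```python
import hashlib
import secrets

KEY_LEN = 32             # 256-bit key, the AES-256 minimum stated for the vault
PBKDF2_ROUNDS = 600_000  # assumed work factor; the page does not give one
SALT_LEN = 16            # assumed size of the per-device random salt


def plain_hash_key(password: str) -> bytes:
    """The approach the text warns against: one fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def password_key(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Stretch the user passphrase with PBKDF2-HMAC-SHA256 and a per-device salt."""
    if len(salt) < SALT_LEN:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, rounds, dklen=KEY_LEN
    )


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def new_server_key() -> bytes:
    """Random key share generated and kept on the server side."""
    return secrets.token_bytes(KEY_LEN)


def vault_key(password, salt, server_key=None, rounds=PBKDF2_ROUNDS):
    """Derive the key that encrypts on-device data.

    Offline access required: the password-derived key is used on its own.
    Offline access not required: it is XORed with the server-held key, so the
    device alone never holds enough material to rebuild the vault key.
    """
    derived = password_key(password, salt, rounds)
    if server_key is None:
        return derived
    return xor_bytes(derived, server_key)


def demo() -> dict:
    # Constructed sample values: one passphrase used on two devices.
    passphrase = "correct horse battery staple"
    salt_a = secrets.token_bytes(SALT_LEN)
    salt_b = secrets.token_bytes(SALT_LEN)
    server = new_server_key()
    offline_a = vault_key(passphrase, salt_a)
    offline_b = vault_key(passphrase, salt_b)
    online_a = vault_key(passphrase, salt_a, server)
    return {
        # A plain hash gives the same key everywhere, so one precomputed
        # dictionary serves every device.
        "hash_same_on_all_devices": plain_hash_key(passphrase) == plain_hash_key(passphrase),
        # Salted PBKDF2 gives each device its own key for the same passphrase.
        "kdf_differs_per_device": offline_a != offline_b,
        # The online-only key differs from the offline key on the same device.
        "server_share_changes_key": online_a != offline_a,
    }


if __name__ == "__main__":
    print(demo())
```

With the server share in place, guessing passphrases against a stolen device image is not enough to recover the vault key, because each guess still needs the 256-bit value held by the server.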
Additionally, one or more initialization vectors can be used in encryption methods. An initialization vector causes multiple copies of the same encrypted data to yield different ciphertext output, preventing both replay and cryptanalytic attacks. This also prevents an attacker from decrypting any data, even with a stolen encryption key, if the specific initialization vector used to encrypt the data is not known. In addition, authentication followed by decryption can be used, wherein application data is decrypted only after the user has authenticated within the application. Another feature can relate to sensitive data in memory, which can be kept in memory (and not on disk) only when it is needed. For example, login credentials can be wiped from memory after login, and encryption keys and other data inside objective-C instance variables are not stored, because they can be easily referenced. Instead, memory can be manually allocated for these.
An inactivity timeout can be implemented, wherein a user session is terminated after a policy-defined period of inactivity.
Data leakage from the application management framework 614 can be prevented in other ways. For example, when an application 610 is put in the background, the memory can be cleared after a predetermined (configurable) time period. When an application is backgrounded, a snapshot can be taken of its last displayed screen to speed up the foregrounding process. The screenshot can contain confidential data and therefore should be cleared.
Another security feature relates to the use of an OTP (one-time password) 620 without the use of an AD (Active Directory) 622 password for access to one or more applications. In some cases, some users do not know (or are not permitted to know) their AD password, so these users can authenticate using an OTP 620, such as by using a hardware OTP system like SecurID (OTPs can also be provided by different vendors, such as Entrust or Gemalto). In some cases, after a user authenticates with a user ID, a text is sent to the user with an OTP 620. In some cases, this can be implemented only for online use, with the prompt being a single field.
An offline password can be implemented for offline authentication for those applications 610 for which offline use is permitted via enterprise policy. For example, an enterprise may want the enterprise application store to be accessed in this manner. In this case, the client agent 604 can require the user to set a custom offline password, and the AD password is not used. The gateway server 606 can provide policies to control and enforce password standards with respect to the minimum length, character class composition, and age of passwords, such as described by the standard Windows Server password complexity requirements, although these requirements can be modified.
Another feature relates to the enablement of a client-side certificate for certain applications 610 as secondary credentials (for the purpose of accessing PKI-protected network resources via the micro-VPN feature). For example, an email application can use such a certificate. In this case, certificate-based authentication using the ActiveSync protocol can be supported, wherein a certificate from the client agent 604 can be retrieved by the gateway server 606 and used in a keychain. Each managed application can have one associated client certificate, identified by a label that is defined in the gateway server 606.
The gateway server 606 can interact with a dedicated enterprise service to support the issuance of client certificates, allowing the relevant managed applications to authenticate to internal PKI-protected resources.
The client agent 604 and the application management framework 614 can be enhanced to support obtaining and using client certificates for authentication to internal PKI-protected network resources. More than one certificate can be supported, such as to match various levels of security and/or separation requirements. The certificates can be used by the mail and browser managed applications, and ultimately by arbitrary wrapped applications (provided those applications use web-service-style communication patterns where it is reasonable for the application management framework to mediate HTTPS requests).
Client certificate support on iOS can rely on importing a PKCS 12 BLOB (binary large object) into the iOS keychain in each managed application for each period of use. Client certificate support can use an HTTPS implementation with private in-memory key storage. The client certificate will never be present in the iOS keychain and will not be persisted, except possibly in an "online-only" data value that is strongly protected.
Mutual SSL can also be implemented to provide additional security by requiring that the mobile device 602 be authenticated to the enterprise, and vice versa. Virtual smart cards for authentication to the gateway server 606 can also be implemented.
Both limited and full Kerberos support can be additional features. The full support feature relates to the ability to perform a full Kerberos login to AD 622, using an AD password or a trusted client certificate, and to obtain Kerberos service tickets to respond to HTTP Negotiate authentication challenges. The limited support feature relates to constrained delegation in AGEE, where AFEE supports invoking Kerberos protocol transition so that it can obtain and use Kerberos service tickets (subject to constrained delegation) in response to HTTP Negotiate authentication challenges. This mechanism works in reverse web proxy (also known as CVPN) mode, and when HTTP (but not HTTPS) connections are proxied in VPN and micro-VPN mode.
Another feature relates to application container locking and wiping, which can occur automatically upon detection of a jailbreak or of rooting, can occur as a pushed command from a management console, and can include remote wipe functionality even when an application 610 is not running.
A multi-site architecture or configuration of the enterprise application store and application controller can be supported, which allows users to be served from one of several different locations in case of failure.
In some cases, managed applications 610 can be allowed to access a certificate and private key via an API (for example, OpenSSL). Trusted managed applications 610 of an enterprise can be allowed to perform specific public key operations with an application's client certificate and private key. Various use cases can be identified and treated accordingly, such as when an application behaves like a browser and no certificate access is required, when an application reads a certificate for "who am I," when an application uses the certificate to build a secure session token, and when an application uses the private key for digital signing of important data (e.g., a transaction log) or for temporary data encryption.
Enterprise mobility device management features
Fig. 7 is another illustrative enterprise mobility management system 700. Some of the components of the mobility management systems 500 and 600 described above with reference to Fig. 5 and Fig. 6 have been omitted for the sake of simplicity. The architecture of the system 700 depicted in Fig. 7 is similar in many respects to the architecture of the systems 500 and 600 described above with reference to Fig. 5 and Fig. 6, and can include additional features not mentioned above.
In this example, the enterprise mobility management system 700 can include a cloud computing environment 702 that interacts, via a communication network 710, with one or more of a physical mobile device 724 (e.g., a physical end user device) of an end user 726 and mobile device management (MDM) service providers 712, 718. The communication network 710 can enable two or more computing devices to communicate using wireless LAN (WLAN) interfaces and/or signals, cellular interfaces and/or signals, Bluetooth interfaces and/or signals, and/or any other communication interfaces and/or signals.
The cloud computing environment 702 can include one or more cloud-based mobile device management service provider servers 704. A server 704 can be a computer, thin client, blade server, and/or other computing device. At least one of the cloud-based mobile device management service provider servers 704 can include a pseudo device 706 representing the physical mobile device 724 of the end user 726. The cloud computing environment can also include a firewall 708 or gateway to facilitate secure communication with, and selective access to, the pseudo device 706 by any of the one or more MDM service providers 712, 718 and the physical mobile device 724. In some embodiments, the cloud computing environment 702 can be part of one of the MDM service providers 712, 718. In some embodiments, one of the MDM service providers 712, 718 can provide an on-premises deployment to control the transition of the physical mobile device 726 between the one or more MDM service providers 712, 718. For example, an MDM service provider 712, 718 can transfer enrollment to a local server, which can then work with both the existing provider and a new, preferred provider, with policy being transitioned while the profile is active in the new provider (or this can be done in advance to insulate against future provider changes).
According to one or more aspects, the pseudo device 706 can represent the physical mobile device 724 of the end user 726. Specifically, the pseudo device 706 can act as a proxy for the physical mobile device 724 (also referred to herein as a physical end user device). Additionally or alternatively, the pseudo device 706 can be a logical representation of the physical mobile device 724. As such, the pseudo device can use the processor and memory of the server 704 to perform tasks and store information, respectively. In some embodiments, the pseudo device 706 can include a computer program that implements the protocols required to interact with the MDM service providers 712, 718. Additionally or alternatively, in some embodiments, the pseudo device 706 can behave like the physical mobile device 724, except that the pseudo device can enroll with multiple MDM service providers. Additionally or alternatively, in some embodiments, the pseudo device 706 can emulate and/or simulate the physical mobile device 724, so that the pseudo device 706 appears to the MDM service providers 712, 718 to be the actual physical mobile device 724. For example, in emulating and/or simulating the physical mobile device 724, the pseudo device 706 representing the physical mobile device 724 can authenticate with the MDM service providers 712 and 718, receive one or more commands and/or other communications from the MDM service providers 712 and 718, and/or send one or more messages and/or other communications to the MDM service providers 712 and 718, as if the pseudo device 706 were the physical mobile device 724. As a result, the MDM service providers 712, 718 can treat or otherwise interact with the pseudo device 706 as if they were interacting with the actual physical mobile device 724. Accordingly, the features and/or components relating to mobile devices described above with reference to Fig. 5 and Fig. 6 can be implemented with the pseudo device 706.
For example, the pseudo device 706 can enroll with the first MDM service provider 712 in the same way in which a typical physical mobile device would enroll with the first MDM service provider 712 (e.g., by authenticating with the MDM service provider 712, by requesting one or more policies and/or profiles from the first MDM service provider 712, etc.). In this way, the pseudo device 706 can be provisioned for use with the first MDM service provider 712 (e.g., similar to how a conventional physical mobile device might be provisioned for use with an MDM service provider). For example, in enrolling with the MDM service provider 712, the pseudo device 706 can send an enrollment request to the first MDM service provider 712. Subsequently, the pseudo device 706 can receive from the first MDM service provider 712 a policy enforcement profile 716 (e.g., a certificate) of the first MDM service provider 712. The pseudo device 706 can then store the policy enforcement profile 716 of the first MDM service provider 712 in the associated memory of the server 704.
The policy enforcement profile 716 can facilitate identification of the pseudo device 706 with the first MDM service provider 712, and can facilitate secure communication between the pseudo device 706 and the first MDM service provider 712. Once the pseudo device 706 is provisioned for use with the first MDM service provider 712, the pseudo device 706 can access and/or otherwise interact with various enterprise resources 714 of the first MDM service provider 712. The pseudo device 706 representing the physical mobile device 724 can be configured to receive one or more commands from one or more of the MDM service providers 712, 718, so that the MDM service providers 712, 718 can manage the physical mobile device 724 via the pseudo device 706.
Similarly, the pseudo device 706 can enroll with the second MDM service provider 718 in the same way in which a typical physical mobile device would enroll with the second MDM service provider 718. Specifically, the pseudo device 706 can be provisioned for use with the second MDM service provider 718. More specifically, the pseudo device 706 can send an enrollment request to the second MDM service provider 718. Subsequently, the pseudo device can receive from the second MDM service provider 718 a policy enforcement profile 722 (e.g., a certificate) of the second MDM service provider 718. The pseudo device 706 can store the policy enforcement profile 722 of the second MDM service provider 718 in the associated memory of the server 704. The policy enforcement profile 716 of the first MDM service provider 712 and the policy enforcement profile 722 of the second MDM service provider 718 can be stored concurrently at the pseudo device 706, in the associated memory of the server 704.
The policy enforcement profile 722 can facilitate identification of the pseudo device 706 with the second MDM service provider 718, and can facilitate secure communication between the pseudo device 706 and the second MDM service provider 718. Once the pseudo device 706 is provisioned for use with the second MDM service provider 718, the pseudo device 706 can access and/or otherwise interact with various enterprise resources 720 of the second MDM service provider 718. The pseudo device 706 representing the physical mobile device 724 can be configured to receive one or more commands from one or more of the MDM service providers 712, 718 to manage the physical mobile device 724.
As described above, the pseudo device 706 can communicate with the physical mobile device 724 of the end user 726. Once the pseudo device 706 is provisioned for use with the first MDM service provider 712, the pseudo device 706 can deploy (e.g., send) the policy enforcement profile 716 from the pseudo device 706 to the physical mobile device 724. The policy enforcement profile 716 can facilitate enforcement of the policies of the first MDM service provider 712 at the physical mobile device 724 (e.g., by an MDM policy enforcement agent, such as an MDM cloud agent that can run on the physical mobile device 724 and can be configured to receive and subsequently enforce such policies).
Because the physical mobile device 724 is allowed to work with the first and second MDM service providers 712, 718 via the pseudo device 706, the physical mobile device 724 does not need to un-enroll and/or re-enroll when it moves, for example, from working with the first MDM service provider 712 to working with the second MDM service provider 718. For example, the physical mobile device 724 does not need to uninstall the profile of the first MDM service provider 712 and re-enroll with the profile of the second MDM service provider in order to access the enterprise resources of the second MDM service provider 718. In addition, the user does not need to have more than one physical mobile device, one for use with each of the MDM service providers 712, 718.
In communicating with the physical mobile device 724, the pseudo device 706 can deploy and/or enable access to enterprise resources 714, which include, for example, enterprise applications, application data, and/or other information as allowed by the policy enforcement profile 716 of the first MDM service provider 712. The pseudo device 706 can also send commands to the physical mobile device 724 when communicating with it. In some instances, the pseudo device 706 can send commands to the physical mobile device 724 autonomously, without being prompted by the first MDM service provider 712 and/or without receiving any command from the first MDM service provider 712. In other instances, the pseudo device 706 can send commands to the physical mobile device 724 in response to receiving one or more commands from the first MDM service provider 712. In some instances, the commands sent from the pseudo device 706 to the physical mobile device 724 can differ from the one or more commands that the pseudo device 706 received from the first MDM service provider 712. For example, in some instances, the pseudo device 706 can modify the commands received from the MDM service provider and subsequently send the modified commands to the physical mobile device 724. The one or more different and/or modified commands can be based at least in part on the commands received at the pseudo device 706 from the first MDM service provider 712. The pseudo device 706 can generate the one or more different and/or modified commands and can send those commands to the physical mobile device 724. Additionally or alternatively, the pseudo device 706 can receive commands from the first MDM service provider 712 and send the received commands to the physical mobile device 724.
Pseudo-device 706 can send commands to physical mobile device 724 to enforce the policies associated with the first MDM service provider 712. For example, a command can cause one or more previously deployed enterprise resources 714 (which can include, for example, one or more enterprise applications, application data, or other data or information permitted by policy enforcement profile 716) to be retracted from physical mobile device 724. This is referred to as "retraction" in the following discussion. In causing the one or more previously deployed enterprise resources 714 to be retracted from physical mobile device 724, the command can cause data generated by physical mobile device 724 in connection with the first MDM service provider 712 to be removed from physical mobile device 724. In some instances, retracting enterprise resources and/or other information from pseudo-device 706 can include revoking policy enforcement profile 716.
In executing the retraction command received from pseudo-device 706, physical mobile device 724 can send to pseudo-device 706 one or more of enterprise resources 714, the data generated at physical mobile device 724, and/or policy enforcement profile 716. Subsequently, physical mobile device 724 can perform a selective wipe to remove or delete one or more of enterprise resources 714, the data generated at physical mobile device 724, and/or policy enforcement profile 716 from physical mobile device 724. In these instances, personal applications and personal data (for example, data not associated with MDM service providers 712, 718) are maintained by physical mobile device 724 during the selective wipe of physical mobile device 724. In other words, the personal applications and personal data stored on physical mobile device 724 may not be removed during retraction and/or deleted during the selective wipe.
In some embodiments, pseudo-device 706 can send one or more commands to physical mobile device 724 that cause physical mobile device 724 to locally partition and/or otherwise segregate one or more of enterprise resources 714, the data generated at physical mobile device 724, and/or policy enforcement profile 716, so that end user 726 cannot access (for example, is prevented from accessing) one or more of enterprise resources 714, the data generated at physical mobile device 724, and/or policy enforcement profile 716.
In some embodiments, pseudo-device 706 can respond directly to commands from the first MDM service provider 712 and/or the second MDM service provider 718 (for example, without the involvement of physical mobile device 724). Specifically, pseudo-device 706 can receive one or more commands from one or more of the MDM service providers 712, 718. Pseudo-device 706 can determine whether to send a command from pseudo-device 706 to physical mobile device 724. The determination can be based on several factors, including, for example: whether unknown information from physical mobile device 724 is needed in order to respond to the one or more commands sent from one or more of the MDM service providers 712, 718; whether a policy associated with the one or more commands received from one of the MDM service providers 712, 718 conflicts with one or more policies of another of the MDM service providers 712, 718 with which pseudo-device 706 is currently enrolled; and/or one or more other factors. In response to a determination not to send one or more commands to physical mobile device 724, pseudo-device 706 can send to the one or more MDM service providers 712, 718 a response to the one or more commands received from them. For example, if the intended or desired result of the one or more commands received from the first MDM service provider 712 has already been achieved without any command being sent to physical mobile device 724, the response can be sent to the first MDM service provider 712. The response can include an indication that the operation associated with the one or more commands received from the one or more MDM service providers 712, 718 has been completed. In some instances, the response can include an indication that the operation was not completed, or some other indication.
In some embodiments, physical mobile device 724 might not communicate with one or more of the MDM service providers 712, 718 without the involvement of the pseudo-device 706 that represents physical mobile device 724. In other embodiments, physical mobile device 724 can communicate with one or more of the MDM service providers 712, 718 with or without the involvement of the pseudo-device 706 that represents physical mobile device 724.
In some embodiments, the user 726 of physical mobile device 724 can sign up for and/or enroll in the cloud service associated with cloud computing environment 702, and install a profile certificate for the cloud service on physical mobile device 724. When user 726 wishes to use the first MDM service of the first MDM service provider 712, pseudo-device 706 can be established in cloud computing environment 702 and provisioned for use with the first MDM service provider 712 as discussed herein. Likewise, when user 726 wishes to use the second MDM service of the second MDM service provider 718, pseudo-device 706 can be provisioned for use with the second MDM service provider 718 as discussed herein. Pseudo-device 706 can receive messages from the other MDM service provider and queue those messages or potentially reply to them (for example, by sending a response back to the respective MDM service provider). In instances where pseudo-device 706 responds to the first MDM service provider 712 without the involvement of physical mobile device 724 (for example, a blocked message), pseudo-device 706 can send an indication of the message to physical mobile device 724 and, in response, physical mobile device 724 can notify user 726 of any blocked messages. Physical mobile device 724 can receive user input instructing physical mobile device 724 to display the message. Physical mobile device 724 can then transmit an instruction to pseudo-device 706 and, in response, can receive the message for display.
In some embodiments, user 726 and the cloud service associated with cloud computing environment 702 can enter into a contract. The user can specify, at physical mobile device 724, which actions the cloud service is allowed to perform on physical mobile device 724. Physical mobile device 724 can transmit these stipulations to cloud computing environment 702. For example, user 726 can stipulate that the cloud service should not attempt to perform any action on the local library of physical mobile device 724. Before the cloud service (and/or pseudo-device 706) sends any message to physical mobile device 724, for example on behalf of the first MDM service provider 712, the cloud service (and/or pseudo-device 706) can interpret the contract terms indicated in the contract. For example, the pseudo-device can operate according to the contract.
Although only the first MDM service provider 712 and the second MDM service provider 718 are shown in Fig. 7 and discussed above, there can be more than two mobile device management service providers. Pseudo-device 706 can interact with any additional MDM service provider and/or otherwise perform, with respect to any additional MDM service provider, the same functions described above.
Although the examples discussed above involve a single physical mobile device 724 that is provisioned with several MDM service providers 712, 718 via pseudo-device 706, arrangements in which another (for example, a second) physical mobile device (not shown) is provided are contemplated. In these arrangements, a second pseudo-device can be established in cloud computing environment 702. The second pseudo-device can represent the second physical mobile device. The second pseudo-device can be provisioned for use with one or more of the MDM service providers 712, 718. The second pseudo-device can perform functions similar to those of the pseudo-device discussed above, except that the operations relate to the second physical mobile device rather than to the physical mobile device described above. Additional physical mobile devices and corresponding pseudo-devices can similarly be provided in other arrangements.
Fig. 8 is another illustrative enterprise mobility management system 800. For simplicity, some of the components of mobility management system 500 and mobility management system 600 described above with reference to Fig. 5 and Fig. 6 have been omitted. The architecture of the system 800 depicted in Fig. 8 is similar in many respects to the architecture of system 500 and system 600 described above with reference to Fig. 5 and Fig. 6, and can include additional features not mentioned above.
In addition, the architecture of system 800 is similar in many respects to the architecture of system 700, and can include additional features not mentioned above. Specifically, in the arrangement shown in Fig. 8, enterprise mobility management system 800 can include cloud computing environment 802, which interacts through communication network 810 with one or more MDM service providers 812, 818 and with the physical mobile device 824 (for example, a physical end user device) of end user 826. Communication network 810 can enable two or more computing devices to communicate using WLAN interfaces and/or signals, cellular interfaces and/or signals, Bluetooth interfaces and/or signals, and/or any other communication interfaces and/or signals.
Cloud computing environment 802 can include one or more cloud-based mobile device management service provider servers 804. Server 804 can be a computer, thin client, blade server and/or other computing device. At least one of the cloud-based mobile device management service provider servers 804 can include multiple pseudo-devices 806, 828 that represent the physical mobile device 824 of end user 826. Cloud computing environment 802 can also include a firewall 808 or gateway to facilitate secure communication with, and selective access to, pseudo-devices 806, 828 by any of the one or more MDM service providers 812, 818 and physical mobile device 824.
As described above, multiple pseudo-devices 806, 828 can be established within server 804 in cloud computing environment 802. Each of the pseudo-devices 806, 828 can represent physical mobile device 824. Each of the pseudo-devices 806, 828 representing physical mobile device 824 can be provisioned for use with one of the MDM service providers 812, 818. For example, the first pseudo-device 806 can be provisioned for use with the first MDM service provider 812. The second pseudo-device 828 can be provisioned for use with the second MDM service provider 818. The first and second pseudo-devices 806, 828 can each include a computer program that implements the protocol required to interact with its respective MDM service provider 812, 818.
Specifically, the first pseudo-device 806 and the first MDM service provider 812 can communicate with one another to provision the first pseudo-device 806 for use with the first MDM service provider 812. The first pseudo-device 806 can begin provisioning by sending a first enrollment request from the first pseudo-device 806 to the first MDM service provider 812. In response, the first pseudo-device 806 can receive a first policy enforcement profile 816 from the first MDM service provider 812, and can store the first policy enforcement profile 816 at the first pseudo-device 806 in memory associated with the first pseudo-device 806. Provisioning the second pseudo-device 828 for use with the second MDM service provider 818 can include: sending a second enrollment request from the second pseudo-device 828 to the second MDM service provider 818; and receiving, at the second pseudo-device 828, a second policy enforcement profile 822 from the second MDM service provider 818. The second policy enforcement profile 822 can be different from the first policy enforcement profile 816. The second policy enforcement profile 822 can be stored by the second pseudo-device 828 in memory associated with the second pseudo-device 828.
Once the first pseudo-device 806 has been provisioned, the first pseudo-device 806 can be configured to receive one or more commands from the first MDM service provider 812 on behalf of physical mobile device 824. Similarly, once the second pseudo-device 828 has been provisioned, the second pseudo-device 828 can be configured to receive one or more commands from the second MDM service provider 818 on behalf of physical mobile device 824.
Accordingly, the first pseudo-device 806 can receive a first command from the first MDM service provider 812. In response, the first pseudo-device 806 can send a second command to physical mobile device 824. Similarly, the second pseudo-device can receive commands and send commands in the same manner with respect to the second MDM service provider 818.
Once the first pseudo-device 806 receives the first command from the first MDM service provider 812, the first pseudo-device 806 can determine whether to send the second command to physical mobile device 824. This determination can be based on one or more factors. For example, the determination can be based on whether the first pseudo-device 806 has enough information to respond to the first command. In response to a determination to send the second command to physical mobile device 824, the first pseudo-device 806 can send the second command to physical mobile device 824. In response to a determination not to send the second command to physical mobile device 824, the first pseudo-device 806 can send a response to the first command to the first MDM service provider 812. This response can be sent without any involvement of physical mobile device 824. For example, the response can be sent without sending a command to physical mobile device 824 and receiving a response from physical mobile device 824. The response sent to the first MDM service provider 812 can include an indication that the operation associated with the first command has been completed. For example, the indication can indicate that a selective wipe was performed at physical mobile device 824.
The first pseudo-device 806 can receive enterprise resources (for example, resource data 814) from the first MDM service provider 812. The first pseudo-device 806 can receive resource data 814 during a time period in which the policy enforcement profile 822 of the second MDM service provider 818 is currently active (for example, in use) at physical mobile device 824, or when no policy enforcement profile is currently active (for example, in use) at physical mobile device 824. In this instance, the first pseudo-device 806 can cache or otherwise store resource data 814 until the policy enforcement profile 816 of the first MDM service provider 812 becomes active at physical mobile device 824. When policy enforcement profile 816 is currently active on physical mobile device 824, the first pseudo-device 806 can then push resource data 814 from the first pseudo-device 806 to the physical mobile device. Physical mobile device 824 then has access to resource data 814 and/or can otherwise interact with resource data 814. The second pseudo-device 828 can perform similarly. For example, when policy enforcement profile 816 is currently active at physical mobile device 824, the second pseudo-device 828 can receive and cache resource data 820 from the second MDM service provider 818. When policy enforcement profile 822 is currently active at physical mobile device 824, the second pseudo-device 828 can then push resource data 820 to physical mobile device 824.
In some embodiments, the first pseudo-device 806 can receive a first command from the first MDM service provider 812. The first pseudo-device 806 can then modify the command before sending the command to physical mobile device 824. The first pseudo-device 806 can modify the device state information stored at the first pseudo-device 806 based on the command. The first command can be received during a time period in which the policy enforcement profile 822 of the second MDM service provider 818 is active on physical mobile device 824.
In some embodiments, the first pseudo-device 806 can send a selective wipe command to physical mobile device 824. The selective wipe command can be configured to cause a subset of the applications associated with the first MDM service provider 812, and the data associated with that subset of applications, to be deleted. The selective wipe command can also be configured to cause personal applications, the data associated with the personal applications, and the policy enforcement profile 816 associated with the first MDM service provider 812 to be maintained. For example, the selective wipe command can cause physical mobile device 824 to delete any data at physical mobile device 824 that is associated with the first MDM service provider 812, without deleting any personal data and/or data that is independent of the first MDM service provider 812.
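The forwarding decision, the caching of resource data until the provider's own profile is active, and the selective wipe described in the preceding paragraphs can be modelled as follows. This is an added Python example, not code from the patent; the class names, command names (`QUERY`, `PUSH_RESOURCES`, `SELECTIVE_WIPE`, `DEPLOY`) and sample data are assumptions, and retraction on profile switch is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class PhysicalDevice:
    """Stand-in for the physical mobile device; all names are hypothetical."""
    active_profile: str = ""                    # provider whose profile is active
    state: dict = field(default_factory=dict)   # device-level state information
    store: dict = field(default_factory=dict)   # item name -> owning provider
    log: list = field(default_factory=list)     # commands that reached the device

    def execute(self, provider, op, arg=None):
        self.log.append((provider, op))
        if op == "QUERY":
            return self.state.get(arg)
        if op == "DEPLOY":
            self.store.update({name: provider for name in arg})
        elif op == "SELECTIVE_WIPE":
            # Delete only this provider's items; personal data is maintained.
            self.store = {n: o for n, o in self.store.items() if o != provider}
        return None


class PseudoDevice:
    """Cloud-side proxy enrolled with one MDM provider on the device's behalf."""

    def __init__(self, provider, device):
        self.provider = provider
        self.device = device
        self.known_state = {}   # state reported by the on-device agent
        self.cache = []         # resources held while another profile is active
        self.deployed = set()   # resources this proxy has pushed to the device

    def report_state(self, changes):
        self.known_state.update(changes)

    def handle(self, op, arg=None):
        """Handle one provider command; return (response, forwarded_to_device)."""
        if op == "QUERY":
            if arg in self.known_state:      # enough information: answer locally
                return self.known_state[arg], False
            value = self.device.execute(self.provider, "QUERY", arg)
            self.known_state[arg] = value
            return value, True
        if op == "PUSH_RESOURCES":
            self.cache.extend(arg)
            return self.flush()
        if op == "SELECTIVE_WIPE":
            self.cache.clear()
            if not self.deployed:            # desired result already achieved
                return "completed", False
            self.device.execute(self.provider, op)
            self.deployed.clear()
            return "completed", True
        return "unsupported", False

    def flush(self):
        """Push cached resources, but only while this provider's profile is active."""
        if not self.cache:
            return "nothing pending", False
        if self.device.active_profile != self.provider:
            return "queued", False
        self.device.execute(self.provider, "DEPLOY", list(self.cache))
        self.deployed.update(self.cache)
        self.cache.clear()
        return "deployed", True


def demo():
    # Constructed sample data: one device, two providers, one personal item.
    dev = PhysicalDevice(active_profile="mdm2", state={"os": "15.1"},
                         store={"family-photos": "personal"})
    p1, p2 = PseudoDevice("mdm1", dev), PseudoDevice("mdm2", dev)
    p1.report_state({"os": "15.1"})
    out = {"query": p1.handle("QUERY", "os"),
           "push_inactive": p1.handle("PUSH_RESOURCES", ["crm-app"]),
           "push_active": p2.handle("PUSH_RESOURCES", ["mail-app"])}
    dev.active_profile = "mdm1"              # first provider's profile activates
    out["activated"] = p1.flush()
    out["wipe"] = p1.handle("SELECTIVE_WIPE")
    out["wipe_again"] = p1.handle("SELECTIVE_WIPE")
    out["store"] = dict(dev.store)
    out["device_log"] = list(dev.log)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The device log in the result records which commands actually reached the device, which is the audit point for checking that a provider's commands and resources never cross into another provider's active profile.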
In some embodiments, an MDM cloud agent can be installed on physical mobile device 824. The MDM agent can be configured to monitor the device state information of the physical mobile device and to determine changes in this device state information. The MDM agent can be configured to enforce the policies of MDM service providers 812, 818 and/or to report changes in the device state information to the first or second pseudo-device 806, 828, respectively.
In some embodiments, the first pseudo-device 806 can receive a request from physical mobile device 824, the request being initiated based on one of user input or an indication that physical mobile device 824 is located within a first geofence of the first MDM service provider 812. In response, the first pseudo-device 806 can deploy (for example, send) enterprise resources, such as resource data, application data, applications and/or policy enforcement profile 816, from the first pseudo-device 806 to physical mobile device 824. In response to receiving another request initiated based on one of another user input or an indication that physical mobile device 824 is no longer within the first geofence, the first pseudo-device 806 can retract from physical mobile device 824 the policy enforcement profile 816 of the first MDM service provider 812 and/or resource data 814, such as applications, application data and/or other data of the first MDM service provider 812.
In response to receiving, at the second pseudo-device 828, a new request from physical mobile device 824, the request being initiated based on one of new user input or an indication that physical mobile device 824 is located within a second geofence of the second MDM service provider 818, the second pseudo-device 828 can deploy to physical mobile device 824 the second policy enforcement profile 822 of the second MDM service provider 818, applications, application data and/or other data of the second MDM service provider 818.
In some embodiments, the first pseudo-device 806 can identify a conflict between a policy of the first MDM service provider 812 and a policy of the second MDM service provider 818. The first pseudo-device 806 can resolve the conflict by applying a solution determined from a knowledge-based system of cloud computing environment 802. The first pseudo-device 806 can resolve the conflict by sending an alert to physical mobile device 824. For example, the alert can include one or more user-selectable commands for resolving the conflict. Additionally or alternatively, the first pseudo-device 806 can resolve the conflict by sending a mini-wipe command to physical mobile device 824. Additionally or alternatively, the mini-wipe command can be configured to cause at least the subset of data that causes the conflict to be deleted.
The second pseudo-device 828 can perform functions similar to those of the first pseudo-device 806 with respect to the second MDM service provider 818 and physical mobile device 824. In addition, the first pseudo-device 806 and/or the second pseudo-device 828 can perform any function associated with the other pseudo-devices described herein. Accordingly, the first pseudo-device 806 and/or the second pseudo-device 828 can perform one or more of the functions discussed below with respect to Figs. 9-16. Although the functions of Figs. 9-16 are written from the perspective of enterprise mobility management system 700, these functions also apply to system 800. When the functions of Figs. 9-16 are applied to system 800, note that, rather than a single pseudo-device being provisioned for use with both the first and second MDM service providers, the first pseudo-device is provisioned for use with the first MDM service provider and the second pseudo-device is provisioned for use with the second MDM service provider.
In some embodiments, a third pseudo-device and a fourth pseudo-device can be established in cloud computing environment 802. The third pseudo-device and the fourth pseudo-device can each represent a second physical mobile device. The third pseudo-device can be provisioned for use with the first MDM service provider 812 and the fourth pseudo-device can be provisioned for use with the second MDM service provider 818. These pseudo-devices can perform any function associated with the other pseudo-devices described herein.
Mobile device management feature
Having discussed several examples of computing architectures and enterprise mobility management architectures that can be used in providing and/or implementing various aspects of the disclosure, a number of embodiments will now be discussed in greater detail. Specifically, and as described above, some aspects of the disclosure generally relate to providing mobile device management functions. The following description discusses various examples illustrating how mobile device management functions can be provided according to one or more embodiments.
Fig. 9 depicts a flowchart illustrating a method of applying one or more mobile device management policies to a physical end user device via a pseudo-device, according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Fig. 9 and/or one or more of its steps can be performed by a computing device (for example, generic computing device 201). In other embodiments, the method shown in Fig. 9 and/or one or more of its steps can be embodied in computer-executable instructions that are stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Fig. 9, the method can begin at step 905, in which a pseudo-device is established in the cloud computing environment. For example, in step 905, the cloud computing environment (for example, one or more servers, blade servers, thin clients, computers, tablet computers, laptop computers or other types of computing devices) can establish, in a server of the cloud, a pseudo-device representing a physical end user device (for example, a mobile computing device such as a laptop computer, tablet computer, smartphone or other type of physical mobile device).
The pseudo-device representing the physical end user device can send to the associated physical end user device an MDM cloud agent to be installed on it. In one or more arrangements, the MDM cloud agent can be an application, service or process that is configured to run on the physical end user device and is also configured to collect and/or otherwise obtain information about the device, including information about the current state of the physical end user device. For example, the MDM cloud agent can be configured to collect and/or maintain device-level state information, such as state information indicating the operating system and/or applications stored and/or running on the physical end user device, state information indicating the network connections available to and/or used by the physical end user device, and/or state information indicating the current location where the device is placed and/or used (for example, in terms of geographic coordinates; in terms of semantic labels such as "home", "work", "client site"; etc.). Although these types of state information are listed here as examples of the types of device-level state information that can be collected and/or maintained by the MDM cloud agent in some instances, additional and/or alternative types of state information can similarly be collected and/or maintained by the MDM cloud agent in other instances.
In addition to collecting and maintaining various types of state information, the MDM cloud agent running on the physical end user device can also be configured to evaluate, analyze and/or otherwise monitor the various types of state information collected. For example, the MDM cloud agent can be configured to periodically determine whether the state information of the physical end user device has changed and/or to perform one or more actions based on changes detected in the state information. For example, the state information of the physical end user device (also referred to herein as device-level state information) can include information about what applications are installed and/or running on the physical end user device, where the physical end user device is located, what networks the physical end user device is connected to, and/or other device-level considerations. In some instances, the MDM cloud agent can provide state information to one or more other applications, services and/or processes. For example, in some of the examples discussed below, the MDM cloud agent and/or one or more other applications, services and/or processes on the physical end user device can analyze and/or otherwise process the state information collected by the MDM agent in enforcing mobile device management policies and/or in performing other actions in connection with mobile device management policies. For example, some mobile device management policies can define permitted and/or prohibited functions and/or applications based on different sets of circumstances that can be evaluated using the device state information collected by the MDM agent. In these and/or other ways, the state information can be used in enforcing behavior limitations on various functions and/or applications.
In some embodiments, the physical end user device and/or the MDM cloud agent running on the physical end user device can provide information to the pseudo-device established in one or more policy management servers of the cloud computing environment (which can, for example, affect the state of the device), and/or can receive one or more commands from this pseudo-device. For example, in providing information to the pseudo-device that is logically partitioned within the one or more policy management servers of the cloud computing environment, the physical end user device and/or the MDM cloud agent running on the physical end user device can send state information (which can include, for example, the various types of device state information discussed herein) to the pseudo-device, which can be configured, for example, to analyze this information and to provide commands and/or other information back to the physical end user device and/or to the MDM cloud agent running on the physical end user device. In addition, in receiving commands from the pseudo-device of the cloud computing environment, the physical end user device and/or the MDM cloud agent running on the physical end user device can receive new and/or updated policies and/or other policy information, remotely analyzed and/or otherwise processed physical end user device state information (for example, the pseudo-device can remotely analyze and/or otherwise process state information that is collected by the physical end user device, obtained from the physical end user device and/or related to the physical end user device, and then provide this analyzed and/or processed state information back to the physical end user device), and/or other information.
The pseudo-device representing the physical end user device can be established in one or more policy management servers of the cloud computing environment. During provisioning of the pseudo-device for use with an MDM service provider, the pseudo-device can receive the MDM agent associated with that MDM service provider. Accordingly, the pseudo-device can maintain multiple MDM agents in memory associated with the pseudo-device. The pseudo-device can communicate with the MDM cloud agent running on the physical end user device so that the MDM cloud agent can perform the functions of one or more different MDM agents at the physical end user device. The MDM cloud agent can perform the functions of one or more MDM agents while appearing as a single MDM cloud agent on the physical end user device. For example, the MDM cloud agent running on the physical end user device can exchange data with the different MDM agents stored at the pseudo-device and/or receive commands from the different MDM agents stored at the pseudo-device. The MDM cloud agent can therefore implement the functions of one or more MDM agents at the physical end user device without the physical end user device having to be modified to include each MDM agent received from the MDM service providers.
In step 910, the pseudo-device can be provisioned for use with one or more MDM service providers. For example, in step 910, the pseudo-device can send or provide an enrollment request to each MDM service provider and, in response, can receive from each MDM service provider a policy enforcement profile that grants access to that provider's enterprise resources. For example, under a bring-your-own-device (BYOD) scheme, an enterprise can require some or all of its employees and/or other users to install a policy enforcement profile on their respective mobile devices in order to reduce enterprise security risk, and the policy enforcement profile received by the pseudo-device in step 910 can be defined by and/or otherwise associated with such an enterprise. Additionally or alternatively, when not in use by the physical end user device, the policy enforcement profile can be stored in memory associated with the pseudo-device. In addition, the memory associated with the pseudo-device can simultaneously store the policy enforcement profile from each MDM service provider with which the pseudo-device is provisioned. Because the pseudo-device is established in one or more policy management servers of the cloud computing environment, the pseudo-device is not limited by any physical constraints of the physical end user device regarding the concurrent storage of multiple policy enforcement profiles and/or other information (for example, applications, application data, etc.). For example, in addition to storing the policy enforcement profile of the second MDM service provider and its associated applications and/or application data, the pseudo-device can store the policy enforcement profile of the first MDM service provider and its associated applications and/or application data. In such an example, the physical end user device can have insufficient storage space and/or processing capability to simultaneously maintain and store the policy enforcement profile of the first MDM service provider and its associated applications and/or application data in addition to the policy enforcement profile of the second MDM service provider and its associated applications and/or application data. Additionally or alternatively, the physical end user device might not be able to store the two profiles simultaneously, because each profile can have rules requiring that the respective profile be the exclusive profile installed, stored or otherwise maintained on the physical end user device. Additionally or alternatively, the physical end user device might not be able to enroll with two MDM service providers simultaneously, because the operating system of the physical end user device might support only a single profile.
In step 915, once the pseudo-device has been set up for use with one or more MDM service providers, the pseudo-device representing the physical terminal subscriber equipment may be configured to receive one or more commands from the one or more MDM service providers. For example, in step 915, the pseudo-device may receive a first command from a first MDM service provider and/or from an entity acting on behalf of the first MDM service provider. The first MDM service provider and/or that entity may generate the first command proactively (for example, not based on an event triggered by data received from the pseudo-device) and push the first command to the pseudo-device. Additionally or alternatively, the first MDM service provider or entity may generate the first command in response to a change in the device status information of the physical terminal subscriber equipment received from the pseudo-device and/or received (for example, extracted) from the physical terminal subscriber equipment. A change in the device status information may include, for example, an indication of a change in the applications present at the physical terminal subscriber equipment, an indication of a change in network connection, an indication of a change in the location of the physical terminal subscriber equipment, and/or any other change at the physical terminal subscriber equipment. For example, an indication of a change in the applications present at the physical terminal subscriber equipment may include a list of the applications present at the physical terminal subscriber equipment and may include associated status information about each listed application. For example, the status may include whether the application is installed, whether it is currently open, whether it is executed locally or remotely, and/or other information.
In some instances, the first command may be configured as though it were to be sent to the physical terminal subscriber equipment. For example, when the pseudo-device emulates the physical terminal subscriber equipment, the MDM service provider may be unaware that the first command will be sent to the pseudo-device rather than to the physical terminal subscriber equipment. In such instances, the first command may be configured to manage the physical terminal subscriber equipment according to the policies of the first MDM service provider.
The first command may include management information, such as one or more policy updates to be applied by the MDM cloud agent. The first command may be configured for a specific user of the physical terminal subscriber equipment and/or for the role of whoever is using the physical terminal subscriber equipment (for example, a policy may be applied to users having a specific role or position, such as sales, accounting, consulting, legal, etc.).
In some embodiments, the first command may be a query requesting the current status information of the physical terminal subscriber equipment. In this case, the MDM service provider may receive the device status information of the physical terminal subscriber equipment from the pseudo-device. In some instances, the pseudo-device may forward the query to the physical terminal subscriber equipment and receive the device status information from the physical terminal subscriber equipment. Additionally or alternatively, the pseudo-device may not send the query to the physical terminal subscriber equipment and may instead send the first MDM service provider the device status information stored in the memory associated with the pseudo-device.
In some embodiments, the first command may be configured to cause the MDM cloud agent and/or the physical terminal subscriber equipment to enforce one or more behavioral restrictions at the physical terminal subscriber equipment. Some policies and/or behavioral restrictions may cause the first command to be configured to perform a recall and/or a selective erase of resources. For example, the first command may be a command to recall one or more of: the strategy execution configuration file of the first MDM service provider, an application associated with the first MDM service provider, data associated with that application, enterprise resources of the first MDM service provider, data generated at the physical terminal subscriber equipment in association with the first MDM service provider, and/or other information. In some instances, the first command may be a selective erase command configured to delete one or more of: the strategy execution configuration file of the first MDM service provider, an application associated with the first MDM service provider, data associated with that application, enterprise resources of the first MDM service provider, data generated at the physical terminal subscriber equipment in association with the first MDM service provider, and/or other information. In some embodiments, the selective erase retains (for example, does not delete) the strategy execution configuration file of the first MDM service provider, personal applications and personal data.
In some embodiments, according to one or more policies, the first command may be configured to grant the pseudo-device and/or the physical terminal subscriber equipment access to some enterprise resources and/or services while restricting and/or preventing access to other enterprise resources and/or services. In other embodiments, the first command may be configured to prevent the physical terminal subscriber equipment from sending enterprise resources, or other data associated with the first MDM service provider, from the physical terminal subscriber equipment to another device. Additionally or alternatively, the first command may be configured to allow the physical terminal subscriber equipment to send enterprise resources or other data associated with the first MDM service provider to the pseudo-device for later retrieval (for example, when the physical terminal subscriber equipment is located within a geographic location of the first MDM service provider).
In some embodiments, according to some policies, the first command may be configured to prevent modification of the enterprise resources accessed by the pseudo-device and/or the physical terminal subscriber equipment (for example, read-only access). In addition, the first command may be configured to reconfigure software or data at the pseudo-device and/or the physical terminal subscriber equipment. In addition, the first command may be configured to cause the MDM agent and/or the physical terminal subscriber equipment to prevent an application from being opened or otherwise executed, and to close the application if it is currently executing (for example, running) at the physical terminal subscriber equipment.
In some embodiments, the first command may enforce some policies and/or behavioral restrictions by being configured to selectively enable and/or disable one or more functions of the physical terminal subscriber equipment (for example, one or more functions of the operating system), applications, and access to data or resources that are local to the physical terminal subscriber equipment and/or remotely accessible over one or more networks. Restricting access to one or more resources local to the physical terminal subscriber equipment may include blocking, limiting and/or otherwise controlling access to resources of the physical terminal subscriber equipment (for example, camera functions, SMS, Bluetooth functions, local application functions and/or any other function of the physical terminal subscriber equipment). Restricting access to one or more network resources may include blocking access to certain websites, to enterprise resources that the physical terminal subscriber equipment is not authorized to access, or to any other remotely located resource.
Alternatively or additionally, in some embodiments, the first MDM service provider may be aware of the pseudo-device. The first MDM service provider may therefore configure the first command to instruct the pseudo-device how to manage the physical terminal subscriber equipment. In such embodiments, the first command may be configured to manage the physical terminal subscriber equipment and/or to manage the pseudo-device's management of the physical terminal subscriber equipment according to the policies of the first MDM service provider. Specifically, the first command may be configured to cause policy enforcement at the physical terminal subscriber equipment via the pseudo-device. For example, the first command may be designed to have the same result as any of the different configurations of the first command discussed above.
In addition to receiving commands from the enterprise server of the first MDM service provider, the pseudo-device may receive new and/or updated policies and/or other policy information, remotely analyzed and/or otherwise processed device status information (for example, the enterprise server may remotely analyze and/or otherwise process status information collected by, obtained from, and/or related to the physical terminal subscriber equipment, and then provide this analyzed and/or processed status information back to the physical terminal subscriber equipment), and/or other information. In some embodiments, the pseudo-device may forward device status information received from the physical terminal subscriber equipment to the first MDM service provider. In this embodiment, the first MDM service provider may analyze the device status information and associate the analysis with the pseudo-device. The pseudo-device may then provide this analyzed and/or processed device status information, other information and/or policies back to the physical terminal subscriber equipment. Additionally or alternatively, before providing the analyzed device status information to the physical terminal subscriber equipment, the pseudo-device may further process the analyzed device status information received from the first MDM service provider.
In some embodiments, the pseudo-device may determine whether the first command, or the predicted resulting state of the physical terminal subscriber equipment after the first command is implemented at the physical terminal subscriber equipment, would violate or otherwise conflict with any policy of an MDM service provider with which the pseudo-device is registered. If there is no violation or conflict, the pseudo-device may send a command to the physical terminal subscriber equipment, as described below. If there is a violation or conflict, the pseudo-device may act according to Figure 16, discussed below.
In step 920, the pseudo-device may send one or more commands from the pseudo-device to the physical terminal subscriber equipment. For example, in step 920, the pseudo-device may send a second command from the pseudo-device to the physical terminal subscriber equipment. The pseudo-device may generate the second command based on the first command received from the first MDM service provider, and/or the second command may otherwise be associated with the first MDM service provider. For example, in response to receiving the first command, the pseudo-device may generate the second command and send it to the physical terminal subscriber equipment. The second command may be configured to enforce the policy associated with the first command. The second command may differ from the first command received from the first MDM service provider. In some instances, the second command may be identical to the first command received from the first MDM service provider. In such embodiments, the second command need not be generated at the pseudo-device, and the received first command may be retransmitted instead.
In some embodiments, the pseudo-device may generate the second command independently. For example, the pseudo-device may generate the second command without the involvement of the first MDM service provider and without receiving the first command. The pseudo-device may thus manage and enforce the policies of the first MDM service provider independently. For example, if the connection to the first MDM service provider is lost, the pseudo-device may need to manage and enforce the policies of the first MDM service provider.
The second command may be configured similarly to any configuration of the first command discussed herein. For example, the second command may be configured to cause the MDM cloud agent and/or the physical terminal subscriber equipment to perform a recall, a deployment or a selective erase, to restrict access to enterprise resources, to grant access to enterprise resources, to restrict access to functions, to reconfigure functions, to prevent modification of enterprise resources, to prevent enterprise resources from being transmitted from the physical terminal subscriber equipment, or to apply any other configuration of a command discussed herein.
Upon receiving the first and/or second command from the pseudo-device, the MDM cloud agent and/or the physical terminal subscriber equipment may execute the first and/or second command so that the policy associated with the command is satisfied. For example, the physical terminal subscriber equipment may perform a selective erase of data stored at the physical terminal subscriber equipment. As another example, the physical terminal subscriber equipment may restrict access to functions, prevent modification of enterprise resources, and/or otherwise implement any configuration specified by the first and/or second command. Executing the command at the physical terminal subscriber equipment may affect the device status information of the physical terminal subscriber equipment. Accordingly, the device status information may be provided to the pseudo-device.
In some embodiments, a change in the device status information may cause the MDM cloud agent and/or the physical terminal subscriber equipment to perform a management operation to enforce the policies of one or more MDM service providers. For example, based on a change in geographic location, the MDM cloud agent may restrict access to certain enterprise resources of the first MDM service provider.
The physical terminal subscriber equipment may also access the enterprise resources of one or more MDM service providers, in accordance with, for example, the policies and commands enforced by the MDM cloud agent. For example, the physical terminal subscriber equipment may access enterprise resources of the first MDM service provider that have been provided to the pseudo-device. Additionally or alternatively, the physical terminal subscriber equipment may access enterprise resources directly from the first MDM service provider without the involvement of the pseudo-device. The physical terminal subscriber equipment may store, edit and/or otherwise interact with the enterprise resources according to the policies of the first MDM service provider.
In some embodiments, the MDM cloud agent, the physical terminal subscriber equipment and/or the pseudo-device may determine, based on the device status information, whether one or more policies of one or more MDM service providers have been violated. In response to determining that a policy has been violated, the physical terminal subscriber equipment may take corrective action. The physical terminal subscriber equipment may also send a report of the violation to the pseudo-device. The pseudo-device may then determine a corrective action and send the resulting command to the physical terminal subscriber equipment. In some embodiments, the pseudo-device may send the report, or a modified report, to the MDM service provider whose policy was violated. In response to determining that no policy has been violated, normal management operation continues.
In step 925, the pseudo-device may receive a response to the second command from the physical terminal subscriber equipment. For example, in step 925, the pseudo-device may determine whether the response is sufficient to satisfy the first command received from the first MDM service provider. In response to determining that the response is insufficient to satisfy the first command and/or the second command (for example, the expected resulting state of the physical terminal subscriber equipment after applying the command has not been achieved), the pseudo-device may send the physical terminal subscriber equipment a command configured to correct the state of the physical terminal subscriber equipment, so that a second response from the physical terminal subscriber equipment can be sufficient to satisfy the first command and/or the second command (for example, the expected resulting state of the physical terminal subscriber equipment after applying the command has been achieved).
In some embodiments, the pseudo-device may determine whether the change in the state of the physical terminal subscriber equipment conflicts with any other policy of any MDM service provider with which the pseudo-device is registered. In response to determining that the response conflicts with another policy, the pseudo-device may act according to Figure 16, discussed below.
In step 930, in response to determining that the response is sufficient to satisfy the first command and/or the second command, the pseudo-device may send a response from the pseudo-device to one or more of the MDM service providers. For example, in step 930, the pseudo-device may send the response to the second command, received from the physical terminal subscriber equipment, to the first MDM service provider. The response may include device status information of the physical terminal subscriber equipment so that, for example, the first MDM service provider can verify that the operation associated with the first command was properly completed by the physical terminal subscriber equipment. For example, the response may include an indication that the data associated with the first MDM service provider has been removed from the physical terminal subscriber equipment.
In some embodiments, the pseudo-device may generate a new response based on the response to the second command received from the physical terminal subscriber equipment. The new response may be sufficient to satisfy the first command received from the first MDM service provider. In some instances, the response may include an indication that the operation associated with the first command has been completed, or some other indication associated with the first command. For example, the new response may include an indication that the data associated with the first MDM service provider has been deployed from the pseudo-device to the physical terminal subscriber equipment or, alternatively, an indication that the data associated with the first MDM service provider has been recalled from the physical terminal subscriber equipment to the pseudo-device.
In some embodiments, the pseudo-device may provide information to the enterprise servers of one or more MDM service providers. For example, in providing information to the enterprise server of an MDM service provider, the pseudo-device may send status information received from the physical terminal subscriber equipment to the enterprise server of the MDM service provider, which may, for example, be configured to analyze such information and provide commands and/or other information back to the pseudo-device, which may then relay or generate the commands to be provided to the physical terminal subscriber equipment.
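The relay described in steps 915 to 930 can be modelled in a few dozen lines. The following Python sketch is an added example, not code from the patent: the command fields, the `must_stay_enabled` policy model, the rule that a provider may only erase its own data, and holding a conflicting command instead of forwarding it are all assumptions (the page defers conflict handling to Figure 16), and the device state is constructed sample data.

```python
import copy
from dataclasses import dataclass


@dataclass
class Command:
    provider: str      # MDM service provider that issued the command
    action: str        # "restrict", "selective_erase" or "query"
    target: str = ""   # device function, or data owner for an erase


def new_state():
    """Constructed sample device status information."""
    return {"functions": {"camera": True, "bluetooth": True},
            "data_owners": ["mdm1", "mdm2", "personal"]}


def apply_command(state, cmd):
    """Apply a command to a status dict in place and return it."""
    if cmd.action == "restrict":
        state["functions"][cmd.target] = False
    elif cmd.action == "selective_erase":
        # Only the named owner's data goes; other owners are untouched.
        state["data_owners"] = [o for o in state["data_owners"] if o != cmd.target]
    return state


class PhysicalDevice:
    """Stand-in for the MDM cloud agent on the physical device."""

    def __init__(self):
        self.state = new_state()
        self.ignore_next = 0   # commands to drop, simulating an insufficient response
        self.calls = 0

    def execute(self, cmd):
        self.calls += 1
        if self.ignore_next > 0:
            self.ignore_next -= 1
        else:
            apply_command(self.state, cmd)
        return copy.deepcopy(self.state)   # the response carries device status


class PseudoDevice:
    def __init__(self, device, max_attempts=3):
        self.device = device
        self.profiles = {}               # provider -> policy, stored side by side
        self.cached_state = new_state()  # last status reported by the device
        self.max_attempts = max_attempts

    def register(self, provider, must_stay_enabled=()):
        # Assumed policy model: functions this provider requires to stay enabled.
        self.profiles[provider] = {"must_stay_enabled": set(must_stay_enabled)}

    def conflicts(self, cmd, predicted):
        """Other registered providers whose policy the predicted state violates."""
        return sorted(
            name for name, policy in self.profiles.items()
            if name != cmd.provider
            and any(not predicted["functions"].get(f, False)
                    for f in policy["must_stay_enabled"]))

    def handle(self, cmd):
        """Process a first command and return the response for the provider."""
        if cmd.provider not in self.profiles:   # assumption: unknown senders refused
            return {"status": "rejected"}
        if cmd.action == "selective_erase" and cmd.target != cmd.provider:
            return {"status": "rejected"}       # assumption: erase own data only
        if cmd.action == "query":               # answered from stored status
            return {"status": "done", "attempts": 0,
                    "state": copy.deepcopy(self.cached_state)}
        predicted = apply_command(copy.deepcopy(self.cached_state), cmd)
        blocked_by = self.conflicts(cmd, predicted)
        if blocked_by:                          # held, never reaches the device
            return {"status": "conflict", "with": blocked_by}
        for attempt in range(1, self.max_attempts + 1):
            # The second command is the first command retransmitted unchanged.
            self.cached_state = self.device.execute(cmd)
            if self.cached_state == predicted:  # response satisfies the command
                return {"status": "done", "attempts": attempt,
                        "state": copy.deepcopy(self.cached_state)}
        return {"status": "failed", "attempts": self.max_attempts,
                "state": copy.deepcopy(self.cached_state)}


def demo():
    device = PhysicalDevice()
    pseudo = PseudoDevice(device)
    pseudo.register("mdm1")
    pseudo.register("mdm2", must_stay_enabled=["camera"])
    results = [pseudo.handle(Command("mdm1", "restrict", "camera"))]
    device.ignore_next = 1   # first delivery is lost on the device
    results.append(pseudo.handle(Command("mdm1", "selective_erase", "mdm1")))
    return results


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The conflict check runs against the predicted state before anything is sent, so a command from one provider that would break another provider's policy never touches the device; the retry loop is the corrective command of step 925.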
In some embodiments, the pseudo-device may receive a third command from a second MDM service provider. The third command may be configured to cause enforcement, at the physical terminal subscriber equipment, of the policies of the second MDM service provider. The third command may be configured as discussed above for the first command, but with respect to the second MDM service provider rather than the first MDM service provider. For example, the third command may be a command to recall one or more of: the strategy execution configuration file of the second MDM service provider, an application associated with the second MDM service provider, data associated with that application, enterprise resources of the second MDM service provider, data generated at the physical terminal subscriber equipment in association with the second MDM service provider, and/or other information. In some instances, the third command may be a selective erase command configured to delete one or more of: the strategy execution configuration file of the second MDM service provider, an application associated with the second MDM service provider, data associated with that application, enterprise resources of the second MDM service provider, data generated at the physical terminal subscriber equipment in association with the second MDM service provider, and/or other information. In some embodiments, the selective erase command retains (for example, does not delete) the strategy execution configuration file of the second MDM service provider.
In some embodiments, the pseudo-device may determine whether the policy of the third command, or the predicted resulting state of the physical terminal subscriber equipment after the policy of the third command is implemented, violates or otherwise conflicts with any policy of an MDM service provider with which the pseudo-device is registered. If there is no violation or conflict, the pseudo-device may send a command to the physical terminal subscriber equipment, as described below. If there is a violation or conflict, the pseudo-device may act according to Figure 16, discussed below.
In some embodiments, the pseudo-device may send one or more commands from the pseudo-device to the physical terminal subscriber equipment. For example, the pseudo-device may send a fourth command from the pseudo-device to the physical terminal subscriber equipment. The pseudo-device may generate the fourth command based on the third command received from the second MDM service provider. In response to receiving the third command, the pseudo-device may generate the fourth command and send it to the physical terminal subscriber equipment. The fourth command may differ from the third command received from the second MDM service provider. In some instances, the fourth command may be identical to the third command received from the second MDM service provider. In such instances, the fourth command need not be generated at the pseudo-device, and the received third command may be retransmitted instead.
The fourth command may be configured to enforce the policy associated with the third command. The fourth command may be configured as discussed above for the second command, but with respect to the second MDM service provider rather than the first MDM service provider. For example, the fourth command may be configured to cause the MDM cloud agent and/or the physical terminal subscriber equipment to perform a recall, a deployment or a selective erase, to restrict access to enterprise resources, to grant access to enterprise resources, to restrict access to functions, to reconfigure functions, to prevent modification of enterprise resources, to prevent enterprise resources from being transmitted from the physical terminal subscriber equipment, or to apply any other configuration of a command discussed herein.
In some embodiments, the pseudo-device may generate the fourth command. For example, the pseudo-device may generate the fourth command independently, without the involvement of the second MDM service provider. Specifically, the pseudo-device may generate the fourth command without receiving the third command from the second MDM service provider.
In some embodiments, the pseudo-device may receive a response to the fourth command from the physical terminal subscriber equipment. For example, the pseudo-device may determine whether the response is sufficient to satisfy the third command received from the second MDM service provider. In response to determining that the response is insufficient to satisfy the third command, the pseudo-device may send the physical terminal subscriber equipment a command configured to correct the state of the physical terminal subscriber equipment, so that a second response from the physical terminal subscriber equipment can be sufficient to satisfy the third command.
In some embodiments, in response to determining that the response is sufficient to satisfy the third and/or fourth command, the pseudo-device may send a response from the pseudo-device to one or more of the MDM service providers. For example, the pseudo-device may send the response to the fourth command, received from the physical terminal subscriber equipment, to the second MDM service provider. In some instances, the pseudo-device may generate a new response based on the response to the fourth command received from the physical terminal subscriber equipment. The new response may be sufficient to satisfy the third command received from the second MDM service provider. In some instances, the response may include an indication that the operation associated with the third command has been completed, or some other indication associated with the third command.
In some embodiments, the cloud computing environment may establish, on a server of the cloud, a second pseudo-device representing another physical terminal subscriber equipment (for example, a second physical terminal subscriber equipment different from the first physical terminal subscriber equipment). The second pseudo-device representing the second physical terminal subscriber equipment may be set up for use with one or more MDM service providers. The second pseudo-device may receive a first command from an MDM service provider at the pseudo-device. The second pseudo-device may send a second command or another command, as discussed herein, from the second pseudo-device to the second physical terminal subscriber equipment. The second pseudo-device may receive a response from the physical terminal subscriber equipment. The second pseudo-device may send this response, or a modified response, to the MDM service provider as discussed herein. Although only two pseudo-devices, each representing one of two pieces of physical terminal subscriber equipment, have been discussed, more than two pseudo-devices and pieces of physical terminal subscriber equipment are contemplated.
Figure 10 depicts a flowchart illustrating a method of setting up a pseudo-device for use with one or more mobile device management service providers, according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 10 and/or one or more of its steps may be performed by a computing device (for example, universal computing device 201). In other embodiments, the method illustrated in Figure 10 and/or one or more of its steps may be embodied in computer-executable instructions stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Figure 10, the method may begin at step 1005, in which the pseudo-device may be set up for use with a first MDM service provider. For example, in step 1005, the pseudo-device may be set up for use with the first MDM service provider by performing one or more of steps 1010, 1015 and 1020 discussed herein. The pseudo-device may appear to the first MDM service provider as the physical terminal subscriber equipment that the pseudo-device represents. For example, the pseudo-device may emulate and/or simulate the physical terminal subscriber equipment that it represents, and the pseudo-device may therefore appear to the first MDM service provider as the actual physical terminal subscriber equipment. For example, in emulating and/or simulating the physical terminal subscriber equipment, the pseudo-device representing the physical terminal subscriber equipment may authenticate to the first MDM service provider, receive one or more commands and/or communications from the first MDM service provider, and/or send one or more messages and/or other communications to the first MDM service provider, as though the pseudo-device were the physical terminal subscriber equipment. The pseudo-device may register with the first MDM service provider in the same manner in which a typical physical mobile device would register with the first MDM service provider. In some instances, the pseudo-device may appear to the first MDM service provider as a device that is different from, but associated with, the physical terminal subscriber equipment.
In step 1010, the pseudo-device may send a first registration request to a first MDM service provider of the one or more MDM service providers. For example, in step 1010, the first registration request may be sent from the pseudo-device to the first MDM service provider. In some instances, the pseudo-device may have another device send the first registration request on behalf of the pseudo-device. The registration request may include any information necessary for the setup, including, for example, security credentials, identity credentials, etc.
In response, in step 1015, the pseudo-device may receive a first strategy execution configuration file associated with the first MDM service provider. For example, in step 1015, the pseudo-device may receive the first strategy execution configuration file from the first MDM service provider. In some instances, the pseudo-device may receive the first strategy execution configuration file from another entity acting on behalf of the first MDM service provider. The first strategy execution configuration file may be configured to facilitate identification of the pseudo-device and/or the first MDM service provider. The first strategy execution configuration file may facilitate secure communication between the pseudo-device and the first MDM service provider. The strategy execution configuration file may be configured to identify one or more policies of the first MDM service provider that are to be enforced at the physical terminal subscriber equipment as a condition of access to the enterprise resources of the first MDM service provider and/or of registration.
In step 1020, the pseudo-device may store the first strategy execution configuration file associated with the first MDM service provider. For example, in step 1020, the pseudo-device may store the first strategy execution configuration file in the associated memory of one or more servers of the cloud computing environment. Once the pseudo-device has been set up for use with the first MDM service provider, the pseudo-device may access the enterprise resources of the first MDM service provider according to the policies set by the first MDM service provider. The pseudo-device may receive commands from the first MDM service provider to manage the physical terminal subscriber equipment as discussed above. For example, such commands may include one of a deployment, a recall and/or a selective erase as discussed herein.
In step 1025, the pseudo-device may be set up for use with a second MDM service provider by performing one or more of steps 1030, 1035 and 1040 discussed herein. The pseudo-device may appear to the second MDM service provider as the physical terminal subscriber equipment that the pseudo-device represents. For example, the pseudo-device may simulate the physical terminal subscriber equipment that it represents. The pseudo-device may register with the second MDM service provider in the same manner in which a typical mobile device would register with the second MDM service provider. In some instances, the pseudo-device may appear to the second MDM service provider as a device that is different from, but associated with, the physical terminal subscriber equipment.
In step 1030, the pseudo-device may send a second registration request to a second MDM service provider of the one or more MDM service providers. For example, in step 1030, the second registration request may be sent from the pseudo-device. In some instances, the pseudo-device may have another device send the second registration request on behalf of the pseudo-device. The registration request may include any information necessary for the setup, including, for example, security credentials, identity credentials, etc.
In response, in step 1035, the pseudo-device can receive a second strategy execution configuration file associated with the second MDM service provider. For example, in step 1035, the pseudo-device can receive the second strategy execution configuration file from the second MDM service provider. In some examples, the pseudo-device can receive the second strategy execution configuration file from another entity acting on behalf of the second MDM service provider. The second strategy execution configuration file can be configured to facilitate identification of the pseudo-device and/or the second MDM service provider. The second strategy execution configuration file can be configured to facilitate secure communication between the pseudo-device and the second MDM service provider. The strategy execution configuration file can be configured to identify one or more strategies of the second MDM service provider that are to be implemented at the physical terminal subscriber equipment as a condition of access to the ERMs of the second MDM service provider and/or of registration.
In step 1040, the pseudo-device can store the second strategy execution configuration file associated with the second MDM service provider. For example, in step 1040, the pseudo-device can store the second strategy execution configuration file in a memory associated with one or more servers of the cloud computing environment. Once the pseudo-device is set up for use with the second service provider, the pseudo-device can access the ERMs of the second MDM service provider. The pseudo-device can receive orders from the second MDM service provider to manage the physical terminal subscriber equipment. Such an order can include one of deployment, recall and/or selective erasing as discussed herein.
In some embodiments, the memory associated with the pseudo-device located at one or more servers of the cloud computing environment can simultaneously store the first strategy execution configuration file associated with the first MDM service provider and the second strategy execution configuration file associated with the second MDM service provider. In some embodiments, the physical terminal subscriber equipment may not have enough resources to simultaneously store and/or implement the first strategy execution configuration file associated with the first MDM service provider and the second strategy execution configuration file associated with the second MDM service provider.
In some embodiments, a second pseudo-device representing a second physical terminal subscriber equipment can be set up for use with one or more MDM service providers. For example, the second pseudo-device can send a first registration request from the second pseudo-device to the first MDM service provider and, in response, can receive a strategy execution configuration file from the first MDM service provider. The second pseudo-device can store the strategy execution configuration file in a memory associated with the second pseudo-device. Once the pseudo-device is set up for use with the first MDM service provider, the second pseudo-device can access the ERMs of the first MDM service provider. The second pseudo-device can send a second registration request from the second pseudo-device to the second MDM service provider and, in response, can receive a strategy execution configuration file from the second MDM service provider. The second pseudo-device can store the strategy execution configuration file in the memory associated with the second pseudo-device. Once the pseudo-device is set up for use with the second MDM service provider, the second pseudo-device can access the ERMs of the second MDM service provider.
In some embodiments, multiple pseudo-devices can be associated with the same user. The pseudo-devices can be established in the cloud computing environment. For example, a first pseudo-device can represent a first physical terminal subscriber equipment associated with the user. A second pseudo-device can represent a second physical terminal subscriber equipment associated with the same user. The second physical terminal subscriber equipment can be different from the first physical terminal subscriber equipment. In this example, the first and second pseudo-devices can be set up for use with the same MDM service provider and/or with different MDM service providers.
Figure 11 depicts a flow chart illustrating a method of responding to an order from a mobile device management service provider according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 11 and/or one or more of its steps can be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 11 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 11, the method can begin at step 1105, in which the pseudo-device can receive one or more orders. For example, in step 1105, the pseudo-device can receive a first order from the first MDM service provider. In some examples, the first order can be received from an entity or device separate from the first MDM service provider, but can be issued on behalf of the first MDM service provider.
The first order can be configured as discussed above in connection with Fig. 9. For example, the first order can be configured to cause the MDM cloud agent running on the physical terminal subscriber equipment and/or the physical terminal subscriber equipment to perform an operation associated with recall of an ERM, deployment of an ERM, selective erasing of an ERM, restricting access to an ERM, authorizing access to an ERM, restricting access to a function, reconfiguring a function, preventing modification of an ERM, preventing transfer of an ERM from the physical terminal subscriber equipment, or any other order configuration discussed herein.
In step 1110, the pseudo-device can determine to whom to send an order and/or a message. For example, in step 1110, the pseudo-device can determine whether to send a second order to the physical terminal subscriber equipment and/or the first MDM service provider. This determination can be based on one or more factors. For example, a factor can include whether information that is not present at the pseudo-device is needed from the physical terminal subscriber equipment in order to respond to the one or more orders received from the one or more MDM service providers. For example, a factor can include whether a strategy associated with the one or more orders received from the one or more MDM service providers conflicts with another strategy of the one or more MDM service providers.
In some embodiments, the pseudo-device can generate a query and send it to the physical terminal subscriber equipment. The query can request status information of the physical terminal subscriber equipment. In response, the physical terminal subscriber equipment can determine its status information and send it to the pseudo-device. The pseudo-device can then determine whether the received status information of the physical terminal subscriber equipment matches the desired status information for the physical terminal subscriber equipment. The pseudo-device can determine the desired status information based at least in part on the first order received from the first MDM service provider. If the received status information does not match the desired status information, the pseudo-device can decide to send the second order to the physical terminal subscriber equipment so that it reaches the desired state. If the received status information matches the desired status information, the pseudo-device can decide not to send the second order to the physical terminal subscriber equipment. Because the received status information matches the desired status information, and because the desired status information can be determined based on the first order received from the first MDM service provider, the pseudo-device can decide not to send the second order to the physical terminal subscriber equipment, since the desired state associated with the first order is already the state of the physical terminal subscriber equipment. Additionally or alternatively, in some embodiments, the query need not be sent to the physical terminal subscriber equipment. For example, the physical terminal subscriber equipment can send updated status information to the pseudo-device periodically and/or when a state change occurs within the physical terminal subscriber equipment. The pseudo-device can therefore keep a record of the current and past status information of the physical terminal subscriber equipment. Because the current status information of the physical terminal subscriber equipment is present at the pseudo-device, the pseudo-device can determine whether the status information of the physical terminal subscriber equipment matches the desired status information without sending a query to the physical terminal subscriber equipment.
In step 1115, in response to the decision to send the second order to the physical terminal subscriber equipment, the pseudo-device can send the second order from the pseudo-device to the physical terminal subscriber equipment. The second order can be configured to enforce the strategies of one or more MDM service providers. The second order can be configured as discussed above in connection with Fig. 9. For example, the second order can be configured to cause the MDM cloud agent running on the physical terminal subscriber equipment and/or the physical terminal subscriber equipment to perform an operation associated with recall of an ERM, deployment of an ERM, selective erasing of an ERM, restricting access to an ERM, authorizing access to an ERM, restricting access to a function, reconfiguring a function, preventing modification of an ERM, preventing transfer of an ERM from the physical terminal subscriber equipment, or any other order configuration discussed herein.
In step 1120, the pseudo-device can receive a response from the physical terminal subscriber equipment. For example, in step 1120, the pseudo-device can receive an indication that the operation associated with the second order that was sent has been completed. The response can include device status information of the physical terminal subscriber equipment before or after the operation associated with the second order is completed. For example, the response can include an indication that applications, application data and/or other data associated with one or more MDM service providers have been deleted from the physical terminal subscriber equipment. The response can include an indication that personal applications and personal data are kept (e.g., not deleted) by the physical terminal subscriber equipment. The response can be configured similarly to other responses discussed herein.
In some embodiments, the pseudo-device can determine whether the response from the physical terminal subscriber equipment satisfies the first order received from the MDM service provider (e.g., whether the state of the physical terminal subscriber equipment matches the desired state). If the pseudo-device determines that the response does not satisfy the first order, the pseudo-device can send a third order to the physical terminal subscriber equipment. The third order can be configured to operatively bring about the desired result of the first order. Subsequently, the pseudo-device can receive another response from the physical terminal subscriber equipment.
In step 1125, the pseudo-device can send a response to one or more MDM service providers. For example, in step 1125, the pseudo-device can send the response to the first order to the first MDM service provider. The response can be sent if the pseudo-device determines that it satisfies the first order. In some examples, the pseudo-device can generate a modified response based on the response received from the physical terminal subscriber equipment. The modified response can also be based on other factors, for example adding an indication that the operation associated with the first order has been completed. The pseudo-device can send the modified response to the first MDM service provider. The response can be configured similarly to any response discussed herein and can therefore include, for example, device status information for the first MDM service provider to analyze and possibly respond to.
In step 1130, the pseudo-device may not send the second order to the physical terminal subscriber equipment. For example, in step 1130, in response to determining not to send the second order to the physical terminal subscriber equipment, the pseudo-device can locally generate a response to the first order sent from the first MDM service provider. In some examples, the pseudo-device can receive a response from a device or entity other than the physical terminal subscriber equipment for incorporation into the response to the first order. The generated and/or received response to the first order can include, for example, information stored by the pseudo-device or any other information. The response can include an indication that the operation associated with the first order has been completed. For example, the response can include an indication that the selective erasing has been completed at the physical terminal subscriber equipment.
In step 1135, the pseudo-device can send a response from the pseudo-device to one or more MDM service providers. For example, in step 1135, the pseudo-device can send the locally generated response to the first order from the pseudo-device to the first MDM service provider. The response can be sent to the first MDM service provider without any order (e.g., the first order and/or the second order) being sent to the physical terminal subscriber equipment. The response can therefore be sent on behalf of the physical terminal subscriber equipment without any participation of the physical terminal subscriber equipment. For example, the pseudo-device can receive the first order and send a response to the first MDM service provider independently of any operation of the physical terminal subscriber equipment.
In some embodiments, a second pseudo-device representing a second physical terminal subscriber equipment can receive a first order from an MDM service provider. The second pseudo-device can determine, based on any of the factors discussed herein, whether to send a second order to the second physical terminal subscriber equipment. In response to determining to send the second order to the second physical terminal subscriber equipment, the second pseudo-device can send the second order from the second pseudo-device to the second physical terminal subscriber equipment. The second pseudo-device can then receive a response from the second physical terminal subscriber equipment. The second pseudo-device can then send the response, or a modified response, to the MDM service provider. In response to determining not to send any order to the second physical terminal subscriber equipment, the second pseudo-device can generate a response to the first order, the response including, for example, an indication that the operation associated with the first order has been completed. The pseudo-device can send the response to the MDM service provider.
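The decision flow of Figure 11 (steps 1105 to 1135) can be followed in the Python example below, which is added here for illustration and is not code from the patent. The class names, the dictionary shape of an order, the `skip_once` failure model and the bound of two orders to the device are assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class PhysicalDevice:
    """Constructed stand-in for the physical terminal subscriber equipment."""
    state: dict
    skip_once: set = field(default_factory=set)    # keys that fail on the first try
    orders_seen: list = field(default_factory=list)

    def apply(self, order):
        # Perform the requested operation and report the resulting state.
        self.orders_seen.append(order)
        for key, value in order["set"].items():
            if key in self.skip_once:
                self.skip_once.discard(key)         # fails now, succeeds next time
                continue
            self.state[key] = value
        return {"done": True, "state": dict(self.state)}


@dataclass
class PseudoDevice:
    device: PhysicalDevice
    known_state: dict        # record kept from status updates pushed by the device
    max_orders: int = 2      # assumed bound: a second order, then one third order

    def on_status_update(self, state):
        # Periodic or change-driven update from the device (no query needed).
        self.known_state = dict(state)

    @staticmethod
    def _missing(state, desired):
        # Settings whose recorded value differs from the desired value.
        return {k: v for k, v in desired.items() if state.get(k) != v}

    def _response(self, first_order, satisfied, answered_by):
        return {"order_id": first_order["id"], "satisfied": satisfied,
                "answered_by": answered_by, "state": dict(self.known_state)}

    def handle_first_order(self, first_order):
        # Step 1110: the desired state is derived from the first order.
        desired = first_order["set"]
        missing = self._missing(self.known_state, desired)
        if not missing:
            # Steps 1130/1135: respond locally; the device is never contacted.
            return self._response(first_order, True, "pseudo-device")
        for _ in range(self.max_orders):
            # Step 1115 (second order) or the follow-up third order: send the delta.
            reply = self.device.apply({"id": first_order["id"], "set": missing})
            self.known_state = reply["state"]       # step 1120
            missing = self._missing(self.known_state, desired)
            if not missing:
                return self._response(first_order, True, "device")   # step 1125
        return self._response(first_order, False, "device")


def demo():
    # Constructed first order from a hypothetical MDM service provider.
    order = {"id": "order-1", "set": {"camera": "disabled", "passcode": "required"}}
    # Case 1: the recorded state already matches the desired state.
    dev1 = PhysicalDevice(state={"camera": "disabled", "passcode": "required"})
    r1 = PseudoDevice(dev1, known_state=dict(dev1.state)).handle_first_order(order)
    # Case 2: the camera setting differs and the first attempt does not take effect.
    dev2 = PhysicalDevice(state={"camera": "enabled", "passcode": "required"},
                          skip_once={"camera"})
    r2 = PseudoDevice(dev2, known_state=dict(dev2.state)).handle_first_order(order)
    return r1, len(dev1.orders_seen), r2, dev2.orders_seen


if __name__ == "__main__":
    for part in demo():
        print(part)
```

The locally generated response in case 1 is only as accurate as the recorded state, which the description says is refreshed by periodic or change-driven updates from the device.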
Figure 12 depicts a flow chart illustrating a method of pushing resource data to the physical terminal subscriber equipment according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 12 and/or one or more of its steps can be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 12 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 12, the method can begin at step 1205, in which the pseudo-device can receive one or more ERMs (e.g., resource data). For example, in step 1205, the pseudo-device can receive the resource data of the first MDM service provider from the first MDM service provider. The resource data can include documents, charts, software, applications, application data or any other data associated with the first MDM service provider. The resource data can be received during a time period in which the strategy execution configuration file of a different, second MDM service provider is active on, or in use by, the physical terminal subscriber equipment. For example, the pseudo-device can receive from the first MDM service provider an application that can be used at the physical terminal subscriber equipment only when the strategy execution configuration file of the first MDM service provider is active on, or in use by, the physical terminal subscriber equipment. However, the application can be received by the pseudo-device while the strategy execution configuration file of the first MDM service provider is inactive or not in use by the physical terminal subscriber equipment.
Similarly, the pseudo-device can receive a first order from the first MDM service provider during a time period in which a strategy execution configuration file associated with the second MDM service provider (different from the first MDM service provider) is on, or is active on, the physical terminal subscriber equipment. For example, the pseudo-device can receive the first order from the first MDM service provider when the strategy execution configuration file of the first MDM service provider is inactive or not in use by the physical terminal subscriber equipment and/or when the strategy execution configuration file of the second MDM service provider is active on, or in use by, the physical terminal subscriber equipment.
In some embodiments, the pseudo-device can receive resource data and/or a first order from the first MDM service provider during a time period in which no strategy execution configuration file of any MDM service provider is on, or is active on, the physical terminal subscriber equipment.
In some embodiments, the resource data can be received in response to a request for resource data initiated by the physical terminal subscriber equipment. For example, the physical terminal subscriber equipment can send a request for resource data directly from the physical terminal subscriber equipment to the first MDM service provider, without the participation of the pseudo-device. In some examples, the physical terminal subscriber equipment can send a request for the resource data of the first MDM service provider to the pseudo-device. The pseudo-device can then send the request to the first MDM service provider. In some examples, the pseudo-device can modify the request before sending it to the first MDM service provider. In some embodiments, the physical terminal subscriber equipment can receive resource data in response to a request initiated by the pseudo-device and sent to the first MDM service provider.
In step 1210, the pseudo-device can determine which configuration file is currently active on the pseudo-device. For example, in step 1210, the pseudo-device can determine whether the strategy execution configuration file of the first MDM service provider is currently active on the physical terminal subscriber equipment. In some examples, the pseudo-device can send to the physical terminal subscriber equipment an order, query or request asking the physical terminal subscriber equipment (and/or the MDM cloud agent installed on the physical terminal subscriber equipment) to send the current device status information of the physical terminal subscriber equipment to the pseudo-device. The current device status information can include, for example, an indication of which strategy execution configuration file is currently in use on the physical terminal subscriber equipment, an indication of the ERMs currently used by the physical terminal subscriber equipment, the geographical position of the physical terminal subscriber equipment, an indication of whether the physical terminal subscriber equipment is located within a geofence set by one of the MDM service providers, or any other information. In response, the physical terminal subscriber equipment (and/or the MDM cloud agent installed on the physical terminal subscriber equipment) can determine the current device status information of the physical terminal subscriber equipment and send it to the pseudo-device.
In some embodiments, the pseudo-device can determine whether the strategy execution configuration file of the first MDM service provider is currently active on the physical terminal subscriber equipment without sending a request to the physical terminal subscriber equipment. The physical terminal subscriber equipment (and/or the MDM cloud agent) can send the current status information periodically and/or as a result of a change in the current status information previously sent to the pseudo-device. For example, in determining that a change in the device status information has been detected, the MDM cloud agent and/or the physical terminal subscriber equipment can determine, for example, that a new application has been installed on and/or added to the physical terminal subscriber equipment, that an application has been deleted from the physical terminal subscriber equipment, that the network connection used by the physical terminal subscriber equipment has changed, that the geographical position in which the physical terminal subscriber equipment is located has changed, and/or any other change in the device status information discussed herein. Once a change in the device status information has been detected, the MDM cloud agent and/or the physical terminal subscriber equipment can send (e.g., push) the information associated with the change to the pseudo-device, so that the pseudo-device can keep a record of the current and past device status information of the physical terminal subscriber equipment.
In step 1215, the pseudo-device can push the resource data to the physical terminal subscriber equipment. For example, in step 1215, in response to determining that the strategy execution configuration file of the first MDM service provider is currently active at the physical terminal subscriber equipment (e.g., in use by the physical terminal subscriber equipment), the pseudo-device can send the resource data of the first MDM service provider from the pseudo-device to the physical terminal subscriber equipment. Therefore, while the strategy execution configuration file is in use by the physical terminal subscriber equipment, the physical terminal subscriber equipment can access and/or receive the resource data of the first MDM service provider.
In some embodiments, the physical terminal subscriber equipment can initiate another request (e.g., a second request) for more resource data of the first MDM service provider. The physical terminal subscriber equipment can send the second request to the pseudo-device. The pseudo-device can then send the second request for more resource data to the first MDM service provider. In response, the first MDM service provider can then send more resource data to the pseudo-device. When the strategy execution configuration file of the first MDM service provider is in use by the physical terminal subscriber equipment, the pseudo-device can then send such resource data to the physical terminal subscriber equipment.
In some embodiments, once the pseudo-device has determined that the strategy execution configuration file is in use at the physical terminal subscriber equipment, the pseudo-device can send an indication of this determination to the first MDM service provider. The first MDM service provider can then send resource data directly to the physical terminal subscriber equipment (e.g., without further participation of the pseudo-device). In some embodiments, subsequent requests for resource data can be sent directly from the physical terminal subscriber equipment to the first MDM service provider (e.g., without the participation of the pseudo-device).
In step 1220, the pseudo-device can store the resource data in a memory associated with the pseudo-device. For example, in step 1220, in response to determining that the strategy execution configuration file of the first MDM service provider is currently inactive at the physical terminal subscriber equipment (e.g., not in use by the physical terminal subscriber equipment), the pseudo-device can cache or otherwise store the resource data of the first MDM service provider until the strategy execution configuration file of the first MDM service provider becomes active at the physical terminal subscriber equipment. The pseudo-device can determine again whether the strategy execution configuration file of the first MDM service provider is active at the physical terminal subscriber equipment by sending a request for the current state of the physical terminal subscriber equipment, as discussed herein. Once or when the pseudo-device determines that the strategy execution configuration file of the first MDM service provider is currently active at the physical terminal subscriber equipment, the pseudo-device can push (e.g., automatically send) the resource data from the cache associated with the pseudo-device to the physical terminal subscriber equipment. In some embodiments, once the pseudo-device determines that the strategy execution configuration file of the first MDM service provider is active at the physical terminal subscriber equipment, the pseudo-device can allow the resource data to be pulled (e.g., sent in response to a request of the physical terminal subscriber equipment) from the cache associated with the pseudo-device to the physical terminal subscriber equipment.
In some embodiments, a second pseudo-device representing a second physical terminal subscriber equipment can receive from the first MDM service provider, for example, the resource data of the first MDM service provider and/or a first order. The resource data and/or the first order can be received during a time period in which the strategy execution configuration file of the second MDM service provider (different from the first MDM service provider) is active on the second physical terminal subscriber equipment. When the strategy execution configuration file of the first MDM service provider is currently inactive on the second physical terminal subscriber equipment, the second pseudo-device can cache the resource data of the first MDM service provider in a memory associated with the second pseudo-device. When the strategy execution configuration file of the first MDM service provider is currently active on the second physical terminal subscriber equipment, the second pseudo-device can push the resource data of the first MDM service provider.
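The cache-or-push behaviour of Figure 12 (steps 1205 to 1220), including the pull variant, is shown in the Python example below, which is added here for illustration and is not code from the patent. The `ResourceGate` class, the provider names `mdm-A` and `mdm-B` and the file names are constructed assumptions.

```python
from collections import defaultdict, deque


class ResourceGate:
    """Pseudo-device side cache that releases a provider's resource data only
    while that provider's strategy execution configuration file is active."""

    def __init__(self, send_to_device, push_on_activate=True):
        self._send = send_to_device            # callable(provider, item)
        self._cache = defaultdict(deque)       # provider -> items in arrival order
        self._push_on_activate = push_on_activate
        self.active_profile = None             # None: no provider profile is active

    def _flush(self, provider):
        # Deliver everything cached for this provider, oldest first.
        queue = self._cache.get(provider)
        sent = 0
        while queue:
            self._send(provider, queue.popleft())
            sent += 1
        return sent

    def on_resource(self, provider, item):
        # Steps 1205/1210: data arrives; check the recorded active profile.
        if provider == self.active_profile:
            self._send(provider, item)         # step 1215: push immediately
            return "pushed"
        self._cache[provider].append(item)     # step 1220: hold it at the pseudo-device
        return "cached"

    def on_status_update(self, active_profile):
        # The device or its agent reports which profile is active now.
        self.active_profile = active_profile
        if self._push_on_activate and active_profile is not None:
            return self._flush(active_profile)
        return 0

    def pull(self, provider):
        # Pull variant: a device request is honoured only for the active profile.
        if provider != self.active_profile:
            return 0
        return self._flush(provider)

    def cached(self, provider):
        return list(self._cache.get(provider, ()))


def demo():
    delivered = []
    gate = ResourceGate(lambda provider, item: delivered.append((provider, item)))
    gate.on_status_update("mdm-B")             # second provider's profile is active
    results = [gate.on_resource("mdm-A", "app-1.pkg"),
               gate.on_resource("mdm-B", "report.pdf"),
               gate.on_resource("mdm-A", "app-1.data")]
    before_switch = list(delivered)
    flushed = gate.on_status_update("mdm-A")   # first provider's profile becomes active
    return results, before_switch, flushed, delivered, gate.cached("mdm-A")


def demo_pull():
    delivered = []
    gate = ResourceGate(lambda p, i: delivered.append((p, i)), push_on_activate=False)
    gate.on_status_update("mdm-B")
    gate.on_resource("mdm-A", "doc.txt")
    refused = gate.pull("mdm-A")               # profile not active: nothing released
    gate.on_status_update("mdm-A")
    released = gate.pull("mdm-A")
    return refused, released, delivered


if __name__ == "__main__":
    print(demo())
    print(demo_pull())
```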
Figure 13 depicts a flow chart illustrating a method of modifying an order at the pseudo-device according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 13 and/or one or more of its steps can be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 13 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 13, the method can begin at step 1305, in which the pseudo-device can receive one or more orders from one or more MDM service providers. For example, in step 1305, the pseudo-device can receive a first order from the first MDM service provider. The order can be any order discussed herein, including, for example, a selective erasing order, a recall order and/or a deployment order.
In step 1310, the pseudo-device can modify one or more orders. For example, in step 1310, the pseudo-device can modify the received first order to produce a modified order. The modification can be based on one or more strategy execution configuration files, the strategies of one or more MDM service providers, the current state of the physical terminal subscriber equipment and/or any other factor. The modified order can be configured to cause an operation to be performed at the physical terminal subscriber equipment once the order is received by the physical terminal subscriber equipment. For example, the modified order can be configured to deploy resource data from the pseudo-device to the physical terminal subscriber equipment, recall resource data from the physical terminal subscriber equipment to the pseudo-device, perform a selective erasing, perform an order associated with resolving a conflict, and/or perform any other operation discussed herein.
In step 1315, the pseudo-device can send one or more orders to the physical terminal subscriber equipment. For example, in step 1315, the pseudo-device can send the modified order from the pseudo-device to the physical terminal subscriber equipment. The physical terminal subscriber equipment can then perform the operation of the modified order, which can include, for example, deleting data associated with one or more MDM service providers or any other operation discussed herein. Performing the operation can cause a change in the device status information monitored by the MDM cloud agent running on the physical terminal subscriber equipment, and the resulting change in device state can be sent from the physical terminal subscriber equipment to the pseudo-device so that the pseudo-device can continue to enforce the strategies of the MDM service provider.
In some embodiments, a second pseudo-device representing a second physical terminal subscriber equipment can receive an order from an MDM service provider. The second pseudo-device can modify the order to produce a modified order. The second pseudo-device can then send the modified order from the second pseudo-device to the second physical terminal subscriber equipment. The second physical terminal subscriber equipment can then perform the operation associated with the order and send the resulting change in device status information to the second pseudo-device.
In some embodiments, the pseudo-device can modify the order received from the MDM service provider, based on one or more factors, before sending the modified order to the physical terminal subscriber equipment. For example, the pseudo-device can modify the order so that the physical terminal subscriber equipment can process (e.g., understand) the modified order. Specifically, the order received from the MDM service provider can be associated with a protocol or standard that the physical terminal subscriber equipment may not be able to process and/or otherwise understand. The pseudo-device can modify the received order so that the modified order is associated with a different protocol or standard that the physical terminal subscriber equipment is able to process and/or otherwise understand.
Figure 14 depicts a flow chart illustrating a method of applying a selective erasing order according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 14 and/or one or more of its steps can be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 14 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 14, the method can begin at step 1405, in which the physical terminal subscriber equipment can receive a selective erasing order from the pseudo-device. For example, in step 1405, in response to receiving a selective erasing order from the first MDM service provider, the pseudo-device can send a selective erasing order to the physical terminal subscriber equipment. In some embodiments, the pseudo-device can generate the selective erasing order. The selective erasing order can be configured to cause ERMs (e.g., resource data) to be deleted at the physical terminal subscriber equipment. For example, the selective erasing order can be configured to cause a subset of the applications associated with the first MDM service provider, and the data associated with that subset of applications, to be deleted at the physical terminal subscriber equipment. The selective erasing order can be configured to keep personal information. For example, the selective erasing order can keep (e.g., not delete) personal applications and the data associated with personal applications, and optionally the strategy execution configuration file of the first MDM service provider.
In step 1410, in response to receiving the selective erasing order, the physical terminal subscriber equipment deletes resource data. For example, in step 1410, the physical terminal subscriber equipment can delete a subset of the applications associated with the first MDM service provider, data associated with that subset of applications, data generated by the physical terminal subscriber equipment using the resource data of the first MDM service provider, and/or other data associated with the first MDM service provider.
In step 1415, the physical terminal subscriber equipment can retain personal information. For example, in step 1415, the physical terminal subscriber equipment can retain personal applications, data associated with personal applications, personal data, the strategy execution configuration files associated with one or more MDM service providers, and/or any other data not associated with the first MDM service provider. In such an example, the retained information is not deleted by the physical terminal subscriber equipment and therefore continues to be stored by the physical terminal subscriber equipment. In some embodiments, the strategy execution configuration file of the MDM service provider is not deleted.
In some example embodiments, a change in device status information can be detected by the MDM cloud agent, the pseudo-device and/or the first MDM service provider, based on the device status information that the MDM cloud agent provides to the pseudo-device and/or the first MDM service provider. One or more of the MDM cloud agent, the pseudo-device and/or the first MDM service provider may decide to selectively erase the physical terminal subscriber equipment. For example, the first MDM service provider can send a selective erasing order to the pseudo-device. The pseudo-device can then send the selective erasing order to the physical terminal subscriber equipment. In some examples, the pseudo-device can generate a selective erasing order and send it to the physical terminal subscriber equipment. In response to receiving the selective erasing order, or based on a local determination, the MDM cloud agent and/or the physical terminal subscriber equipment can erase the resources associated with the first MDM service provider, while leaving personal data and/or data not associated with the MDM service provider (e.g., data associated with another MDM service provider).
In some embodiments, the selective erasing can erase or delete only a subset of the ERM used by the physical terminal subscriber equipment. In some embodiments, the selective erasing can delete only data associated with the first MDM service provider that was accessed within a certain time period.
In some embodiments, a second physical terminal subscriber equipment can receive a selective erasing order from a second pseudo-device representing the second physical terminal subscriber equipment. The second physical terminal subscriber equipment can delete a subset of resource data, including, for example, a subset of the applications associated with the MDM service provider, data associated with that subset of applications, and/or other data associated with the MDM service provider. The second physical terminal subscriber equipment can retain personal information, including, for example, personal applications, data associated with personal applications, and/or other personal data. The second physical terminal subscriber equipment can also retain the strategy execution configuration file of the MDM service provider.
Figure 15 depicts a flow chart illustrating a method of deploying information to the physical terminal subscriber equipment and recalling information from the physical terminal subscriber equipment according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 15 and/or one or more of its steps can be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 15 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Figure 15, the method can begin at step 1505, where the physical terminal subscriber equipment initiates one or more requests for resource data from one or more MDM service providers. For example, in step 1505, the physical terminal subscriber equipment can initiate a first request based on user input or when the physical terminal subscriber equipment is located within a first geography fence of the first MDM service provider. Specifically, the user can at any time initiate a request for the resource data of one or more MDM service providers. Additionally or alternatively, when the physical terminal subscriber equipment determines that it is located within one or more geography fences preset by the first MDM service provider, the physical terminal subscriber equipment can automatically (e.g., without the participation of the user) initiate a request for the resource data of, for example, the first MDM service provider. For example, the physical terminal subscriber equipment may include a global positioning system (GPS) monitored by the MDM cloud agent operating on the physical terminal subscriber equipment. When the MDM cloud agent determines that the physical terminal subscriber equipment is located within a geography fence associated with the geographical position of one or more buildings or a campus of the MDM service provider, the MDM cloud agent can generate the request. In some embodiments, the geography fence can be associated with the geographical position of the home of the user of the physical terminal subscriber equipment. Additionally or alternatively, the geography fence can be associated with any other region defined by the first MDM service provider.
In step 1510, the pseudo-device can receive the one or more requests from the physical terminal subscriber equipment. For example, in step 1510, the pseudo-device can receive the first request from the physical terminal subscriber equipment. The request can include an indication that the request was initiated based on user input, or an indication that the physical terminal subscriber equipment is located within the first geography fence of the first MDM service provider.
In step 1515, the pseudo-device can deploy (e.g., send) the data of the MDM service provider. For example, in step 1515, the pseudo-device can deploy the strategy execution configuration file of the first MDM service provider, the application data of the first MDM service provider, the resource data of the first MDM service provider stored in a cache or other memory associated with the pseudo-device as discussed herein in connection with Figure 12, and/or any other data associated with the first MDM service provider. The physical terminal subscriber equipment can therefore use and/or interact with the resource data associated with the first MDM service provider. In some embodiments, the first MDM service provider can receive the request from the pseudo-device and can send the resource data to the pseudo-device for deployment to the physical terminal subscriber equipment.
In step 1520, the physical terminal subscriber equipment can initiate a second request to the pseudo-device. For example, in step 1520, the physical terminal subscriber equipment can initiate the second request based on user input or when the physical terminal subscriber equipment is no longer within the first geography fence of the first MDM service provider. Specifically, the user can at any time initiate a request indicating that the user no longer needs the resource data of one or more MDM service providers. Additionally or alternatively, the physical terminal subscriber equipment can initiate the request automatically (e.g., without the participation of the user): when the physical terminal subscriber equipment determines that it is no longer within one or more geography fences preset by the first MDM service provider, the physical terminal subscriber equipment may no longer use the resource data of the first MDM service provider.
In step 1525, the pseudo-device can receive the second request from the physical terminal subscriber equipment. The second request can include an indication that the user no longer needs access to the resource data of the first MDM service provider. The second request can include an indication that the physical terminal subscriber equipment is no longer within the first geography fence of the first MDM service provider and/or an indication that the physical terminal subscriber equipment may no longer use or have access to the resource data of the first MDM service provider.
In step 1530, in response to receiving the second request, the pseudo-device can recall one or more strategy execution configuration files of one or more MDM service providers and/or the resource data of one or more MDM service providers. For example, in step 1530, the pseudo-device can recall from the physical terminal subscriber equipment the applications of, for example, the first MDM service provider, the application data of those applications, the documents of the first MDM service provider, data generated by the physical terminal subscriber equipment based on the resource data of the first MDM service provider, and/or any other data associated with the first MDM service provider. These resources are therefore removed from the physical terminal subscriber equipment and sent to the pseudo-device. In some embodiments, the strategy execution configuration file and/or selected resource data of the first MDM service provider can be retained (e.g., not deleted) at the physical terminal subscriber equipment.
In step 1535, the physical terminal subscriber equipment can initiate a third request for the resource data of one or more MDM service providers. For example, in step 1535, the physical terminal subscriber equipment can initiate a third request for the resource data of the second MDM service provider based on user input or when the physical terminal subscriber equipment is located within a second geography fence of the second MDM service provider. Specifically, the user can at any time initiate a request for the resource data of one or more MDM service providers. When the physical terminal subscriber equipment determines that it is located within one or more geography fences preset by the second MDM service provider, the physical terminal subscriber equipment can also automatically (e.g., without the participation of the user) initiate a request for the resource data of, for example, the second MDM service provider. For example, the geography fence can be associated with the geographical position of one or more buildings or a campus of the second MDM service provider. The geography fence can be associated with the geographical position of the home of the user of the physical terminal subscriber equipment. The geography fence can be associated with any other region defined by the second MDM service provider.
In step 1540, the pseudo-device can receive the one or more requests from the physical terminal subscriber equipment. For example, in step 1540, the pseudo-device can receive the third request from the physical terminal subscriber equipment. The request can include an indication that the request was initiated based on user input, or an indication that the physical terminal subscriber equipment is located within the second geography fence of the second MDM service provider.
In step 1545, the pseudo-device can deploy (e.g., send) the data of the second MDM service provider. For example, in step 1545, the pseudo-device can deploy the strategy execution configuration file of the second MDM service provider, the application data of the second MDM service provider, the resource data of the second MDM service provider stored in a cache or other memory associated with the pseudo-device as discussed herein in connection with Figure 12, and/or any other data associated with the second MDM service provider. The physical terminal subscriber equipment can therefore use and/or interact with the resource data associated with the second MDM service provider.
In some embodiments, a second physical terminal subscriber equipment can initiate a first request based on user input or when the second physical terminal subscriber equipment is located within the geography fence of the first MDM service provider. A second pseudo-device representing the second physical terminal subscriber equipment can receive the first request from the second physical terminal subscriber equipment. In response, the second pseudo-device can deploy one or more of the strategy execution configuration file of the first MDM service provider and the resource data of the first MDM service provider, the resource data including, for example, the applications of the first MDM service provider, the application data of those applications, and/or other data associated with the first MDM service provider. The second physical terminal subscriber equipment can initiate a second request based on user input or when the second physical terminal subscriber equipment is no longer within the geography fence of the first MDM service provider. The second pseudo-device can receive the request from the second physical terminal subscriber equipment. In response, the second pseudo-device can recall from the second physical terminal subscriber equipment one or more of the resource data and the strategy execution configuration file of the first MDM service provider (e.g., remove the resources from the second physical terminal subscriber equipment and send them to the second pseudo-device). The second physical terminal subscriber equipment can initiate a third request based on user input or when the physical terminal subscriber equipment is located within the geography fence of the second MDM service provider. The second pseudo-device can receive the second request from the second physical terminal subscriber equipment. The second pseudo-device can then deploy to the second physical terminal subscriber equipment one or more of the strategy execution configuration file of the second MDM service provider and/or the resource data of the second MDM service provider, the resource data including, for example, the applications of the second MDM service provider, the application data of those applications, and/or any other data associated with the second MDM service provider.
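The deploy and recall cycle of steps 1505-1545 can be traced with the following added example, which is not part of the patent text. It models only the geography-fence trigger (not user input), assumes circular fences, and every name, coordinate and resource in it is hypothetical.

```python
import math

EARTH_RADIUS_M = 6_371_000

# Constructed circular geofences: provider id -> ((lat, lon) of centre, radius in metres).
FENCES = {
    "mdm-1": ((51.5000, -0.1000), 200),
    "mdm-2": ((51.5200, -0.1000), 200),
}


def distance_m(a, b):
    """Great-circle (haversine) distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def agent_requests(position, fences, active):
    """Device side (steps 1505, 1520, 1535): requests implied by the current position.

    Revocations are listed before deployments so that one provider's resources
    leave the device before another provider's arrive (an ordering assumed here).
    """
    inside = {p for p, (centre, radius) in fences.items()
              if distance_m(position, centre) <= radius}
    return ([("revoke", p) for p in sorted(active - inside)]
            + [("deploy", p) for p in sorted(inside - active)])


class PseudoDevice:
    """Cloud side (steps 1515, 1530, 1545): deploys from and recalls to its cache."""

    def __init__(self, cache, keep_profile=False):
        self.cache = cache                # provider id -> {resource name: content}
        self.keep_profile = keep_profile  # leave the policy profile on the device?

    def handle(self, request, device_store):
        kind, provider = request
        if kind == "deploy":
            device_store[provider] = dict(self.cache[provider])
        elif kind == "revoke":
            recalled = device_store.pop(provider, {})
            # Recalled resources, including data created on the device,
            # go back to the pseudo-device's cache.
            self.cache[provider].update(recalled)
            if self.keep_profile and "policy_profile" in recalled:
                device_store[provider] = {"policy_profile": recalled["policy_profile"]}
        else:
            raise ValueError(f"unknown request kind: {kind!r}")


def simulate(path, fences, pseudo):
    """Move the device along `path`; return the request log and final device store."""
    device_store, active, log = {}, set(), []
    for position in path:
        for request in agent_requests(position, fences, active):
            pseudo.handle(request, device_store)
            kind, provider = request
            if kind == "deploy":
                active.add(provider)
            else:
                active.discard(provider)
            log.append(request)
    return log, device_store
```

Setting `keep_profile=True` corresponds to the embodiment in which the strategy execution configuration file stays on the device after the recall.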
Figure 16 depicts a flow chart illustrating a method of resolving conflicts between the strategies of different MDM service providers according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 16 and/or one or more of its steps can be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 16 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Figure 16, the method can begin at step 1605, where the pseudo-device representing the physical terminal subscriber equipment can identify a conflict in the strategies of one or more MDM service providers. For example, in step 1605, the pseudo-device can identify a conflict between one or more strategies of the first MDM service provider and one or more strategies of the second MDM service provider. In some embodiments, the pseudo-device can identify a conflict between a first strategy of the first MDM service provider and a second strategy of the first MDM service provider. Similarly, the pseudo-device can identify a conflict between a first strategy of the second MDM service provider and a second strategy of the second MDM service provider.
The pseudo-device can identify a conflict between strategies when one or more operations associated with the execution of the strategy execution configuration file of the first MDM service provider conflict with one or more operations associated with the execution of the strategy execution configuration file of the second MDM service provider, when one or more orders received from the first MDM service provider conflict with one or more orders received from the second MDM service provider, or any combination thereof. The identification can be based on, for example, inconsistent operations performed by the strategy execution configuration files, inconsistent orders received from the first MDM service provider, or inconsistent orders received from the second MDM service provider.
In step 1610, the pseudo-device can resolve the identified conflict between the one or more strategies of the one or more MDM service providers. For example, in step 1610, the pseudo-device can resolve the conflict by performing one or more of steps 1615, 1620 and/or 1625. The pseudo-device can resolve the conflict when the conflict is identified. In some examples, the pseudo-device can resolve the conflict when the physical terminal subscriber equipment attempts to obtain ERM that could give rise to the conflict.
In step 1615, the pseudo-device can resolve the conflict by applying a solution determined from a knowledge-based system. For example, in step 1615, the pseudo-device can apply a solution determined from a knowledge-based system of the cloud computing environment. The knowledge-based system can include a database of rules, strategies and/or other orders, which can be applied when the conditions of those rules, strategies and/or orders are satisfied. The database can receive updates to the existing rules, strategies and/or orders stored in the database. The database can receive new rules, strategies and/or orders for resolving conflicts.
The pseudo-device can apply (e.g., use) the rules, strategies and/or orders stored in the database. For example, once the pseudo-device has identified a conflict, the pseudo-device can query or look up the rules, strategies and/or orders associated with the identified conflict. In response, the pseudo-device can receive the rules, strategies and/or orders associated with the identified conflict. The pseudo-device can then implement or execute such rules, strategies and/or orders, for example by sending one or more orders to the physical terminal subscriber equipment. The order can be configured to execute, for example, the rule received from the database. Additionally or alternatively, the pseudo-device can query one or more of the MDM service providers. The pseudo-device can receive a response from one or more MDM service providers that includes one or more orders to be sent to the physical terminal subscriber equipment. The pseudo-device can then send the order to the physical terminal subscriber equipment. In response to receiving the order, the physical terminal subscriber equipment can send to the pseudo-device an indication that the operations associated with the one or more orders have been completed.
In step 1620, the pseudo-device can resolve the conflict by sending a warning to the physical terminal subscriber equipment. For example, in step 1620, the pseudo-device can send a warning to the physical terminal subscriber equipment. The warning can include one or more user-selectable orders for resolving the conflict. For example, the physical terminal subscriber equipment can display the warning to the user. The physical terminal subscriber equipment can receive the user's selection of one or more of the orders in the warning displayed to the user. The physical terminal subscriber equipment can then apply the one or more selected orders to resolve the conflict. In some embodiments, based on the one or more selected orders, the physical terminal subscriber equipment can send an order or message to one or more of the pseudo-device and/or the MDM service providers. In response, the physical terminal subscriber equipment can receive one or more orders from the pseudo-device and/or one or more MDM service providers, where such orders can be configured to resolve the conflict once the operations associated with the orders are applied by the physical terminal subscriber equipment.
In step 1625, the pseudo-device can resolve the conflict by sending a miniature erasing order to the physical terminal subscriber equipment. For example, in step 1625, the pseudo-device can send a miniature erasing order to the physical terminal subscriber equipment, where the miniature erasing order can be configured to cause at least a subset of the data leading to the conflict to be deleted. For example, based on the received miniature erasing order, the physical terminal subscriber equipment can delete applications and the data associated with the applications, the resource data of one or more MDM service providers, or any other data causing the conflict.
In some embodiments, the deleted data can be sent to the pseudo-device to be backed up or stored in the memory associated with the pseudo-device. When the data can be pushed or sent to the physical terminal subscriber equipment without re-creating the conflict, the pseudo-device can send to the physical terminal subscriber equipment at least some of the backed-up data initially deleted by the physical terminal subscriber equipment.
In some embodiments, once the physical terminal subscriber equipment has performed one or more of the options for resolving the conflict discussed herein (e.g., one or more of steps 1615, 1620 and/or 1625), the pseudo-device can verify that the identified conflict has been resolved. For example, the pseudo-device can send a request to the physical terminal subscriber equipment and receive from the physical terminal subscriber equipment current device status information of the physical terminal subscriber equipment relating to the identified conflict. The pseudo-device can then determine, based on the current device status information, whether the conflict has been resolved. If the conflict has not been resolved, the pseudo-device can again perform any of the methods of resolving the conflict, including, for example, one or more of steps 1615, 1620 and 1625.
In some embodiments, a second pseudo-device representing a second physical terminal subscriber equipment can identify a conflict between strategies. For example, the second pseudo-device can identify a conflict between a strategy of the first MDM service provider and a strategy of the second MDM service provider. The second pseudo-device can identify conflicting strategies from the same MDM service provider. The second pseudo-device can resolve the conflict by performing one or more of the following actions: the second pseudo-device can apply a solution determined from a knowledge-based system, the second pseudo-device can send a warning including user-selectable orders for resolving the conflict, and/or the second pseudo-device can send a miniature erasing order to the second physical terminal subscriber equipment so that the second physical terminal subscriber equipment can delete the subset of the data causing the conflict. The second pseudo-device can then verify that the conflict has been resolved.
In some embodiments, only one configuration file at a time is active at the physical terminal subscriber equipment. Additionally or alternatively, multiple configuration files can be active at the physical terminal subscriber equipment simultaneously. In such examples, the method of Figure 16 can be applied to conflicts arising between multiple configuration files that are simultaneously active at the physical terminal subscriber equipment. For example, any of steps 1605-1625 for identifying and resolving conflicts can be performed with respect to two or more configuration files that are simultaneously active at the physical terminal subscriber equipment.
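The following added example, which is not part of the patent text, walks through steps 1605-1620 and the verification pass for two simultaneously active strategy execution configuration files (policy profiles). The profile settings, the knowledge-base rules and all names are hypothetical, profiles are assumed to be flat setting-to-value maps, and the miniature erasing order of step 1625 is not modelled.

```python
from dataclasses import dataclass

# Constructed policy profiles: provider id -> {setting: value}.
PROFILES = {
    "mdm-1": {"min_passcode_length": 6, "camera_allowed": True,
              "vpn_gateway": "vpn.one.example"},
    "mdm-2": {"min_passcode_length": 8, "camera_allowed": False,
              "vpn_gateway": "vpn.two.example"},
}

# Constructed knowledge base: setting -> rule that reduces the conflicting
# values to one. Both rules here pick the most restrictive value.
KNOWLEDGE_BASE = {
    "min_passcode_length": max,  # longest demanded passcode wins
    "camera_allowed": all,       # allowed only if every provider allows it
}


@dataclass
class Conflict:
    setting: str
    values: dict  # provider id -> value that provider demands


def find_conflicts(profiles):
    """Step 1605: settings that two or more profiles set to different values."""
    by_setting = {}
    for provider, profile in profiles.items():
        for setting, value in profile.items():
            by_setting.setdefault(setting, {})[provider] = value
    return [Conflict(s, v) for s, v in sorted(by_setting.items())
            if len(set(v.values())) > 1]


def plan_resolution(conflicts, knowledge_base, user_choices=None):
    """Steps 1615 and 1620: an order per conflict, or an alert with options."""
    user_choices = user_choices or {}
    commands, alerts = [], []
    for c in conflicts:
        values = list(c.values.values())
        if c.setting in knowledge_base:            # step 1615
            value = knowledge_base[c.setting](values)
        elif c.setting in user_choices:            # step 1620, user has answered
            value = user_choices[c.setting]
            if value not in values:
                raise ValueError(f"{value!r} was not offered for {c.setting}")
        else:                                      # step 1620, still waiting
            alerts.append({"setting": c.setting, "options": values})
            continue
        commands.append({"setting": c.setting, "value": value})
    return commands, alerts


class Device:
    """Stand-in for the physical device; can lose its first `drop_first` orders."""

    def __init__(self, drop_first=0):
        self.state = {}
        self._drop = drop_first

    def apply(self, command):
        if self._drop > 0:
            self._drop -= 1
            return
        self.state[command["setting"]] = command["value"]

    def report_state(self):
        return dict(self.state)


def resolve(profiles, knowledge_base, device, user_choices=None, max_rounds=3):
    """Send orders, then verify against reported state and retry what failed."""
    commands, alerts = plan_resolution(find_conflicts(profiles),
                                       knowledge_base, user_choices)
    pending = commands
    for _ in range(max_rounds):
        if not pending:
            break
        for command in pending:
            device.apply(command)
        state = device.report_state()
        pending = [c for c in pending if state.get(c["setting"]) != c["value"]]
    unverified = [c["setting"] for c in pending]
    resolved = [c["setting"] for c in commands if c["setting"] not in unverified]
    return {"resolved": resolved, "unverified": unverified, "alerts": alerts}
```

A setting that stays in `unverified` after `max_rounds` is one the device never confirmed, which is the case the verification paragraph above sends back through the resolution steps.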
In one or more embodiments, multiple pseudo-devices can be set up in the cloud computing environment. Each of the pseudo-devices in a first group of pseudo-devices represents the same first physical terminal subscriber equipment. Each of the pseudo-devices representing the first physical terminal subscriber equipment can be provisioned for use with a respective MDM service provider. For example, a first pseudo-device representing the first physical terminal subscriber equipment can be provisioned for use with the first MDM service provider. A second pseudo-device representing the first physical terminal subscriber equipment can be provisioned for use with the second MDM service provider (different from the first MDM service provider). The first pseudo-device can be configured to receive one or more orders from the first MDM service provider on behalf of the first physical terminal subscriber equipment. The second pseudo-device can be configured to receive one or more orders from the second MDM service provider on behalf of the first physical terminal subscriber equipment.
In some embodiments, the first pseudo-device can receive a first order from the first MDM service provider. The first pseudo-device can send to the first physical terminal subscriber equipment the received first order or a different second order based on the first order. The first pseudo-device can then receive a response from the first physical terminal subscriber equipment. The first pseudo-device can send the response or a modified response to the first MDM service provider.
Similarly, in some embodiments, the second pseudo-device can receive a third order from the second MDM service provider. The second pseudo-device can send to the first physical terminal subscriber equipment the received third order or a different fourth order based on the third order. The second pseudo-device can then receive a response from the first physical terminal subscriber equipment. The second pseudo-device can send the response or a modified response to the second MDM service provider.
In some embodiments, a third pseudo-device and a fourth pseudo-device can be set up in the cloud computing environment to represent a second physical terminal subscriber equipment. Each of the pseudo-devices representing the second physical terminal subscriber equipment can be provisioned for use with a respective MDM service provider. For example, the third pseudo-device representing the second physical terminal subscriber equipment can be provisioned for use with the first MDM service provider. The fourth pseudo-device representing the second physical terminal subscriber equipment can be provisioned for use with the second MDM service provider. The third pseudo-device can be configured to receive one or more orders from the first MDM service provider on behalf of the second physical terminal subscriber equipment. The fourth pseudo-device can be configured to receive one or more orders from the second MDM service provider on behalf of the second physical terminal subscriber equipment. The third pseudo-device and the fourth pseudo-device can receive orders, send orders, receive responses and/or send responses as discussed herein.
In some embodiments, the first pseudo-device can be provisioned for use with the first MDM service provider. Specifically, the first pseudo-device representing the first physical terminal subscriber equipment can send a first registration request to the first MDM service provider. The first pseudo-device can receive the strategy execution configuration file of the first MDM service provider from the first MDM service provider. The first pseudo-device can then store the strategy execution configuration file of the first MDM service provider in the memory associated with the first pseudo-device. Once provisioned for use with the first MDM service provider, the first pseudo-device can access the ERM of the first MDM service provider. The first pseudo-device can also receive one or more orders from the first MDM service provider to manage the first physical terminal subscriber equipment.
In some embodiments, the second pseudo-device can be provisioned for use with the second MDM service provider. Specifically, the second pseudo-device representing the first physical terminal subscriber equipment can send a second registration request to the second MDM service provider. The second pseudo-device can receive the strategy execution configuration file of the second MDM service provider from the second MDM service provider. The second pseudo-device can then store the strategy execution configuration file of the second MDM service provider in the memory associated with the second pseudo-device. Once provisioned for use with the second MDM service provider, the second pseudo-device can access the ERM of the second MDM service provider. The second pseudo-device can receive orders from the second MDM service provider to manage the first physical terminal subscriber equipment. In some embodiments, the third pseudo-device representing the second physical terminal subscriber equipment can be provisioned in a similar manner. In some embodiments, the fourth pseudo-device representing the second physical terminal subscriber equipment can be provisioned in a similar manner.
In some embodiments, the first pseudo-device representing the first physical terminal subscriber equipment can receive a first order from the first MDM service provider. In response, the first pseudo-device can determine whether to send an order (e.g., a second order) to the first physical terminal subscriber equipment. In response to a determination to send the second order, the first pseudo-device can send the second order to the first physical terminal subscriber equipment. The first pseudo-device can receive a response from the first physical terminal subscriber equipment. The first pseudo-device can send the response or a modified response to the first MDM service provider. The response can include an indication that the operation associated with the first order has been completed.
As explained above, various aspects of the disclosure relate to providing mobile device management functionalities. However, in other embodiments, the concepts discussed herein can be implemented in any other type of computing device (e.g., desktop computer, server, console, set-top box, etc.). Therefore, although the subject matter has been described in language specific to structural features and/or methodological acts, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or steps described above. Rather, the specific features and acts described above are described as some example implementations of the following claims.

Claims (21)

1. A method, including:
setting up, in a cloud computing environment, a pseudo-device representing a physical terminal subscriber equipment; and
provisioning the pseudo-device for use with one or more mobile device management (MDM) service providers,
wherein the pseudo-device is configured, once provisioned, to receive one or more orders from the one or more MDM service providers on behalf of the physical terminal subscriber equipment.
2. The method according to claim 1, also including:
receiving, at the pseudo-device, a first order from a first MDM service provider of the one or more MDM service providers; and
sending, based on the first order, a second order from the pseudo-device to the physical terminal subscriber equipment, the second order being different from the first order.
3. The method according to claim 1,
wherein provisioning the pseudo-device for use with the one or more MDM service providers includes:
sending a first registration request from the pseudo-device to a first MDM service provider of the one or more MDM service providers;
receiving, at the pseudo-device, a first strategy execution configuration file from the first MDM service provider; and
storing the first strategy execution configuration file at the pseudo-device, the method also including:
provisioning the pseudo-device for use with another MDM service provider of the one or more MDM service providers, including:
sending a second registration request from the pseudo-device to a second MDM service provider of the one or more MDM service providers, the second MDM service provider being different from the first MDM service provider;
receiving, at the pseudo-device, a second strategy execution configuration file from the second MDM service provider, the second strategy execution configuration file being different from the first strategy execution configuration file; and
storing the second strategy execution configuration file at the pseudo-device.
4. The method according to claim 1, further comprising:
receiving, at the pseudo-device, a first order from a first MDM service provider of the one or more MDM service providers;
determining whether to send a second order to the physical terminal subscriber equipment; and
in response to a determination not to send the second order to the physical terminal subscriber equipment:
sending a response to the first order from the pseudo-device to the first MDM service provider without sending the first order and the second order to the physical terminal subscriber equipment, wherein the response to the first order includes an indication that the operation associated with the first order is completed.
5. The method according to claim 4, wherein determining whether to send the second order to the physical terminal subscriber equipment further comprises:
sending a query to the physical terminal subscriber equipment, the query requesting status information of the physical terminal subscriber equipment;
determining whether the status information of the physical terminal subscriber equipment matches desired status information; and
in response to a determination that the status information of the physical terminal subscriber equipment matches the desired status information, generating the determination not to send the second order to the physical terminal subscriber equipment.
6. The method according to claim 1, further comprising:
receiving, at the pseudo-device, a first order from a first MDM service provider of the one or more MDM service providers,
wherein the first order is received during a time period in which a strategy execution configuration file associated with a second MDM service provider of the one or more service providers is active on the physical terminal subscriber equipment, the second MDM service provider being different from the first MDM service provider.
7. The method according to claim 1, further comprising:
receiving, at the pseudo-device, resource data associated with an MDM service provider of the one or more MDM service providers;
caching the resource data at the pseudo-device when a strategy execution configuration file associated with the resource data is currently inactive on the physical terminal subscriber equipment; and
pushing the resource data from the pseudo-device when the strategy execution configuration file is currently active on the physical terminal subscriber equipment.
8. The method according to claim 1, further comprising:
receiving, at the pseudo-device, a first order from a first MDM service provider of the one or more MDM service providers;
modifying the first order to produce a modified order; and
sending the modified order from the pseudo-device to the physical terminal subscriber equipment.
9. The method according to claim 1, further comprising:
sending a selective erasing order from the pseudo-device to the physical terminal subscriber equipment,
wherein the selective erasing order is configured to cause at least one of a subset of applications associated with a first MDM service provider of the one or more MDM service providers and data associated with the subset of applications to be deleted, and
wherein the selective erasing order is configured to cause individual applications and data associated with the individual applications, and a strategy execution configuration file associated with the first MDM service provider, to be retained.
10. The method according to claim 1, further comprising:
in response to receiving, at the pseudo-device, a request from the physical terminal subscriber equipment initiated based on one of a user input or an indication that the physical terminal subscriber equipment is located within a first geofence defined by a first MDM service provider of the one or more MDM service providers, deploying a first strategy execution configuration file of the first MDM service provider and application data of the first MDM service provider from the pseudo-device to the physical terminal subscriber equipment;
in response to receiving another request initiated based on one of another user input or an indication that the physical terminal subscriber equipment is no longer located within the first geofence, withdrawing the first strategy execution configuration file of the first MDM service provider and the application data of the first MDM service provider from the physical terminal subscriber equipment; and
in response to receiving, at the pseudo-device, a new request from the physical terminal subscriber equipment initiated based on one of a new user input or an indication that the physical terminal subscriber equipment is located within a second geofence defined by a second MDM service provider of the one or more service providers, deploying a second strategy execution configuration file of the second MDM service provider and application data of the second MDM service provider from the pseudo-device to the physical terminal subscriber equipment.
11. The method according to claim 10, further comprising:
identifying a conflict between a strategy of a first MDM service provider of the one or more MDM service providers and a strategy of a second MDM service provider of the one or more MDM service providers;
resolving the conflict by performing one of the following:
applying a solution determined by a knowledge-based system of the cloud computing environment;
sending a warning to the physical terminal subscriber equipment, the warning including one or more user-selectable orders to resolve the conflict; and
sending a miniature erasing order to the physical terminal subscriber equipment, wherein the miniature erasing order is configured to cause at least a subset of the data causing the conflict to be deleted.
12. A method, comprising:
establishing a plurality of pseudo-devices within a cloud computing environment, each pseudo-device representing a physical terminal subscriber equipment;
supplying a first pseudo-device of the plurality of pseudo-devices for use with a first mobile device management (MDM) service provider; and
supplying a second pseudo-device of the plurality of pseudo-devices for use with a second MDM service provider different from the first MDM service provider,
wherein the first pseudo-device is configured to receive one or more orders from the first MDM service provider on behalf of the physical terminal subscriber equipment, and
wherein the second pseudo-device is configured to receive one or more orders from the second MDM service provider on behalf of the physical terminal subscriber equipment.
13. The method according to claim 12, further comprising:
receiving, at the first pseudo-device, a first order from the first MDM service provider; and
sending, based on the first order, a second order from the pseudo-device to the physical terminal subscriber equipment, the second order being different from the first order.
14. The method according to claim 12,
wherein supplying the first pseudo-device of the plurality of pseudo-devices for use with the first MDM service provider comprises:
sending a first registration request from the first pseudo-device to the first MDM service provider;
receiving, at the first pseudo-device, a first strategy execution configuration file from the first MDM service provider;
storing the first strategy execution configuration file at the first pseudo-device,
wherein supplying the second pseudo-device of the plurality of pseudo-devices for use with the second MDM service provider comprises:
sending a second registration request from the second pseudo-device to the second MDM service provider;
receiving, at the second pseudo-device, a second strategy execution configuration file from the second MDM service provider, the second strategy execution configuration file being different from the first strategy execution configuration file; and
storing the second strategy execution configuration file at the second pseudo-device.
15. The method according to claim 12, further comprising:
receiving, at the first pseudo-device, a first order from the first MDM service provider;
determining whether to send a second order to the physical terminal subscriber equipment; and
in response to determining not to send the second order to the physical terminal subscriber equipment:
sending a response to the first order from the first pseudo-device to the first MDM service provider without sending the first order and the second order to the physical terminal subscriber equipment,
wherein the response to the first order includes an indication that the operation associated with the first order is completed.
16. The method according to claim 12, further comprising:
receiving, at the first pseudo-device, resource data associated with the first MDM service provider;
caching the resource data at the first pseudo-device when a strategy execution configuration file associated with the resource data is currently inactive on the physical terminal subscriber equipment; and
pushing the resource data from the first pseudo-device when the strategy execution configuration file is currently active on the physical terminal subscriber equipment.
17. A non-transitory storage medium storing machine-executable instructions that, when executed, cause a computing device to perform the following operations:
establishing, in a cloud computing environment including the computing device, a pseudo-device representing a physical terminal subscriber equipment; and
supplying the pseudo-device for use with one or more mobile device management (MDM) service providers,
wherein the pseudo-device is configured to, once supplied, receive one or more orders from the one or more MDM service providers on behalf of the physical terminal subscriber equipment.
18. The non-transitory storage medium according to claim 17, wherein the machine-executable instructions, when executed, cause the computing device to perform the following operations:
receiving, at the pseudo-device, a first order from a first MDM service provider of the one or more MDM service providers; and
sending, based on the first order, a second order from the pseudo-device to the physical terminal subscriber equipment, the second order being different from the first order.
19. The non-transitory storage medium according to claim 17, wherein:
the machine-executable instructions that, when executed, cause the computing device to supply the pseudo-device for use with the one or more MDM service providers further cause the computing device to perform the following operations:
sending a first registration request from the pseudo-device to a first MDM service provider of the one or more MDM service providers;
receiving, at the pseudo-device, a first strategy execution configuration file from the first MDM service provider;
storing the first strategy execution configuration file at the pseudo-device,
wherein the machine-executable instructions, when executed, further cause the computing device to:
supply the pseudo-device for use with another MDM service provider of the one or more service providers by causing the computing device to further perform the following operations:
sending a second registration request from the pseudo-device to a second MDM service provider of the one or more MDM service providers, the second MDM service provider being different from the first MDM service provider;
receiving, at the pseudo-device, a second strategy execution configuration file from the second MDM service provider, the second strategy execution configuration file being different from the first strategy execution configuration file; and
storing the second strategy execution configuration file at the pseudo-device.
20. The non-transitory storage medium according to claim 17, wherein the machine-executable instructions, when executed, further cause the computing device to perform the following operations:
receiving, at the pseudo-device, a first order from a first MDM service provider of the one or more MDM service providers;
determining whether to send a second order to the physical terminal subscriber equipment; and
in response to determining not to send the second order to the physical terminal subscriber equipment:
sending a response to the first order from the pseudo-device to the first MDM service provider without sending the first order and the second order to the physical terminal subscriber equipment.
21. The non-transitory storage medium according to claim 17, wherein the pseudo-device is a first pseudo-device and the physical terminal subscriber equipment is a first physical terminal subscriber equipment associated with a user,
wherein the machine-executable instructions, when executed, further cause the computing device to:
establish, in the cloud computing environment including the computing device, a second pseudo-device representing a second physical terminal subscriber equipment associated with the user.
CN201380082058.9A 2013-12-31 2013-12-31 The method and apparatus of mobile device management Active CN106031128B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910424505.3A CN110149634A (en) 2013-12-31 2013-12-31 The method and apparatus of mobile device management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/US2013/078457 WO2015102608A2 (en) 2013-12-31 2013-12-31 Providing mobile device management functionalities

Related Child Applications (1)

Application Number Title Priority Date Filing Date
CN201910424505.3A Division CN110149634A (en) 2013-12-31 2013-12-31 The method and apparatus of mobile device management

Publications (2)

Publication Number Publication Date
CN106031128A true CN106031128A (en) 2016-10-12
CN106031128B CN106031128B (en) 2019-06-14

Family

ID=50033775

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201380082058.9A Active CN106031128B (en) 2013-12-31 2013-12-31 The method and apparatus of mobile device management
CN201910424505.3A Pending CN110149634A (en) 2013-12-31 2013-12-31 The method and apparatus of mobile device management


Country Status (3)

Country Link
EP (1) EP3090338A2 (en)
CN (2) CN106031128B (en)
WO (1) WO2015102608A2 (en)


Also Published As

Publication number Publication date
CN110149634A (en) 2019-08-20
CN106031128B (en) 2019-06-14
WO2015102608A2 (en) 2015-07-09
EP3090338A2 (en) 2016-11-09
WO2015102608A3 (en) 2015-12-10


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant