CN103259707B - Method and apparatus for separating connection data by perimeter type
- Publication number: CN103259707B
- Application number: CN201310111446.7A
- Authority: CN (China)
- Prior art keywords: network connection, interface, network, operating mode, data
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Classification: Mobile Radio Communication Systems (AREA)
Abstract
A method and a mobile device having a plurality of operating modes, the method associating each connection profile on the mobile device with one of the plurality of modes; and restricting access to each connection profile on the mobile device to only a subset of applications, based on the mode associated with the profile.
Description
Technical field
The present invention relates to mobile connectivity, and more particularly to data connections between a device and a network.
Background
In some cases, one or more applications on a mobile device may occasionally want to establish a network/data connection with a network element. Such a network connection may include a virtual private network (VPN), which is a private network used for confidential communication over a publicly accessible network. VPN message traffic can be carried over public network infrastructure (for example, the Internet) on top of standard protocols. A VPN is used, for example, to enable employees to connect securely to a corporate network. In other cases, the network connection may be a connection to a WiFi network through a WiFi interface.
Because various network interfaces are not compatible with VPN connections, the standard routing rules for network connections do not apply to VPN connections. For example, certain cellular networks include non-Internet Protocol (IP) interfaces. In other cases, the network interface may be virtual and not usable for a VPN connection.
Further, the interfaces used for mobile connectivity may not be permanent. Specifically, an interface may be added, or an interface may periodically become unavailable. A VPN connected over an interface that becomes unavailable may be affected. Further, a new interface may be better for the VPN than the interface currently in use.
Brief description of the drawings
The disclosure will be better understood with reference to the accompanying drawings, in which:
Fig. 1 is a block diagram of an example computing device;
Fig. 2 is a block diagram of an example prioritized interface status list;
Fig. 3 is a flowchart of an example of making a virtual private network (VPN) connection using prioritized connections;
Fig. 4 is a flowchart of an example of updating the interface status list;
Fig. 5 is a flowchart of an example of maintaining the interface status list;
Fig. 6 is a block diagram of an example list associating network connections with VPN connection profiles;
Fig. 7 is a block diagram of an example prioritized interface status list that also associates network connections with VPN connection profiles;
Fig. 8 is a flowchart of an example of maintaining an interface status list associated with VPN profiles;
Fig. 9 is a block diagram of example application and data memory on a mobile device;
Fig. 10 is a block diagram illustrating a corporate device connected to a personal device;
Fig. 11 is a block diagram of example applications on a mobile device connecting to a corporate network or the Internet through a physical layer;
Fig. 12 is a block diagram of example applications on a mobile device connecting to a corporate network or the Internet through a bridge;
Fig. 13 is a flowchart of an example of assigning a profile to a perimeter;
Fig. 14 is an example system architecture diagram for a mobile device; and
Fig. 15 is a block diagram of an example mobile device that can be used with the disclosure.
Detailed description
The disclosure provides a method for a mobile device, the mobile device having one or more applications, a plurality of operating modes and one or more network connections, each network connection being associated with one of one or more network connection profiles and each application being associated with one of the plurality of operating modes, the method comprising: associating each of the one or more network connection profiles with at least one of the plurality of operating modes; and restricting access to each of the one or more network connections to only those applications associated with the same operating mode as the network connection profile associated with that network connection.
The disclosure further provides a user equipment comprising: a processor; and a communications subsystem, wherein the user equipment is configured to: associate each network connection with one of one or more network connection profiles, and associate each application with one or more of a plurality of operating modes; associate the network connections established on the mobile device with at least one of the plurality of operating modes; and restrict access to each of the one or more network connections to only those applications associated with the same operating mode as the network connection profile associated with that network connection.
The disclosure is directed to mobile devices but is not limited to any particular mobile device. Examples of mobile devices include smartphones, personal digital assistants, data-enabled cellular telephones, tablet computers, and so on.
Referring to Fig. 1, a simplified example diagram of a computing device 100 is shown. Computing device 100 may comprise a tablet, mobile device, personal computer, laptop computer, and so on. However, the embodiment of Fig. 1 is not meant to be limiting, and other devices can also be used.
Computing device 100 generally includes a processor 138, which controls the overall operation of the device. Processor 138 interacts with device subsystems such as display 122, memory 124, auxiliary input/output (I/O) subsystems 128, serial port 130, one or more keyboards or keypads 132 (which may include a physical keyboard, a virtual keyboard, or both), one or more speakers 134, microphone 136, other communication subsystems 140 (for example, short-range communication subsystems including Bluetooth and near-field communication), and any other device subsystems generally designated 142. Serial port 130 may include a USB port or other port.
Memory 124 is divided into various operating modes, sometimes also referred to as perimeters, as described below. This separation may be physical or logical. The operating system software used by processor 138 may be stored in memory 124. The operating system, specific device applications, or parts thereof may be temporarily loaded into volatile memory such as RAM 126.
In some cases, applications may be installed on the device and associated with an operating mode (also referred to as a "perimeter"). In some embodiments, such applications and their application data may be stored in memory and associated with the perimeter. For example, in some embodiments, separate areas of memory may be used to store the applications or data of each perimeter. In other embodiments, applications or data may be encrypted with a key associated with the perimeter, so that the applications or data of multiple perimeters can be stored together. Other options are also possible.
In some embodiments, computing device 100 may optionally include a communications subsystem 111 capable of communicating with a data access point. Such a data access point may include a cellular network, or a Wi-Fi or WiMAX network, among others. In further embodiments, computing device 100 may be capable of voice communication.
Various embodiments of the disclosure relate to network connections such as virtual private networks. A network connection, as used herein, is a link between a network element and the mobile device that facilitates the exchange of data between them. The link may run over private resources (for example, within a company LAN) or over public network infrastructure. Examples of network connections include VPN connections, WiFi connections through a WiFi interface, and so on.
As described above, a VPN is a private communications network used for confidential communication over a publicly accessible network. VPN message traffic can be carried over public network infrastructure (for example, the Internet) on top of standard protocols. A VPN is used, for example, to let employees securely access a corporate network. Examples of VPN protocols include the Internet Protocol Security (IPSec) standard defined by the Internet Engineering Task Force (IETF), Layer 2 Tunneling Protocol (L2TP), Secure Sockets Layer (SSL) VPN, Point-to-Point Tunneling Protocol (PPTP), and so on.
According to one embodiment of the disclosure, a method or apparatus is provided for automatic interface selection for a network connection (such as a VPN connection). Although the description below refers specifically to VPN connections, those skilled in the art will appreciate that other types of network connection are within the scope of this disclosure. As noted above, because various network interfaces are not compatible with VPN connections, the standard routing rules for network connections may not apply to a particular network connection (such as a VPN). For example, certain cellular networks include non-Internet Protocol (IP) interfaces. In other cases, the network interface may be virtual, and establishing a VPN connection over a virtual network interface is not desired.
Further, the interfaces used for mobile connectivity may not be permanent. Specifically, an interface may be added, or an interface may periodically become unavailable.
According to some embodiments of the disclosure, an interface status list is provided. The status provided by the core networking component on the device can be read, and a processor on the device can distinguish VPN-usable interfaces from unusable ones. Specifically, reference is made to Table 1 below.
Table 1: Example interface status list criteria
As shown in the example of Table 1 above, three types of interface are provided. For virtual interfaces, because establishing a VPN over such an interface is not desired, the interface behavior for VPN connections in the example is to ignore this interface type.
The second interface type comprises physical, non-VPN-friendly interfaces. As described above, this may include cellular connections with non-IP restrictions. In this example, this interface type is likewise ignored. The third interface type is a physical, VPN-friendly interface. Such an interface may be either available or unavailable. If the interface is available, as shown in the second column of Table 1, the device can monitor the interface and use it for VPN login. Conversely, if the interface is unavailable, the mobile device can continue to monitor it in case it becomes available for VPN login. An interface is available if a VPN connection can be established over it.
For each interface available to the device, the interface is classified by interface type and listed in the interface status list (as in Table 1 above). Once the interface status list has been established, changes to the interfaces can be monitored to detect when an interface comes up or goes down. The interface status list can be used to infer whether a VPN-usable interface is present. If an interface comes up and its interface type is physical and VPN-friendly, the interface becomes a candidate for VPN connections. In this case, if a VPN login is requested without an interface being explicitly specified, an automatic selection is made.
Similarly, if an interface goes down while it is being used for a VPN session, detection of the interface going down can be used to clean up the internal state of the VPN process.
Available interfaces can be stored in priority order. Reference is now made to Table 2, which shows an example of such a priority order.
VPN-friendly interfaces, in priority order |
Wired |
Wi-Fi |
Cellular (IP-enabled interface) |
Bluetooth™ (tethering) |
Table 2: Example interface priorities
As shown in Table 2 above, VPN-friendly interfaces can be stored based on whether the interface is wired, Wi-Fi, cellular, or Bluetooth. However, the ordering in Table 2 is not limiting and is only an example. Moreover, the connection types are not limiting; other network connection types (such as WiMAX, IrDA, near-field communication, and so on) are also possible.
In the example of Table 2, the device may consider a wired interface to have the highest priority because that interface is the fastest and most reliable. Similarly, in some cases a Wi-Fi interface may be more desirable than a cellular interface because a Wi-Fi connection can carry a greater volume of data.
Finally, the Bluetooth interface may have the lowest priority because its data throughput is the lowest.
In other embodiments, interface priority may be determined based on other criteria (including the application requiring the interface, interface security, and other factors), as described below.
Based on the above, when the computing device needs to establish a network connection (such as a VPN connection), the device can consult the internal interface status list, which gives a prioritized list of the currently available interfaces over which a VPN connection can be established. The interface status list provides a quick lookup for determining which interfaces can provide a VPN connection. The interface status list also abstracts interface information from other sources and filters out other unneeded interface status information.
For example, reference is now made to Fig. 2, which shows an example interface status list according to one embodiment of the disclosure. Specifically, in Fig. 2 a sorted list 200 is built on the principles of Tables 1 and 2 above; the sorted list shows, in priority order, the interfaces that are currently available and the other interfaces that are currently unavailable.
In Fig. 2, the first row 210 of the interface list provides a home Wi-Fi interface that is currently available for VPN connections.
Similarly, row 212, showing a first cellular interface, and row 214, showing a second cellular interface, indicate that both interfaces are accessible from the mobile device and both can be used for VPN connections. Likewise, the mobile device is tethered, and the VPN can also use the tethering interface, as shown in row 216.
Based on the above, in the example of Fig. 2, rows 210, 212, 214 and 216 provide the interfaces the device can use for a VPN and the order of those interfaces.
In some embodiments, an interface is added to list 200 the first time a connection is established over it. It can then be determined whether the interface can be used for VPN. Thus, for example, a work Wi-Fi interface (row 220) is provided in list 200. However, the work Wi-Fi interface is not currently available to the mobile device (for example, the mobile device may be out of range of the work Wi-Fi interface), so its availability is shown as "No" in list 200.
Similarly, if the user occasionally goes to school and connects to the school's Wi-Fi network, the school Wi-Fi network (shown in row 222) can sometimes also be used for VPN connections. Again, in the example of Fig. 2, this network is unavailable at that time.
In some embodiments, interfaces are kept in list 200 for a period of time. For example, if the user has not connected to a particular network interface for a month, that interface can be removed from the interface list.
Thus, according to Fig. 2, the device can maintain a prioritized list for VPN connections.
Reference is now made to Fig. 3, which shows an example process for making a VPN connection. Specifically, the process of Fig. 3 starts at step 300 and proceeds to step 310, in which a VPN connection is initiated. The initiation at step 310 may be based on a VPN connection being selected through a user interface, or may be performed automatically, for example at device start-up or other initialization.
The initiation at step 310 assumes that no network interface has been specified for the VPN connection. In that case, the process then proceeds to step 312, in which the device selects the interface with the highest priority from among the available interfaces in interface list 200.
The process then proceeds to step 314, in which the VPN connection is established over the interface selected in step 312. The process then proceeds to step 320 and ends.
In an alternative embodiment, instead of selecting the highest-priority interface in step 312, a user interface is provided that presents a sorted list of the interfaces that can be used for the VPN connection. In this case, the user can be prompted to select the interface to use; in one example, the highest-priority interface is the default interface.
The interface list of Fig. 2 can be updated by checking whether each interface is VPN-friendly. Specifically, reference is made to Fig. 4.
The process of Fig. 4 starts at step 400 and proceeds to step 410, in which the next interface is selected. In the first instance of step 410, the first interface is selected.
Once an interface has been selected, the process proceeds to step 412, in which a check is made to determine whether the interface is new or has been processed before. If the interface is not new, the process returns to step 410 to select the next interface.
If the interface is new, the process proceeds from step 412 to step 422, in which a check is made to determine whether the interface is VPN-friendly. As described above, this may include, for example, ensuring that the interface is not virtual and can support IP connections.
If the interface is not VPN-friendly, the process returns from step 422 to step 410 to select the next interface.
If the interface is VPN-friendly, the process proceeds from step 422 to step 424, in which the interface is added to the interface table. The process then returns to step 410.
Further, the interface list of Fig. 2 can be kept up to date by checking the various interfaces to determine whether each interface has come up, gone down, or maintained its availability state. Specifically, reference is made to Fig. 5.
The process of Fig. 5 starts at step 500 and proceeds to step 510, in which the process selects the next interface in the interface list or table. In the first instance of step 510, the first interface can be selected.
The process then proceeds to step 512 to determine whether the selected interface has become available when compared with its previous state. If so, the process proceeds to step 520, in which the interface is marked as available for VPN connections.
If the interface has not recently become available, the process proceeds from step 512 to step 530, in which a check is made to determine whether the interface has gone down. If not, the process returns to step 510 to select the next interface.
If the interface has gone down, the process proceeds to step 540, in which a check is made to determine whether there was an active VPN connection on that interface. If not, the process proceeds from step 540 to step 544, in which the interface is marked as unavailable for VPN connections, and then proceeds to step 510 to select the next available interface.
From step 540, if a VPN connection was active on the interface that is no longer available, the process proceeds to step 542, in which the VPN state is cleaned up. In this case, the VPN connection may be dropped and the internal VPN state adjusted accordingly.
The process proceeds from step 542 to step 510, in which the next interface is selected.
At step 510, if there are no more interfaces in the table, the process can select the first interface again and repeat.
Based on the process diagrams of Figs. 4 and 5, an interface status list can be maintained that tracks the state of the interfaces and their availability for VPN connections.
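The Table 1 classification, the Table 2 ordering and the Fig. 3 to Fig. 5 flows can be modeled together as follows. This is an added illustration, not code from the patent; the class, method and interface names and the sample interfaces are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Kind(Enum):
    VIRTUAL = "virtual"                    # Table 1: ignored for VPN
    PHYSICAL_NON_VPN = "physical-non-vpn"  # Table 1: ignored (e.g. non-IP cellular)
    PHYSICAL_VPN = "physical-vpn"          # Table 1: monitored, usable when up


# Table 2 ordering (lower number = higher priority); the text notes it is only an example.
PRIORITY = {"wired": 0, "wifi": 1, "cellular": 2, "bluetooth": 3}


@dataclass
class Interface:
    name: str
    medium: str
    kind: Kind
    up: bool = False


class InterfaceStatusList:
    def __init__(self) -> None:
        self.entries: Dict[str, Interface] = {}
        self.active_vpn_on: Optional[str] = None  # interface carrying the VPN, if any

    def discover(self, iface: Interface) -> bool:
        """Fig. 4: add an interface only if it is new and VPN-friendly."""
        if iface.name in self.entries:            # step 412: already processed
            return False
        if iface.kind is not Kind.PHYSICAL_VPN:   # step 422: virtual or non-IP
            return False
        self.entries[iface.name] = iface          # step 424: add to the table
        return True

    def candidates(self) -> List[Interface]:
        """Available VPN-friendly interfaces, highest priority first."""
        live = [i for i in self.entries.values() if i.up]
        return sorted(live, key=lambda i: (PRIORITY[i.medium], i.name))

    def connect_vpn(self) -> Optional[str]:
        """Fig. 3: no interface was specified, so take the highest-priority one."""
        ranked = self.candidates()
        self.active_vpn_on = ranked[0].name if ranked else None
        return self.active_vpn_on

    def on_state_change(self, name: str, up: bool) -> str:
        """Fig. 5: react to an interface coming up or going down."""
        iface = self.entries.get(name)
        if iface is None or iface.up == up:
            return "unchanged"
        iface.up = up
        if up:
            return "available"                    # step 520
        if self.active_vpn_on == name:
            self.active_vpn_on = None             # step 542: clean up VPN state
            return "vpn-state-cleared"
        return "unavailable"                      # step 544


def demo() -> list:
    isl = InterfaceStatusList()
    constructed = [  # constructed sample interfaces, not taken from the patent figures
        Interface("tun0", "virtual", Kind.VIRTUAL, up=True),
        Interface("cell-nonip", "cellular", Kind.PHYSICAL_NON_VPN, up=True),
        Interface("home-wifi", "wifi", Kind.PHYSICAL_VPN, up=True),
        Interface("cell1", "cellular", Kind.PHYSICAL_VPN, up=True),
        Interface("bt-tether", "bluetooth", Kind.PHYSICAL_VPN, up=True),
    ]
    added = [i.name for i in constructed if isl.discover(i)]
    first = isl.connect_vpn()
    event = isl.on_state_change("home-wifi", up=False)
    second = isl.connect_vpn()
    return [added, first, event, second]


if __name__ == "__main__":
    print(demo())
```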
In addition to the embodiments of Figs. 2 to 5 above, in some embodiments a network connection may be associated with a network connection profile. An interface may be associated with one or more network connection profiles. As used herein, a network connection profile defines a number of parameters that can be used to connect to a network element and may include, for example, any combination of connection method, interface, user credentials, network element server name, and other details that allow a mobile device client or application to connect to and authenticate with the network element.
Specifically, while list 200 in Fig. 2 provides the interfaces and whether they can be used for VPN connections, a particular network connection profile may restrict the types of interface that can be used. For example, a VPN may have a network connection profile specifying that the connection must be established over a cellular interface. In other examples, a VPN connection may have a network connection profile indicating that the connection can only use trusted interfaces, and only a particular subset of trusted interfaces is provided.
Referring to Fig. 6, an example list 600 is shown containing interfaces and an indication of the network connection profiles associated with each interface.
In particular, three example network connection profiles are provided in the example of Fig. 6. The first network connection profile, "A", can be used to establish a network connection that connects a particular enterprise application to an enterprise VPN server. The second network connection profile, "B", can be used to establish a network connection to the VPN server of the user's home network. Network connection profile "C" can be used to establish a network connection that connects one or more applications on the mobile device to the VPN server of a different enterprise network.
In the example of Fig. 6, as indicated by row 610, the home Wi-Fi network can only be used for network connections associated with network connection profile B. As shown in row 612, cellular interface 1 can be used for network connections associated with network profiles A, B and C. As shown in row 614, cellular interface 2 can be used for network connections associated with network profiles A or B. The restriction of the network connections associated with a particular profile to certain interfaces may depend on the nature of the network connection associated with that profile. For example, a home Wi-Fi interface may not be secure for an enterprise, so profiles A and C above, which are used to connect to enterprise VPN servers, are not allowed to use the home Wi-Fi interface.
Further, as shown in row 616, the tethering interface is available to VPN profile B. As shown in row 618, the work WiFi interface is available to VPN profiles A and C, and as shown in row 620, the school Wi-Fi network is available only to VPN profile B.
Thus, for example, when an application attempts to establish a new VPN connection, the network profile for the VPN connection can be established and a suitable interface can be selected from the prioritized interface list. For example, in one embodiment the application on the mobile device may be a VPN client which, when launched, attempts to connect to a network element to establish a VPN connection. The application accesses the network connection profile that provides the information (such as client credentials, the address of the VPN server, the interface, and so on) needed to make the connection request. Authentication then takes place at the VPN server before data is transferred between the mobile device and the network element. The network connection profile can be used to determine a suitable interface for establishing the VPN connection.
The lists in Figs. 2 and 6 can each be used separately to determine the interface to use. In other embodiments, the lists can be combined. Referring to Fig. 7, an example table is shown that includes interfaces, VPN profiles, and interface availability. In this case, list 700 can be sorted by interface type and availability.
Specifically, the combination of Figs. 2 and 6 provides interface list 700, in which row 710 indicates that the home Wi-Fi network is available only to network connections associated with network connection profile B. Similarly, row 712 indicates that the first cellular network is available to network connections associated with network connection profiles A, B or C. Further, row 714 indicates that the second cellular network is available to network connections associated with network connection profiles A or B.
Row 716 indicates tethering, which is available only to VPN profile B.
Other networks, such as the work Wi-Fi network shown in row 718, are unavailable at this time, but when the work Wi-Fi network becomes available, network connections associated with network connection profiles A or C can connect over it. Similarly, the school Wi-Fi network shown in row 720 is currently unavailable, but if it becomes available it can be used for network connections associated with network profile B.
Reference is now made to Fig. 8, which shows an example process for associating network connection profiles with interfaces and, according to some embodiments of the disclosure, also shows an example process for connecting to the available interface with the highest priority. Specifically, the process starts at step 800 and proceeds to step 810, in which an application on the mobile device attempts to establish a network connection. The connection attempt at step 810 may be based on a VPN login attempt from a user interface, an automatic VPN login (for example, when the device is turned on), or other login requests. The connection attempt is associated with a network profile (for example, a VPN profile) for the network connection.
The process proceeds from step 810 to step 812, in which a check is made to determine whether the network connection profile associated with the connection attempt specifies an interface. If so, the process proceeds to step 820, in which the association between the interface and the profile is stored.
The process then proceeds from step 820 to step 822, in which the highest-priority interface having a stored association with the profile is selected. For example, in some embodiments a previous connection may have used a higher-priority interface for the profile, and the association between that interface and the profile is stored until the interface becomes unavailable. Therefore, regardless of which interface was specified in the connection attempt of step 810, the highest-priority interface with a stored association with the network connection profile is selected.
If no interface is specified in the profile associated with the connection attempt, the process proceeds from step 812 to step 830, in which the highest-priority available interface is selected for the VPN connection.
The process then proceeds from step 822 or step 830 to step 840, in which a check is made to determine whether a network connection for the profile already exists on the selected interface. If so, no reconnection is needed, as shown in step 852. However, if no network connection for the profile exists on the selected interface, the process proceeds to step 850, in which a connection is established on the interface using the network connection profile.
The process proceeds from steps 850 and 852 to step 860 and ends.
Based on the above, a VPN connection can, for example, be transitioned between interfaces whenever an interface is added or removed. In some embodiments, the stored interface associations track the previously used VPN profiles, and a transition can be triggered upon detecting that an interface has come up or gone down. This allows a VPN connection to be switched to a higher-priority interface and, if the higher-priority interface goes down, the VPN can re-establish the connection on a lower-priority interface.
In some embodiments, if an interface is available but it is not known whether it supports VPN connections, and the interface has a higher priority than the interface currently used for the VPN connection, an attempt is made to establish a VPN connection over that interface. In this way, new, higher-priority interfaces can be checked to determine whether a VPN connection can be established over them.
In certain situations, a mobile device may have two or more operating modes, where the mobile device runs particular programs and accesses particular data in one part, and those programs cannot be run, or that data accessed, in a second part. Such operating modes are described herein as perimeters. For example, a work perimeter can be used for enterprise applications and data, and a personal perimeter can be used for personal applications and data. As described below, the perimeter of the application that wants to make a network connection can determine which network connection profile, and accordingly which interface, can be used to establish the VPN connection.
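How the perimeter check combines with the profile-restricted interface table of Fig. 7 and the reconnect logic of Fig. 8 (steps 840 to 852) can be sketched as below. This is an added illustration, not code from the patent; the assignment of profiles A and C to a corporate perimeter and B to a personal perimeter, the application names, and the use of allowed-profile sets per interface in place of a single profile-specified interface are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

MEDIUM_RANK = {"wired": 0, "wifi": 1, "cellular": 2, "bluetooth": 3}  # Table 2 order

# Assumed perimeter assignments (not given in the text): enterprise profiles A and C
# sit in the corporate perimeter, the home-network profile B in the personal one.
PROFILE_PERIMETER = {"A": "corporate", "B": "personal", "C": "corporate"}
APP_PERIMETER = {"corp-mail": "corporate", "personal-browser": "personal"}  # hypothetical


@dataclass
class Row:
    name: str
    medium: str
    profiles: FrozenSet[str]  # profiles allowed to use this interface
    available: bool


def fig7_rows() -> List[Row]:
    """Rows 710 to 720 of list 700 as described in the text (constructed data)."""
    return [
        Row("home Wi-Fi", "wifi", frozenset("B"), True),
        Row("cellular 1", "cellular", frozenset("ABC"), True),
        Row("cellular 2", "cellular", frozenset("AB"), True),
        Row("tethering", "bluetooth", frozenset("B"), True),  # medium assumed from Table 2
        Row("work Wi-Fi", "wifi", frozenset("AC"), False),
        Row("school Wi-Fi", "wifi", frozenset("B"), False),
    ]


class ConnectionManager:
    def __init__(self, rows: List[Row]) -> None:
        self.rows: Dict[str, Row] = {r.name: r for r in rows}
        self.current: Dict[str, str] = {}  # profile -> interface carrying its connection

    def set_available(self, name: str, available: bool) -> None:
        self.rows[name].available = available

    def connect(self, app: str, profile: str) -> Tuple[str, Optional[str]]:
        # Perimeter restriction: fail closed for unknown apps or mismatched perimeters.
        app_perimeter = APP_PERIMETER.get(app)
        if app_perimeter is None or app_perimeter != PROFILE_PERIMETER.get(profile):
            return ("denied", None)
        # Only available interfaces that this profile is allowed to use, best first.
        usable = sorted(
            (r for r in self.rows.values() if r.available and profile in r.profiles),
            key=lambda r: MEDIUM_RANK[r.medium],
        )
        if not usable:
            self.current.pop(profile, None)
            return ("no-interface", None)
        best = usable[0].name
        if self.current.get(profile) == best:   # step 840 -> 852: nothing to do
            return ("already-connected", best)
        self.current[profile] = best            # step 850: (re)connect on this interface
        return ("connected", best)


def demo() -> List[Tuple[str, Optional[str]]]:
    mgr = ConnectionManager(fig7_rows())
    out = [mgr.connect("corp-mail", "A"), mgr.connect("corp-mail", "A")]
    mgr.set_available("work Wi-Fi", True)        # higher-priority interface comes up
    out.append(mgr.connect("corp-mail", "A"))
    out.append(mgr.connect("personal-browser", "A"))  # wrong perimeter for profile A
    out.append(mgr.connect("personal-browser", "B"))
    mgr.set_available("work Wi-Fi", False)       # falls back to a lower priority
    out.append(mgr.connect("corp-mail", "A"))
    out.append(mgr.connect("unknown-app", "Z"))
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```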
With reference now to Fig. 9, which shows an example block diagram of the memory 910 of a mobile device. The memory is configured to store applications and application data; the combination of the stored applications and data is referred to herein as the application space. The memory 910 is physically or logically divided into two circumferences, which in the example of Fig. 9 are a personal circumference 920 and a company circumference 930.
The company circumference 930 can consist of a part of the mobile device's memory that is isolated for data, applications, or both, and that is considered confidential to a business, company, enterprise, government, non-profit organization, the user of the device, or any other entity that sets an information technology policy for the computing device. The personal circumference 920 may include a part of the memory isolated for personal applications and data, where the personal applications or data are considered to be outside of, or separate from, the information technology policy.
In personal circumference 920, multiple applications 922 can communicate with data 924 that is considered personal data.
Similarly, in company circumference 930, multiple company applications 932 can communicate with company data 934.
By isolating company applications from personal applications and their associated data, corporate IT policies can be applied to the company data on the device, protecting that data while still allowing personal applications and personal data on the device. This can give the user more flexibility and a better user experience.
As described in more detail below, operating system 940 enforces the separation of data.
Each application can be designated as a personal application or a company application in several ways. In one embodiment, a corporate IT policy can be set for loading applications onto the device, where the IT policy designates specific applications as company applications. Other applications that are not in the company application list default to personal applications. In other embodiments, a user, administrator, carrier or other entity can use a configuration program or a navigation entity (application launcher) to designate the various applications on the device as personal or company applications. In addition, the signature applied to an application can also be used for the designation. Other examples of designating an application as company or personal will be apparent to those skilled in the art having the benefit of this disclosure.
In a further embodiment, hybrid applications that have both company and personal uses can be duplicated between company circumference 930 and personal circumference 920. Thus, if the user wants to use a particular application for personal reasons, the user can open application 922 in the personal circumference. Conversely, if the user wants to use the same application for company reasons, the user can open application 932 in company circumference 930.
Thus, for example, a Documents To Go™ document editor can be provided in both the personal space and the company space, allowing both personal documents and corporate documents to be edited while maintaining the security of company data.
In one embodiment, company applications 932 can be given extra security compared with personal applications. For example, the user may need to enter a password before a company application 932 starts. Furthermore, an inactivity timer can be implemented so that, after a period of inactivity, company applications are locked while personal applications are not. A locked application requires the user to first enter a password to unlock it before interacting with the application and accessing its data.
The designation of an application can also restrict the data that the application can access. Thus, for example, company applications can run in their own mode, in which personal applications cannot access any data written by company applications. The restriction can be that personal applications 922 cannot read company data 934, and company applications cannot write personal data 924.
Similarly, personal applications may not be able to write company data 934. In certain embodiments, company applications 932 may not be able to read personal data 924. In other embodiments, company applications 932 can read personal data 924.
For security, company data 934 can be encrypted. Those skilled in the art having the benefit of this disclosure will understand such encryption and the storage of keys.
A deletion policy time limit for company data can also be enforced on the mobile device. Thus, if company data is not accessed within a certain time, it can be removed according to the company data retention period. For example, if data on the mobile device or computing device is not accessed for seven days, the data can be deleted from the mobile device. If the mobile device needs the data, the user has to download it again. This can be implemented with a tag or data table associated with the data.
Operating system 940 can enforce the separation rules between enterprise circumference 930 and personal circumference 920. For example, operating system 940 can implement data access for the various applications 922 and 932, where each application is given a group permission (similar to UNIX group permissions). In other examples, other user permissions or other permission systems can be used. Data can also be placed in files that allow access only by specific groups. Thus, operating system 940 can allow only those applications 932 that hold the group permission for that data to access enterprise data 934. Similarly, personal data 924 can be read or written only by applications 922, based on the group permission of applications 922 with respect to data 924. However, in one embodiment, operating system 940 specifies that applications 932 do not have group permission to write data 924.
To prevent company data from being accessed in the personal mode, access to the data can be maintained for other data functions. For example, copy and cut functions between the personal mode and the company mode can be managed. Potentially, in the company operating mode, company applications 932 do not allow copy and cut.
In other embodiments, cut and copy can be allowed between company applications, while attempts to paste outside the company mode are restricted. It will be understood that this can also be managed by operating system 940 using a UNIX-style group permission model. When text, images or other data are cut or copied, a new data file is created, and group permissions on this file restrict where the file is allowed to be pasted. Thus, when a personal application is used and an attempt is made to paste enterprise data, an error is returned or the paste has no effect.
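The group-permission rules above, including the clipboard restriction, can be modelled as a small reference monitor. This is an added example, not code from the patent; the group names, the `PerimeterOS` class and its per-file rights table are assumptions standing in for the operating system's UNIX-like group permissions.

```python
from dataclasses import dataclass

PERSONAL, COMPANY = "personal", "company"   # assumed group names


class AccessDenied(PermissionError):
    """Raised when an app's group lacks the requested right."""


@dataclass(frozen=True)
class App:
    name: str
    group: str        # circumference the app was designated to


@dataclass
class DataFile:
    content: str
    rights: dict      # group name -> subset of "rw"


class PerimeterOS:
    """Toy reference monitor: every data access goes through _check()."""

    def __init__(self, company_may_read_personal=False):
        # The text describes both embodiments: company apps may or may
        # not be able to read personal data. They can never write it.
        self.company_may_read_personal = company_may_read_personal
        self.files = {}
        self.clipboard = None

    def _check(self, app, obj, right):
        if right not in obj.rights.get(app.group, ""):
            raise AccessDenied(f"{app.name} ({app.group}) lacks '{right}'")

    def create(self, app, name, content):
        if name in self.files:
            # Refuse to replace an existing file, otherwise create()
            # would be a way around the write check.
            raise FileExistsError(name)
        rights = {app.group: "rw"}
        if app.group == PERSONAL and self.company_may_read_personal:
            rights[COMPANY] = "r"
        self.files[name] = DataFile(content, rights)

    def read(self, app, name):
        self._check(app, self.files[name], "r")
        return self.files[name].content

    def write(self, app, name, content):
        self._check(app, self.files[name], "w")
        self.files[name].content = content

    def copy(self, app, name):
        # Cut/copy creates a new clipboard file that only the groups
        # able to read the source may paste from.
        text = self.read(app, name)
        source = self.files[name]
        readers = {g: "r" for g, r in source.rights.items() if "r" in r}
        self.clipboard = DataFile(text, readers)

    def paste(self, app):
        if self.clipboard is None:
            return None
        self._check(app, self.clipboard, "r")
        return self.clipboard.content


def is_denied(operation, *args):
    """True if the operation is refused by the monitor."""
    try:
        operation(*args)
    except AccessDenied:
        return True
    return False


def demo():
    # Constructed sample apps and data, not taken from the patent.
    device = PerimeterOS()
    mail = App("work_mail", COMPANY)
    docs = App("work_docs", COMPANY)
    game = App("game", PERSONAL)
    device.create(mail, "contract", "Q3 terms")
    device.create(game, "scores", "42")
    device.copy(mail, "contract")
    return {
        "personal_reads_company_denied": is_denied(device.read, game, "contract"),
        "company_writes_personal_denied": is_denied(device.write, mail, "scores", "0"),
        "paste_into_company": device.paste(docs),
        "paste_into_personal_denied": is_denied(device.paste, game),
    }


if __name__ == "__main__":
    print(demo())
```

Because the clipboard entry inherits the readers of its source file, the paste check needs no special case: it is the same group test applied to one more file.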
In one embodiment, company data 934 can be provided to the device over a secure connection with the corporate network. For example, this can be done through a virtual private network or another secure connection with an enterprise server.
Additionally, in one embodiment, memory 910 can be located on a mobile device. In this case, the mobile device can have a pre-established secure connection with an enterprise server.
In certain embodiments, a particular device may be considered insecure but may be connected to a secure (IT-trusted) device. With reference now to Figure 10.
In Fig. 10, the secure device is mobile device 1005. However, this is only an example, and other possibilities for the secure device exist.
The insecure computing device is computing device 1000.
In order to run company data on computing device 1000, a client 1010 can be provided on computing device 1000. Client 1010 communicates with a server 1020 on the secure mobile device 1005 to obtain company data.
Additionally, computing device 1000 may include memory 1030, which has a company space 1034 for storing company applications that run on computing device 1000. Computing device 1000 also has a personal circumference 1032 in memory 1030.
As shown in the example of Fig. 10, the personal circumference contains applications 1032 that can access data 1036. However, in some embodiments, no similar data exists for company applications 1034.
In an alternative embodiment, company circumference 1034 can have data 1038, which is governed by the same company policy as data 1048 on mobile device 1005. Thus, data 1038 is subject to the restriction of access to company applications, to garbage collection, to restrictions on copying or cutting, and to the other restrictions mentioned above. Client 1010 can provide this functionality.
Separated modes are similarly provided on mobile device 1005. Specifically, memory 1040 contains personal applications 1042 and company applications 1044. This is similar to the embodiment described above with regard to Fig. 9.
Each of the personal application circumference 1032 and the company application circumference 1034 has access to a separate data area (namely data 1046 for personal applications 1042 and data 1048 for company applications 1044). Thus, personal applications 1042 cannot access data 1048.
In an alternative embodiment, mobile device 1005 is considered a corporate device. In this case, application circumference 1040 has only company applications 1044 and company data 1048. Thus, all information stored on mobile device 1005 is considered company data and can be accessed only by company applications 1034.
To ensure security, the user of computing device 1005 can start an application as a company application 1034. As described above, starting such an application requires a password.
Client 1010 recognizes that company application 1034 is running and can communicate with server 1020 to indicate that company data can be provided. Server 1020 can then access the company data in data store 1048 or obtain company data from an enterprise server.
Additionally, company applications 1044 need not be the same as company applications 1034. For example, a computing device 1054 with a larger display may be able to run different applications or variants of applications 1044. The company data 1048 can be the same between the two sets of applications, but can be displayed to the user, or used by company applications 1034, differently from how data 1048 would be used on mobile device 1010.
The company data can then be provided over a connection 1060 between mobile device 1005 and computing device 1000. Connection 1060 may include any short-range or long-range wired or wireless connection; examples of such connections include Bluetooth™, USB, Infrared Data Association (IrDA), Wi-Fi, radio-frequency identification (RFID), near-field communication (NFC) connections, and the like.
Communication over link 1060 is secure. That is, company data sent to computing device 1000 or returned to mobile device 1005 can be encrypted with a key known to both computing device 1000 and mobile device 1005.
Additionally, in one embodiment, any stored data is encrypted. In this case, the encryption key for the stored data can be kept on mobile device 1005, so the connection is needed in order to decrypt the data on computing device 1000.
Additionally, it can be a policy not to store data on computing device 1000. Thus, apart from some possible caching, company data is not stored on device 1000. In addition, client 1010 can ensure that the cache is cleared before a company application closes.
Although the above describes a company (enterprise) circumference and a personal circumference, the number of modes or spaces for applications can be refined further. For example, a company may consider sales and other information to be more confidential than employee information. In this case, sales and other information can be given a category separate from employee information, with different data storage and isolation, different passwords for applications that run and display sales information, and other factors. In this case there are three modes: personal, enterprise employee, and enterprise sales.
Additionally, the above description can be extended to multiple different modes or application spaces, where each is separate, and access to each of the multiple application spaces and its associated data is managed by the operating system. The disclosure is not limited to any particular number of modes.
In an embodiment of the disclosure, connection profile data can also be separated, in addition to separating data and applications. With reference now to Figure 11.
Figure 11 shows a device 1110 with a personal circumference space 1120 and a work (enterprise) circumference space 1130. The example of Figure 11 is only one example, and other classifications or different circumferences are also possible.
In personal circumference 1120, a personal application 1122 is running. Personal application 1122 can obtain access to the Internet by using the personal routing domain 1126 of IP stack 1124.
The Internet 1180 is then accessed using physical interface 1160. As described above, physical interface 1160 can be Wi-Fi, cellular, a shared network, etc.
Similarly, work circumference 1130 includes a work application 1132 that accesses corporate network 1170 by one of two routers. In the first router, network access control can be provided through mobile data service 1134. Mobile data service (MDS) 1134 provides not only Hypertext Transfer Protocol or Hypertext Transfer Protocol Secure (HTTP/HTTPS) connections, but also an open, extensible and secure interface for extending enterprise applications and intranet standards.
MDS 1134 (or alternatively network application 1132) can access VPN 1136. The VPN uses IP stack 1124 (specifically, work routing domain 1138) to access corporate network 1170 through physical interface 1160.
In an alternative embodiment, the Internet or corporate network is not accessed directly through a physical interface; instead, a bridge is established between the device and a second device, where the second device has network access, as described above with regard to Figure 10.
With reference now to Figure 12, in which device 1210 includes a personal circumference 1220 and a work circumference 1230.
In personal circumference 1220, a personal application 1222 accesses a network service bridge 1224 for network access. Specifically, network service bridge 1224 provides the connection to the network through the shared device.
Network service bridge 1224 communicates through IP stack 1226, which includes personal routing domain 1228. The IP stack uses physical interface 1240, which includes the share to the device. The sharing can be realized, for example, over a wired serial connection (such as USB) or over a wireless short-range connection (such as Bluetooth, Infrared Data Association (IrDA), near-field communication (NFC), etc.).
Physical interface 1240 can then be used to access the Internet 1260.
Similarly, in work circumference 1230, a work application 1232 accesses enterprise services through a bridge (denoted by reference 1234).
Enterprise service bridge 1234 accesses the IP stack, specifically work routing domain 1236, and can then connect to corporate network 1270 through physical interface 1240.
As described above, applications and data can be separated by operating mode (circumference) type. In this case, the profile data of network connections (including Wi-Fi or VPN) can likewise be handled separately based on operating mode type.
According to an embodiment of the disclosure, different network connections are designated as belonging to an operating mode, and the configuration file corresponding to each network connection is therefore stored and protected in the file system location of the appropriate operating mode.
For example, with the personal and enterprise operating modes discussed with reference to Figures 11 and 12 above, the various Wi-Fi or VPN connections can be classified as personal or company Wi-Fi or VPN connections. The designation of a connection can be made on the device. For example, if a user configures a connection by creating a connection profile, the connection is considered personal. On the other hand, if the connection is provisioned to the device based on the information technology policy on an enterprise server, for example by providing a configuration file to the device, the connection can be considered an enterprise connection. In some cases, a personal connection can be converted into an enterprise connection by communicating with the enterprise server. Other ways of designating a connection as personal or enterprise are also possible.
Once a connection is designated as an enterprise connection or a personal connection, the data for that connection (including the connection configuration file and, in some cases, certificates or credentials) can be stored in the appropriate file system. Thus, with reference to Fig. 9 above, the data for an enterprise connection can be stored in data store 934. Likewise, personal configuration file data can be stored in data portion 924.
Network connections separated into personal and enterprise can then be used for data or application access based on the type of data or application. Thus, an enterprise application may be required to run over a connection designated as an enterprise connection. This gives work traffic the highest security settings. Conversely, in some examples, personal traffic can use a personal connection. In some cases, since the work connection has higher security than required, personal traffic may also use the work connection to access the Internet. However, because a personal connection does not reach the security level required by work applications, work applications generally do not access the corporate network over a personal connection.
In a further embodiment, the removal of network configuration files can also be based on the designation of the network connection. For example, as shown in Figure 12, if enterprise service bridge 1234 is lost, the enterprise connection can be removed from the cache. This can be facilitated by the location in which the connection profile is stored. Thus, the connection profile exists only while a bridge exists between the second device and the first device.
In some cases, the user interface (in particular, the selection of physical interfaces presented to the user) can be affected by the network connection profile. For example, when the user attempts to set up a VPN connection in the work or enterprise circumference, the user is shown a selection of only those physical interfaces that the enterprise trusts. In other examples, physical interfaces that are not available to the enterprise server may be shown to the user greyed out. Other possibilities also exist.
Backup and restore functions can also be restricted for data associated with the work circumference. Specifically, in some cases work data is not backed up or stored. This is done for security reasons, so classifying a configuration file as an enterprise connection prevents it from being backed up or restored.
For example, backup, restore or wipe functions can be carried out on a file-system basis, where the configuration files of enterprise connections are placed under an enterprise subdirectory and the configuration files of non-enterprise connections are placed in a personal directory. In one embodiment, when a backup/restore function occurs, the subdirectory designated as enterprise can be skipped.
With reference now to Figure 13. The process of Figure 13 starts at step 1300 and proceeds to step 1310. In step 1310, each network connection profile is associated with at least one operating mode. Thus, for example, particular VPN configuration files (such as VPN configuration files "A" and "C" above) can be regarded as enterprise VPN configuration files and stored in the work circumference. Similarly, other configuration files (such as VPN configuration file "B" above) are regarded as personal configuration files and stored in the personal circumference. Other examples are also possible.
From step 1310, the process proceeds to step 1312, in which access to each network connection is restricted to those applications that have the same operating mode as the network connection profile associated with that network connection. Thus, as described above, in one embodiment work applications can access only enterprise-trusted configuration files. Other examples are also possible.
The process proceeds from step 1312 to step 1320 and ends.
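The two steps of Figure 13, together with the enterprise-subdirectory backup rule, the cache purge on bridge loss and the trusted-interface selection described earlier, can be sketched over a real directory tree. This is an added example, not code from the patent; the directory names, the JSON profile format, the `trusted_interfaces` field and the `ProfileStore` API are assumptions.

```python
import json
import re
import shutil
import tempfile
from pathlib import Path

ENTERPRISE, PERSONAL = "enterprise", "personal"   # assumed directory names
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


class ProfileStore:
    """Keeps each connection profile under its operating mode's directory."""

    def __init__(self, root):
        self.root = Path(root)
        for mode in (ENTERPRISE, PERSONAL):
            (self.root / mode).mkdir(parents=True, exist_ok=True)

    def _path(self, mode, name):
        # Reject unknown modes and names such as "../enterprise/A", which
        # would otherwise let a caller step into the other circumference.
        if mode not in (ENTERPRISE, PERSONAL) or not SAFE_NAME.fullmatch(name):
            raise PermissionError(f"rejected profile reference {mode!r}/{name!r}")
        return self.root / mode / f"{name}.json"

    def add(self, name, settings, from_it_policy):
        # Step 1310: profiles pushed by IT policy are enterprise profiles,
        # profiles the user creates are personal ones.
        mode = ENTERPRISE if from_it_policy else PERSONAL
        path = self._path(mode, name)
        path.write_text(json.dumps(settings))
        path.chmod(0o600)
        return mode

    def visible_to(self, app_mode):
        # Step 1312: an application only sees profiles of its own mode.
        directory = self._path(app_mode, "x").parent
        return sorted(p.stem for p in directory.glob("*.json"))

    def load(self, app_mode, name):
        path = self._path(app_mode, name)
        if not path.is_file():
            raise PermissionError(f"{name!r} is not a {app_mode} profile")
        return json.loads(path.read_text())

    def interface_choices(self, app_mode, name, present):
        # Interfaces the profile does not trust are returned disabled,
        # so a UI can hide them or grey them out.
        profile = self.load(app_mode, name)
        trusted = set(profile.get("trusted_interfaces", present))
        return [(iface, iface in trusted) for iface in present]

    def backup(self, dest):
        # Backup skips the enterprise subdirectory entirely.
        def skip(directory, names):
            return [ENTERPRISE] if Path(directory) == self.root else []
        shutil.copytree(self.root, dest, ignore=skip)

    def purge_enterprise(self):
        # Called when the enterprise bridge is lost.
        shutil.rmtree(self.root / ENTERPRISE)
        (self.root / ENTERPRISE).mkdir()


def demo():
    # Constructed sample profiles named after VPN profiles A, B and C.
    with tempfile.TemporaryDirectory() as tmp:
        store = ProfileStore(Path(tmp) / "profiles")
        store.add("A", {"type": "vpn", "trusted_interfaces": ["wifi"]}, True)
        store.add("B", {"type": "vpn"}, False)
        store.add("C", {"type": "vpn", "trusted_interfaces": ["wifi", "cellular"]}, True)
        out = {"work_sees": store.visible_to(ENTERPRISE),
               "personal_sees": store.visible_to(PERSONAL)}
        for key, name in (("personal_denied", "A"),
                          ("traversal_denied", "../enterprise/A")):
            try:
                store.load(PERSONAL, name)
                out[key] = False
            except PermissionError:
                out[key] = True
        out["choices"] = store.interface_choices(
            ENTERPRISE, "A", ["wifi", "cellular", "bluetooth"])
        store.backup(Path(tmp) / "backup")
        out["backup_dirs"] = sorted(p.name for p in (Path(tmp) / "backup").iterdir())
        store.purge_enterprise()
        out["after_purge"] = store.visible_to(ENTERPRISE)
        return out


if __name__ == "__main__":
    print(demo())
```

Storing the mode in the path rather than in a field of the profile is what lets backup, restore and wipe act on a whole circumference with one directory operation.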
An example system architecture that can be used with the foregoing embodiments is shown with reference to Figure 14. However, the architecture of Figure 14 is not intended to be limiting, and other system architectures are also possible.
With reference now to Figure 14, which shows a block diagram of an example wireless data network according to the disclosure, with which various embodiments of the method of the instant disclosure can cooperate. Figure 14 shows a block diagram of a mobile device 1410, an example code division multiple access (CDMA) 1x network 1420, an example evolution data only (EVDO) network 1430, a public switched telephone network (PSTN) 1435, a data network 1440, a wireless gateway 1442 and an enterprise server 1444. This is shown only as an example, and other network architectures are also possible, for example Global System for Mobile Communications (GSM), GSM Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS), Long Term Evolution (LTE), LTE Advanced (LTE-A), High-Speed Downlink Packet Access (HSDPA), Wi-Fi, WiMAX, etc.
Mobile device 1410 can comprise a two-way communication device with data communication capability and voice communication capability. Figure 14 also shows an access point 1470 for use with an alternative data connection (such as a Wi-Fi or WiMAX connection).
CDMA network 1420 consists of a base transceiver station (BTS) 1422 and a base station controller (BSC) 1424. Base station controller 1424 communicates with mobile switching centre 1426, which will be understood to be a circuit-switched-only component that communicates with PSTN 1435. Base station controller 1424 also communicates with a packet data serving node (PDSN) 1428, which is a packet-switched-only component. PDSN 1428 also communicates with IP network 1440.
EVDO network 1430 contains an EVDO sector 1432 that communicates with an access node (AN) 1434. Because EVDO network 1430 is a data-only network, AN 1434 communicates only with PDSN 1428 and not with any circuit-switched components.
An authentication, authorization and accounting node 1436 is associated with AN 1434, and a similar node 1429 is associated with PDSN 1428.
Operationally, mobile device 1410 communicates wirelessly with CDMA network 1420 using BTS 1422 and BSC 1424, thereby accessing the CDMA 1x network.
Mobile device 1410 sends and receives data and voice traffic through CDMA network 1420 until a connection with the EVDO network is established, at which point data can be transmitted over the EVDO network connection.
Additionally, mobile device 1410 can be connected to a computing device 1454 (such as a tablet computer) for a variety of reasons, some of which are mentioned above. The connection can be made by various means, for example Universal Serial Bus (USB), other serial interfaces, or short-range communication with computing device 1454. Computing device 1454 can then use mobile device 1410 to access data network 1440 and enterprise server 1444 through EVDO network 1430 or CDMA network 1420. In other embodiments, computing device 1454 can also access networks 1420, 1430 or 1470 directly.
Mobile device 1410 can also have the ability to communicate through access point 1470 using, for example, Wi-Fi. Access point 1470 is connected to data network 1440, so wireless gateway 1442 and enterprise server 1444 can be reached through access point 1470.
In one embodiment, enterprise server 1444 can both provide IT policy for mobile device 1410 and provide access to permanent storage of the company data that mobile device 1410 can access.
The embodiment of Figure 14 is only an example, and mobile device 1410 can use other network architectures to connect to enterprise server 1444. The embodiment of Figure 14 is not limited to any particular network architecture.
Additionally, mobile device 1410 may not be a dual-mode or multi-mode device that allows connection to Wi-Fi. In this case, the Wi-Fi connection to access point 1470 would be removed from the embodiment of Figure 14, and all communication would take place over the cellular network through base station 1422 or 1432. In other embodiments, mobile device 1410 may only have access through access point 1470, in which case the cellular network would be removed from Figure 14. Other possibilities will be apparent to those skilled in the art having the benefit of this disclosure. In certain embodiments, computing device 1454 can include a personal computing device. For example, computing device 1454 can include a tablet PC. The user may still want to use computing device 1454 for company functions. However, since computing device 1454 is a personal device, the corporate IT department may, for security reasons, not consider computing device 1454 a secure data destination.
The device of Fig. 1 can be a mobile device. One such example mobile device is shown below with reference to Figure 15. However, the mobile device of Figure 15 is not limiting, and other mobile devices can be used.
Mobile device 1500 may include a two-way wireless communication device having voice capability, data communication capability, or both. Mobile device 1500 generally has the ability to communicate with other devices or computer systems. Depending on the exact functionality provided, the mobile device may be referred to as, for example, a data messaging device, a two-way pager, a wireless e-mail device, a cellular telephone with data messaging capability, a wireless Internet appliance, a wireless device, user equipment, a tablet PC or a data communication device.
Mobile device 1500, which is capable of two-way communication, can contain a communication subsystem 1511 including a receiver 1512, a transmitter 1514 and other associated components (for example one or more antenna elements 1516 and 1518, local oscillators (LO) 1513, and a processing module such as a digital signal processor (DSP) 1520). It will be apparent to those skilled in the field of communications that the particular design of communication subsystem 1511 depends on the communication network in which the device is to operate.
Network access requirements also vary depending on the type of network 1519. In some networks, network access is associated with the subscriber or user of mobile device 1500. In order to operate on the network, the mobile device needs a removable user identity module (RUIM) card or a subscriber identity module (SIM) card. SIM/RUIM interface 1544 is similar to a card slot into which a SIM/RUIM card can be inserted and from which it can be ejected like a diskette or PCMCIA card. The SIM/RUIM card has memory and holds many key configurations 1551 and other information 1553 (for example, identity and subscriber-related information).
When the required network registration or activation procedures are complete, mobile device 1500 can send and receive communication signals over network 1519. As shown in Figure 15, network 1519 includes multiple base stations that can communicate with the mobile device. For example, in a hybrid CDMA 1x EVDO system, a CDMA base station and an EVDO base station communicate with the mobile station, and the mobile device can be connected to both simultaneously. In other systems (such as Long Term Evolution (LTE) or LTE Advanced (LTE-A)), multiple base stations can be connected to increase data throughput. Other systems, for example GSM, GPRS, UMTS, HSDPA, etc., are also possible, and the disclosure is not limited to any particular cellular technology.
Signals received by antenna 1516 through communication network 1519 are input to receiver 1512, which can perform common receiver functions such as signal amplification, frequency down-conversion, filtering and channel selection, and, in the example system shown in Figure 15, analog-to-digital (A/D) conversion. A/D conversion of the received signal allows more complex communication functions, such as demodulation and decoding, to be performed in DSP 1520. In a similar manner, signals to be transmitted are processed, including for example modulation and encoding by DSP 1520, and input to transmitter 1514 for digital-to-analog conversion, frequency up-conversion, filtering and amplification, and are then transmitted over communication network 1519 via antenna 1518. DSP 1520 not only processes communication signals but also provides receiver and transmitter control. For example, the gains applied to communication signals in receiver 1512 and transmitter 1514 can be adaptively controlled by automatic gain control algorithms implemented in DSP 1520.
Mobile device 1500 generally includes a processor 1538 that controls the overall operation of the device. Communication functions (including data communication and voice communication) can be performed through communication subsystem 1511. Processor 1538 can also interact with further device subsystems (for example, display 1522, flash memory 1524, random access memory (RAM) 1526, auxiliary input/output (I/O) subsystems 1528, serial port 1530, one or more keyboards or keypads 1532, speaker 1534, microphone 1456, other communication subsystems 1540 (for example, a short-range communication subsystem) and any other device subsystems generally designated 1542). Serial port 1530 may include a USB interface or other interfaces known to those skilled in the art having the benefit of this disclosure.
Some subsystems shown in Figure 15 perform communication-related functions, while other subsystems provide "resident" or on-device functions. Notably, some subsystems (such as keyboard 1532 and display 1522) can be used both for communication-related functions (such as entering a text message for transmission over a communication network) and for device-resident functions (such as computer or task list applications).
The operating system software used by processor 1538 can be stored in persistent memory (such as flash memory 1524); this persistent memory may instead be read-only memory (ROM) or a similar storage element (not shown). Those skilled in the art will appreciate that the operating system, specific device applications, or parts thereof, may be temporarily loaded into volatile memory (such as RAM 1526). Received communication signals may also be stored in RAM 1526.
As illustrated, flash memory 1524 can be divided into different areas for computer programs 1558 and for program data storage 1550, 1552, 1554 and 1556. These different storage types indicate that each program can allocate a portion of flash memory 1524 for its own data storage needs. Applications can be separated according to the mode or category to which they belong. Memory 1524 can also provide security for company data if some applications are locked while others are not.
In addition to its operating system functions, processor 1538 enables software applications to be executed on the mobile device. A predetermined set of applications that control basic operations (including, for example, data communication applications or voice communication applications), and a predetermined set of certifications, are typically installed on mobile device 1500 during manufacture. Other applications can be installed subsequently or dynamically.
Applications and software (such as those described above) can be stored on any computer-readable storage medium. The computer-readable storage medium is a tangible or persistent medium, such as optical (for example, CD, DVD, etc.), magnetic (for example, tape) or other storage known to those skilled in the art.
One example of a software application is a personal information manager (PIM) application, which has the ability to organize and manage data items relating to the user of the mobile device (such as, but not limited to, e-mail, schedule, voice mail, appointment and task items). Further applications (including but not limited to media player, camera, communication, mail, calendar, address book, browser, social networking, game, e-book reader, map or other applications) can also be loaded onto mobile device 1500 through network 1519, auxiliary I/O subsystem 1528, serial port 1530, short-range communication subsystem 1540 or any other suitable subsystem 1542, and installed by the user in RAM 1526 or non-volatile memory (not shown) for execution by processor 1538. Such flexibility in application installation increases the functionality of the device and can provide enhanced on-device functions, communication-related functions, or both. For example, secure communication applications can enable e-commerce functions and other such financial transactions to be performed using mobile device 1500.
In data communication mode, a received signal (such as a text message or a downloaded web page) is processed by communication subsystem 1511 and input to processor 1538, which may further process the received signal for output to display 1522 or, alternatively, to auxiliary I/O device 1528.
A user of mobile device 1500 may also compose data items (such as e-mail messages) using keyboard 1532 (which may be a virtual keyboard, a physical keyboard, or both, and may be a complete alphanumeric keyboard or a telephone-type keypad, among others) in conjunction with display 1522 and possibly auxiliary I/O device 1528. The composed data items may then be transmitted over a communication network through communication subsystem 1511.
For voice communication, the overall operation of mobile device 1500 is similar, except that received signals are typically output to one or more speakers 1534 and signals for transmission are generated by microphone 1536. Alternative voice I/O or video I/O subsystems (such as a voice message recording subsystem) may also be implemented on mobile device 1500. Although voice or audio signal output is accomplished primarily through the one or more speakers 1534, display 1522 may also be used to provide, for example, an indication of the identity of the calling party, the duration of a voice call, or other voice-call-related information.
Serial port 1530 in Fig. 15 is typically implemented in a personal digital assistant (PDA) type mobile device for which synchronization with the user's desktop computer (not shown) is desirable, but the serial port is an optional device component. Serial port 1530 enables the user to set preferences through an external device or software application, and extends the capabilities of mobile device 1500 by providing information or software downloads to mobile device 1500 other than through a wireless communication network. For example, the alternative download path may be used to load an encryption key onto the device through a direct, and thus reliable and trusted, connection, thereby ensuring secure device communication. Those skilled in the art will understand that serial port 1530 may also be used to connect the mobile device to a computer to act as a modem.
Other communication subsystems 1540 (such as a short-range communication subsystem) are a further optional component that provides communication between mobile device 100 and different systems or devices, which need not be similar devices. For example, subsystem 1540 may include an infrared device and associated circuits and components, a near-field communication (NFC) module, or a Bluetooth™ communication module to provide communication with similarly enabled systems and devices.
The embodiments described herein are examples of structures, systems or methods having elements that correspond to the elements of the techniques of this application. This written description may enable those skilled in the art to make and use embodiments having alternative elements that likewise correspond to the elements of the techniques of this application. The intended scope of the techniques of this application therefore includes other structures, systems or methods that do not differ from the techniques of this application as described herein, and further includes other structures, systems or methods with insubstantial differences from the techniques of this application as described herein.
Claims (16)
1. A method implemented on a mobile device, the mobile device having one or more applications, a plurality of operating modes, and one or more network connections, each network connection being associated with one of one or more network connection profiles, and each application being associated with only one of the plurality of operating modes, the method comprising:
associating each of the one or more network connection profiles with at least one of the plurality of operating modes; and
restricting access to each of the one or more network connections to only those applications that are associated with the same operating mode as the network connection profile associated with that network connection.
2. The method according to claim 1, wherein the plurality of operating modes includes a personal mode and an enterprise mode.
3. The method according to claim 1, wherein associating each of the one or more network connection profiles with at least one of the plurality of operating modes comprises: storing each network connection profile in the file system of the associated operating mode.
4. The method according to claim 1, further comprising preventing, in at least one of the plurality of operating modes, backup or restoration of each network connection profile.
5. The method according to claim 1, wherein the network connection is a virtual private network (VPN) connection.
6. The method according to claim 1, wherein the network connection is a Wi-Fi network connection.
7. The method according to claim 1, wherein associating each of the one or more network connection profiles with at least one of the plurality of operating modes uses an information technology policy for the device to match a network connection profile with at least one of the plurality of operating modes.
8. The method according to claim 1, wherein associating each of the one or more network connection profiles with at least one of the plurality of operating modes uses the source of the configuration information for each network connection to match each network connection profile with at least one of the plurality of operating modes.
9. A user equipment, comprising:
a processor; and
a communication subsystem,
wherein the user equipment is configured to:
associate each network connection with one of one or more network connection profiles, and associate each application with only one of a plurality of operating modes;
associate a network connection for establishment on the user equipment with at least one of the plurality of operating modes; and
restrict access to each of the one or more network connections to only those applications that are associated with the same operating mode as the network connection profile associated with that network connection.
10. The user equipment according to claim 9, wherein the plurality of operating modes includes a personal mode and an enterprise mode.
11. The user equipment according to claim 9, wherein associating each of the one or more network connection profiles comprises storing each network connection profile in the file system of the associated operating mode.
12. The user equipment according to claim 9, further comprising preventing, in at least one of the plurality of operating modes, backup or restoration of each network connection profile.
13. The user equipment according to claim 9, wherein the network connection is a virtual private network (VPN) connection.
14. The user equipment according to claim 9, wherein the network connection is a Wi-Fi network connection.
15. The user equipment according to claim 9, wherein the user equipment is configured to: match a network connection profile with at least one of the plurality of operating modes by associating using an information technology policy for the device.
16. The user equipment according to claim 9, wherein the user equipment is configured to: match each network connection profile with at least one of the plurality of operating modes by associating each of the one or more network connection profiles using the source of the configuration information for each network connection.
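The access rule of claims 1 to 8 can be modelled as a per-mode profile store that every lookup goes through. The following is an added sketch, not code from the patent: the class and field names, the two source labels ("it_policy", "user") and the fail-closed handling of an unknown source are assumptions, and each profile is placed in exactly one mode for simplicity.

```python
from dataclasses import dataclass
from enum import Enum

class Mode(Enum):
    PERSONAL = "personal"
    ENTERPRISE = "enterprise"

@dataclass(frozen=True)
class Profile:
    name: str      # constructed sample names, e.g. "corp-vpn"
    kind: str      # "vpn" or "wifi" (claims 5 and 6)
    source: str    # origin of the configuration information (claim 8)

@dataclass(frozen=True)
class App:
    name: str
    mode: Mode     # each application belongs to exactly one mode (claim 1)

class ConnectionManager:
    # Assumed mapping: IT-policy-pushed profiles are enterprise, user-entered are personal.
    SOURCE_TO_MODE = {"it_policy": Mode.ENTERPRISE, "user": Mode.PERSONAL}

    def __init__(self, no_backup=frozenset({Mode.ENTERPRISE})):
        self.stores = {m: {} for m in Mode}  # one profile store per mode (claim 3)
        self.no_backup = no_backup           # modes whose profiles are never backed up

    def add_profile(self, profile):
        mode = self.SOURCE_TO_MODE.get(profile.source)
        if mode is None:  # fail closed: an unclassified profile is stored nowhere
            raise ValueError(f"unknown configuration source: {profile.source!r}")
        self.stores[mode][profile.name] = profile
        return mode

    def visible_profiles(self, app):
        # An application only ever sees the store of its own mode.
        return sorted(self.stores[app.mode])

    def open_connection(self, app, profile_name):
        profile = self.stores[app.mode].get(profile_name)
        if profile is None:  # same answer for "other perimeter" and "does not exist"
            raise PermissionError(f"{app.name}: no such connection in {app.mode.value} mode")
        return f"{app.name} -> {profile.kind}:{profile.name}"

    def backup(self):
        # Claim 4: profiles of protected modes are excluded from backup.
        return {m.value: sorted(s) for m, s in self.stores.items() if m not in self.no_backup}
```

Because the lookup is keyed by the application's own mode, a personal-mode application cannot tell whether an enterprise profile exists, which also keeps profile names from leaking across the perimeter.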
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US201261599465P | 2012-02-16 | 2012-02-16 | |
US61/599,465 | 2012-02-16 | ||
US13/717,219 | 2012-12-17 | ||
US13/717,219 US9306948B2 (en) | 2012-02-16 | 2012-12-17 | Method and apparatus for separation of connection data by perimeter type |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103259707A CN103259707A (en) | 2013-08-21 |
CN103259707B true CN103259707B (en) | 2017-03-01 |
Family
ID=48963420
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310111446.7A Active CN103259707B (en) | 2012-02-16 | 2013-02-16 | A kind of method and apparatus that connection data is separated by circumference type |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN103259707B (en) |
CA (1) | CA2805235C (en) |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103646198A (en) * | 2013-12-24 | 2014-03-19 | 北京奇虎科技有限公司 | Method, system and device for locking working region of mobile terminal |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102316093A (en) * | 2010-06-30 | 2012-01-11 | 丛林网络公司 | The double mode many service VPN networking clients that are used for mobile device |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080081609A1 (en) * | 2006-09-29 | 2008-04-03 | Motorola, Inc. | Method and system for associating a user profile to a sim card |
US20090165145A1 (en) * | 2007-12-21 | 2009-06-25 | Nokia Corporation | Changing modes in a device |
-
2013
- 2013-02-07 CA CA2805235A patent/CA2805235C/en active Active
- 2013-02-16 CN CN201310111446.7A patent/CN103259707B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CA2805235A1 (en) | 2013-08-16 |
CN103259707A (en) | 2013-08-21 |
CA2805235C (en) | 2017-01-17 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information |
Address after: Voight, Ontario, Canada Applicant after: Blackberry Ltd. Address before: Voight, Ontario, Canada Applicant before: Research In Motion Ltd. |
|
COR | Change of bibliographic data | ||
GR01 | Patent grant | ||
GR01 | Patent grant |