CN103646198A - Method, system and device for locking working region of mobile terminal - Google Patents


Publication number
CN103646198A
Authority
CN
China
Prior art keywords
business administration
rule
workspace
client
mobile terminal
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201310722226.8A
Other languages
Chinese (zh)
Inventor
苏云琳
张晨
刘伟
鹿亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications

Abstract

The invention provides a method for locking a working region of a mobile terminal, which is used for guaranteeing the information security of the working region. According to the method, after receiving login information transmitted by the enterprise management client on the mobile terminal, a server determines whether the enterprise management client is a compliant client according to a compliance detection rule stored by the server, and controls the enterprise management client to lock the working region when it determines that the enterprise management client is a non-compliant client. The embodiment of the invention also provides a corresponding device and system. In the embodiment of the invention, every time the enterprise management client logs in, the server detects whether the enterprise management client is a compliant client, so that illegal users can be prohibited from entering the working region, the uploading, sharing and leakage of working-region data under illegal conditions can be avoided, and the security of enterprise information is effectively protected.

Description

Method, system and device for locking a mobile terminal workspace
Technical field
The present invention relates to the field of network technology, and in particular to a method, system and device for locking a mobile terminal workspace.
Background
As mobile terminals mature and become widespread, personal mobile devices, typified by smartphones and tablet computers, are gradually entering the enterprise. According to a forecast by the authoritative consulting firm Gartner, by 2014 90% of enterprises will support employees running enterprise office applications on personal mobile devices, and employees using personal mobile devices for work has become an irreversible trend.
In BYOD, the same mobile terminal holds both personal applications and data and enterprise applications and data. The enterprise applications reside in the enterprise management client, and their data is also stored in the enterprise management client. To distinguish the two, the region holding personal applications and data is called the personal area, and the region holding enterprise applications and data, that is, the region created by the enterprise management client, is called the workspace.
This phenomenon, known as BYOD (Bring Your Own Device), brings new challenges to enterprise information security:
1. The enterprise network boundary becomes blurred, and the original perimeter defense system cannot effectively protect enterprise information security.
An employee's mobile terminal can connect to the mobile Internet or to public or home Wi-Fi networks at any time and place, so the enterprise data on the terminal is exposed to attacks from the Internet. BYOD breaks the original enterprise network boundary, and this blurring of the boundary makes BYOD a weak link in the enterprise information security system; new methods are needed to protect enterprise information security.
2. Lost or stolen mobile terminals expose the enterprise to the risk of information leakage.
Mobile terminals are easily lost, so the enterprise data stored on them is also at risk of leaking. A lost device means not only the leakage and loss of sensitive company information; the lost device may also become a springboard for attacking the enterprise network.
It can be seen that the information security problems BYOD brings to enterprises are a technical problem urgently needing a solution in the prior art.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a method, system and device for locking a mobile terminal workspace that overcome the above problems or at least partially solve them.
An embodiment of the present invention provides a method for locking a mobile terminal workspace, the method comprising:
a server receives login information sent by an enterprise management client on a mobile terminal;
according to the compliance detection rules it stores, the server determines whether the enterprise management client is a compliant client;
when the enterprise management client is determined to be a non-compliant client, the server controls the enterprise management client to lock the workspace; otherwise, the user is allowed to enter the workspace of the enterprise management client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, determining whether the enterprise management client is a compliant client comprises:
determining the user to whom the enterprise management client belongs, according to the identification information of the mobile terminal carried in the login information and the correspondence, stored by the server, between users and the identification information of mobile terminals;
determining the compliance detection rules corresponding to the user, according to the stored users contained in each user group and the compliance detection rules corresponding to each user group;
determining, according to the compliance detection rules corresponding to the user, whether the enterprise management client belonging to the user is a compliant client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, determining that the enterprise management client is a non-compliant client comprises:
the server judges, according to its recorded information about the mobile terminal, whether the mobile terminal has root authority;
when the mobile terminal does not have root authority, the enterprise management client on that mobile terminal is determined to be a non-compliant client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, determining that the enterprise management client is a non-compliant client comprises:
for each mobile terminal, the server records the time for which that mobile terminal has not been connected to the network;
when the time for which the mobile terminal has not been connected to the network exceeds the set threshold for time without a network connection, the enterprise management client is determined to be a non-compliant client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, locking the workspace of the enterprise management client comprises:
the server sends control information for locking the workspace to the enterprise management client;
the enterprise management client parses the control information and obtains the control field carried in it;
the enterprise management client locks the workspace according to the correspondence, agreed in advance with the server, between each control field and its control instruction.
An embodiment of the present invention provides a system for locking a mobile terminal workspace, the system comprising a server and an enterprise management client on a mobile terminal;
the enterprise management client is configured to send login information to the server and, under the control of the server, either lock the workspace or allow the user to enter the workspace;
the server is configured to receive the login information and determine, according to the compliance detection rules it stores, whether the enterprise management client is a compliant client; when the enterprise management client is determined to be a non-compliant client, the server controls the enterprise management client to lock the workspace; otherwise, the user is allowed to enter the workspace of the enterprise management client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the server is specifically configured to determine the user to whom the enterprise management client belongs, according to the identification information of the mobile terminal carried in the login information and the correspondence, stored by the server, between users and the identification information of mobile terminals; to determine the compliance detection rules corresponding to the user, according to the stored users contained in each user group and the compliance detection rules corresponding to each user group; and to determine, according to the compliance detection rules corresponding to the user, whether the enterprise management client belonging to the user is a compliant client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the server is specifically configured to judge, according to its recorded information about the mobile terminal, whether the mobile terminal has root authority; when the mobile terminal does not have root authority, the enterprise management client on that mobile terminal is determined to be a non-compliant client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the server is specifically configured to record, for each mobile terminal, the time for which that mobile terminal has not been connected to the network; when that time exceeds the set threshold for time without a network connection, the enterprise management client is determined to be a non-compliant client.
Preferably, the server is specifically configured to send control information for locking the workspace to the enterprise management client when it determines that the enterprise management client is a non-compliant client;
the enterprise management client is specifically configured to parse the control information, obtain the control field carried in it, and lock the workspace according to the correspondence, agreed in advance with the server, between each control field and its control instruction.
An embodiment of the present invention provides a method for locking a mobile terminal workspace, the method comprising:
an enterprise management client receives a user's operation information for an application in the workspace;
according to the compliance detection rules it stores, the enterprise management client judges whether the user's current operation in the workspace is compliant;
when the user's current operation in the workspace is determined to be non-compliant, the workspace is locked; otherwise, the user is allowed to carry out the operation in the workspace.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, storing the compliance detection rules comprises:
the enterprise management client sends its own status information to the server at a set time interval, the status information including the version number of the compliance detection rules the client currently stores;
when the server determines that the compliance detection rules currently stored by the enterprise management client are not of the latest version number, the enterprise management client receives the compliance detection rules of the latest version number issued by the server, and uses the received rules to update the compliance detection rules currently stored locally.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, judging whether the user's current operation is compliant comprises:
the enterprise management client searches whether the operating system records a command corresponding to root authority;
when no command corresponding to root authority is found, it is determined that the mobile terminal does not have root authority and that the user's operation in the workspace is non-compliant.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, judging whether the user's current operation is compliant comprises:
the enterprise management client judges, according to the recorded time for which it has been disconnected from the server, whether the disconnected time exceeds the set offline access threshold;
when the disconnected time is determined to exceed the set offline access threshold, the user's operation in the workspace is determined to be non-compliant.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, judging whether the user's current operation is compliant comprises:
the enterprise management client detects whether the mobile terminal is currently connected to the network;
when it is not connected to the network, the user's operation in the workspace is determined to be non-compliant.
An embodiment of the present invention provides an enterprise management client, the enterprise management client comprising:
a receiving module, configured to receive a user's operation information for an application in the workspace;
a judging module, configured to judge, according to the stored compliance detection rules, whether the user's current operation in the workspace is compliant;
a control module, configured to lock the workspace when the judging module determines that the user's current operation in the workspace is non-compliant, and otherwise to allow the user to carry out the operation in the workspace.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the enterprise management client further comprises:
a sending module, configured to send the client's own status information to the server at a set time interval, the status information including the version number of the compliance detection rules the client currently stores;
the receiving module is further configured to, when the server determines that the compliance detection rules currently stored by the enterprise management client are not of the latest version number, receive the compliance detection rules of the latest version number issued by the server and use the received rules to update the compliance detection rules currently stored locally.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the judging module is specifically configured to search whether the operating system records a command corresponding to root authority; when no command corresponding to root authority is found, it is determined that the mobile terminal does not have root authority and that the user's operation in the workspace is non-compliant.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the judging module is specifically configured to judge, according to the recorded time for which the client has been disconnected from the server, whether the disconnected time exceeds the set offline access threshold; when the disconnected time is determined to exceed the set offline access threshold, the user's operation in the workspace is determined to be non-compliant.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the judging module is specifically configured to detect whether the mobile terminal is currently connected to the network; when it is not connected to the network, the user's operation in the workspace is determined to be non-compliant.
An embodiment of the present invention provides a system for locking a mobile terminal workspace, the system comprising the above enterprise management client and a server that sends compliance detection rules to the enterprise management client.
Preferably, to control the enterprise management client accurately and ensure the security of the mobile terminal workspace, the enterprise management client is specifically configured to send its own status information to the server at a set time interval, the status information including the version number of the compliance detection rules the client currently stores, and to use the received compliance detection rules of the latest version number to update the compliance detection rules currently stored locally;
the server is specifically configured to judge whether the version number of the compliance detection rules currently held by the enterprise management client is the latest version number and, when it determines that this version number is not the latest, to issue the compliance detection rules of the latest version number to the enterprise management client.
Preferably, the enterprise management client is specifically configured to send its own status information to the server at a set time interval, the status information including the version number of the compliance detection rules the client currently stores; to receive the latest version number of the compliance detection rules sent by the server and compare it with the version number of the compliance detection rules already downloaded locally; when the two differ, to send the server a request to download the compliance detection rules of the latest version number; and to receive the compliance detection rules of the latest version number issued by the server and use them to update the compliance detection rules currently stored locally;
the server is specifically configured to receive the status information sent by the enterprise management client and send the client the stored latest version number of the compliance detection rules corresponding to that enterprise management client; and to receive the request of the enterprise management client and issue to it the compliance detection rules of the latest version number.
An embodiment of the present invention provides a method, system and device for locking a mobile terminal workspace. In the method, after receiving the login information sent by the enterprise management client on the mobile terminal, the server determines, according to the compliance detection rules it stores, whether the enterprise management client is a compliant client, and when the client is determined to be non-compliant, controls the enterprise management client to lock the workspace. Because in the embodiments of the present invention the server checks at every login whether the enterprise management client is a compliant client and prohibits illegal users from entering the workspace, workspace data can be prevented from being uploaded, shared and leaked under illegal conditions, effectively protecting the security of enterprise information.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting of the invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 is an architecture diagram of the system in which the enterprise management end of the mobile terminal resides, provided by an embodiment of the present invention;
Fig. 2 is a flow diagram of locking a mobile terminal workspace, provided by an embodiment of the present invention;
Fig. 3 is a flow diagram of locking a mobile terminal workspace, provided by Embodiment 1 of the present invention;
Fig. 4A is another flow diagram of locking a mobile terminal workspace, provided by an embodiment of the present invention;
Fig. 4B is a Key-Value schematic diagram provided by an embodiment of the present invention;
Fig. 5 is a flow diagram of locking a mobile terminal workspace, provided by Embodiment 2 of the present invention;
Fig. 6 is a schematic diagram of the architecture of a system for locking a mobile terminal workspace, provided by an embodiment of the present invention;
Fig. 7 is a structural schematic diagram of an enterprise management client provided by an embodiment of the present invention.
Detailed description of the embodiments
To effectively ensure the security of enterprise information, the embodiments of the present invention provide a method, system and device for locking a mobile terminal workspace.
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
The embodiments of the present invention are described in detail below with reference to the drawings.
First, the system architecture of the enterprise management system for mobile terminals provided by the embodiments is described. As shown in Fig. 1, the enterprise management system is an enterprise-oriented mobile terminal management platform comprising a service end deployed on the corporate intranet and a client installed on each mobile terminal to be managed. In the embodiments, the service end deployed on the corporate intranet is called the server, and the client installed on a managed mobile terminal is called the enterprise management client. Specifically:
The main functions of the server include managing and publishing the applications of the corporate intranet and managing and issuing security policies. The enterprise management server also provides a rich set of mobile terminal management tools: through the server, an enterprise administrator can view the details of each managed mobile terminal, including terminal model, system version, IMEI (International Mobile Equipment Identification Number), serial number, MSISDN (mobile station identity number, commonly known as the phone number), whether it is offline, whether it is rooted (superuser), password change time, whether security software is installed, power information, wireless network information, and so on. The main functions of the enterprise management client include data leakage prevention and enforcing security policies. Data leakage prevention includes data encryption, data isolation and the like. The encrypted data may be data in system files; or data in files selected by the user, such as finance files, production files, sales files, marketing files and human resources files; or data in the user's personal files, such as photos, videos and logs.
Based on the data leakage prevention mechanism of the enterprise management client, the enterprise management system provided by the embodiments establishes a secure, independent workspace storage space on the mobile terminal without affecting the employee's experience of personal applications. The workspace storage space (workspace for short) is the storage space allocated to the enterprise management client, and all enterprise applications and data are stored in this protected workspace. Correspondingly, the part of the mobile terminal's storage space outside the workspace storage space is called the personal-area storage space (personal area for short). All personal applications and data are stored in the personal area, and personal applications cannot access enterprise data, which prevents enterprise data from being illegally accessed by personal applications. The enterprise management system provided by the embodiments not only isolates enterprise data completely from personal data and so better protects enterprise applications and data, but also gives employees an unchanged personal application experience, achieving the effect of "one device, two uses".
The enterprise management server provides two ways of publishing applications: free installation and mandatory installation. Applications published by free installation can be downloaded and installed at the enterprise user's choice; for applications published by mandatory installation, the enterprise user can use the workspace normally only after installing the application. In a concrete implementation, enterprise applications in the workspace generally use mandatory installation, and personal applications in the personal area generally use free installation. Free installation may of course also be used for enterprise applications in the workspace.
A kind of procedure chart that locks mobile terminal workspace that Fig. 2 provides for the embodiment of the present invention, this process comprises the following steps:
S201: the log-on message that the business administration client on server mobile terminal receive sends.
In order effectively to guarantee the information security of workspace in mobile terminal, when each user opens business administration client, this business administration user end to server sends log-on message.Wherein in this log-on message, carry the identification information of this mobile terminal, wherein the identification information of this mobile terminal can be International Mobile Equipment Identity code (the International Mobile Equipment Identity of mobile terminal, IMEI) information, so that server according to the information of carrying in this log-on message, judges that whether this business administration client is for closing rule client.
Business administration client is when sending to log-on message to server, can send by the unified passage of the foundation between server and business administration client, or also can adopt other forms to send, as long as can, when user opens this business administration client, send log-on message to server.
S202: According to the compliance detection rule saved by itself, judge whether the business administration client is a compliant client; if yes, carry out step S203; otherwise, carry out step S204.
To effectively control the information security of the workspace in each mobile terminal, the server can set a corresponding compliance detection rule for each business administration client, or for each user, and more than one mobile terminal may be allocated to each user. The compliance detection rule can be placed in a configuration file. When the server receives the log-on message sent by a business administration client, it calls the configuration file set for that business administration client and, according to the compliance detection rule in the configuration file, determines whether the business administration client is a compliant client.
Alternatively, according to the functional department of the user to whom the mobile terminal belongs, the server divides the users of the same functional department into a user group; the business administration clients on the mobile terminals of all users in the group share the same compliance detection rule. The server can save the information of each user group and place the compliance detection rule for the group in a configuration file. When checking the log-on message of a business administration client of a user in the group, the server determines whether the client is a compliant client according to the compliance detection rule in the configuration file corresponding to the group.
S203: Allow the user to enter the workspace of the business administration client.
When the server, according to the saved compliance detection rule, detects that the business administration client is a compliant client, it allows the user to enter the workspace of the business administration client. Specifically, the server can send control information to the business administration client, carrying a control field that allows the user to enter the workspace; after the business administration client receives and parses the control information, it allows the user to enter the workspace.
Alternatively, the server and the business administration client can agree in advance that, when the server detects that the business administration client is a compliant client, it does not send control information to the business administration client; if the business administration client receives no control information from the server within a set length of time, it allows the user to enter the workspace.
S204: Control the business administration client to lock the workspace.
When the server, according to the saved compliance detection rule, detects that the business administration client is a non-compliant client, the user is not allowed to enter the workspace of the business administration client. Specifically, the server can send control information to the business administration client, carrying a control field that forbids the user from entering the workspace; after the business administration client receives and parses the control information, it forbids the user from entering the workspace. Specifically, the business administration client can lock the workspace so that the user cannot enter it.
Because, in the embodiment of the present invention, the server checks whether the business administration client is a compliant client each time it logs in and forbids illegal users from entering the workspace, the data of the workspace can be kept from being uploaded, shared, or leaked under illegal circumstances, which effectively protects the security of enterprise information.
In the embodiment of the present invention, the server can set a corresponding compliance detection rule for each user group or for each user; when the same user has several business administration clients, a corresponding compliance detection rule can be set for each business administration client. Each compliance detection rule set by the server can be saved in a configuration file.
For example, when the server sets a corresponding compliance detection rule for each user group, determining whether the business administration client is a compliant client comprises:
According to the identification information of the mobile terminal carried in the log-on message, and the saved correspondence between users and the identification information of mobile terminals, determine the user to whom the business administration client belongs;
According to the users contained in each saved user group and the compliance detection rule corresponding to each user group, determine the compliance detection rule corresponding to the user;
According to the compliance detection rule corresponding to the user, determine whether the business administration client belonging to the user is a compliant client.
Because a corresponding compliance detection rule is set for each user group, the server saves the information of the users contained in each user group and, so that it can determine the user to whom each mobile terminal belongs, also saves the correspondence between each user and the identification information of that user's mobile terminals. When the server receives the log-on message sent by a business administration client, it determines the user to whom the mobile terminal belongs from the identification information of the mobile terminal carried in the log-on message and the saved correspondence; determines the user group to which the user belongs from the saved information on the users in each group; and determines the compliance detection rule corresponding to that user group from the rules set for each group. It thereby determines the compliance detection rule corresponding to the user and uses it to check whether the business administration client belonging to the user is a compliant client.
The compliance detection rule can also be set per user, in which case the server saves a corresponding compliance detection rule for each user. On receiving the log-on message sent by a business administration client, the server determines the user to whom the business administration client belongs from the identification information of the mobile terminal carried in the log-on message and the saved correspondence between users and the identification information of mobile terminals, and then determines whether the business administration client is a compliant client according to the compliance detection rule saved for that user.
Fig. 3 is a process diagram of locking a mobile terminal workspace provided by embodiment one of the present invention. The process comprises the following steps:
S301: The server receives the log-on message sent by the business administration client on the mobile terminal.
S302: According to the identification information of the mobile terminal carried in the log-on message, and the saved correspondence between users and the identification information of mobile terminals, determine the user to whom the business administration client belongs.
S303: According to the saved information on the users contained in each user group, determine the user group to which the user belongs.
S304: According to the compliance detection rules set for each user group, determine the compliance detection rule corresponding to this user group.
S305: According to this compliance detection rule, judge whether the business administration client is a compliant client; if yes, carry out step S306; otherwise, carry out step S307.
S306: Allow the user to enter the workspace of the business administration client.
S307: Control the business administration client to lock the workspace.
After the corresponding compliance detection rule has been determined, whether the business administration client is a compliant client is determined according to it; when the business administration client is determined to be a non-compliant client, the business administration client is controlled to lock the workspace.
When determining, according to the compliance detection rule, whether the business administration client is a compliant client, the server first checks whether the mobile terminal on which the business administration client resides has root authority. This is because the server modifies the compliance detection rule regularly as required; when the rule is issued to the business administration client, the mobile terminal needs root authority in order to identify and monitor the corresponding events, and without it the update of the compliance detection rule cannot be completed. Determining whether the business administration client is a compliant client therefore comprises:
According to the recorded information of the mobile terminal, the server judges whether the mobile terminal has root authority; when the mobile terminal does not have root authority, it determines that the business administration client in the mobile terminal is a non-compliant client.
The business administration client checks at a set time interval whether the mobile terminal has root authority. Specifically, it can look in common directories for files that indicate root authority. For example, on a mobile terminal running the Android system, the business administration client can check whether an su file exists under directories such as /system/bin, /system/sbin and /system/xbin. On a mobile terminal running the iOS system, it can check under the /Applications directory whether files that are normally not accessible exist. After detecting whether the mobile terminal has root authority, the business administration client reports this information; the server saves, according to the reported information, whether the mobile terminal has root authority, for use in the subsequent compliance judgment of the business administration client.
According to the compliance detection rule and the recorded information of the mobile terminal, the server judges whether the mobile terminal has root authority. When the mobile terminal does not have root authority, the server determines that the business administration client in the mobile terminal is a non-compliant client and sends it control information that makes it lock the workspace; when the mobile terminal has root authority, the server determines that the business administration client is a compliant client and allows the user to enter its workspace.
In the embodiment of the present invention, when the server determines according to the compliance detection rule whether the business administration client is a compliant client, the determination further comprises:
According to the recorded time for which the mobile terminal has not been connected to the network, the server judges whether that time is greater than the set not-networked time threshold;
When the time for which the mobile terminal has not been connected to the network is greater than the set not-networked time threshold, the server determines that the business administration client is a non-compliant client.
For each mobile terminal, the server locally records the time for which the terminal has not been connected to the network. The server can obtain this time through a heartbeat detection mechanism. The server and the business administration client agree on a corresponding policy in advance: the server sends a heartbeat detection packet to the business administration client at a set time interval and judges whether a feedback packet from the business administration client is received within a set length of time. When no feedback packet is received, the server determines that the mobile terminal is not connected to the network and starts timing the terminal's not-connected time. When the next set time interval arrives, the server again sends a heartbeat detection packet; if it receives a feedback packet, timing ends and the server clears the not-connected time recorded for the terminal; if it still receives no feedback packet, the server continues timing. When the server receives the log-on message sent by the business administration client, it judges whether the not-connected time currently saved for the mobile terminal is greater than the set not-networked time threshold; when it is, the server determines that the business administration client is a non-compliant client.
When the server determines that the business administration client is a non-compliant client, it sends control information for locking the workspace to the business administration client; the business administration client parses the control information and then locks its own workspace.
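An added sketch of the server-side decision described in steps S301 to S307 together with the root-authority and not-networked-time checks; it is not code from the patent. The class and field names, the constructed IMEI and group, and the choice to lock a terminal the server has no record of are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

ALLOW, LOCK = "ALLOW", "LOCK"


@dataclass
class Rule:
    version: int
    not_networked_threshold_s: float   # the "not-networked time threshold"


@dataclass
class TerminalRecord:
    has_root: bool = False                  # last value reported by the client
    offline_since: Optional[float] = None   # time of the first unanswered heartbeat


class ComplianceServer:
    """Hypothetical server state: IMEI -> user -> user group -> rule."""

    def __init__(self, imei_to_user, user_to_group, group_rules):
        self.imei_to_user = imei_to_user
        self.user_to_group = user_to_group
        self.group_rules = group_rules
        self.terminals = {}

    def _record(self, imei):
        return self.terminals.setdefault(imei, TerminalRecord())

    def report_root(self, imei, has_root):
        # The client reports the result of its periodic root-authority check.
        self._record(imei).has_root = bool(has_root)

    def heartbeat_result(self, imei, answered, now):
        rec = self._record(imei)
        if answered:
            rec.offline_since = None        # feedback packet received: clear the timer
        elif rec.offline_since is None:
            rec.offline_since = now         # first missed heartbeat: start timing
        # a further missed heartbeat keeps the original start time (timing continues)

    def not_networked_seconds(self, imei, now):
        rec = self.terminals.get(imei)
        if rec is None or rec.offline_since is None:
            return 0.0
        return now - rec.offline_since

    def on_login(self, imei, now):
        """Return (decision, reason) for a log-on message carrying this IMEI."""
        user = self.imei_to_user.get(imei)                        # S302
        if user is None:
            return LOCK, "unknown terminal"                       # assumption: fail closed
        rule = self.group_rules.get(self.user_to_group.get(user))  # S303, S304
        if rule is None:
            return LOCK, "no rule for user group"                 # assumption: fail closed
        rec = self.terminals.get(imei)
        # As the text states it, a terminal without root authority is non-compliant.
        if rec is None or not rec.has_root:
            return LOCK, "no root authority"
        if self.not_networked_seconds(imei, now) > rule.not_networked_threshold_s:
            return LOCK, "not networked too long"
        return ALLOW, "compliant"                                 # S306


def demo():
    imei = "490154203237518"   # constructed sample IMEI
    srv = ComplianceServer({imei: "alice"}, {"alice": "finance"},
                           {"finance": Rule(version=3, not_networked_threshold_s=600)})
    srv.report_root(imei, True)
    srv.heartbeat_result(imei, answered=False, now=100)
    return srv.on_login(imei, now=800)   # 700 s without network, threshold 600 s
```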
Specifically, the control information that the server sends to the business administration client is a command line containing many character strings. The server and the business administration client have agreed on the meaning of each string, and the control field that indicates locking the workspace is carried at an agreed position in the command line. After receiving the control information, the business administration client parses it according to the agreement with the server, obtains the control field at the agreed position, and carries out the control policy of locking the workspace according to the control field.
In the command line, the string that indicates locking the workspace can be a Value. The business administration client saves in advance the information corresponding to the various Values; for example, 1 represents locking the workspace and -1 represents unlocking the workspace. This string can be generated with Protobuf, because the binary message produced by Protobuf serialization is very compact, which is due to the encoding method that Protobuf adopts. Protobuf uses Varint encoding, a compact way of representing numbers: a number is represented with one or more bytes, and the smaller the value, the fewer bytes are used, which reduces the number of bytes needed to represent numbers. Therefore, when the string in the control field of the control information represents a small number, the data volume of the control information is effectively reduced and bandwidth is saved.
Fig. 4A is a process diagram of another way of locking a mobile terminal workspace provided by the embodiment of the present invention. The process comprises the following steps:
S401: The business administration client receives the user's operation information for an application program in the workspace.
S402: According to the compliance detection rule saved by itself, judge whether the user's current operation in the workspace is compliant; if yes, carry out step S403; otherwise, carry out step S404.
Specifically, the corresponding compliance detection rule can be configured in the business administration client in advance, or the business administration client can download it from the server.
S403: The business administration client allows the operation that the user carries out in the workspace.
S404: The business administration client locks the workspace.
The compliance detection rule saved in the business administration client can be downloaded from the server. To keep the compliance detection rules currently saved by the server and by the business administration client consistent, and to update the compliance detection rule, saving the compliance detection rule in the embodiment of the present invention comprises:
The business administration client sends its own status information to the server at a set time interval, wherein the status information contains the version number of the compliance detection rule it currently holds;
When the server determines that the compliance detection rule currently saved by the business administration client is not the latest version, the business administration client receives the latest-version compliance detection rule issued by the server and uses it to update the locally saved compliance detection rule.
The compliance detection rule in the server can be issued as a configuration file that contains key-value (Key-Value) pairs. The business administration client saves in advance the Key and Value values of the various policies; after receiving the configuration file, it parses the Key and Value values in the file to learn the concrete meaning of the security policy issued by the server. This reduces the traffic consumed in interaction between the business administration client and the server on the one hand, and improves the efficiency and reliability of data transmission on the other.
Specifically, regarding Varint encoding: a number of type int32 generally needs 4 bytes. With Varint, a very small int32 number can be represented with 1 byte. There is also a downside: with the Varint representation, a large number needs 5 bytes. Statistically, however, not all the numbers in a typical message are large, so in most cases Varint represents numeric information with fewer bytes.
The most significant bit of each byte in a Varint has a special meaning: if it is 1, the following byte is also part of the number; if it is 0, the number ends with this byte. The other 7 bits represent the number. A number less than 128 can therefore be represented with one byte. A number greater than 128, such as 300, is represented with two bytes: 1010 1100 0000 0010. When Google Protocol Buffer parses these two bytes, the first bit of the first byte is 1, indicating that the next byte also belongs to the number, and the first bit of the second byte is 0, indicating that this is the last byte of the number. With the first bit removed from each byte, the two 7-bit groups are 0101100 and 0000010. Their positions are swapped, giving 0000010 and 0101100, which yield the number 100101100; converted, this is 256+32+8+4 = 300. The two groups are swapped because Google Protocol Buffer uses little-endian byte order.
After serialization the configuration file becomes a binary data stream whose data is a series of Key-Value pairs; as the Key-Value schematic in Fig. 4B shows, the stream contains N Fields. With this structure no separator is needed between Fields, and an optional Field that is not set does not appear in the final data stream at all. These characteristics help reduce the size of the configuration file transmitted between the server and the business administration client.
Suppose the following message Test1 is created:
Test1.id=10;
Test1.str="hello";
The final configuration file then contains two Key-Value pairs: one corresponds to id in the message, the other to str.
The Key identifies the concrete field; when unpacking, Protocol Buffer knows from the Key which field in the message the corresponding Value belongs to. The Key is defined as follows:
(field_number << 3) | wire_type
The Key thus consists of two parts. The first is field_number; for example, the field_number of the field id in the message lm.helloworld is 1. The second is wire_type, which indicates the transport type of the Value.
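The Varint and Key rules above, and the 1 / -1 control Values mentioned earlier, worked through as an added example (not code from the patent). Field numbers 1 for id and 2 for str and all function names are assumptions; the encoder follows the public Protocol Buffers wire format, in which a negative int32 such as -1 is sent as ten bytes unless the field is declared sint32 (ZigZag).

```python
WT_VARINT, WT_LEN = 0, 2   # wire types: varint, length-delimited


def encode_varint(n: int) -> bytes:
    if n < 0:
        n += 1 << 64           # int32/int64: negatives go out as 64-bit two's complement
    out = bytearray()
    while True:
        low7 = n & 0x7F
        n >>= 7
        if n:
            out.append(low7 | 0x80)   # MSB = 1: more bytes follow
        else:
            out.append(low7)          # MSB = 0: last byte
            return bytes(out)


def decode_varint(buf: bytes, pos: int = 0):
    """Return (value, next_pos); reject truncated or over-long input."""
    result = shift = 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        if shift >= 70:
            raise ValueError("varint longer than 10 bytes")
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift   # least significant 7-bit group comes first
        shift += 7
        if not byte & 0x80:
            return result, pos


def zigzag32(n: int) -> int:
    return (n << 1) ^ (n >> 31)    # sint32 mapping: -1 -> 1, 1 -> 2


def unzigzag(z: int) -> int:
    return (z >> 1) ^ -(z & 1)


def make_key(field_number: int, wire_type: int) -> int:
    return (field_number << 3) | wire_type


def encode_test1(id_: int, text: str) -> bytes:
    # Assumed schema: id = field 1 (varint), str = field 2 (length-delimited).
    data = text.encode("utf-8")
    return (encode_varint(make_key(1, WT_VARINT)) + encode_varint(id_)
            + encode_varint(make_key(2, WT_LEN)) + encode_varint(len(data)) + data)


def decode_message(buf: bytes) -> dict:
    """Walk the Key-Value stream; no separators are needed between fields."""
    fields, pos = {}, 0
    while pos < len(buf):
        key, pos = decode_varint(buf, pos)
        field_number, wire_type = key >> 3, key & 0x7
        if wire_type == WT_VARINT:
            value, pos = decode_varint(buf, pos)
        elif wire_type == WT_LEN:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            value, pos = buf[pos:pos + length], pos + length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields[field_number] = value
    return fields


if __name__ == "__main__":
    print(encode_varint(300).hex())           # the two bytes walked through in the text
    print(encode_test1(10, "hello").hex())    # Test1 with id=10, str="hello"
    print(len(encode_varint(1)), len(encode_varint(-1)), len(encode_varint(zigzag32(-1))))
```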
The business administration client saves in advance the Key and Value values of the various policies; after receiving the configuration file, it parses the Key and Value values in the file to learn the concrete meaning of the security policy issued by the server.
The business administration client downloads the configuration file containing the compliance detection rule from the server through the unified channel between the business administration client and the server. After receiving the configuration file, the business administration client parses the information carried in it, for example with an MDM command generator parsing module, and obtains the corresponding Key and Value values.
After obtaining the compliance detection rules by parsing, the business administration client can place them in another configuration file saved locally, and record in that file the version number of each compliance detection rule obtained from the server. Alternatively, to simplify operation and reduce the time and traffic spent on information exchange between the server and the business administration client, the server uses one unified version number for all compliance detection rules whenever it updates them, and writes that version number into the configuration file. After obtaining the compliance detection rules by parsing, the business administration client saves them in the local configuration file and writes the version number of the compliance detection rules into it. At a set time interval the business administration client sends the server the version number written in this configuration file, and the server judges, according to the latest unified version number of the compliance detection rules it holds, whether to update the compliance detection rules saved in the business administration client.
Alternatively, the business administration client sends its own status information to the server at a set time interval, wherein the status information contains the version number of the compliance detection rule it currently holds. After receiving the status information, the server determines the user group of the user to whom the business administration client belongs, from that user and the saved information on the users contained in each user group, and sends the latest version number of the compliance detection rule saved for that user group to the business administration client in a response message.
After receiving the response message sent by the server, the business administration client extracts the latest version number from it and compares it with the version number of the compliance detection rule it has downloaded locally. When they differ, the business administration client sends the server a request to download the latest-version compliance detection rule; the server issues the latest-version rule, and the business administration client receives it and uses it to update the locally saved compliance detection rule. When the latest version number matches the version number of the locally downloaded compliance detection rule, the business administration client determines that the rule it holds is the latest version and continues to use it for detection.
By monitoring the user's operations in the workspace with the compliance detection rule saved by the business administration client itself, leakage of workspace information caused by non-compliant operations carried out by the user in the workspace can be avoided.
After saving the compliance detection rules, the business administration client judges according to them whether the current operation of the current user is compliant, and thereby determines whether the user can carry out the operation in the workspace. The business administration client first checks whether the mobile terminal has root authority. This is because the business administration client obtains the compliance detection rule from the server, and the mobile terminal needs root authority in order to identify and monitor the corresponding events; without it the update of the compliance detection rule cannot be completed. Judging whether the user's current operation is compliant therefore specifically comprises:
The business administration client searches whether the operating system records a command corresponding to root authority;
When no command corresponding to root authority is found, it determines that the mobile terminal does not have root authority and that the user's operation in the workspace is non-compliant.
The business administration client checks and updates, at a set time interval, whether the mobile terminal has root authority. Specifically, it can look in common directories for files that indicate root authority; for example, it can check whether an su file exists under directories such as /system/bin, /system/sbin and /system/xbin. The business administration client saves the detected information on whether the mobile terminal has root authority for use in subsequent judgment.
When the business administration client receives the user's operation information for an application program in the workspace, it retrieves, according to the saved compliance detection rule, the currently saved information on whether the mobile terminal has root authority. When the mobile terminal has root authority, the operation that the user carries out in the workspace is allowed; when it does not, the business administration client determines that the user's current operation in the workspace is non-compliant and locks the workspace.
In the embodiment of the present invention, judging whether the user's current operation is compliant further comprises:
According to the recorded time for which it has been disconnected from the server, the business administration client judges whether the disconnected time is greater than the set offline access threshold;
When the disconnected time is greater than the set offline access threshold, it determines that the user's operation in the workspace is non-compliant.
Fig. 5 is a process diagram of locking a mobile terminal workspace provided by embodiment two of the present invention. The process comprises the following steps:
S501: The business administration client checks whether it is connected to the server and, when disconnected from the server, records the time for which it has been disconnected.
S502: While the business administration client is disconnected from the server, it receives the user's operation information for an application program in the workspace.
S503: According to the recorded time for which it has been disconnected from the server, the business administration client judges whether the disconnected time is greater than the set offline access threshold; if yes, carry out step S504; otherwise, carry out step S505.
S504: Determine that the user's current operation in the workspace is non-compliant, and lock the workspace.
S505: Determine that the user's current operation in the workspace is compliant, and allow the operation that the user carries out in the workspace.
When disconnected from the server, the business administration client records the time for which it has been disconnected and periodically updates the recorded time according to whether it is connected to the server: when it detects a connection to the server, it clears the recorded disconnected time; when it detects that it is still not connected, it updates the disconnected time.
When, while disconnected from the server, the business administration client receives the user's operation information for an application program in the workspace, it determines whether to allow the operation according to whether the recorded disconnected time is greater than the set offline access threshold. In this method the business administration client monitors itself: when the time for which it has been disconnected from the server exceeds the offline access threshold, the user's operation in the workspace is non-compliant, and to avoid leakage of workspace information caused by non-compliant operations, the business administration client locks the workspace.
To further guarantee the security of the information in the workspace, judging whether the user's current operation is compliant comprises:
The business administration client detects whether the mobile terminal is currently connected to the network;
When it is not connected to the network, it determines that the user's operation in the workspace is non-compliant.
The business administration client detects in real time whether the mobile terminal is connected to the network. When it detects that the mobile terminal is currently not connected, it records the time for which the mobile terminal has not been connected, and it periodically updates that recorded time according to whether the mobile terminal is connected: when the mobile terminal is detected to be connected, the recorded not-connected time is reset to zero; when the mobile terminal is detected to be still not connected, the recorded not-connected time is updated.
During the time the mobile terminal is not connected to the network, when the business administration client receives operation information from a user operating an application in the workspace, in order to guarantee the information security of the workspace it determines that the user's operation in the workspace is non-compliant and does not allow the operation. In this method the business administration client performs the monitoring itself: when the mobile terminal is disconnected from the network, the business administration client locks the workspace to avoid leakage of workspace information caused by non-compliant operations carried out in the workspace.
Using the compliance detection rules that it stores itself, the business administration client monitors the user's operations in the workspace, which avoids leakage of workspace information caused by non-compliant operations that the user carries out in the workspace.
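The client-side bookkeeping described above (record the disconnected time, update it periodically, zero it on reconnect, lock once it exceeds the offline access threshold) is written out below as an added example; it is not code from the patent. The class and method names, the injected monotonic clock, the refresh at decision time and the lock that stays set are assumptions of this example, and a threshold of `None` models the stricter variant in which any operation while disconnected is non-compliant.

```python
import time
from typing import Callable, Optional


class WorkspaceGuard:
    """Tracks how long the client has been disconnected and decides whether an
    operation inside the workspace is allowed (hypothetical class name)."""

    def __init__(self, offline_access_threshold: Optional[float],
                 clock: Callable[[], float] = time.monotonic):
        # Threshold in seconds; None selects the strict rule, where any
        # operation while disconnected is non-compliant.
        self.threshold = offline_access_threshold
        # Monotonic clock: changing the device's wall-clock time does not
        # shorten the recorded interval (design choice of this example).
        self.clock = clock
        self._offline_since: Optional[float] = None
        self.offline_seconds = 0.0   # the "currently recorded" disconnected time
        self.locked = False

    def poll(self, connected: bool) -> None:
        """Periodic connectivity check: zero the record on reconnect,
        otherwise start or update it."""
        now = self.clock()
        if connected:
            self._offline_since = None
            self.offline_seconds = 0.0
        else:
            if self._offline_since is None:
                self._offline_since = now
            self.offline_seconds = now - self._offline_since

    def _compliant(self) -> bool:
        if self._offline_since is None:
            return True                  # connected at the last check
        if self.threshold is None:
            return False                 # strict rule: offline is non-compliant
        # Non-compliant only when the recorded time is greater than the threshold.
        return self.offline_seconds <= self.threshold

    def on_operation(self, app: str) -> bool:
        """Called when the user operates an application in the workspace.
        Returns True if the operation may proceed; otherwise locks the workspace."""
        if self._offline_since is not None:
            # Refresh the record so a long polling interval cannot hide time
            # spent offline (addition of this example).
            self.offline_seconds = self.clock() - self._offline_since
        if self.locked or not self._compliant():
            # The lock stays set; how a workspace is unlocked is not modelled.
            self.locked = True
            return False
        return True


def demo():
    """Constructed timeline: 300 s threshold, (time in seconds, connected?)."""
    timeline = [(0, True), (120, False), (240, False), (300, True),
                (420, False), (600, False), (780, False), (900, True)]
    now = [0.0]
    guard = WorkspaceGuard(300.0, clock=lambda: now[0])
    results = []
    for t, connected in timeline:
        now[0] = float(t)
        guard.poll(connected)
        results.append(guard.on_operation("mail"))
    return results


if __name__ == "__main__":
    print(demo())
```

In the constructed timeline the reconnect at 300 s zeroes the record, so the second outage is measured from 420 s and the lock is applied at 780 s.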
Fig. 6 is a schematic diagram of the architecture of a system for locking a mobile terminal workspace provided by an embodiment of the present invention. The system comprises a server 61 and a business administration client 62 on a mobile terminal;
Business administration client 61, configured to send login information to the server and, under the control of the server, to lock the workspace or allow the user to enter the workspace;
Server 62, configured to receive the login information and to determine, according to the compliance detection rules that it stores, whether the business administration client is a compliant client; when the business administration client is determined to be a non-compliant client, to control the business administration client to lock the workspace, and otherwise to allow the user to enter the workspace of the business administration client.
The server 62 is specifically configured to determine the user to whom the business administration client belongs, according to the identification information of the mobile terminal carried in the login information and the correspondence that it stores between users and mobile terminal identification information; to determine, according to the compliance detection rules that it stores, whether the user is a compliant user; and to determine whether the business administration client is a compliant client according to whether the user is a compliant user.
The server 62 is specifically configured to judge, according to the recorded information of the mobile terminal, whether the mobile terminal has root authority; when the mobile terminal does not have root authority, the business administration client on that mobile terminal is determined to be a non-compliant client.
The server 62 is specifically configured to record, for each mobile terminal, the time for which that mobile terminal has not been connected to the network; when that time is greater than the set not-networked time threshold, the business administration client is determined to be a non-compliant client.
The server 62 is specifically configured to send control information for locking the workspace to the business administration client when it determines that the business administration client is a non-compliant client;
The business administration client 61 is specifically configured to parse the control information and obtain the control field carried in it, and to lock the workspace according to the correspondence, agreed in advance with the server, between each control field and its control instruction.
Fig. 7 is a schematic structural diagram of a business administration client provided by an embodiment of the present invention. The business administration client comprises:
Receiver module 71, configured to receive operation information from a user operating an application in the workspace;
Judge module 72, configured to judge, according to the compliance detection rules that the client stores, whether the user's current operation in the workspace is compliant;
Control module 73, configured to lock the workspace when the judge module determines that the user's current operation in the workspace is non-compliant, and otherwise to allow the operation that the user carries out in the workspace.
The business administration client further comprises:
Sending module 74, configured to send the client's own status information to the server at the set time interval, the status information including the version number of the compliance detection rules that the client currently stores;
The receiver module 71 is further configured, when the server determines that the compliance detection rules currently stored by the business administration client are not of the latest version number, to receive the compliance detection rules of the latest version number issued by the server, and to update the locally stored compliance detection rules with the received compliance detection rules of the latest version number.
The judge module 72 is specifically configured to look up whether the operating system records a command corresponding to root authority; when no command corresponding to root authority is found, it determines that the mobile terminal does not have root authority and determines that the user's operation in the workspace is non-compliant.
The judge module 72 is specifically configured to judge, according to the recorded time for which the client has been disconnected from the server, whether that disconnected time is greater than the set offline access threshold; when the disconnected time is determined to be greater than the set offline access threshold, the user's operation in the workspace is determined to be non-compliant.
The judge module 72 is specifically configured to detect whether the mobile terminal is currently connected to the network; when it is not connected to the network, the user's operation in the workspace is determined to be non-compliant.
An embodiment of the present invention provides a system for locking a mobile terminal workspace, with the system architecture shown in Fig. 6. The system comprises the business administration client 61 described with reference to Fig. 7, and a server 62 that sends compliance detection rules to the business administration client.
The business administration client 61 is specifically configured to send its own status information to the server at the set time interval, the status information including the version number of the compliance detection rules that it currently stores; and to update the locally stored compliance detection rules with the received compliance detection rules of the latest version number;
The server 62 is specifically configured to judge whether the version number of the compliance detection rules currently held by the business administration client is the latest version number and, when it determines that the version number is not the latest version number, to issue the compliance detection rules of the latest version number to the business administration client.
The business administration client 61 is specifically configured to send its own status information to the server at the set time interval, the status information including the version number of the compliance detection rules that it currently stores; to receive the latest version number of the compliance detection rules sent by the server and compare that latest version number with the version number of the compliance detection rules already downloaded locally; when they are inconsistent, to send the server a request to download the compliance detection rules of the latest version number; and to receive the compliance detection rules of the latest version number issued by the server and update the locally stored compliance detection rules with them;
The server 62 is specifically configured to receive the status information sent by the business administration client and to send the business administration client the latest version number of the stored compliance detection rules that correspond to that business administration client; and to receive the request of the business administration client and issue to it the compliance detection rules of the latest version number.
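The two rule-update exchanges described above differ in who makes the comparison: in the first the server compares the reported version number and issues the rules, in the second the server only announces the latest version number and the client compares and requests the download. The following added example (not code from the patent) runs both exchanges; the message layout, field names and rule contents are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RuleSet:
    version: int
    rules: dict   # constructed rule fields; the patent does not define a format


class Server:
    def __init__(self, latest: RuleSet):
        self.latest = latest

    def _rules_message(self) -> dict:
        return {"type": "rules", "version": self.latest.version,
                "rules": dict(self.latest.rules)}

    def handle_status_push(self, status: dict) -> dict:
        """First variant: the server compares versions and issues the rules."""
        if status["rule_version"] != self.latest.version:
            return self._rules_message()
        return {"type": "up_to_date"}

    def handle_status_announce(self, status: dict) -> dict:
        """Second variant: the server only announces the latest version number."""
        return {"type": "latest_version", "version": self.latest.version}

    def handle_download(self, request: dict) -> dict:
        """Second variant, continued: serve the rules on request."""
        return self._rules_message()


class Client:
    def __init__(self, rules: RuleSet):
        self.rules = rules
        self.log = []   # message types in the order they crossed the wire

    def _status(self) -> dict:
        # Sent at the set time interval; carries the stored rule version.
        return {"type": "status", "rule_version": self.rules.version}

    def _apply(self, message: dict) -> None:
        if message["type"] == "rules":
            self.rules = RuleSet(message["version"], message["rules"])

    def sync_push(self, server: Server) -> None:
        reply = server.handle_status_push(self._status())
        self.log += ["status", reply["type"]]
        self._apply(reply)

    def sync_pull(self, server: Server) -> None:
        reply = server.handle_status_announce(self._status())
        self.log += ["status", reply["type"]]
        if reply["version"] != self.rules.version:   # client-side comparison
            request = {"type": "download", "version": reply["version"]}
            rules = server.handle_download(request)
            self.log += ["download", rules["type"]]
            self._apply(rules)


def demo():
    server = Server(RuleSet(5, {"offline_access_threshold_s": 300}))
    push = Client(RuleSet(3, {"offline_access_threshold_s": 600}))
    pull = Client(RuleSet(3, {"offline_access_threshold_s": 600}))
    for _ in range(2):          # two reporting intervals
        push.sync_push(server)
        pull.sync_pull(server)
    return push, pull


if __name__ == "__main__":
    for client in demo():
        print(client.rules.version, client.log)
```

Both clients end on version 5; the second interval transfers no rules in either variant.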
Embodiments of the present invention provide a method, system and device for locking a mobile terminal workspace. In the method, after the server receives the login information sent by the business administration client on a mobile terminal, it determines, according to the compliance detection rules that it stores, whether the business administration client is a compliant client, and, when it determines that the business administration client is a non-compliant client, it controls the business administration client to lock the workspace. Because in embodiments of the present invention the server checks on every login whether the business administration client is a compliant client and forbids illegal users from entering the workspace, workspace data can be kept from being uploaded, shared and leaked under illegal conditions, which effectively protects the security of enterprise information.
It should be noted that the equipment in embodiments of the present invention may include various devices such as computer equipment and mobile devices. The mobile device may be any of various mobile devices such as a game console, laptop computer, portable electronic device, slate computer, tablet computer, PDA, mobile computer or mobile phone; embodiments of the present invention place no restriction on this.
The algorithms and displays provided here are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described here can be implemented in various programming languages, and that the description given above of a specific language is made in order to disclose the best mode of the invention.
Numerous specific details are set out in the description provided here. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, the method of this disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment can be adaptively changed and arranged in one or more pieces of equipment different from that embodiment. The modules or units or components of an embodiment can be combined into one module or unit or component, and they can furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
In addition, those skilled in the art will understand that, although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination of them. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the server, business administration client and system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference symbols placed between parentheses shall not be construed as limiting the claim. The word "comprises" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications of the invention fall within the scope of the claims of the invention and their technical equivalents, the invention is also intended to include them.

Claims (10)

1. A method for locking a mobile terminal workspace, characterized in that the method comprises:
A server receives login information sent by a business administration client on a mobile terminal;
According to the compliance detection rules that it stores, the server determines whether the business administration client is a compliant client;
When the business administration client is determined to be a non-compliant client, the business administration client is controlled to lock the workspace; otherwise, the user is allowed to enter the workspace of the business administration client.
2. The method as claimed in claim 1, characterized in that determining whether the business administration client is a compliant client comprises:
The server judges, according to the recorded information of the mobile terminal, whether the mobile terminal has root authority;
When the mobile terminal does not have root authority, the business administration client on that mobile terminal is determined to be a non-compliant client.
3. The method as claimed in claim 1 or 2, characterized in that determining that the business administration client is a non-compliant client comprises:
The server judges, according to the recorded time for which the mobile terminal has not been connected to the network, whether that time is greater than the set not-networked time threshold;
When the time for which the mobile terminal has not been connected to the network is greater than the set not-networked time threshold, the business administration client is determined to be a non-compliant client.
4. A system for locking a mobile terminal workspace, characterized in that the system comprises a server and a business administration client on a mobile terminal;
The business administration client is configured to send login information to the server and, under the control of the server, to lock the workspace or allow the user to enter the workspace;
The server is configured to receive the login information and to determine, according to the compliance detection rules that it stores, whether the business administration client is a compliant client; when the business administration client is determined to be a non-compliant client, to control the business administration client to lock the workspace, and otherwise to allow the user to enter the workspace of the business administration client.
5. A method for locking a mobile terminal workspace, characterized in that the method comprises:
A business administration client receives operation information from a user operating an application in the workspace;
According to the compliance detection rules that it stores, the business administration client judges whether the user's current operation in the workspace is compliant;
When the user's current operation in the workspace is determined to be non-compliant, the workspace is locked; otherwise, the operation that the user carries out in the workspace is allowed.
6. The method as claimed in claim 5, characterized in that storing the compliance detection rules comprises:
The business administration client sends its own status information to the server at the set time interval, the status information including the version number of the compliance detection rules that it currently stores;
When the server determines that the compliance detection rules currently stored by the business administration client are not of the latest version number, the business administration client receives the compliance detection rules of the latest version number issued by the server, and updates the locally stored compliance detection rules with the received compliance detection rules of the latest version number.
7. The method as claimed in claim 5 or 6, characterized in that judging whether the user's current operation is compliant comprises:
The business administration client looks up whether the operating system records a command corresponding to root authority;
When no command corresponding to root authority is found, the mobile terminal is determined not to have root authority, and the user's operation in the workspace is determined to be non-compliant.
8. The method as claimed in claim 7, characterized in that judging whether the user's current operation is compliant comprises:
The business administration client judges, according to the recorded time for which it has been disconnected from the server, whether that disconnected time is greater than the set offline access threshold;
When the disconnected time is determined to be greater than the set offline access threshold, the user's operation in the workspace is determined to be non-compliant.
9. A business administration client, characterized in that the business administration client comprises:
A receiver module, configured to receive operation information from a user operating an application in the workspace;
A judge module, configured to judge, according to the compliance detection rules that the client stores, whether the user's current operation in the workspace is compliant;
A control module, configured to lock the workspace when the judge module determines that the user's current operation in the workspace is non-compliant, and otherwise to allow the operation that the user carries out in the workspace.
10. A system for locking a mobile terminal workspace, characterized in that the system comprises: the business administration client as claimed in claim 9, and a server that sends compliance detection rules to the business administration client.
CN201310722226.8A 2013-12-24 2013-12-24 Method, system and device for locking working region of mobile terminal Pending CN103646198A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310722226.8A CN103646198A (en) 2013-12-24 2013-12-24 Method, system and device for locking working region of mobile terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201310722226.8A CN103646198A (en) 2013-12-24 2013-12-24 Method, system and device for locking working region of mobile terminal

Publications (1)

Publication Number Publication Date
CN103646198A true CN103646198A (en) 2014-03-19

Family

ID=50251411

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310722226.8A Pending CN103646198A (en) 2013-12-24 2013-12-24 Method, system and device for locking working region of mobile terminal

Country Status (1)

Country Link
CN (1) CN103646198A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102741804A (en) * 2009-07-01 2012-10-17 芒达·帕蒂尔 A method for controlling unauthorized software application usage
CN103229183A (en) * 2010-09-24 2013-07-31 捷讯研究有限公司 Method and apparatus for differentiated access control
CN103259707A (en) * 2012-02-16 2013-08-21 捷讯研究有限公司 Method and apparatus for separation of connection data by perimeter type
CN103312676A (en) * 2012-03-15 2013-09-18 宇龙计算机通信科技(深圳)有限公司 Terminal, server and terminal safety management method

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105320877B (en) * 2014-06-27 2018-12-21 北京中油瑞飞信息技术有限责任公司 Equipment access and management-control method based on open platform
CN105320877A (en) * 2014-06-27 2016-02-10 北京中油瑞飞信息技术有限责任公司 Equipment access and control method based on open platform
CN104252588A (en) * 2014-10-24 2014-12-31 北京奇虎科技有限公司 Working area access controlling method and device
CN104252588B (en) * 2014-10-24 2017-05-03 北京奇虎科技有限公司 Working area access controlling method and device
CN104506351A (en) * 2014-12-18 2015-04-08 北京随方信息技术有限公司 Method and system for performing online full-automatic configuration of compliance safety audit
CN104506351B (en) * 2014-12-18 2018-08-14 北京随方信息技术有限公司 On-line Full configuration compliance method for auditing safely and system
CN106203101A (en) * 2015-04-30 2016-12-07 北京壹人壹本信息科技有限公司 A kind of method for managing security and device
CN105095171A (en) * 2015-09-07 2015-11-25 北京恒华伟业科技股份有限公司 File unlocking control method and apparatus
CN105653975A (en) * 2015-12-24 2016-06-08 北京奇虎科技有限公司 APP (Application) operation control method and device
CN105653975B (en) * 2015-12-24 2019-06-07 北京奇虎科技有限公司 APP progress control method and device
CN105912937A (en) * 2016-04-28 2016-08-31 宇龙计算机通信科技(深圳)有限公司 Root detection processing method and device, and terminal
CN106851574A (en) * 2017-01-22 2017-06-13 山东鲁能软件技术有限公司 A kind of Terminal Security Management system and method based on GIS
CN107360081A (en) * 2017-07-26 2017-11-17 珠海信达九州科技有限公司 A kind of information interaction system and method for the instant messaging of mobile terminal enterprise-level

Similar Documents

Publication Publication Date Title
CN103646198A (en) Method, system and device for locking working region of mobile terminal
US20200372154A1 (en) Blockchain security
CN103677935A (en) Installation and control method, system and device for application programs
US20210281599A1 (en) Cyber Security System and Method Using Intelligent Agents
CN102332072A (en) The system and method that is used for detection of malicious software and management Malware relevant information
CN109983745A (en) Improve the security system and method for safety alarm response and the response time reconciled using automatic robot's program with natural language interface
CN104991526A (en) Industrial control system safe support framework and data safe transmission and storage method thereof
CN104320389A (en) Fusion identify protection system and fusion identify protection method based on cloud computing
CN103647785A (en) Security control method, device and system for mobile terminal
Fisk Cyber security, building automation, and the intelligent building
CN104380301A (en) Managing distributed operating system physical resources
CN103118355A (en) Display method of mobile terminal user information, mobile terminals and service system
CN107276986B (en) Method, device and system for protecting website through machine learning
US20230362263A1 (en) Automatically Executing Responsive Actions Upon Detecting an Incomplete Account Lineage Chain
CN114036495B (en) Method and device for updating privatized deployment verification code system
US11653209B2 (en) Identifying potential attacks against cellular networks
CN1601954B (en) Moving principals across security boundaries without service interruption
Maynard et al. Decomposition and sequential-AND analysis of known cyber-attacks on critical infrastructure control systems
CN103763370A (en) Method, system and device for changing screen locking password of working area of mobile terminal
US9432357B2 (en) Computer network security management system and method
US8904487B2 (en) Preventing information theft
CN103559430A (en) Application account management method and device based on android system
US10698752B2 (en) Preventing unauthorized access to secure enterprise information systems using a multi-intercept system
CN103841050B (en) A kind of LAN admittance control method of nuclear power plant analog machine and system
KR102102256B1 (en) System including apparatus for managing sharer and server and method thereof

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20140319
