CN109460660A - A kind of mobile device safety management system - Google Patents

Publication number
CN109460660A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811213329.0A
Other languages
Chinese (zh)
Other versions
CN109460660B (en
Inventor
王中华
黎均明
卢兴亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Netxin Computer Technology Co Ltd
Original Assignee
Guangzhou Netxin Computer Technology Co Ltd
Application filed by Guangzhou Netxin Computer Technology Co Ltd
Priority to CN201811213329.0A
Publication of CN109460660A
Application granted
Publication of CN109460660B
Current legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/45 Structures or tools for the administration of authentication
    • G06F21/46 Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords

Abstract

The invention relates to a mobile device security management system comprising a mobile terminal and a server-side management platform, the mobile terminal communicating with the server-side management platform over the Internet. The server-side management platform includes a mobile terminal threat defense management module, an enterprise mobile device management module and a push module, which together let the platform manage mobile devices as a whole. The mobile terminal threat defense management module scans the mobile device for viruses, applies security admission policies, and uses a security sandbox module to keep the mobile device secure. The enterprise mobile device management module protects the mobile device and the applications and documents on it; if a mobile device is lost, deleting its files or changing its login password further protects confidential enterprise documents.

Description

A mobile device security management system
Technical field
The present invention relates to the technical field of network security, and in particular to a mobile device security management system.
Background art
With the rapid development of mobile device products, the commercial use of smartphones and tablet computers has become a trend. How to centrally manage and control mobile devices has become a key point of enterprise management.
Smartphones and tablet computers that were originally designed for individual consumers are increasingly used by enterprises to carry critical business and core applications. Although employees who access company information from mobile devices work more efficiently, this also brings many security risks to the enterprise, and problems such as theft of funds and information leakage occur frequently. The root cause is that the security of the access information cannot be screened when a mobile terminal device accesses other systems. An employee's mobile terminal may already carry a security risk: viruses, Trojans or malicious programs may have been implanted in it, or the data on it may be spied on. The call data, SMS data and network data carried by the mobile terminal may be maliciously obtained, so the security of the mobile terminal cannot be guaranteed. In addition, in the prior art, confidential enterprise data is lost together with a lost mobile device. A security management system that can guarantee the security of system data is therefore urgently needed.
Summary of the invention
In view of the deficiencies of the prior art, the present invention provides a mobile device security management system. The system can keep mobile devices secure and can locate them; when a mobile device is lost, it protects data by deleting file data or changing the device password, which further improves the security of the system.
The technical solution of the present invention is a mobile device security management system comprising a mobile terminal and a server-side management platform. The mobile terminal communicates with the server-side management platform over the Internet, and the server-side management platform includes a mobile terminal threat defense management module, an enterprise mobile device management module and a push module.
The mobile terminal threat defense management module provides overall protection against the security threats and security problems of mobile terminal devices.
The enterprise mobile device management module provides integrated management of the managed mobile terminal devices, the applications installed on them, and the data files on the mobile terminals and the server-side management platform.
The push module is used by the server-side management platform to push messages to the mobile terminal.
Further, the mobile terminal threat defense management module includes a mobile antivirus module, a security admission module, an application scanning module, a security situational awareness module, an application wrapping module and a security sandbox module.
The mobile antivirus module uses dual-engine antivirus technology to detect and remove viruses, Trojans and malicious code on the mobile terminal device and in its applications, prevents users from installing applications with poor security, and performs virus scanning, vulnerability scanning and patching on the system.
The security admission module audits the mobile terminal devices managed by the server-side management platform. Using multiple detection items together with time fence and geofence policies, it controls mobile terminal device access and applies fine-grained policy control to non-compliant devices, preventing unsafe mobile terminal devices from running on the server-side management platform.
The application scanning module performs a security scan on an application before it goes online. It checks for problems such as virus or Trojan infection, traces the permissions the application uses, and detects applications that lack a secure digital signature or whose code has not been obfuscated. This keeps the applications uploaded to the application store of the server-side management platform safe and guards against malicious modification of applications through decompilation or code injection.
The security situational awareness module performs big-data analysis over multiple factors, including the operating status, network behavior and user behavior of mobile terminal devices. It summarizes the current state and trend of all devices in the mobile terminal device network and presents the data graphically for users to view, so that security problems can be anticipated and security risks investigated at the earliest moment, preventing larger security incidents.
The application wrapping module performs code injection on, and wraps, the installation package of an application whose development is already complete. The code of the existing mobile application does not need to be modified, which saves development and maintenance costs. It provides the following functions:
1) Unified identity authentication: enforces unified authentication of the application's users by user name, password and certificate;
2) Unified single sign-on: forces all mobile applications to use secure access through time-based and application-level single sign-on;
3) Permission authorization: allows or forbids using an application, using it offline, or storing data on the device;
4) Automatic configuration: automatically configures the user name, server address and custom personal settings, without user interaction;
5) Automatic encryption: ensures that all data each application stores on the device is encrypted;
6) DLP (data leakage prevention): forbids or allows functions such as text copy and paste inside enterprise applications;
7) Dynamic policy: updates application policies dynamically;
8) Statistical reports: collects and presents in one place information such as each application's usage frequency, time and duration;
9) Selective wipe: remotely wipes selected application data without affecting the user's personal data.
The security sandbox module safeguards system data by establishing a DSA data isolation region. The DSA data isolation region is strongly encrypted; the DSA automatically scatters the data and protects it with encryption, so external programs cannot obtain any details of the data in the DSA. The DSA comprises disk partition information, a file directory table, a key safe region and an encrypted file storage area. Every file stored in the DSA is protected with a one-time random key and the AES256 encryption algorithm, and the random key is in turn encrypted with a PKI public key and stored in the key safe region, which further ensures the security of system data.
Further, the enterprise mobile device management module includes a mobile terminal device management module, a mobile terminal device application management module and a document management module.
The mobile terminal device management module provides integrated management of the managed mobile terminal devices.
The mobile terminal device application management module closely monitors the applications installed on managed mobile devices. It supports blacklist/whitelist policies, filters out all malicious programs on the blacklist, and can set permissions on the application store built into the system, allowing or forbidding installation of applications from that store. This cuts off the source of malicious programs and keeps applications legitimate and controllable.
The document management module handles centralized storage, approval, publishing, remote push and retrieval of enterprise documents. It manages content on mobile devices, ensures that internal enterprise documents are browsed securely on the mobile device and that document content is updated, and handles the distribution of enterprise documents together with permission setting and management.
The mobile terminal device management module includes a device management module, a security management module, a user management module and a policy management module. The device management module includes a mobile terminal device status monitoring and data acquisition unit, a mobile terminal device permission management unit and a mobile terminal device configuration management unit.
The security management module includes a lost mobile device location unit, a mobile device lost-contact detection unit, a lost-device data protection unit, a network security control unit and a system log management unit.
The user management module includes an identity authentication and user full-lifecycle control unit.
The policy management module includes a device/user group policy management unit and a cross-platform multi-device binding unit.
The mobile terminal device status monitoring and data acquisition unit tracks and records in detail, and raises early warnings on, the hardware information, application information and security information of mobile terminal devices, giving the system fine-grained control over mobile terminal device information.
The mobile terminal device permission management unit configures and manages the function permissions, application permissions, and security and privacy permissions of a designated user's mobile terminal device, mainly including:
1) restricting the camera, audio recording, phone calls, and sending and receiving SMS messages;
2) restricting the WiFi access type and SSID;
3) restricting use of the application store and installation of applications;
4) restricting use of a data cable;
5) restricting use of WiFi and Bluetooth;
6) restricting use of the browser and of JavaScript.
The mobile terminal device configuration management unit builds configuration policies from user account configuration information using remote management and OTA push. It is mainly used to configure WiFi, VPN, LDAP, Exchange, POP3, IMAP and APN settings, which administrators can also push directly to a designated user's terminal from the management console so that users do not have to enter them. For WiFi and VPN account types, the system pushes and configures the account automatically, so the user can connect to the wireless network and the virtual private network without knowing the password. This provides secure access while preventing users from leaking account information.
In addition, mobile device permissions can be customized per user. All configuration information is delivered in real time by wireless push, and configuration can be issued along multiple dimensions: global, group, permission, user and device.
The lost mobile device location unit locates a mobile device remotely over GPRS, 3G, 4G or WiFi and automatically plots the device's movement track, so that the movement of the mobile device and of the person using it is accurately known.
The mobile device lost-contact detection unit applies lost-contact policy control to a lost mobile device. When the mobile device is lost or cannot connect to the network, it automatically executes the corresponding lost-contact policy: it wipes specified data on the mobile device, clears the device's information and locks the device, keeping data safe while the device is out of contact and offline.
The lost-device data protection unit remotely sets a password on a lost mobile device, locks the device, and wipes system applications, system application data and personal privacy data. This protects system data and puts the data stored on the mobile device under security control as soon as the device is lost.
The network security control unit supports WiFi blacklists and whitelists for mobile devices. It restricts access to WiFi wireless networks so that mobile devices cannot join unsafe ones, and it tracks and monitors the URLs a mobile device visits and analyzes the URL records to judge the terminal's browsing behavior, thereby ensuring the Internet security of the mobile device.
The identity authentication and user full-lifecycle control unit works as follows. When a user joins the network, the system issues the user a corresponding certificate, which secures authentication between the user and the server-side management platform. The certificate has a configurable lifetime, so a time limit can be set on the user's permissions. From the moment registration completes, the user's device comes under the comprehensive management of the system, which strictly monitors and uniformly configures all status information and operations throughout the lifecycle of the device's access to the enterprise environment.
The device/user group policy management unit automatically classifies devices by their attributes; groups can be created freely for different device types and different users' devices.
It also uses role-based user management, grouping users at multiple levels by position, department and group so that they can be managed from several angles. This makes centralized, unified management of mobile devices easier for the enterprise, and different administrators can be assigned to manage different devices.
The cross-platform multi-device binding unit handles different mobile devices and mobile operating system platforms: a single user can be bound to devices of several platforms, versions and operating systems, so that the user's devices are managed in a unified, centralized way.
The system log management unit manages user logs, device logs, system alarm logs, application logs, system operation logs, application installation logs and device operation logs. Users can consult the log files to determine the current state of the system, review usage data and understand how the system is being used; an automatic log deletion policy can also be configured.
The mobile terminal device application management module includes an independent enterprise application store, an application remote distribution and wipe unit, an application blacklist/whitelist monitoring unit, an application installation statistics unit and a single-application mode unit.
The independent enterprise application store handles the upload, download and update of users' applications and the listing and delisting of programs. It gives the enterprise its own application store, so applications are distributed and managed without relying on third-party application stores.
The application remote distribution and wipe unit handles batch distribution, remote installation, remote removal, remote update and remote wipe of applications. It avoids a complicated installation process and greatly improves efficiency during batch deployment. In addition, the system can remotely uninstall applications from, and wipe data on, a mobile device, preventing leakage of the user's confidential information when a device is stolen or accidentally lost.
The application blacklist/whitelist monitoring unit restricts which applications may be installed on a mobile device. If it finds that a mobile device has installed a prohibited application, the system notifies the user or forcibly uninstalls the application, to keep the mobile device secure.
The application installation statistics unit keeps installation statistics for the applications the enterprise pushes. Users can view push records and each application's installation and push status. It raises an alert for mobile devices that have not installed a required application as stipulated and automatically pushes the application again.
The single-application mode unit locks a mobile device to one application. The application opens automatically, the user cannot exit it, and no application other than the one in single-application mode can be used.
The document management module includes a mobile device enterprise cloud storage unit, a mobile device private cloud storage unit, a document security management unit, a document management unit and a document policy management unit.
The mobile device enterprise cloud storage unit stores and manages enterprise documents on the mobile device; enterprise documents are published and shared by synchronizing downloads with the enterprise cloud storage unit.
The mobile device private cloud storage unit handles the upload, download and storage of private documents.
The document security management unit manages the files stored in the mobile device enterprise cloud storage unit and the mobile device private cloud storage unit. It manages enterprise documents and personal documents in a unified way while keeping enterprise data and personal data physically isolated. Files are encrypted in transit with a high-strength encryption algorithm to control the risk of document leakage. The system integrates a file browser that supports the Word, PPT, PDF, JPG, TXT, MP4, MP3 and AVI formats; documents uploaded to the system cannot be opened in a third-party browser, which prevents their content from leaking if a document is lost.
The document management unit distributes files in the enterprise cloud to the mobile terminals of designated target users, providing unified delivery and sharing of enterprise documents, and allows the delivered files to be viewed.
The document policy management unit applies policy management to enterprise documents, setting management policies for functions such as document sharing and copying so that the enterprise can manage its documents.
The push module includes a mobile mail push management unit and a mobile notification push management unit.
The mobile mail push management unit ensures the security of pushed mail content and mail attachments. It supports the IMAP, Exchange and POP3 mail protocols, and during push it can encrypt both the mail channel and the mail files, protecting the transmitted mail content and attachments.
The mobile notification management unit is used by the server-side management platform to issue notifications to the mobile terminal, including publishing enterprise notification messages and sending and receiving files and content. It supports files in multiple media formats such as text, pictures, video, Word and PPT, and in transit both the file transmission channel and the file data itself can be encrypted.
Further, the mobile terminal includes a user login module, a security center management module, a device information management module, a memory management unit, an application management unit, an application store, a message center unit, a document center management unit and a mail management module.
The user login module lets the user log in on the mobile terminal and establishes the communication connection with the server-side management platform. The user registers through the registration URL in the notification mail pushed by the mobile mail push management unit and then logs in with the registered user name and password; the user can also log in with the QR code sent by the mobile mail push management unit.
The security center management module monitors the security of the mobile device and performs full and quick scans for viruses, Trojans and malicious code, together with vulnerability scanning and patching, to keep the mobile device secure.
The device information management module displays the mobile device's basic information, detailed hardware information, CPU information and hardware feature information.
The memory management unit manages the mobile device's memory. It shows the currently remaining memory, the device's memory, the memory used by applications, the memory used by the system and the free memory, and can clear or optimize memory.
The application management unit manages the applications on the mobile device.
The application store is used to download applications published by the enterprise and third-party applications.
The message center unit is used to view the enterprise messages and attachments that the enterprise pushes to the user. When information pushed by an administrator arrives at the mobile terminal, the preset information disappears and the newly received information is displayed.
The document center management unit manages enterprise documents and personal documents. It effectively separates the user's enterprise and personal documents and protects the user's personal documents, while supporting the download and local management of enterprise documents.
The mail management module manages and displays the pushed mail sent by the server-side management platform.
Further, the security center management module includes a quick scan unit, a full scan unit, a real-time monitoring unit, a threat reminder unit, an operation record unit and a virus database upgrade unit.
The quick scan unit performs a quick virus scan of the mobile device.
The full scan unit performs a full scan of the mobile device's storage, SD card and storage directories. A full scan can perform binary scanning and intelligent threat analysis on all files in the system. If a virus or threat is found when the scan completes, the system records and saves the result; the user can tap the details to view the virus type and the attributes of the infected file, and can choose how to handle the virus.
The real-time monitoring unit monitors the mobile device in real time to keep the running environment secure.
The threat reminder unit promptly alerts the user to threats to the mobile device so that the user can deal with them in time.
The operation record unit records the scan information for the viruses that have been found, for later review.
The virus database upgrade unit upgrades the virus database online to keep the running environment secure.
Further, the multiple detection items include: detecting whether privileges have been escalated on the mobile terminal device, whether prohibited applications are installed, whether the operating system version is compliant, whether application versions are compliant, whether the SIM card is an authorized SIM card, whether the geofence policy is satisfied, and whether the time fence is satisfied.
Further, the time fence controls the mobile device by setting a permitted time range of use; outside that time range the system cannot be used. The geofence policy controls the mobile device by geographic latitude; outside that range the system cannot be used.
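An added example, not code from the patent, of how the detection items listed above combine with the time fence and the geofence into one admission decision. The field names, the circular geofence given by a centre and radius, and the sample values are assumptions; it goes slightly beyond the text by handling a time fence that wraps past midnight.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"time"
)

type Version [3]int // major, minor, patch

// Posture is what the device agent reports. All names here are constructed.
type Posture struct {
	Rooted   bool               // privilege escalation (root or jailbreak) detected
	OS       Version            // operating system version
	Apps     map[string]Version // installed package -> version
	SIM      string             // identifier of the inserted SIM card
	Lat, Lon float64            // reported position, degrees
	AtUnix   int64              // time of the access request, Unix seconds
}

// Policy is the admission policy held by the management platform.
type Policy struct {
	MinOS                            Version
	BlockedApps                      map[string]bool
	MinApp                           map[string]Version // minimum version per managed app
	AuthorizedSIMs                   map[string]bool
	FenceLat, FenceLon, FenceRadiusM float64        // circular geofence (an assumption)
	OpenMin, CloseMin                int            // time fence, minutes after local midnight
	Zone                             *time.Location // zone in which the time fence is defined
}

func older(a, b Version) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// distanceM is the great-circle (haversine) distance in metres.
func distanceM(lat1, lon1, lat2, lon2 float64) float64 {
	rad := func(deg float64) float64 { return deg * math.Pi / 180 }
	sLat, sLon := math.Sin(rad(lat2-lat1)/2), math.Sin(rad(lon2-lon1)/2)
	a := sLat*sLat + math.Cos(rad(lat1))*math.Cos(rad(lat2))*sLon*sLon
	return 2 * 6371000 * math.Asin(math.Sqrt(a))
}

// inTimeFence also handles windows that wrap past midnight, e.g. 22:00-06:00.
func inTimeFence(unix int64, p Policy) bool {
	t := time.Unix(unix, 0).In(p.Zone)
	m := t.Hour()*60 + t.Minute()
	if p.OpenMin <= p.CloseMin {
		return m >= p.OpenMin && m < p.CloseMin
	}
	return m >= p.OpenMin || m < p.CloseMin
}

// Evaluate runs every detection item; an empty result means the device is admitted.
func Evaluate(d Posture, p Policy) []string {
	v := []string{}
	check := func(bad bool, name string) {
		if bad {
			v = append(v, name)
		}
	}
	check(d.Rooted, "rooted")
	check(older(d.OS, p.MinOS), "os-version")
	for name, ver := range d.Apps {
		floor, pinned := p.MinApp[name]
		check(p.BlockedApps[name], "blocked-app:"+name)
		check(pinned && older(ver, floor), "app-version:"+name)
	}
	check(!p.AuthorizedSIMs[d.SIM], "sim")
	check(distanceM(d.Lat, d.Lon, p.FenceLat, p.FenceLon) > p.FenceRadiusM, "geofence")
	check(!inTimeFence(d.AtUnix, p), "time-fence")
	sort.Strings(v) // map iteration order is random; keep the report stable
	return v
}

// Sample returns a constructed compliant device and a constructed policy.
func Sample() (Posture, Policy) {
	zone := time.FixedZone("UTC+8", 8*3600)
	at := time.Date(2018, 10, 18, 9, 30, 0, 0, zone).Unix() // 09:30 local
	d := Posture{OS: Version{10, 0, 0}, SIM: "SIM-0001", Lat: 23.1301, Lon: 113.2601,
		Apps: map[string]Version{"com.example.mail": {2, 3, 1}}, AtUnix: at}
	p := Policy{MinOS: Version{9, 0, 0}, Zone: zone, OpenMin: 8 * 60, CloseMin: 20 * 60,
		BlockedApps:    map[string]bool{"com.example.sideloader": true},
		MinApp:         map[string]Version{"com.example.mail": {2, 1, 0}},
		AuthorizedSIMs: map[string]bool{"SIM-0001": true},
		FenceLat:       23.13, FenceLon: 113.26, FenceRadiusM: 500}
	return d, p
}

func main() {
	d, p := Sample()
	fmt.Println("violations:", Evaluate(d, p))
}
```

Returning the full list of violations rather than a single allow/deny value is what makes the fine-grained handling of non-compliant devices possible: the platform can react differently to a stale application than to an escalated device.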
Further, the mobile terminal applies to mobile terminal devices on the Android and iOS platforms.
The beneficial effects of the invention are:
1. The system comprises a mobile terminal and a server-side management platform. The mobile terminal client connects to the server-side management platform over the Internet, so the platform manages mobile devices as a whole. The platform includes a mobile terminal threat defense management module, an enterprise mobile device management module and a push module. The mobile terminal threat defense management module scans the mobile device for viruses, applies security admission policies, and uses the security sandbox module to keep the mobile device secure. The enterprise mobile device management module protects the mobile device and its applications and documents, and if a mobile device is lost, deleting its files or changing its login password further protects confidential enterprise documents. The system can also locate a lost mobile device and plot its movement track. Users can set security policies such as the time fence and geofence policies to protect mobile devices and enterprise files.
2. The system can send files to enterprise employees through the mail and notification push modules. Because files are viewed in the built-in browser and both the channel over which a file is sent and the file attachment are encrypted, the security of pushed files is further ensured.
3. Providing an enterprise cloud storage unit and a private cloud storage unit further separates enterprise documents from personal documents, which is practical and convenient for unified management.
4. The system has its own independent application store, and applications are security-checked before they are listed, which ensures that applications are safe.
5. The mobile terminal provides a security center, a document center management unit and a mail management module, further ensuring the security of documents on the mobile terminal; the system has good application prospects.
Detailed description of the invention
Fig. 1 is structural framing figure of the invention.
Specific embodiment
Specific embodiments of the present invention will be further explained with reference to the accompanying drawing:
As shown in Fig. 1, a mobile device safety management system includes a mobile terminal and a server-side management platform. The mobile terminal is communicatively connected to the server-side management platform over the internet. The server-side management platform includes a mobile terminal threat defense management module, an enterprise mobile device management module, and a push module. Before use, the user logs in to the server-side management platform with an account to manage mobile terminals in a unified way;
The mobile terminal threat defense management module provides overall protection against security threats to, and security problems of, mobile terminal devices;
The enterprise mobile device management module performs integrated management of managed mobile terminal devices, of the applications installed on managed mobile device terminals, and of the data files on the mobile device terminals and the server-side management platform;
The push module is used by the server-side management platform to push messages to the mobile terminal.
Further, the mobile terminal threat defense management module includes a mobile antivirus module, a security admission module, an application scan module, a security situation awareness module, an application wrapping module, and a security sandbox module.
The mobile antivirus module uses dual-engine antivirus technology to scan mobile terminal devices and their applications for viruses, trojans, and malicious code and to remove them, prevents users from installing applications with poor security, and performs virus scanning, vulnerability scanning, and patch repair on the system.
The security admission module audits the mobile terminal devices managed by the server-side management platform. Using multiple detection items together with time fence and geofence policies, it controls mobile terminal device access and applies fine-grained policy control to non-compliant mobile terminal devices, so that unsafe mobile terminal devices cannot run on the server-side management platform. The detection items include: whether the mobile terminal device has had its privileges escalated, whether a prohibited application is installed, whether the operating system version is compliant, whether application versions are compliant, whether the SIM card is an authorized SIM card, whether the geofence policy is satisfied, and whether the time fence is satisfied.
The time fence controls the mobile device by setting a permitted time range of use; outside that time range the system cannot be used. The geofence policy controls the mobile device by geographic latitude; outside that range the system cannot be used.
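The admission decision described above combines the seven detection items with the time fence and the geofence. The following Go program is an added example, not code from the patent or its applicant: the type and field names, the bounding-box geofence, the version encoding, and all sample values are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// V packs major.minor.patch into one comparable integer.
func V(major, minor, patch int) int { return major*1_000_000 + minor*1_000 + patch }

// Posture is what a device reports when it requests access (assumed fields).
type Posture struct {
	PrivilegeEscalated bool
	Apps               map[string]int // installed package -> version
	OS                 int
	SIM                string
	HasFix             bool // false when the device has no location fix
	Lat, Lon           float64
	At                 time.Time
}

// Policy holds the settings behind the seven detection items (assumed layout).
type Policy struct {
	BannedApps                     map[string]bool
	MinOS                          int
	MinApp                         map[string]int
	AuthorizedSIMs                 map[string]bool
	MinLat, MaxLat, MinLon, MaxLon float64
	Zone                           *time.Location
	Days                           map[time.Weekday]bool
	StartMin, EndMin               int // minutes after local midnight; Start > End crosses midnight
}

// InTimeFence evaluates the window in the policy's time zone, not the device's.
func (p Policy) InTimeFence(t time.Time) bool {
	l := t.In(p.Zone)
	m, day := l.Hour()*60+l.Minute(), l.Weekday()
	if p.StartMin <= p.EndMin {
		return p.Days[day] && m >= p.StartMin && m < p.EndMin
	}
	if m >= p.StartMin { // evening part of an overnight window
		return p.Days[day]
	}
	// The early-morning part belongs to the window that opened the day before.
	return m < p.EndMin && p.Days[(day+6)%7]
}

// Evaluate returns the failed detection items, sorted; an empty result admits the device.
func Evaluate(p Policy, d Posture) []string {
	var failed []string
	check := func(ok bool, item string) {
		if !ok {
			failed = append(failed, item)
		}
	}
	check(!d.PrivilegeEscalated, "privilege-escalated")
	for name, ver := range d.Apps {
		check(!p.BannedApps[name], "banned-app:"+name)
		floor, pinned := p.MinApp[name]
		check(!pinned || ver >= floor, "app-version:"+name)
	}
	check(d.OS >= p.MinOS, "os-version")
	check(p.AuthorizedSIMs[d.SIM], "sim-unauthorized")
	// Fail closed: a device with no location fix is treated as outside the fence.
	check(d.HasFix && d.Lat >= p.MinLat && d.Lat <= p.MaxLat &&
		d.Lon >= p.MinLon && d.Lon <= p.MaxLon, "geofence")
	check(p.InTimeFence(d.At), "time-fence")
	sort.Strings(failed)
	return failed
}

// SamplePolicy and SampleDevice return constructed values for the demonstration.
func SamplePolicy() Policy {
	return Policy{
		BannedApps:     map[string]bool{"com.example.game": true},
		MinOS:          V(12, 0, 0),
		MinApp:         map[string]int{"com.example.mail": V(2, 1, 0)},
		AuthorizedSIMs: map[string]bool{"SIM-0001": true},
		MinLat:         23.0, MaxLat: 23.3, MinLon: 113.1, MaxLon: 113.5,
		Zone: time.FixedZone("UTC+8", 8*3600),
		Days: map[time.Weekday]bool{time.Monday: true, time.Tuesday: true, time.Wednesday: true, time.Thursday: true, time.Friday: true},
		StartMin: 8*60 + 30, EndMin: 18 * 60, // 08:30 to 18:00
	}
}

func SampleDevice(at time.Time) Posture {
	return Posture{
		Apps: map[string]int{"com.example.mail": V(2, 3, 1)}, OS: V(13, 1, 0),
		SIM: "SIM-0001", HasFix: true, Lat: 23.13, Lon: 113.26, At: at,
	}
}

func main() {
	monday := time.Date(2024, 3, 4, 2, 0, 0, 0, time.UTC) // 10:00 Monday in UTC+8
	fmt.Println("monday:", Evaluate(SamplePolicy(), SampleDevice(monday)))
	fmt.Println("saturday:", Evaluate(SamplePolicy(), SampleDevice(monday.AddDate(0, 0, 5))))
}
```

The time fence is evaluated on the server in the policy's zone, so changing the device clock or time zone does not move the window, and an overnight window is attributed to the day on which it opened.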
The application scan module performs a security scan on an application before it goes online. It checks for problems the application may have, such as infection by viruses or trojans, tracking of the application's permission usage, lack of a secure digital signature, and application code that has not been obfuscated. This ensures the security of applications uploaded to the application store of the server-side management platform and prevents malicious modification of applications by decompilation, code injection, or similar means.
The security situation awareness module performs big-data analysis on multiple factors, including the operating status, network behavior, and user behavior of mobile terminal devices. It summarizes the current state and trend of all devices in the current mobile terminal device network and presents the data graphically for the user to view, so that security problems are anticipated at the earliest moment, hidden risks are investigated, and larger security incidents are prevented.
The application wrapping module performs code injection and wrapping on application installation packages whose development is already complete. The code of the existing mobile terminal application does not need to be modified, which saves development and maintenance costs. It provides the following functions:
1) Unified identity authentication: enforce a unified method of authenticating the user's identity to applications by user name, password, and certificate;
2) Unified single sign-on: enforce time-based and application-level single sign-on for secure access to all mobile applications;
3) Permission grant: allow or prohibit using an application, using an application offline, or storing data on the device;
4) Automatic configuration: automatically configure the user name, server address, and personalized settings related to custom data, without user interaction;
5) Automatic encryption: ensure that all data each application stores on the device is encrypted;
6) DLP data leakage prevention: prohibit/allow functions such as text copy/paste within enterprise applications;
7) Dynamic policy: update application policies dynamically;
8) Statistical reports: collect, and display in one place, information such as each application's usage frequency, time, and duration;
9) Selective wipe: remotely and selectively wipe certain application data without affecting the user's personal data.
The security sandbox module protects the security of system data by establishing a DSA data isolation area. The DSA data isolation area is strongly encrypted; the DSA automatically scatters and encrypts data, and external programs cannot obtain any details of the data in the DSA. The DSA comprises disk partition information, a file directory table, a key safe area, and an encrypted file storage area. Every file stored in the DSA is protected with a one-time random key and the AES256 encryption algorithm, and the random key is in turn encrypted with a PKI public key and stored in the secure key safe area, which further protects system data.
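The key handling described for the DSA (a random key per file with AES256, with that key encrypted under a PKI public key and kept in the key safe area) is envelope encryption. The following Go program is an added example, not the patent's implementation: the GCM mode, RSA-OAEP key wrapping, the `Store` layout, and the binding of the file name to both ciphertexts are assumptions, since the description names only AES256 and a PKI public key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Store models two DSA regions named in the description: the key safe area
// and the encrypted file storage area. The layout is an assumption.
type Store struct {
	pub     *rsa.PublicKey
	keySafe map[string][]byte // file name -> file key wrapped with the public key
	files   map[string][]byte // file name -> nonce || AES-256-GCM ciphertext
}

func NewStore(pub *rsa.PublicKey) *Store {
	return &Store{pub: pub, keySafe: map[string][]byte{}, files: map[string][]byte{}}
}

// NewKeyPair stands in for the PKI; a deployment would take the public key from a certificate.
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Put encrypts one file under a fresh random key and stores the wrapped key.
func (s *Store) Put(name string, plaintext []byte) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	defer func() { // best-effort wipe of the plaintext file key
		for i := range key {
			key[i] = 0
		}
	}()
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// The file name is the GCM associated data and the OAEP label, so a
	// ciphertext or wrapped key moved to another entry fails to open.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, s.pub, key, []byte(name))
	if err != nil {
		return err
	}
	s.files[name] = gcm.Seal(nonce, nonce, plaintext, []byte(name))
	s.keySafe[name] = wrapped
	return nil
}

// Get unwraps the file key with the private key and decrypts the file.
func (s *Store) Get(name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, blob := s.keySafe[name], s.files[name]
	if wrapped == nil || blob == nil {
		return nil, errors.New("no such file")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, []byte(name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("truncated ciphertext")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(name))
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	s := NewStore(&priv.PublicKey)
	_ = s.Put("plan.docx", []byte("constructed sample document"))
	out, err := s.Get("plan.docx", priv)
	fmt.Printf("%q %v\n", out, err)
	s.files["plan.docx"][20] ^= 1 // simulate tampering in the file storage area
	_, err = s.Get("plan.docx", priv)
	fmt.Println("after tamper:", err)
}
```

Because only the public key is needed to store a file, the component that writes into the isolation area never has to hold the private key that can read it back.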
The enterprise mobile device management module includes a mobile terminal device management module, a mobile terminal device application management module, and a document management module. The mobile terminal device management module performs integrated management of managed mobile terminal devices. The mobile terminal device application management module closely monitors the applications installed on managed mobile devices, supports blacklist/whitelist policies, filters out all malicious programs on the blacklist, and can set permissions for the application store that ships with the system, allowing or forbidding installation of applications from that store; this blocks the source of malicious programs and keeps applications legitimate and controllable. The document management module handles centralized storage, approval, publication, remote push, and document retrieval management of enterprise documents; it provides content management for mobile devices, ensures secure browsing of internal enterprise documents on mobile devices and the updating of document content, and implements distribution, permission setting, and management of enterprise documents.
The mobile terminal device management module includes a device management module, a security management module, a user management module, and a policy management module. The device management module includes a mobile terminal device status monitoring and data acquisition unit, a mobile terminal device permission management unit, and a mobile terminal device configuration management unit;
The security management module includes a mobile device loss positioning unit, a mobile device lost-contact detection unit, a device loss data protection unit, a network security control unit, and a system log management unit;
The user management module includes an identity authentication and user full-life-cycle control unit;
The policy management module includes a device/user group policy management unit and a cross-platform multi-device binding unit;
The mobile terminal device status monitoring and data acquisition unit tracks and records in detail the hardware information, application information, and security information of mobile terminal devices and raises early warnings, giving the system fine-grained control over mobile terminal device information;
The mobile terminal device permission management unit configures and manages the function permissions, application permissions, and security and privacy permissions of a designated user's mobile terminal device, mainly including:
1) Restricting the camera, audio recording, phone calls, and sending and receiving of short messages;
2) Restricting the WiFi access type and SSID;
3) Restricting use of the application store and restricting installation of applications;
4) Restricting use of the data cable;
5) Restricting use of the WIFI and Bluetooth functions;
6) Restricting use of the browser and restricting use of Javascript;
The mobile terminal device configuration management unit uses remote management of user account configuration information and OTA push to establish various configuration policies, mainly for configuring WiFi, VPN, LDAP, Exchange, POP3, IMAP, and APN. Administrators can also push configurations directly to a designated user's terminal through back-end operations, so that the user does not have to enter them. For WiFi and VPN account types, the system automatically pushes and configures the account, and the user can connect to the wireless network and the virtual private network without knowing the password, which provides secure access while preventing the user from leaking account information;
In addition, mobile device permissions can be customized per user. All configuration information is delivered in real time by wireless push, and configurations can be issued along multiple dimensions: global, group, permission, user, and device;
The mobile device loss positioning unit remotely locates the mobile device via GPRS, 3G, 4G, or WiFi and intelligently plots the device's movement track, so that the movement of the mobile device and of the person using it can be tracked accurately;
The mobile device lost-contact detection unit applies lost-contact policy control to a lost mobile device. When the mobile device is lost or cannot connect to the network, the corresponding lost-contact policy is executed automatically: wiping specified data, clearing mobile device information, and locking the mobile device, which keeps data secure while the device is offline after contact is lost;
The device loss data protection unit performs remote password setting, device locking, wiping of system applications, wiping of system application data, and wiping of personal private data on a lost mobile device to protect system data, applying security controls to the data stored on the mobile device as soon as the device is lost;
The network security control unit supports WIFI blacklists and whitelists for mobile devices. It restricts access to WIFI wireless networks so that mobile devices cannot join unsafe WIFI wireless networks, and it tracks and monitors the URLs the mobile device visits; by analyzing the URL records it assesses the mobile terminal's browsing behavior, thereby securing the mobile device's internet access;
The identity authentication and user full-life-cycle control unit works as follows: when a user joins the network, the system issues the user a corresponding certificate. The certificate guarantees identity authentication between the user and the server-side management platform and has a configurable life cycle, which can be used to set the time limit on the user's permissions. From the moment registration completes, the user comes under the comprehensive management of the system, which strictly monitors and uniformly configures all status information and operations throughout the life cycle of the user's device access to the enterprise environment;
The device/user group policy management unit automatically classifies devices by their attributes; groups can be freely created for different device types and different users' devices. It uses a role-based user management mechanism, grouping users at multiple levels by position, department, and group so that users are managed from multiple angles. This makes centralized, unified management of mobile devices easier for the enterprise, which can assign different administrators to manage different devices;
The cross-platform multi-device binding unit handles different mobile devices and mobile operating system platforms: a single user can be bound to devices of multiple platforms/versions/operating systems, giving unified, centralized management of a user's multiple devices;
The system log management unit manages user logs, device logs, system alarm logs, application logs, system operation logs, application installation logs, and device operation logs. It lets users consult log files to determine the current state of the system, observe usage-related data, and understand how the system is being used; an automatic log deletion policy can also be configured.
The mobile terminal device application management module includes an independent enterprise application store, an application remote distribution and wipe unit, an application blacklist/whitelist monitoring unit, an application installation statistics unit, and an application single-app mode unit;
The independent enterprise application store handles upload, download, and update of the user's applications and the listing and delisting of programs. It gives the user an application store of their own, so that application distribution and management do not depend on third-party application stores;
The application remote distribution and wipe unit handles batch distribution, remote installation, remote removal, remote update, and remote wipe of applications. It avoids complicated installation procedures and greatly improves efficiency during batch deployment. In addition, the system can remotely uninstall applications and wipe data on a mobile device, to prevent leakage of the user's confidential information when a mobile device is stolen or accidentally lost;
The application blacklist/whitelist monitoring unit restricts which applications may be installed on the mobile device. If a mobile device is found to have installed a prohibited application, the system notifies the user or forcibly uninstalls it, to keep the mobile device secure;
The application installation statistics unit collects installation statistics for applications pushed by the enterprise. Users can view the push records and, for each application, its installation status and push status. Mobile devices that have not installed a required application as specified are flagged with an alert, and the application is automatically pushed a second time;
The application single-app mode unit locks the mobile device to one application. That application opens automatically, the user cannot exit it, and the user cannot use any application other than the single-app-mode program.
The document management module includes a mobile device enterprise cloud storage unit, a mobile device private cloud storage unit, a document security management unit, a document management unit, and a document policy management unit;
The mobile device enterprise cloud storage unit stores and manages enterprise documents on the mobile device; publication and sharing of enterprise documents are achieved by synchronized download from the enterprise cloud storage unit;
The mobile device private cloud storage unit handles upload, download, and storage of private documents;
The document security management unit manages the files stored in the mobile device enterprise cloud storage unit and the mobile device private cloud storage unit. It provides unified management of enterprise and personal documents while ensuring physical isolation of enterprise data from personal data. During upload and transmission, documents are encrypted with a high-strength encryption algorithm to control the risk of document leakage. The system integrates a file browser supporting the Word, PPT, PDF, JPG, TXT, MP4, MP3, and AVI formats; documents uploaded to the system cannot be opened with a third-party browser, which prevents content leakage if a document is lost;
The document management unit distributes files in the enterprise cloud to the mobile terminals of designated target users, providing unified publication and sharing of enterprise documents, and allows the issued files to be viewed;
The document policy management unit applies policy management to enterprise documents, setting management policies for document sharing and copy functions, which makes it easier for the enterprise to manage documents.
The push module includes a mobile mail push management unit and a mobile notification push management unit. The mobile mail push management unit ensures the security of pushed mail content and mail attachments. It supports the following mail protocols: IMAP, Exchange, and POP3. During push, both the mail channel and the mail documents can be encrypted, which protects the transmitted mail content and attachments;
The mobile notification management unit is used by the server-side management platform to issue notifications to the mobile terminal, including publication of enterprise notification messages and the sending and receiving of files and content. It supports files in multiple media formats, including text, pictures, video, Word, and PPT, and during transmission both the file transmission channel and the file data itself can be encrypted.
The mobile terminal may be a mobile terminal device on the Android platform or the iOS platform. The mobile terminal includes a user login module, a security center management module, a device information management module, a memory management unit, an application management unit, an application store, a message center unit, a document center management unit, and a mail management module;
The user login module lets the user log in on the mobile terminal and establishes the communication connection with the server-side management platform. Using the registration URL in the notification mail pushed by the mobile mail push management unit, the user logs in with the registered user name and password; the user can also log in with the QR code sent by the mobile mail push management unit;
The security center management module performs security monitoring of the mobile device, carries out full scans and quick scans for viruses, trojans, and malicious code, and performs vulnerability scanning and patch repair, to keep the mobile device secure;
The device information management module displays the mobile device's basic information, detailed hardware information, CPU information, and hardware feature information;
The memory management unit manages the mobile device's memory. It shows the currently remaining memory, device memory, memory used by applications, memory used by the system, and free memory, and can clear or optimize memory;
The application management unit manages the applications on the mobile device;
The application store is used to download applications published by the enterprise and third-party applications;
The message center unit is for viewing the enterprise messages and attachments the enterprise pushes to the user. When a message pushed by an administrator to the mobile terminal is received, the preset information disappears and the newly received message is displayed;
The document center management unit manages enterprise documents and personal documents, effectively separating the user's enterprise and personal documents and protecting the user's personal documents, while handling download of enterprise documents and local management of enterprise documents;
The mail management module manages and displays the pushed mail sent by the server-side management platform.
The security center management module includes a quick scan unit, a full scan unit, a real-time monitoring unit, a threat reminder unit, an operation record unit, and a virus database upgrade unit;
The quick scan unit performs a quick virus scan of the mobile device;
The full scan unit performs a full scan of the mobile device's storage, SD card, and storage directories. A full scan can perform binary scanning of all files in the system and intelligent threat analysis. After the scan completes, if a virus or threat is found, the system records and saves the scan result; the user can tap Details to view the virus type and the attributes of the infected file, and can take the corresponding action against the virus;
The real-time monitoring unit monitors the mobile device in real time to keep the running environment secure;
The threat reminder unit promptly alerts the user to threats to the mobile device, so that the user can deal with them in time;
The operation record unit records the scan information for the viruses that were found and removed, for later review;
The virus database upgrade unit upgrades the virus database online to keep the running environment secure.
The above embodiments and description only illustrate the principle and preferred embodiment of the invention. Various changes and improvements may be made to the invention without departing from its spirit and scope, and these changes and improvements all fall within the scope of the claimed invention.

Claims (10)

1. A mobile device safety management system, characterized in that it comprises a mobile terminal and a server-side management platform, the mobile terminal being communicatively connected to the server-side management platform over the internet, and the server-side management platform comprising a mobile terminal threat defense management module, an enterprise mobile device management module, and a push module;
The mobile terminal threat defense management module provides overall protection against security threats to, and security problems of, mobile terminal devices;
The enterprise mobile device management module performs integrated management of managed mobile terminal devices, of the applications installed on managed mobile device terminals, and of the data files on the mobile device terminals and the server-side management platform;
The push module is used by the server-side management platform to push messages to the mobile terminal.
2. The mobile device safety management system according to claim 1, characterized in that the mobile terminal threat defense management module comprises a mobile antivirus module, a security admission module, an application scan module, a security situation awareness module, an application wrapping module, and a security sandbox module;
The mobile antivirus module uses dual-engine antivirus technology to scan mobile terminal devices and their applications for viruses, trojans, and malicious code and to remove them, prevents users from installing applications with poor security, and performs virus scanning, vulnerability scanning, and patch repair on the system;
The security admission module audits the mobile terminal devices managed by the server-side management platform; using multiple detection items together with time fence and geofence policies, it controls mobile terminal device access and applies fine-grained policy control to non-compliant mobile terminal devices, so that unsafe mobile terminal devices cannot run on the server-side management platform;
The application scan module performs a security scan on an application before it goes online, checking for problems the application may have, such as infection by viruses or trojans, tracking of the application's permission usage, lack of a secure digital signature, and application code that has not been obfuscated; this ensures the security of applications uploaded to the application store of the server-side management platform and prevents malicious modification of applications by decompilation, code injection, or similar means;
The security situation awareness module performs big-data analysis on multiple factors, including the operating status, network behavior, and user behavior of mobile terminal devices; it summarizes the current state and trend of all devices in the current mobile terminal device network and presents the data graphically for the user to view, so that security problems are anticipated at the earliest moment, hidden risks are investigated, and larger security incidents are prevented;
The application wrapping module performs code injection and wrapping on application installation packages whose development is already complete, without modifying the code of the existing mobile terminal application, and provides the following settings:
1) Unified identity authentication: enforce a unified method of authenticating the user's identity to applications by user name, password, and certificate;
2) Unified single sign-on: enforce time-based and application-level single sign-on for secure access to all mobile applications;
3) Permission grant: allow or prohibit using an application, using an application offline, or storing data on the device;
4) Automatic configuration: automatically configure the user name, server address, and personalized settings related to custom data, without user interaction;
5) Automatic encryption: ensure that all data each application stores on the device is encrypted;
6) DLP data leakage prevention: prohibit/allow functions such as text copy/paste within enterprise applications;
7) Dynamic policy: update application policies dynamically;
8) Statistical reports: collect, and display in one place, information such as each application's usage frequency, time, and duration;
9) Selective wipe: remotely and selectively wipe certain application data without affecting the user's personal data;
The security sandbox module protects the security of system data by establishing a DSA data isolation area; the DSA data isolation area is strongly encrypted, the DSA automatically scatters and encrypts data, and external programs cannot obtain any details of the data in the DSA; the DSA comprises disk partition information, a file directory table, a key safe area, and an encrypted file storage area; every file stored in the DSA is protected with a one-time random key and the AES256 encryption algorithm, and the random key is in turn encrypted with a PKI public key and stored in the secure key safe area, which further protects system data.
3. The mobile device safety management system according to claim 1, characterized in that the enterprise mobile device management module comprises a mobile terminal device management module, a mobile terminal device application management module, and a document management module;
The mobile terminal device management module performs integrated management of managed mobile terminal devices;
The mobile terminal device application management module closely monitors the applications installed on managed mobile devices, supports blacklist/whitelist policies, filters out all malicious programs on the blacklist, and can set permissions for the application store that ships with the system, allowing or forbidding installation of applications from that store, which blocks the source of malicious programs and keeps applications legitimate and controllable;
The document management module handles centralized storage, approval, publication, remote push, and document recycling management of enterprise documents; it provides content management for mobile devices, ensures secure browsing of internal enterprise documents on mobile devices and the updating of document content, and implements distribution, permission setting, and management of enterprise documents.
4. a kind of mobile device safety management system according to claim 3, it is characterised in that: the mobile terminal is set Standby management module includes that device management module, safety management module, user management module, plan get over management module, the equipment Management module includes mobile terminal device status monitoring and data capture unit, and mobile terminal device rights management unit is mobile Terminal equipment configuration administrative unit;
The safety management module includes that mobile device loses positioning unit, mobile device lost contact detection unit, device losses Data protection unit, network security control unit, system log management unit;
The user management module includes authentication and user's Life cycle control unit;
It includes equipment/user grouping policy management element, cross-platform multiple device binding unit that the plan, which gets over management module,;
The mobile terminal device status monitoring and data capture unit are used for the hardware information to mobile terminal device, application Program information, security information carry out detailed track record and early warning, realize system to the fine granularity of mobile terminal device information Control;
The mobile terminal device rights management unit is used for the function privilege to the mobile terminal device of designated user, application Program authority, safety and privacy authority are configured and are managed, and are specifically included that
1) camera, is limited, records, make a phone call, receiving and dispatching short message;
2) WiFi access style and SSID, are limited;
3), limitation uses application shop, limitation installation application;
4), limitation is used using data line;
5) WIFI, is limited, Bluetooth function uses;
6), limitation uses browser, and limitation uses Javascript;
The mobile terminal device configuration management unit is used to remotely manage user account configuration information and to establish multiple configuration policies by OTA push, mainly for configuring WiFi, VPN, LDAP, Exchange, POP3, IMAP and APN; administrators can also push a configuration directly to a designated user's terminal through a background operation, so that the user does not have to enter it; in addition, for WiFi and VPN account types, the system automatically pushes and configures the account, so the user can connect to the wireless network and the virtual private network without knowing the password, which achieves secure access while preventing the user from leaking account information;
In addition, mobile device permissions can be customized for different users; all configuration information is delivered by wireless push and issued in real time, and can be configured and issued along multiple dimensions: global, group, permission, user and device;
The mobile device loss positioning unit is used to remotely locate the mobile device via GPRS, 3G, 4G or WiFi and to plot the device's movement track intelligently, so as to accurately follow the movements of the mobile device and of the person using it;
The mobile device lost-contact detection unit is used to apply lost-contact policy control to a lost mobile device: when the mobile device is lost or cannot connect to the network, the corresponding device lost-contact policy is executed automatically to erase specified data, clear mobile device information and lock mobile device operation, guaranteeing data security while the device is offline after contact is lost;
The device loss data protection unit is used to remotely set a password on the lost mobile device, lock the mobile device, erase system applications, erase system application data and erase personal privacy data, safeguarding system data security by bringing the data stored on the mobile device under security control as soon as the device is lost;
The network security control unit supports WiFi blacklists and whitelists for mobile devices, which are used to control and restrict secure access to WiFi wireless networks and to prevent mobile devices from connecting to unsafe WiFi wireless networks; it also tracks and monitors the URLs the mobile device visits and, by recording and analyzing those URLs, assesses the Internet behavior of the mobile terminal, thereby ensuring the online security of the mobile device;
The identity authentication and user full-life-cycle control unit is used so that, when a user accesses the network, the system generates a corresponding certificate for the user; the certificate guarantees identity authentication between the user and the server-side management platform and has a configurable life cycle, so the time limit of the user's permissions can be set; once registration is complete, the user device comes under the comprehensive management of the system, and the system strictly monitors and uniformly manages the configuration of all status information and operations throughout the life cycle of the user device's access to the corporate environment;
The device/user grouping policy management unit is used to classify devices automatically according to the different attributes of the mobile devices, and to freely create groups for different device types and different user devices;
It also adopts a role-based user management mechanism that groups users at multiple levels by position, department and group, managing users from multiple angles; this makes it convenient for the enterprise to manage mobile devices centrally and uniformly, and the enterprise can assign different administrators to manage different devices;
The cross-platform multi-device binding unit is used across different mobile devices and mobile operating system platforms: a single user can be bound to devices of multiple platforms/versions/operating systems, achieving unified, centralized management of a user's multiple devices;
The system log management unit is used to manage user logs, device logs, system alarm logs, application logs, system operation logs, application installation logs and device operation logs, making it convenient for users to consult log files to determine the current state of the system, observe data on user usage and understand how the system is being used; an automatic log deletion policy can also be set.
5. A mobile device safety management system according to claim 3, characterized in that: the mobile terminal device application management module includes an independent enterprise application store, an application remote distribution and erasing unit, an application blacklist/whitelist monitoring unit, an application installation statistics unit, and an application single-app mode unit;
The independent enterprise application store is used for uploading, downloading and updating users' applications and for the listing and delisting mechanism for programs, establishing the user's own application store so that applications are distributed and managed independently of third-party application stores;
The application remote distribution and erasing unit is used for batch distribution, remote installation, remote removal, remote update and remote wipe of applications, avoiding a complicated and tedious installation process and greatly improving working efficiency during batch deployment; in addition, the system can remotely uninstall applications from a mobile device and erase its data, to prevent the user's confidential information from leaking when a mobile device is stolen or accidentally lost;
The application blacklist/whitelist monitoring unit is used to restrict which applications may be installed on the mobile device; if a mobile device is found to have installed a prohibited application, the system notifies the user or forcibly uninstalls it, to guarantee the security of the mobile device;
The application installation statistics unit is used to compile installation statistics for the applications pushed by the enterprise; the user can view each application's push records, installation status and push status; mobile devices that have not installed a required application are alerted, and the application is automatically pushed a second time;
The application single-app mode unit is used to lock the mobile device to a particular application; that application opens automatically and the user cannot exit it, and the user cannot use any application other than the one in single-app mode.
6. A mobile device safety management system according to claim 3, characterized in that: the document management module includes a mobile device enterprise cloud storage unit, a mobile device private cloud storage unit, a document security management unit, a document management unit, and a document policy management unit;
The mobile device enterprise cloud storage unit is used to store and manage enterprise documents on the mobile device, and publishes and shares enterprise documents by synchronizing downloads with the enterprise cloud storage unit;
The mobile device private cloud storage unit is used for uploading, downloading and storing private documents;
The document security management unit is used to manage the files stored in the mobile device enterprise cloud storage unit and the mobile device private cloud storage unit, achieving unified management of enterprise documents and personal documents while ensuring that enterprise data and personal data are physically isolated; during upload and transmission, files are encrypted with a high-strength encryption algorithm to prevent and control the risk of document leakage; the system integrates a file browser that supports the Word, PPT, PDF, JPG, TXT, MP4, MP3 and AVI formats, and documents uploaded to the system cannot be opened by a third-party browser, which prevents content leakage if a document is lost;
The document management unit is used to distribute files in the enterprise cloud to the mobile terminals of designated target users, achieving unified delivery and sharing of enterprise documents, and allows the delivered files to be viewed;
The document policy management unit is used to apply policy management to enterprise documents, setting corresponding management policies for the document sharing and copy functions, which makes it convenient for the enterprise to manage documents.
7. A mobile device safety management system according to claim 1, characterized in that: the push module includes a mobile email push management unit and a mobile notification push management unit;
The mobile email push management unit is used to ensure the security of pushed email content and email attachments, and supports the following mail protocols: IMAP, Exchange, POP3; during push, both the mail channel and the mail documents can be encrypted, guaranteeing the security of the transmitted mail content and attachments;
The mobile notification management unit is used by the server-side management platform to issue notifications to the mobile terminal, including publishing enterprise notification messages and sending and receiving files and content; it supports files in multiple multimedia formats such as text, pictures, video, Word and PPT, and during transmission both the file transmission channel and the file data itself can be encrypted.
8. A mobile device safety management system according to claim 1, characterized in that: the mobile terminal client includes a user login module, a security center management module, a device information management module, a memory management unit, an application management unit, an application store, a message center unit, a document center management unit, and a mail management module;
The user login module is used for the user to log in on the mobile terminal and establish a communication connection with the server-side management platform; the user uses the registration URL in the notification email pushed by the mobile email push management unit and then logs in with the registered user name and password; the user can also log in with the QR code sent by the mobile email push management unit;
The security center management module is used for security monitoring of the mobile device, and performs full scan-and-removal and quick scan-and-removal of viruses, Trojans and malicious code, together with vulnerability scanning and patch repair, to guarantee the security of the mobile device;
The device information management module is used to view the mobile device's basic information, detailed hardware information, CPU information and hardware feature information;
The memory management unit is used to manage the memory of the mobile device; it can show the current remaining memory, the device's memory, the memory occupied by applications, the memory occupied by the system and the free memory, and can clear or optimize memory;
The application management unit is used to manage the applications on the mobile device;
The application store is used to download applications published by the enterprise and third-party applications;
The message center unit is used to view the enterprise messages and attachment content that the enterprise pushes to the user; after a message pushed by an administrator to the mobile terminal is received, the preset information disappears and the newly received message is displayed;
The document center management unit is used to manage enterprise documents and personal documents, effectively isolating the user's enterprise and personal documents and protecting the user's personal documents, while also downloading enterprise documents and managing them locally;
The mail management module is used to manage and view the pushed emails sent by the server-side management platform.
9. A mobile device safety management system according to claim 4, characterized in that: the multiple detection items include: detection of whether the mobile terminal device has been rooted (privilege-escalated), detection of whether prohibited applications are installed, detection of whether the operating system version is compliant, detection of whether application versions are compliant, detection of whether the SIM card is an authorized SIM card, detection of whether the geofence policy is satisfied, and detection of whether the time fence is satisfied.
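The detection items listed in claim 9, evaluated against one device report, as an added example that is not code from the patent. The policy fields, report fields, package names, ICCID and coordinates are constructed assumptions, and a field missing from the report is treated as a failed check.

```python
import math
from datetime import datetime, time

# Constructed policy: every field name and value here is an assumption.
POLICY = {
    "blocked_apps": {"com.example.sideloader"},
    "min_os_version": "10.0",
    "min_app_versions": {"com.example.corpmail": "3.2.0"},
    "authorized_iccids": {"89860000000000000001"},
    "geofence": {"lat": 23.1291, "lon": 113.2644, "radius_m": 500.0},
    "time_fence": {"start": time(8, 0), "end": time(20, 0)},
}

def ver(v):
    """Dotted numeric version as a tuple, so "9.3" < "10.0" and "3.2" == "3.2.0"."""
    parts = [int(p) for p in v.split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(a))

def in_time_fence(t, start, end):
    """True inside [start, end); start > end means the window wraps past midnight."""
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def evaluate(report, policy):
    """Return the sorted names of failed detection items ([] means compliant).
    A field missing from the report fails its check (fail closed)."""
    failed = set()
    if report.get("rooted", True):
        failed.add("rooted")
    apps = report.get("apps")
    if apps is None:
        failed.update({"violating_app", "app_version"})
    else:
        if policy["blocked_apps"].intersection(apps):
            failed.add("violating_app")
        for pkg, minimum in policy["min_app_versions"].items():
            if pkg in apps and ver(apps[pkg]) < ver(minimum):
                failed.add("app_version")
    os_v = report.get("os_version")
    if os_v is None or ver(os_v) < ver(policy["min_os_version"]):
        failed.add("os_version")
    if report.get("sim_iccid") not in policy["authorized_iccids"]:
        failed.add("sim_card")
    loc, fence = report.get("location"), policy["geofence"]
    if loc is None or distance_m(*loc, fence["lat"], fence["lon"]) > fence["radius_m"]:
        failed.add("geofence")
    ts, window = report.get("timestamp"), policy["time_fence"]
    if ts is None or not in_time_fence(ts.time(), window["start"], window["end"]):
        failed.add("time_fence")
    return sorted(failed)

# Constructed device reports (sample data, not from the patent).
COMPLIANT = {
    "rooted": False, "os_version": "12.1", "sim_iccid": "89860000000000000001",
    "apps": {"com.example.corpmail": "3.4.1"},
    "location": (23.1300, 113.2650), "timestamp": datetime(2018, 10, 18, 9, 30),
}
NON_COMPLIANT = {
    "rooted": True, "os_version": "9.3", "sim_iccid": "89860000000000000099",
    "apps": {"com.example.sideloader": "1.0", "com.example.corpmail": "3.1.9"},
    "location": (23.2000, 113.2644), "timestamp": datetime(2018, 10, 18, 23, 15),
}

if __name__ == "__main__":
    print(evaluate(COMPLIANT, POLICY))
    print(evaluate(NON_COMPLIANT, POLICY))
```

Comparing versions as tuples rather than strings matters here: a plain string comparison would rank OS version "9.3" above "10.0" and pass an out-of-date device.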
10. A mobile device safety management system according to claim 8, characterized in that: the security center management module includes a quick scan unit, a full scan unit, a real-time monitoring unit, a threat reminder unit, an operation record unit, and a virus database upgrade unit;
The quick scan unit is used to perform quick scan-and-removal of viruses on the mobile device;
The full scan unit is used to fully scan the mobile device's storage, SD card and storage directories; a full scan can perform binary scanning and intelligent threat analysis on all files in the system; after the scan completes, if a virus or threat is found, the system records and saves the scan result, and the user can tap the details to view the virus type and the attributes of the infected files, and can take the corresponding handling action against the virus;
The real-time monitoring unit is used to monitor the mobile device in real time, to guarantee the security of the running environment;
The threat reminder unit is used to promptly remind the user of threats to the mobile device, so that the user handles them in time;
The operation record unit is used to record the scan information for the viruses that were scanned and removed, for convenient later review;
The virus database upgrade unit is used to upgrade the virus database online, to ensure the security of the running environment.
CN201811213329.0A 2018-10-18 2018-10-18 Mobile device safety management system Active CN109460660B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811213329.0A CN109460660B (en) 2018-10-18 2018-10-18 Mobile device safety management system

Publications (2)

Publication Number Publication Date
CN109460660A true CN109460660A (en) 2019-03-12
CN109460660B CN109460660B (en) 2022-04-08

Family

ID=65607808

Country Status (1)

Country Link
CN (1) CN109460660B (en)

Also Published As

Publication number Publication date
CN109460660B (en) 2022-04-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant