CN109842600A - Method for realizing mobile office, terminal device and MDM device - Google Patents


Publication number
CN109842600A
Authority
CN
China
Legal status
Granted
Application number
CN201711226652.7A
Other languages
Chinese (zh)
Other versions
CN109842600B
Inventor
王鑫
王国栋
鲁青
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Group Shanxi Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Group Shanxi Co Ltd


Abstract

Embodiments of the present invention provide a method for realizing mobile office, a terminal device and an MDM device, to solve the technical problem in the prior art that security is low when realizing mobile office. When login information entered by the terminal user for a login operation on the MDM module is detected, the login information and the hardware identification information of the terminal device are sent to the MDM device, the login information having been determined from the user identity information of the terminal user; the check result obtained by the MDM device after performing an identity check on the terminal user based on the login information and the hardware identification information is received; if the check result shows that the identity check of the terminal user has passed, the login is completed and the VPN unit is started based on the SIM module to realize mobile office.

Description

Method for realizing mobile office, terminal device and MDM device
Technical field
The present invention relates to the field of computer technology, and in particular to a method for realizing mobile office, a terminal device and an MDM device.
Background technique
With the continuous development of science and technology, office work is becoming more and more convenient. Using mobile information software on a mobile phone, an enterprise software application system interconnecting the mobile phone and the computer can be established, allowing office workers to handle business-related matters at any time and in any place and to communicate with and manage the company wherever they are, thereby realizing mobile office.
In the prior art, a Virtual Private Network (VPN) client and an enterprise Office Automation (OA) client are usually installed on the mobile terminal. When the enterprise OA client needs to be logged in to, the VPN client must first be opened and logged in to with a username and password; after verification passes, the connection to the VPN server succeeds. Then the enterprise OA client is opened and, after logging in with a username and password, the content of the OA client can be accessed, realizing the function of mobile office.
The above prior-art scheme has the following defects:
One: with the development of mobile telework, government system data is presented on mobile intelligent terminals. Compared with the security protection level of a data center, the general security defense level of a mobile terminal is lower. Mobile intelligent terminals are easy to carry and easy to lose, which can lead to the leakage of sensitive information and poses a great threat to data security. In addition, mobile terminals are easily used by others without authorization, creating the risk of copying, downloading or printing internal sensitive data. Furthermore, some users of access units use their own devices to access the external network instead of the specially allocated devices; this greatly reduces the reliability of the system, and the mixing of office and personal applications introduces security risks, causing data loss or device function failure. When a user accesses the external-network business system by way of remote access, important data is easily leaked, intentionally or unintentionally, which is a great hidden danger to information security.
Two: external-network access users reach the business systems of the government external network from the internet environment through Wireless Fidelity (WiFi), 3G/4G or Access Point Name (APN) networks; the transmission channel is the public internet, whose security is low, and data may be intercepted, attacked or tampered with, causing security risks to the access channel. Devices and applications serve as the business display carriers; if a device or application carries a virus or trojan, the virus or trojan may spread automatically during device and application access, posing a great threat to the security of the external network and possibly causing a data leakage risk to the external network.
Three: most current mobile office clients open the VPN connection by installing a separate VPN client and using a username and password. Once the username and password are leaked or stolen, there is the problem of malicious access by unauthorized users. Moreover, a user can perform remote VPN access with the username and password from any terminal on which a VPN client is installed, which causes great security risks to the entire mobile office system.
In summary, the prior art has the technical problem that security is low when realizing mobile office.
Summary of the invention
Embodiments of the present invention provide a method for realizing mobile office, a terminal device and an MDM device, to solve the technical problem in the prior art that security is low when realizing mobile office.
First aspect
Embodiments of the present invention provide a method for realizing mobile office, applied to a terminal device, the terminal device including a mobile device management (MDM) module and a subscriber identity module (SIM), the MDM module being integrated with a Virtual Private Network (VPN) unit, and the terminal device being communicatively connected to an MDM device through the MDM module; the method includes:
when login information entered by the terminal user for a login operation on the MDM module is detected, sending the login information and the hardware identification information of the terminal device to the MDM device, the login information being determined from the user identity information of the terminal user;
receiving the check result obtained by the MDM device after performing an identity check on the terminal user based on the login information and the hardware identification information;
if the check result shows that the identity check of the terminal user has passed, completing the login and starting the VPN unit based on the SIM module to realize mobile office.
In one possible implementation, before sending the login information and the hardware identification information of the terminal device to the MDM device, the method further includes:
obtaining a digital certificate applied for by the terminal user, the digital certificate being used to establish a VPN channel between the VPN unit and the VPN platform;
writing the digital certificate into the SIM module.
In one possible implementation, starting the VPN unit based on the SIM module includes:
obtaining a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module based on the data packet, and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving the response result of the VPN platform's verification of the authentication data;
starting the VPN unit based on the response result.
In one possible implementation, after completing the login and starting the VPN unit to realize mobile office, the method further includes:
determining the operation log of the MDM module, wherein the operation log includes a plurality of business operation records of the terminal user on the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the user name of the terminal user and the operation time;
sending the operation log to the MDM device based on a predetermined period.
Second aspect
Embodiments of the present invention provide another method for realizing mobile office, applied to an MDM device communicatively connected to a terminal device; the method includes:
receiving the login information and the hardware identification information of the terminal device sent by the terminal device, the login information being determined from the user identity information of the terminal user;
checking the login information and the hardware identification information based on a preset correspondence, determining the identity of the terminal user, and obtaining a check result, wherein the preset correspondence indicates a one-to-one relationship between login information and hardware identification information;
sending the check result to the terminal device, so that the terminal device completes the login and starts the VPN based on the check result to realize mobile office.
In one possible implementation, before checking the login information and the hardware identification information based on the preset correspondence and determining the identity of the terminal user, the method further includes:
obtaining the user identity information entered by the terminal user;
generating and storing the login information based on the user identity information, and binding the login information to the hardware identification information of the terminal device of the terminal user, to determine the preset correspondence.
In one possible implementation, checking the login information and the hardware identification information based on the preset correspondence, determining the identity of the terminal user and obtaining the check result includes:
determining, based on the preset correspondence, whether the login information matches the hardware identification information, and obtaining the check result, the check result indicating that the identity check of the terminal user has passed or failed.
In one possible implementation, if the number of failed identity checks is greater than a preset check count, the method further includes:
sending a lock instruction to the terminal device, so that the terminal device, after receiving the lock instruction, executes the lock instruction to lock the terminal device.
In one possible implementation, after sending the check result to the terminal device, the method further includes:
obtaining and storing the operation log sent by the terminal device, wherein the operation log includes a plurality of business operation records of the terminal user on the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the user name of the terminal user and the operation time;
when a query operation indicating a query for a target business record is detected, determining the business operation record corresponding to the query operation from the operation log based on the query operation, and returning it.
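The MDM-side procedure of the second aspect (bind login information to exactly one device, require both halves to match, send a lock instruction once the failure count exceeds the preset check count, store and query the operation log), as an added Python model that is not part of the patent. The class and method names, the salted hashing of the password half of the login information, and all sample values are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Binding:
    """One row of the preset correspondence: a user's login secret bound to one device."""
    salt: bytes
    pw_hash: bytes
    hardware_id: str      # hardware identification reported by the terminal, e.g. "IMEI|IMSI"
    failures: int = 0     # consecutive failed identity checks for this user
    locked: bool = False


def _hash_pw(password: str, salt: bytes) -> bytes:
    # Assumption: the password half of the login information is stored salted and hashed;
    # the patent only says the login information is generated and stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class MdmDevice:
    """Hypothetical MDM-side model: register/bind, check, lock, store and query logs."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures          # the patent's "preset check count"
        self.bindings: dict[str, Binding] = {}    # username -> Binding
        self.hw_owner: dict[str, str] = {}        # hardware_id -> username (one-to-one)
        self.op_log: list[dict] = []

    def register(self, username: str, password: str, hardware_id: str) -> None:
        """Generate/store login information and bind it to one device (the preset correspondence)."""
        if username in self.bindings or hardware_id in self.hw_owner:
            raise ValueError("username or hardware id is already bound")
        salt = secrets.token_bytes(16)
        self.bindings[username] = Binding(salt, _hash_pw(password, salt), hardware_id)
        self.hw_owner[hardware_id] = username

    def check(self, username: str, password: str, hardware_id: str) -> dict:
        """Identity check: the login information AND the bound hardware id must both match.

        Returns the check result plus whether a lock instruction is to be sent."""
        b = self.bindings.get(username)
        if b is None:
            _hash_pw(password, secrets.token_bytes(16))   # same cost for unknown users
            return {"passed": False, "lock": False}
        if b.locked:
            return {"passed": False, "lock": True}
        pw_ok = hmac.compare_digest(_hash_pw(password, b.salt), b.pw_hash)
        hw_ok = hmac.compare_digest(hardware_id.encode(), b.hardware_id.encode())
        if pw_ok and hw_ok:
            b.failures = 0
            return {"passed": True, "lock": False}
        # A correct password from an unbound device still fails: the stolen-credential case
        # the background section describes.
        b.failures += 1
        if b.failures > self.max_failures:
            b.locked = True
        return {"passed": False, "lock": b.locked}

    def store_log(self, records: list[dict]) -> int:
        """Store the operation log the terminal reports each period; returns the stored count."""
        self.op_log.extend(dict(r) for r in records)
        return len(self.op_log)

    def query(self, **target) -> list[dict]:
        """Return the business operation records matching every field of the query."""
        return [r for r in self.op_log if all(r.get(k) == v for k, v in target.items())]
```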
The third aspect
Embodiments of the present invention provide a terminal device communicatively connected to an MDM device, the terminal device including:
an MDM module, integrated with a Virtual Private Network (VPN) unit, configured to, when login information entered by the terminal user for a login operation on the MDM module is detected, send the login information and the hardware identification information of the terminal device to the MDM device, the login information being determined from the user identity information of the terminal user;
a receiving module, configured to receive the check result obtained by the MDM device after performing an identity check on the terminal user based on the login information and the hardware identification information;
a processing module, configured to, if the check result shows that the identity check of the terminal user has passed, complete the login and start the VPN unit based on the SIM module to realize mobile office.
In one possible implementation, the MDM module is further configured to:
before sending the login information and the hardware identification information of the terminal device to the MDM device, obtain a digital certificate applied for by the terminal user, the digital certificate being used to establish a VPN channel between the VPN unit and the VPN platform;
write the digital certificate into the SIM module.
In one possible implementation, the processing module is configured to:
obtain a data packet from the VPN platform through the VPN unit;
determine authentication data from the SIM module based on the data packet, and send the authentication data to the VPN platform, the authentication data including the digital certificate;
receive the response result of the VPN platform's verification of the authentication data;
start the VPN unit based on the response result.
In one possible implementation, the processing module is further configured to:
after completing the login and starting the VPN unit to realize mobile office, determine the operation log of the MDM module, wherein the operation log includes a plurality of business operation records of the terminal user on the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the user name of the terminal user and the operation time;
send the operation log to the MDM device based on a predetermined period.
Fourth aspect
Embodiments of the present invention provide an MDM device communicatively connected to a terminal device, the MDM device including:
a receiving module, configured to receive the login information and the hardware identification information of the terminal device sent by the terminal device, the login information being determined from the user identity information of the terminal user;
a processing module, configured to check the login information and the hardware identification information based on a preset correspondence, determine the identity of the terminal user and obtain a check result, wherein the preset correspondence indicates a one-to-one relationship between login information and hardware identification information;
a sending module, configured to send the check result to the terminal device, so that the terminal device completes the login and starts the VPN based on the check result to realize mobile office.
In one possible implementation, the processing module is further configured to:
before checking the login information and the hardware identification information based on the preset correspondence and determining the identity of the terminal user, obtain the user identity information entered by the terminal user;
generate and store the login information based on the user identity information, and bind the login information to the hardware identification information of the terminal device of the terminal user, to determine the preset correspondence.
In one possible implementation, the processing module is further configured to:
determine, based on the preset correspondence, whether the login information matches the hardware identification information, and obtain the check result, the check result indicating that the identity check of the terminal user has passed or failed.
In one possible implementation, the sending module is further configured to:
if the number of failed identity checks is greater than a preset check count, send a lock instruction to the terminal device, so that the terminal device, after receiving the lock instruction, executes the lock instruction to lock the terminal device.
In one possible implementation, the receiving module is further configured to:
after the check result is sent to the terminal device, obtain and store the operation log sent by the terminal device, wherein the operation log includes a plurality of business operation records of the terminal user on the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the user name of the terminal user and the operation time;
when a query operation indicating a query for a target business record is detected, determine the business operation record corresponding to the query operation from the operation log based on the query operation, and return it.
Fifth aspect
Embodiments of the present invention provide a computer apparatus, the computer apparatus including:
at least one processor, and
a memory and a communication interface communicatively connected to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, performs the method of the first aspect or the second aspect using the communication interface.
Sixth aspect
Embodiments of the present invention provide a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method of the first aspect or the second aspect.
One or more of the above technical solutions have at least the following technical effects or advantages:
First, the method for realizing mobile office of the embodiments of the present invention is applied to a terminal device. In this method, when login information entered by the terminal user for a login operation on the MDM module is detected, the login information and the hardware identification information of the terminal device are sent to the MDM device; then the check result obtained by the MDM device after performing an identity check on the terminal user based on the login information and the hardware identification information is received; if the check result shows that the identity check of the terminal user has passed, the login is completed and the VPN unit is started based on the SIM module to realize mobile office. This solves the technical problem in the prior art that security is low when realizing mobile office, and improves the security of the terminal device when performing mobile office.
Second, in the embodiments of the present invention, when the MDM device receives the login information and the hardware identification information of the terminal device sent by the terminal device, it can check the login information and the hardware identification information based on the preset correspondence to determine the identity of the terminal user and obtain a check result, and then send the check result to the terminal device, so that the terminal device completes the login and starts the VPN based on the check result to realize mobile office, which improves the security of terminal device login.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings required in the embodiments are briefly described below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 is the overall technical architecture diagram of the design scheme in an embodiment of the present invention;
Fig. 2 is a flow diagram of a method for realizing mobile office in an embodiment of the present invention;
Fig. 3 is a flow diagram of starting the VPN unit based on the SIM module in an embodiment of the present invention;
Fig. 4 is a flow diagram of another method for realizing mobile office in an embodiment of the present invention;
Fig. 5 is a module diagram of the terminal device in an embodiment of the present invention;
Fig. 6 is a module diagram of the MDM device in an embodiment of the present invention;
Fig. 7 is a module diagram of the computer apparatus in an embodiment of the present invention.
Detailed description of the embodiments
To make the purposes, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings in the embodiments.
In the embodiments of the present invention, the Mobile Device Management (MDM) module can integrate the VPN unit, and the OA office application can be pushed and installed by way of the security management platform, providing a secure and reliable mobile OA platform.
Some terms used in the embodiments are first introduced below so that those skilled in the art can follow them.
Mobile office: a mobile e-government system (Mobile E-government System), in which a terminal device can access the application systems of the office system through a wireless network anytime and anywhere to work online.
MDM device: can provide a terminal device with management over its entire life cycle, from registration and activation through use to retirement, such as configuration management, security management and asset management of the terminal device.
VPN: Virtual Private Network, which establishes a private communication line between two or more enterprise intranets located in different places by means of special encrypted communication protocols. The VPN in the embodiments of the present invention may be a Secure Sockets Layer (SSL) VPN or the like.
The overall technical architecture of the design scheme in the embodiments is then briefly described below.
Referring to Fig. 1, which is the overall technical architecture diagram of the design scheme in an embodiment of the present invention: the terminal device can be communicatively connected to the government network through a VPN channel, wherein the terminal device may include an MDM module and a SIM module, and the MDM module may integrate a VPN unit, a Mobile Application Management (MAM) unit, a Mobile Content Management (MCM) unit and so on, realizing functions such as identity identification, data storage, security protection and runtime environment isolation.
The government network may include the MDM device, which may integrate the functions of the MAM platform and the MCM platform, realizing functions such as an access authentication gateway and an application front-end.
The terminal device may be a mobile phone, a laptop, a tablet or the like; the communication network of the VPN channel may be a cellular network, the internet or a dedicated network, a local area network, WiFi, WLAN Authentication and Privacy Infrastructure (WAPI) and so on; under the government network there may be modules such as a firewall, access authentication and an application front-end, as well as mobile application systems and government affairs systems.
Based on the above overall framework, the embodiments of the present invention provide a method for realizing mobile office: when login information entered by the terminal user for a login operation on the MDM module is detected, the login information and the hardware identification information of the terminal device are sent to the MDM device; then the check result obtained by the MDM device after performing an identity check on the terminal user based on the login information and the hardware identification information is received; if the check result shows that the identity check of the terminal user has passed, the login is completed and the VPN unit is started based on the SIM module to realize mobile office. This solves the technical problem in the prior art that security is low when realizing mobile office, and improves the security of the terminal device when performing mobile office.
Preferred embodiments of the present invention are described in detail below with reference to the drawings.
Embodiment one
Referring to Fig. 2, an embodiment of the present invention provides a method for realizing mobile office, which can be applied to a terminal device; the implementation process of the method can be described as follows:
S201: when login information entered by the terminal user for a login operation on the MDM module is detected, send the login information and the hardware identification information of the terminal device to the MDM device, the login information being determined from the user identity information of the terminal user;
S202: receive the check result obtained by the MDM device after performing an identity check on the terminal user based on the login information and the hardware identification information;
S203: if the check result shows that the identity check of the terminal user has passed, complete the login and start the VPN unit based on the SIM module to realize mobile office.
In the embodiment of the present invention, the terminal device can obtain the digital certificate applied for by the terminal user and store it in a specified directory of the terminal device; the specified directory can be set by the terminal user. Then, the terminal device can write the digital certificate into the SIM module of the terminal device through the certificate writing function of the MDM module.
Specifically, a digital certificate technique based on SIM shield storage is used: the SIM shield application is loaded in the SIM/USIM module (hereinafter SIM), provides secure storage capacity and computing power to the outside, can store the user's private key and user certificate information, and can perform operations such as public/private key pair generation, RSA encryption and decryption, signing/signature verification and hash computation. The government affairs user first needs to download the certificate to local storage; when the government affairs terminal starts, the SIM shield application can be called to write the certificate into the local SIM module, realizing secure storage of the certificate.
Because the MDM module is used, the terminal device has mobile terminal device management functions, and the terminal device can be remotely controlled on the MDM device side, realizing functions such as locating the terminal device, pushing applications, messages and files, remote data wiping, and binding the device to the user.
The terminal user can open an account on the MDM device side and enter user identity information, such as ID card number, mobile phone number and personal related data. According to the user identity information, the MDM device can create login information, such as a username and password, that can be used on the terminal device side to log in to the MDM module. The MDM device can then deliver the login information to the terminal device by SMS, e-mail or the like.
Then S201 can be entered: when the terminal device detects login information entered by the terminal user for a login operation on the MDM module, it can send the login information and the hardware identification information of the terminal device to the MDM device, wherein the hardware identification information may include the International Mobile Equipment Identity (IMEI) code, the International Mobile Subscriber Identity (IMSI) code and the like.
IMEI: an "electronic serial number" consisting of 15 digits, corresponding one-to-one with each terminal device and unique worldwide. Each terminal device is assigned a globally unique number after assembly is completed; this number is recorded by the manufacturer from production through delivery for use.
IMSI: an identifier distinguishing terminal users, stored in the SIM module, which can be used as valid information to distinguish terminal users.
After sending the login information and the hardware identification information to the MDM device, S202 is entered: receive the check result sent by the MDM device after checking the terminal user based on the login information and the hardware identification information. That is, the MDM device can verify the legitimacy of the terminal user according to the login information and hardware identification information reported by the terminal device, and at the same time can bind the hardware identification information of the terminal device to the terminal user.
In S203, if the check result received by the terminal device shows that the identity check of the terminal user has passed, the login to the MDM module can be completed and the VPN unit started based on the SIM module to realize mobile office.
In one possible implementation, referring to Fig. 3, the process of starting the VPN unit based on the SIM module can be described as follows:
S301: obtain a data packet from the VPN platform through the VPN unit, wherein the data packet may include the interaction data of the connection authentication request; then enter S302;
S302: determine authentication data from the SIM module based on the data packet, and send the authentication data to the VPN platform, the authentication data including the digital certificate;
S303: receive the response result of the VPN platform's verification of the authentication data;
S304: establish the VPN channel based on the response result to start the VPN unit.
Because in the embodiment of the present invention the MDM module is integrated with the VPN unit, the digital certificate is stored in the SIM module, and the VPN module establishes a secure connection with the remote server by certificate authentication, financial-grade authentication security is ensured, with a security level far higher than the traditional username-and-password authentication. Moreover, the SIM-based VPN unit start scheme simplifies the terminal user's operation of establishing the VPN, improving the usability and security of the VPN.
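The S301 to S304 exchange above, as an added Python illustration that is not from the patent: the VPN platform's data packet carries a fresh random challenge, the SIM module signs it with a private key that never leaves the SIM, and the platform checks the certificate against the CA before checking the challenge signature, so a terminal holding only the certificate (or replaying an old answer) cannot start the VPN. Textbook RSA on fixed small primes stands in for the SIM shield's real RSA so the block runs with the standard library alone; every class, function and key value here is constructed and not secure for real use.

```python
from __future__ import annotations

import hashlib
import json
import secrets

# Toy textbook RSA on fixed primes: illustrative only, key sizes are NOT secure.
E = 65537


def make_key(p: int, q: int) -> dict:
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key: dict, data: bytes) -> int:
    return pow(_digest(data, key["n"]), key["d"], key["n"])


def verify(n: int, data: bytes, sig: int) -> bool:
    return pow(sig, E, n) == _digest(data, n)


def issue_cert(ca_key: dict, subject: str, user_n: int) -> dict:
    """Constructed stand-in for the user's digital certificate: public key signed by the CA."""
    body = {"subject": subject, "n": user_n, "e": E}
    return {"body": body, "ca_sig": sign(ca_key, json.dumps(body, sort_keys=True).encode())}


class SimModule:
    """Models the SIM shield: holds private key and certificate; only signing is exposed."""

    def __init__(self, key: dict, cert: dict):
        self._key = key
        self.cert = cert

    def sign_challenge(self, challenge: bytes) -> int:
        return sign(self._key, challenge)


class VpnPlatform:
    """Models the VPN platform side of S301-S304 (hypothetical names)."""

    def __init__(self, ca_n: int):
        self.ca_n = ca_n
        self.pending: dict[str, bytes] = {}   # session id -> outstanding challenge

    def connect_request(self, session_id: str) -> bytes:
        """S301: the data packet handed to the terminal carries a fresh random challenge."""
        nonce = secrets.token_bytes(16)
        self.pending[session_id] = nonce
        return nonce

    def authenticate(self, session_id: str, cert: dict, signature: int) -> dict:
        """S303: verify the certificate against the CA, then the signature over this session's nonce."""
        nonce = self.pending.pop(session_id, None)   # each challenge is usable once: no replay
        if nonce is None:
            return {"ok": False, "reason": "no pending challenge"}
        body = json.dumps(cert["body"], sort_keys=True).encode()
        if not verify(self.ca_n, body, cert["ca_sig"]):
            return {"ok": False, "reason": "certificate not issued by trusted CA"}
        if not verify(cert["body"]["n"], nonce, signature):
            return {"ok": False, "reason": "challenge signature invalid"}
        return {"ok": True, "user": cert["body"]["subject"]}


def start_vpn(sim: SimModule, platform: VpnPlatform, session_id: str) -> dict:
    """Terminal-side flow: S301 fetch packet, S302 sign inside the SIM, S303 get result, S304 start."""
    nonce = platform.connect_request(session_id)                     # S301
    signature = sim.sign_challenge(nonce)                            # S302: key never leaves SIM
    result = platform.authenticate(session_id, sim.cert, signature)  # S303
    result["vpn_started"] = result["ok"]                             # S304: channel only on success
    return result
```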
In one possible implementation, after the login is completed and the VPN unit is started to realize mobile office, the terminal device can determine the operation log of the MDM module, where the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the username of the terminal user and the operating time;
The operation log is sent to the MDM device on the basis of a predetermined period.
That is, all business operation records on the terminal device side are completely recorded and periodically sent to the MDM device for storage, and the enterprise administrator can track the access situation on the terminal device side from the operation log at any time in order to guard against risks.
In conclusion, the one or more technical solutions of the embodiments of the present invention have at least the following technical effects or advantages:
First, the method for realizing mobile office of the embodiment of the present invention is applied to a terminal device. In this method, when login information with which the terminal user performs a login operation for the MDM module is detected, the login information and the hardware identification information of the terminal device are sent to the MDM device; then the check result obtained after the MDM device checks the identity of the terminal user on the basis of the login information and the hardware identification information is received; and if the check result shows that the identity check of the terminal user has passed, the login is completed and the VPN unit is started on the basis of the SIM module to realize mobile office. This solves the technical problem of low security when realizing mobile office in the prior art, and improves the security of the terminal device when performing mobile office.
Second, since the terminal device includes the MDM module, the terminal device has mobile terminal device management functions, and the terminal device can be remotely controlled from the MDM device side, realizing functions such as locating the terminal device, delivering applications, messages and files, remote data erasure, and device-to-user binding.
Third, VPN secure access is carried out over a VPN channel built on the digital certificate stored in the SIM module, ensuring the transmission security of the terminal device when accessing the government network from a public wireless network.
Fourth, since the terminal device side, upon detecting the login information of the terminal user, sends the login information and the hardware identification information of the terminal device to the MDM device for user identity authentication, and login is allowed only after the check passes, only the specified terminal user is allowed to log in to the MDM module on the currently active terminal device; login from another location or simultaneous login from multiple terminal devices is prohibited, which improves the security of login.
Embodiment two
Referring to Fig. 4, another method for realizing mobile office of the embodiment of the present invention can be applied to an MDM device, where the MDM device can be communicatively connected with the terminal device. Since the terminal device can be communicatively connected with the MDM device through the MDM module, the MDM device can remotely control the terminal device and, by remotely controlling it, can perform functions such as device locking, unlocking, device positioning, device ringing, data erasure, factory reset, and releasing the SIM module binding of the terminal device.
The implementation process of the method can be described as follows:
S401: the login information sent by the terminal device and the hardware identification information of the terminal device are received; the login information is determined by the user identity information of the terminal user;
S402: the login information and the hardware identification information are checked on the basis of a preset correspondence to determine the identity of the terminal user, and a check result is obtained, where the preset correspondence indicates a one-to-one relationship between login information and hardware identification information;
S403: the check result is sent to the terminal device, so that the terminal device completes the login on the basis of the check result and starts the VPN to realize mobile office.
The MDM device can obtain the user identity information that the terminal user provides when opening an account, such as ID card number, phone number and related personal data. According to the user identity information, the MDM device can create the login information that can be used to log in to the MDM module on the terminal device side, such as a username and password. The MDM device can then deliver the login information to the terminal device by SMS, e-mail or similar means.
At the same time, the MDM device can store the login information and bind the login information of the terminal user with the hardware identification information of the terminal device, so as to determine the preset correspondence.
In S401, the MDM device can receive the login information sent by the terminal device and the hardware identification information of the terminal device, and then proceeds to S402.
The MDM device can check the login information and the hardware identification information according to the preset correspondence, determine the identity of the terminal user, and obtain the check result, where the preset correspondence indicates a one-to-one relationship between login information and hardware identification information.
In one possible implementation, the MDM device can determine, according to the preset correspondence, whether the login information matches the hardware identification information, and obtain a check result indicating that the identity check of the terminal user has passed or failed.
Then, in S403, the MDM device feeds the check result back to the terminal device, so that the terminal device can complete the login to the MDM module according to the check result and start the VPN unit on the basis of the SIM module to realize mobile office.
In one possible implementation, to avoid the problem of data loss caused by the terminal device being lost, if the MDM device determines that the number of failures of the terminal user's identity check is greater than a preset check count, it can send a lock instruction to the terminal device, so that the terminal device executes the lock instruction after receiving it and locks the terminal device.
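The MDM-side check of S401 to S403 together with the lock instruction just described, as an added example that is not code from the patent or from the applicants: the preset correspondence is a table binding each username to exactly one hardware identifier, the login information is held as a salted PBKDF2 hash rather than in clear, a mismatch on either the credentials or the device counts as a failed identity check, and a failure counter issues a lock instruction once the preset check count is exceeded. The threshold value, the hash parameters, the command names and the sample identifiers are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Added example: MDM-side identity check against the login/hardware-id binding,
# with a failure counter that issues a lock instruction. The threshold, hash
# parameters, command names and identifiers are constructed for the example.

MAX_FAILURES = 3   # the patent's "preset check count"; the value is an assumption


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the MDM store never holds plaintext login information."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Binding:
    """One entry of the preset correspondence: a login identity bound to one device."""
    salt: bytes
    pw_hash: bytes
    hardware_id: str
    failures: int = 0


@dataclass
class MdmServer:
    bindings: dict = field(default_factory=dict)       # username -> Binding
    locked_devices: set = field(default_factory=set)   # hardware ids under lock
    sent_commands: list = field(default_factory=list)  # (hardware_id, command)

    def enroll(self, username: str, password: str, hardware_id: str) -> None:
        """Account opening: create the login information and bind it to the device."""
        salt = os.urandom(16)
        self.bindings[username] = Binding(salt, _hash_password(password, salt), hardware_id)

    def check(self, username: str, password: str, hardware_id: str) -> dict:
        """S402/S403: check login information and hardware id, return the check result."""
        if hardware_id in self.locked_devices:
            return {"result": "fail", "reason": "device locked"}
        b = self.bindings.get(username)
        if b is None:
            # One generic failure, so the response does not reveal whether the user exists.
            return {"result": "fail", "reason": "check failed"}
        pw_ok = hmac.compare_digest(b.pw_hash, _hash_password(password, b.salt))
        dev_ok = hmac.compare_digest(b.hardware_id.encode(), hardware_id.encode())
        if pw_ok and dev_ok:
            b.failures = 0
            return {"result": "pass"}
        # Wrong credentials, or a login attempt from a device other than the bound one:
        # both are identity-check failures in the sense of the patent.
        b.failures += 1
        result = {"result": "fail", "reason": "check failed"}
        if b.failures > MAX_FAILURES:
            # Failure count exceeds the preset check count: issue the lock instruction
            # to the device that made the attempt.
            self.locked_devices.add(hardware_id)
            self.sent_commands.append((hardware_id, "LOCK"))
            result["lock"] = True
        return result

    def unlock(self, hardware_id: str) -> None:
        """Administrator-side unlock; the patent lists unlocking among the MDM functions."""
        self.locked_devices.discard(hardware_id)
        self.sent_commands.append((hardware_id, "UNLOCK"))


if __name__ == "__main__":
    m = MdmServer()
    m.enroll("alice", "correct horse battery", "HWID-CONSTRUCTED-0001")
    print(m.check("alice", "correct horse battery", "HWID-CONSTRUCTED-0001"))
    print(m.check("alice", "correct horse battery", "HWID-CONSTRUCTED-0002"))
```

The second call in the usage block is the case the patent's fourth advantage describes: correct credentials presented from a device other than the bound one are rejected, so the same login cannot be used from a second terminal.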
In one possible implementation, after sending the check result to the terminal device, the method may further include: obtaining and storing the operation log sent by the terminal device, where the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the username of the terminal user and the operating time;
When a query operation indicating a query for a target business record is detected, the business operation record corresponding to the query operation is determined from the operation log on the basis of the query operation, and is fed back.
In practical applications, the MDM device can obtain the operation log sent by the terminal device periodically or at fixed times, and then save these operation logs.
When the MDM device detects a query operation, for example an enterprise administrator entering the terminal device ID of a terminal user or the username of the terminal user on the MDM device, the MDM device can determine the corresponding business operation records from the stored operation log according to the query operation; these can then be displayed through the display unit of the MDM device for the user to view, or sent by SMS or e-mail to the terminal device corresponding to the query operation.
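The operation-log flow on both sides, covering the terminal-side collection and periodic upload of embodiment one as well as the MDM-side storage and query described here, as an added example that is not code from the patent or from the applicants: the terminal buffers business operation records carrying the factory identifier, username and operating time and hands over a batch once per period, and the MDM device stores the batches and answers queries by device or by username. The per-device sequence number, which lets the MDM side notice that a batch never arrived, is an addition of this example, as are the period, the field names and all sample records.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example: terminal-side operation log buffer with periodic upload, and
# MDM-side storage and query. Sequence numbers, the period, field names and
# all sample records are constructed for this example.


@dataclass(frozen=True)
class OperationRecord:
    seq: int           # per-device sequence number (assumed; used to spot lost batches)
    factory_id: str    # factory identifier of the terminal device
    username: str      # username of the terminal user
    operated_at: str   # operating time, ISO 8601 in UTC
    operation: str     # the business operation performed on the MDM module


class TerminalLogger:
    """Terminal side: records operations and hands over a batch once per period."""

    def __init__(self, factory_id: str, username: str, start: datetime, period_s: int = 60):
        self.factory_id, self.username = factory_id, username
        self.period = timedelta(seconds=period_s)
        self._last_flush = start
        self._seq = 0
        self._pending = []

    def record(self, operation: str, now: datetime) -> OperationRecord:
        self._seq += 1
        rec = OperationRecord(self._seq, self.factory_id, self.username,
                              now.astimezone(timezone.utc).isoformat(), operation)
        self._pending.append(rec)
        return rec

    def maybe_flush(self, now: datetime):
        """Return the batch to upload if the period has elapsed, otherwise None."""
        if now - self._last_flush < self.period:
            return None
        self._last_flush = now
        batch, self._pending = self._pending, []
        return batch


class MdmLogStore:
    """MDM side: stores uploaded batches and serves administrator queries."""

    def __init__(self):
        self._records = []
        self._last_seq = {}   # factory_id -> highest sequence number stored
        self.gaps = []        # (factory_id, last_seen, received) when records are missing

    def ingest(self, batch) -> int:
        for rec in batch:
            last = self._last_seq.get(rec.factory_id, 0)
            if rec.seq != last + 1:
                # A batch was lost in transit or never sent: worth an alert, since the
                # point of the log is that every business operation is recorded.
                self.gaps.append((rec.factory_id, last, rec.seq))
            self._last_seq[rec.factory_id] = max(last, rec.seq)
            self._records.append(rec)
        return len(batch)

    def query(self, factory_id=None, username=None):
        """Query by device id, by username, or by both, as the administrator would."""
        return [r for r in self._records
                if (factory_id is None or r.factory_id == factory_id)
                and (username is None or r.username == username)]


def demo() -> dict:
    """Constructed timeline: two uploads reach the MDM device, one is lost."""
    t0 = datetime(2017, 11, 29, 9, 0, tzinfo=timezone.utc)   # constructed clock
    term = TerminalLogger("FID-CONSTRUCTED-0001", "alice", t0, period_s=60)
    store = MdmLogStore()
    term.record("open_mail", t0 + timedelta(seconds=5))
    term.record("download_file", t0 + timedelta(seconds=20))
    early = term.maybe_flush(t0 + timedelta(seconds=30))       # period not elapsed
    first = term.maybe_flush(t0 + timedelta(seconds=60))       # two records
    store.ingest(first)
    term.record("send_mail", t0 + timedelta(seconds=70))
    lost = term.maybe_flush(t0 + timedelta(seconds=120))       # never reaches the MDM device
    term.record("logout", t0 + timedelta(seconds=130))
    store.ingest(term.maybe_flush(t0 + timedelta(seconds=180)))
    return {
        "early": early,
        "first_len": len(first),
        "lost_len": len(lost),
        "alice_total": len(store.query(username="alice")),
        "device_total": len(store.query(factory_id="FID-CONSTRUCTED-0001")),
        "gaps": store.gaps,
    }


if __name__ == "__main__":
    print(demo())
```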
The MDM device can deliver the installation package of an OA application to the terminal device by push through the established VPN channel, and the MDM device can install or uninstall a specified OA application, thereby avoiding the leakage risk that arises when OA applications are distributed or downloaded through other channels.
In conclusion, the one or more technical solutions of the embodiments of the present invention have at least the following technical effects or advantages:
First, since in the embodiment of the present invention the MDM device, on receiving the login information sent by the terminal device and the hardware identification information of the terminal device, can check the login information and the hardware identification information on the basis of the preset correspondence to determine the identity of the terminal user and obtain the check result, and then sends the check result to the terminal device so that the terminal device completes the login on the basis of the check result and starts the VPN to realize mobile office, the security of terminal device login is improved.
Second, to avoid the problem of data loss caused by the terminal device being lost, if the MDM device determines that the number of failures of the terminal user's identity check is greater than the preset check count, it can send a lock instruction to the terminal device, so that the terminal device executes the lock instruction after receiving it and locks the terminal device.
It should be noted that in practical applications, mobile office can be carried out using the method for realizing mobile office provided in embodiment one or embodiment two alone, or by combining the technical solutions of embodiment one and embodiment two; the embodiment of the present invention does not specifically limit this.
Embodiment three
Referring to Fig. 5, on the basis of the same inventive concept, the embodiment of the present invention provides a terminal device, which is communicatively connected with an MDM device and includes:
an MDM module 51, integrated with a Virtual Private Network (VPN) unit, configured to send the login information and the hardware identification information of the terminal device to the MDM device when login information with which the terminal user performs a login operation for the MDM module 51 is detected, the login information being determined by the user identity information of the terminal user;
a receiving module 52, configured to receive the check result obtained after the MDM device checks the identity of the terminal user on the basis of the login information and the hardware identification information;
a processing module 53, configured to complete the login and start the VPN unit on the basis of the SIM module to realize mobile office if the check result shows that the identity check of the terminal user has passed.
In one possible implementation, the MDM module 51 is further configured to:
before sending the login information and the hardware identification information of the terminal device to the MDM device, obtain the digital certificate applied for by the terminal user, the digital certificate being used to establish a VPN channel between the VPN unit and the VPN platform; and
write the digital certificate into the SIM module.
In one possible implementation, the processing module 53 is configured to:
obtain a data packet from the VPN platform through the VPN unit;
determine authentication data from the SIM module on the basis of the data packet, and send the authentication data to the VPN platform, the authentication data including the digital certificate;
receive the response result produced by the VPN platform verifying the authentication data; and
start the VPN unit on the basis of the response result.
In one possible implementation, the processing module 53 is further configured to:
after the login is completed and the VPN unit is started to realize mobile office, determine the operation log of the MDM module, where the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the username of the terminal user and the operating time; and
send the operation log to the MDM device on the basis of a predetermined period.
Embodiment four
Referring to Fig. 6, on the basis of the same inventive concept, the embodiment of the present invention provides an MDM device, which is communicatively connected with a terminal device and includes:
a receiving module 61, configured to receive the login information sent by the terminal device and the hardware identification information of the terminal device, the login information being determined by the user identity information of the terminal user;
a processing module 62, configured to check the login information and the hardware identification information on the basis of a preset correspondence, determine the identity of the terminal user, and obtain a check result, where the preset correspondence indicates a one-to-one relationship between login information and hardware identification information;
a sending module 63, configured to send the check result to the terminal device, so that the terminal device completes the login on the basis of the check result and starts the VPN to realize mobile office.
In one possible implementation, the processing module 62 is further configured to:
before checking the login information and the hardware identification information on the basis of the preset correspondence to determine the identity of the terminal user, obtain the user identity information entered by the terminal user; and
generate and store the login information on the basis of the user identity information, and bind the login information with the hardware identification information of the terminal device of the terminal user, so as to determine the preset correspondence.
In one possible implementation, the processing module 62 is further configured to:
determine, on the basis of the preset correspondence, whether the login information matches the hardware identification information, and obtain a check result indicating that the identity check of the terminal user has passed or failed.
In one possible implementation, the sending module 63 is further configured to:
if the number of failures of the identity check is greater than a preset check count, send a lock instruction to the terminal device, so that the terminal device executes the lock instruction after receiving it and locks the terminal device.
In one possible implementation, the receiving module 61 is further configured to:
after the check result is sent to the terminal device, obtain and store the operation log sent by the terminal device, where the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of the factory identifier of the terminal device, the username of the terminal user and the operating time; and
when a query operation indicating a query for a target business record is detected, determine the business operation record corresponding to the query operation from the operation log on the basis of the query operation, and feed it back.
Embodiment five
Referring to Fig. 7, on the basis of the same inventive concept, the embodiment of the present invention provides a computer apparatus, including at least one processor 71, and a memory 72 and a communication interface 73 communicatively connected with the at least one processor 71; Fig. 7 shows one processor 71 as an example.
The memory 72 stores instructions executable by the at least one processor 71, and the at least one processor 71, by executing the instructions stored in the memory 72, uses the communication interface 73 to perform the method described in embodiment one or embodiment two.
Embodiment six
On the basis of the same inventive concept, the embodiment of the present invention provides a computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method described in embodiment one or embodiment two.
In a specific implementation, the computer-readable storage medium includes various storage media that can store program code, such as a USB flash drive (Universal Serial Bus flash drive), a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk.
The apparatus embodiments described above are merely exemplary. The units/modules described as separate components may or may not be physically separate, and the components shown as units/modules may or may not be physical units/modules; they may be located in one place or distributed over a plurality of network units/modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment, which those of ordinary skill in the art can understand and implement without creative effort.
Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus a necessary general hardware platform, and of course also by hardware. Based on this understanding, the above technical solutions, or the part of them that contributes to the prior art, can in essence be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as ROM/RAM, a magnetic disk or an optical disk, and which includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment or in certain parts of the embodiments.
Finally, it should be noted that the above embodiments are merely intended to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, and that such modifications or replacements do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (20)

1. A method for realizing mobile office, applied to a terminal device, characterized in that the terminal device includes a mobile device management (MDM) module and a subscriber identity module (SIM module), the MDM module is integrated with a Virtual Private Network (VPN) unit, and the terminal device is communicatively connected with an MDM device through the MDM module, the method comprising:
when login information with which a terminal user performs a login operation for the MDM module is detected, sending the login information and hardware identification information of the terminal device to the MDM device, the login information being determined by user identity information of the terminal user;
receiving a check result obtained after the MDM device checks the identity of the terminal user on the basis of the login information and the hardware identification information; and
if the check result shows that the identity check of the terminal user has passed, completing the login and starting the VPN unit on the basis of the SIM module to realize mobile office.
2. The method as claimed in claim 1, characterized in that before sending the login information and the hardware identification information of the terminal device to the MDM device, the method further comprises:
obtaining a digital certificate applied for by the terminal user, the digital certificate being used to establish a VPN channel between the VPN unit and a VPN platform; and
writing the digital certificate into the SIM module.
3. The method as claimed in claim 2, characterized in that starting the VPN unit on the basis of the SIM module comprises:
obtaining a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module on the basis of the data packet, and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving a response result produced by the VPN platform verifying the authentication data; and
starting the VPN unit on the basis of the response result.
4. The method as claimed in any one of claims 1-3, characterized in that after completing the login and starting the VPN unit to realize mobile office, the method further comprises:
determining an operation log of the MDM module, wherein the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of a factory identifier of the terminal device, a username of the terminal user and an operating time; and
sending the operation log to the MDM device on the basis of a predetermined period.
5. A method for realizing mobile office, applied to an MDM device, characterized in that the MDM device is communicatively connected with a terminal device, the method comprising:
receiving login information sent by the terminal device and hardware identification information of the terminal device, the login information being determined by user identity information of a terminal user;
checking the login information and the hardware identification information on the basis of a preset correspondence, determining the identity of the terminal user, and obtaining a check result, wherein the preset correspondence indicates a one-to-one relationship between login information and hardware identification information; and
sending the check result to the terminal device, so that the terminal device completes login on the basis of the check result and starts a VPN to realize mobile office.
6. The method as claimed in claim 5, characterized in that before checking the login information and the hardware identification information on the basis of the preset correspondence and determining the identity of the terminal user, the method further comprises:
obtaining the user identity information entered by the terminal user; and
generating and storing the login information on the basis of the user identity information, and binding the login information with the hardware identification information of the terminal device of the terminal user, so as to determine the preset correspondence.
7. The method as claimed in claim 5 or 6, characterized in that checking the login information and the hardware identification information on the basis of the preset correspondence, determining the identity of the terminal user, and obtaining the check result comprises:
determining, on the basis of the preset correspondence, whether the login information matches the hardware identification information, and obtaining a check result, the check result indicating that the identity check of the terminal user has passed or failed.
8. The method as claimed in claim 7, characterized in that if the number of failures of the identity check is greater than a preset check count, the method further comprises:
sending a lock instruction to the terminal device, so that the terminal device executes the lock instruction after receiving it and locks the terminal device.
9. The method as claimed in claim 1 or 8, characterized in that after sending the check result to the terminal device, the method further comprises:
obtaining and storing an operation log sent by the terminal device, wherein the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of a factory identifier of the terminal device, a username of the terminal user and an operating time; and
when a query operation indicating a query for a target business record is detected, determining, on the basis of the query operation, the business operation record corresponding to the query operation from the operation log, and feeding it back.
10. A terminal device, characterized in that the terminal device is communicatively connected with an MDM device and comprises:
an MDM module, integrated with a Virtual Private Network (VPN) unit, configured to send login information and hardware identification information of the terminal device to the MDM device when login information with which a terminal user performs a login operation for the MDM module is detected, the login information being determined by user identity information of the terminal user;
a receiving module, configured to receive a check result obtained after the MDM device checks the identity of the terminal user on the basis of the login information and the hardware identification information; and
a processing module, configured to complete the login and start the VPN unit on the basis of a SIM module to realize mobile office if the check result shows that the identity check of the terminal user has passed.
11. The terminal device as claimed in claim 10, characterized in that the MDM module is further configured to:
before sending the login information and the hardware identification information of the terminal device to the MDM device, obtain a digital certificate applied for by the terminal user, the digital certificate being used to establish a VPN channel between the VPN unit and a VPN platform; and
write the digital certificate into the SIM module.
12. The terminal device as claimed in claim 11, characterized in that the processing module is configured to:
obtain a data packet from the VPN platform through the VPN unit;
determine authentication data from the SIM module on the basis of the data packet, and send the authentication data to the VPN platform, the authentication data including the digital certificate;
receive a response result produced by the VPN platform verifying the authentication data; and
start the VPN unit on the basis of the response result.
13. The terminal device as claimed in any one of claims 10-12, characterized in that the processing module is further configured to:
after the login is completed and the VPN unit is started to realize mobile office, determine an operation log of the MDM module, wherein the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of a factory identifier of the terminal device, a username of the terminal user and an operating time; and
send the operation log to the MDM device on the basis of a predetermined period.
14. An MDM device, characterized in that the MDM device is communicatively connected with a terminal device and comprises:
a receiving module, configured to receive login information sent by the terminal device and hardware identification information of the terminal device, the login information being determined by user identity information of a terminal user;
a processing module, configured to check the login information and the hardware identification information on the basis of a preset correspondence, determine the identity of the terminal user, and obtain a check result, wherein the preset correspondence indicates a one-to-one relationship between login information and hardware identification information; and
a sending module, configured to send the check result to the terminal device, so that the terminal device completes login on the basis of the check result and starts a VPN to realize mobile office.
15. The MDM device as claimed in claim 14, characterized in that the processing module is further configured to:
before checking the login information and the hardware identification information on the basis of the preset correspondence and determining the identity of the terminal user, obtain the user identity information entered by the terminal user; and
generate and store the login information on the basis of the user identity information, and bind the login information with the hardware identification information of the terminal device of the terminal user, so as to determine the preset correspondence.
16. The MDM device as claimed in claim 14 or 15, characterized in that the processing module is further configured to:
determine, on the basis of the preset correspondence, whether the login information matches the hardware identification information, and obtain a check result, the check result indicating that the identity check of the terminal user has passed or failed.
17. The MDM device as claimed in claim 16, characterized in that the sending module is further configured to:
if the number of failures of the identity check is greater than a preset check count, send a lock instruction to the terminal device, so that the terminal device executes the lock instruction after receiving it and locks the terminal device.
18. The MDM device as claimed in claim 14 or 17, characterized in that the receiving module is further configured to:
after the check result is sent to the terminal device, obtain and store an operation log sent by the terminal device, wherein the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of a factory identifier of the terminal device, a username of the terminal user and an operating time; and
when a query operation indicating a query for a target business record is detected, determine, on the basis of the query operation, the business operation record corresponding to the query operation from the operation log, and feed it back.
19. A computer apparatus, comprising:
at least one processor; and
a memory and a communication interface communicatively connected with the at least one processor;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, uses the communication interface to perform the method as claimed in any one of claims 1-9.
20. A computer-readable storage medium, the computer-readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the method as claimed in any one of claims 1-9.
CN201711226652.7A 2017-11-29 2017-11-29 Method for realizing mobile office, terminal equipment and MDM equipment Active CN109842600B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711226652.7A CN109842600B (en) 2017-11-29 2017-11-29 Method for realizing mobile office, terminal equipment and MDM equipment


Publications (2)

Publication Number | Publication Date
CN109842600A | 2019-06-04
CN109842600B | 2021-08-17

Family ID: 66882164


Country Status (1)

Country | Link
CN | CN109842600B (en)

Cited By (2)

(* Cited by examiner, † Cited by third party)

Publication Number | Priority Date | Publication Date | Assignee | Title
CN111651746A * | 2020-06-01 | 2020-09-11 | 支付宝(杭州)信息技术有限公司 | Login data processing method, device, equipment and system
CN114650140A * | 2020-12-21 | 2022-06-21 | 国民科技(深圳)有限公司 | Mobile terminal, server, and method of executing electronic signature

Patent Citations (6)

(* Cited by examiner, † Cited by third party)

Publication Number | Priority Date | Publication Date | Assignee | Title
CN101789968A * | 2010-01-08 | 2010-07-28 | 深圳市沟通科技有限公司 | Safe enterprise mobile working application delivery method
CN102215560A * | 2010-04-08 | 2011-10-12 | 中兴通讯股份有限公司 | Method and system for managing M2M (machine to machine) terminal
CN104754582A * | 2013-12-31 | 2015-07-01 | 中兴通讯股份有限公司 | Client and method for maintaining BYOD (Bring Your Own Device) safety
CN105743650A * | 2014-12-11 | 2016-07-06 | 卓望数码技术(深圳)有限公司 | Mobile office identity authentication method, platform and system, and mobile terminal
CN107124422A * | 2017-05-12 | 2017-09-01 | 北京明朝万达科技股份有限公司 | Terminal admission control method and system
US20170257357A1 * | 2015-08-25 | 2017-09-07 | Huawei Technologies Co., Ltd. | Data Communication Method, User Equipment, and Server



Also Published As: CN109842600B (en), 2021-08-17


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant