JP4005090B2 - Communication profile automatic distribution setting system and method, management apparatus, and program - Google Patents

Description

  The present invention relates to a communication profile automatic distribution setting system and method, a management apparatus, and a program suitable for use when using, for example, personal firewall software or IPSec software.

  In a client server system, communication setting information (hereinafter referred to as a communication profile) set in a client PC (Personal Computer) is manually input by a user for each client PC, or converted into an electronic file by a management server. The communication profile is brought into a client PC that is set using an electronic medium and the filed communication profile is manually expanded to enable communication according to the communication setting.

For example, Non-Patent Document 1 discloses a communication profile setting management method of IPsec (Security Architecture for Internet Protocol) software, and Non-Patent Document 2 discloses a personal firewall communication profile setting management method.
"IPsec", browsed March 5, 2005 <Internet URL> http://www.atmarkit.co.jp/fsecurity/hybooks/win_server_sec3/wss01-01.html "Personal firewall", browsed March 5, 2005 <Internet URL> http://pcweb.mycom.co.jp/special/2002/ipsec/007.html

According to the conventional communication profile setting management method described above, it is conceivable that the content of the communication profile that is manually input or the communication profile that has been converted to an electronic file is set or developed in another client PC. Therefore, even a client PC that is not permitted by the system administrator can access the network or the host. In this case, security problems such as information leakage and unauthorized use occur.
Further, when changing the communication profile of the set client PC, unless the above operation is performed, the setting is not changed as intended by the system administrator, and there is a problem that lacks responsiveness.

  The present invention has been made based on the above circumstances, the system administrator registers in advance a communication profile necessary for using personal firewall software, IPsec software, etc., to the management device, the management device, A terminal device performs terminal authentication based on terminal identification information sent when the terminal device is turned on, distributes a communication profile according to the result, and prompts the setting to avoid a security problem. It is another object of the present invention to provide a communication profile automatic distribution setting system and method, a management apparatus, and a program that can dynamically update a communication profile.

In order to solve the above-described problems, the present invention provides a communication profile automatic distribution setting in which a terminal device, a management device, and a server that is permitted to be accessed as a result of terminal authentication by the management device are connected via a network. In the system, the management device acquires terminal identification information from the terminal device, and sets a default communication profile in which destination information to a network permitted to communicate in an initial activation state of the terminal device is described as the terminal Storage means encrypted and stored with identification information; default communication profile transmission means for receiving the default communication profile acquisition request in the initial startup state of the terminal device and transmitting the default communication profile encrypted with the terminal identification information And the terminal device that has confirmed the setting of the default communication profile. An authentication request having a value obtained by encrypting the terminal identification information as a parameter is received, the parameter is decrypted with the terminal identification information, authentication is performed, and when the authentication is successful, a communication is possible after the terminal identification destination information is described, the corresponding dynamic communication profile, and a dynamic communication profile transmitting means for distributing transmitting, the terminal device communicates with the management device, which is distributed from the management apparatus Communication is performed with the server according to a dynamic communication profile.

In the present invention, the management device communicates with the terminal device at regular intervals, and when the access permission content of the terminal device to the server is changed, the updated device is updated. The dynamic communication profile is encrypted and distributed.

  Further, the present invention comprises a terminal device and a server that is permitted to be accessed as a result of terminal authentication by the management device via a network, and is connected to a network that is permitted to communicate in the initial startup state of the terminal device. A management device that manages a default communication profile in which destination information is described and a dynamic communication profile in which destination information to a network that can communicate after identification of the terminal device is described, and the terminal identification information from the terminal device Storage means for encrypting and storing the default communication profile with the terminal identification information, and receiving the default communication profile acquisition request in the initial startup state of the terminal device, and encrypting the default communication profile with the terminal identification information A default communication profile transmission means for transmitting a communication profile; and An authentication request having as a parameter a value obtained by encrypting the terminal identification information is received from the terminal device that has confirmed the setting of the fault communication profile, and the authentication is performed by decrypting the parameter with the terminal identification information. Dynamic communication profile transmitting means for transmitting a corresponding dynamic communication profile when successful.

The present invention also provides a communication profile automatic distribution setting method in a computer network system in which a terminal device, a management device, and a server permitted to be accessed as a result of terminal authentication by the management device are connected via a network. The management device acquires terminal identification information from the terminal device, and sets a default communication profile in which destination information to a network permitted to communicate in an initial activation state of the terminal device is described as the terminal identification information. In the process of encrypting and storing in the storage means, the default communication profile transmitting means receives the default communication profile acquisition request in the initial startup state of the terminal device, and encrypts the default communication profile encrypted with the terminal identification information. Transmission process and dynamic communication profile transmission Means for receiving an authentication request having as a parameter a value obtained by encrypting the terminal identification information from the terminal device that has confirmed the setting of the default communication profile, and performing authentication by decrypting the parameter with the terminal identification information A process of transmitting and distributing a corresponding dynamic communication profile in which destination information to a communicable network is described after the terminal identification when the authentication is successful, and the terminal device includes the management device And communicating with the server according to a dynamic communication profile distributed from the management device .

  Further, the present invention comprises a terminal device and a server that is permitted to be accessed as a result of terminal authentication by the management device via a network, and is connected to a network that is permitted to communicate in the initial startup state of the terminal device. A program used in the management device for managing a default communication profile in which destination information is described and a dynamic communication profile in which destination information to a network capable of communication after identification of the terminal device is described, the terminal device The terminal identification information is obtained from the terminal, the default communication profile is encrypted and stored with the terminal identification information, and the default communication profile acquisition request is received in the initial startup state of the terminal device, and the terminal identification information is encrypted. Processing for transmitting the default communication profile and the default communication profile An authentication request having as a parameter a value obtained by encrypting the terminal identification information is received from the terminal device that has confirmed the setting of the profile, and the parameter is decrypted with the terminal identification information for authentication, and the authentication is successful. And a process of transmitting a corresponding dynamic communication profile from time to time.

According to the present invention, the management device can identify a terminal device, distribute a communication profile suitable for the terminal device, and the terminal device can communicate with a desired partner by setting the communication profile. At this time, since the communication profile distributed by the management device is encrypted and decrypted only by the corresponding terminal device, the third party cannot use, view, or modify the communication profile. In addition, the communication profile distributed by the management device and set by the terminal device is developed in a volatile memory built in the terminal device, and the communication profile disappears when the power is turned off.
Further, according to the present invention, it is not necessary for the user or the system administrator to manually set the communication profile, so that it is freed from complicated setting work and the burden is reduced. Furthermore, the contents of the communication profile set in the terminal device can be changed immediately by the judgment of the system administrator, and a highly flexible system can be constructed.

FIG. 1 is a diagram showing a system configuration example of a communication profile automatic distribution setting system according to an embodiment of the present invention.
The communication profile automatic distribution setting system according to the embodiment of the present invention includes a terminal device 1, an in-house server segment 2, a policy management server 3 (PSPM), an IPsec termination device 4, and a hub 5.

The terminal device 1 communicates with the PSPM 3 and communicates with the in-house server segment 2 according to the volatile communication profile distributed from the PSPM 3. Here, the “volatile communication profile” refers to a file developed only on a volatile memory. Further, the development only on the volatile memory is performed by a dedicated program installed in the terminal device.
A communication control agent (hereinafter referred to as a PS client) is installed on the terminal device 1, and the PS client dynamically switches the rules of the VPN (Virtual Private Network) and the personal firewall by IPsec, thereby the terminal device 1. Agent software that controls access to Details will be described later.

On the other hand, the PSPM 3 functions as a management device described in the claims. Here, the PSPM 3 manages a communication profile registered in advance by a system administrator, receives a connection request from the terminal device 1, performs terminal identification, A volatile communication profile corresponding to the identification result is encrypted and distributed to the device 1.
Here, the communication profile refers to a VPN communication profile by IPsec and a filtering rule of a personal firewall, which are used by the PS client for communication control.

The communication profile is managed on the PSPM 3 and distributed to the terminal device 1 in an encrypted form based on a request from a PS client operating on the terminal device 1.
Further, there are two types of communication profiles, a default communication profile and a dynamic communication profile. The former describes destination information to a network that is permitted to communicate in the initial startup state of the terminal device 1, and the latter includes terminal identification. Describes destination information to a network that can be communicated later. The PSPM 3 receives the connection request in the initial activation state from the terminal device 1 and distributes the default communication profile, and receives the connection request in the normal use state and distributes the dynamic communication profile.

  The IPsec termination device 4 is a gateway that terminates the IPsec communication from the terminal device 1 based on the communication profile described above, and is installed at the entrance of a network that is to be protected by access from a third party. Only the terminal device 1 authorized by the PSPM 3 can be accessed.

  In the configuration of the above-described embodiment of the present invention, the PS client operating on the terminal device 1 makes an authentication request to the PSPM 3 using the dynamic communication profile when the terminal device 1 is activated or connected to the network. The dynamic communication profile of IPsec and personal firewall suitable for the authentication result of PSPM3 is acquired from PSPM3. And it expands to the volatile memory incorporated in the terminal device 1, and performs access control with respect to the internal server segment 2. FIG.

  After deploying the dynamic communication profile, the PSPSM 3 is notified of its own connection state by a response to polling periodically issued by the PSPM 3. In addition to the dynamic communication profile for the authentication result with PSPM3, if the communication profile is changed, the development of the dynamic communication profile is immediately performed when the system administrator performs the dynamic communication profile change registration process in PSPM3. The changed dynamic communication profile can be developed in the terminal device 1. Details will be described later.

FIG. 2 is a block diagram showing functional development of a part related to the present invention in the internal configuration of the management apparatus according to the embodiment of the present invention.
The management apparatus (PSPM3) according to the embodiment of the present invention includes a terminal identification information receiving unit 31, a default communication profile request receiving unit 32, a default communication profile transmitting unit 33, a dynamic communication profile request receiving unit 34, and a dynamic communication profile. A transmission unit 35, a default communication profile 36, and a dynamic communication profile 37 are included. The default communication profile 36 and the dynamic communication profile 37 are stored in a storage device (not shown) in a DB (Data Base) format.

The terminal identification information receiving unit 31 acquires terminal identification information (hereinafter referred to as a terminal identification ID) from the terminal device 1 and receives the default communication profile and the dynamic communication profile defined by the system administrator, respectively. And has a function of storing it in the default communication profile 36 and the dynamic communication profile 37 after encryption.
The default communication profile request receiving unit 32 has a function of receiving a default communication profile acquisition request in the initial startup state of the terminal device 1, and the default communication profile transmitting unit 33 is a default communication profile encrypted with the terminal identification information. With the function to send. Furthermore, the dynamic communication profile request receiving unit 34 has a function of receiving an authentication request having a value obtained by encrypting the terminal identification ID with the terminal identification ID as a parameter from the terminal device 1 that has confirmed the setting of the default communication profile. The communication profile update unit 35 has a function of decrypting the parameter with the terminal identification ID and performing authentication, and transmitting the corresponding dynamic communication profile when the authentication is successful.

FIGS. 3 to 5 are flowcharts cited for explaining the operation of the communication profile automatic distribution setting system according to the embodiment of the present invention. The preparatory operation (FIG. 3) and the operation leading to the default communication profile acquisition (FIG. 4). ) And operations (FIG. 5) leading to dynamic communication profile acquisition.
The operation of the embodiment of the present invention shown in FIGS. 1 and 2 will be described in detail below with reference to FIGS.

The operation in advance preparation when using the communication profile automatic distribution setting system according to the present invention is started when the terminal device 1 first acquires its own terminal identification ID as shown in the flowchart of FIG. S31). Then, the terminal identification ID is transmitted to PSPM 3 by e-mail or the like.
The terminal identification ID is generated by a terminal identification ID generation tool (not shown) that has been installed in the terminal device 1 in advance. Here, the terminal identification ID generation tool is software that generates a unique terminal identification ID for each terminal, which is used when the PSPM 3 performs terminal authentication of the terminal device 1. The terminal identification ID generation tool is provided as an executable file that can be manually activated by the user.
Further, as the terminal identification ID, a device number of a hard disk built in the terminal device 1 or its hash value may be used. This number is used because it is one of the devices that are unlikely to be exchanged in the terminal device 1.

On the other hand, the PSPM 3 encrypts the default communication profile (here, the authentication VPN information) with the terminal identification ID previously received via the terminal identification information receiving unit 32 and stores it on a Web (World Wide Web) server. It shall be (S32). At this time, the hash value obtained from the terminal identification ID, the terminal identification ID, and the communication profile are associated and stored in the database. The above-described PS client is also installed in the terminal device 1, and the above preparation work is completed by restarting (S34, S35).
As described above, the encrypted default communication profile is linked to the Web function in the PSPM 3, and the default communication profile can be downloaded and distributed by browser connection from the terminal device 1 to be used. At this time, distribution can be performed by normal HTTP (Hyper Text Transfer Protocol) communication depending on settings, but distribution by HTTPS (Hyper Text Transfer Protocol Security) communication is also possible.

Next, an operation flow of the communication profile automatic distribution setting system according to the embodiment of the present invention leading to acquisition of default VPN information will be described with reference to FIG. Here, the terminal device 1 can access the PSPM 3 by using the default communication profile.
The default communication profile can be obtained by installing a PS agent in the terminal device 1 and then accessing the PSPM 3 using a browser. Specifically, the default VPN information request issued from the terminal device 1 is received by the default communication profile request receiving unit 31 of the PSPM 3 together with the hash value of the terminal identification ID of the terminal device 1 (S41), and the default communication profile is transmitted. In response to this, the unit 32 refers to the default communication profile 36 as the hash value of the terminal identification ID and transmits the corresponding default VPN information. Here, the default VPN information encrypted with the previously received terminal identification ID is transmitted.

  On the other hand, the terminal device 1 can perform normal communication by initially setting the received default VPN information in the PS client. If there are a plurality of default VPN information, information corresponding to the communication destination is selected.

The default communication profile distributed from PSPM3 and the dynamic profile to be described later are encrypted with the terminal identification ID, and the terminal device acquires the terminal identification ID when it is expanded in the built-in volatile memory, and is decrypted. Only when the default communication definition information or dynamic communication profile is deployed.
For this reason, a program including a PS client installed in the terminal device 1 generates (1) a function for executing IPsec and a personal firewall based on the default communication profile and the dynamic communication profile, and (2) a terminal identification ID. (3) a function for performing authentication and communication with PSPM3, (4) a function for developing a dynamic communication profile from PSPM3 in a volatile memory, (5) an encrypted default communication profile, and A function for decoding a dynamic communication profile based on a terminal identification ID; (6) a function for selecting one default communication profile according to the communication means when there are a plurality of default communication profiles; and (7) a network connection state. Supervising (8) A log collection function for each of these functions is required.

Next, the operation of the communication profile automatic distribution setting system according to the embodiment of the present invention, from terminal authentication to dynamic communication profile acquisition, will be described with reference to the flowchart shown in FIG.
The terminal device 1 first activates the PS client when the power is turned on (S51, S52). Then, the network connection is confirmed (S53), and the default communication profile that has been acquired first is confirmed (S54). If the setting has not been made yet, an initial setting instruction is given (S55) to prompt the initial setting.

After confirming the default communication profile setting, the terminal device 1 decrypts the encrypted default communication profile with its own terminal identification ID, and expands the decrypted default communication profile in the built-in volatile memory. Then, an authentication request (dynamic communication profile request) with a hash value of the terminal identification ID and a value obtained by encrypting the terminal identification ID with the terminal identification ID as parameters is issued to the PSPM 3 (S56). If any of the above processing fails, a denial default communication profile is set (S57).
The PSPM 3 that has received the authentication request by the dynamic communication profile request receiving unit 34 executes the authentication process in the dynamic communication profile transmitting unit 35 (S61), specifically searches for the hash value of the terminal identification ID and associates it with it. When the terminal identification ID is extracted, the terminal identification ID is decrypted using the extracted terminal identification ID, and the result matches the extracted terminal identification ID, the corresponding Dyn A (dynamic) communication profile is extracted and transmitted (S62). Here, when the authentication is not established, a Dyn (dynamic) communication profile for denial is transmitted (S63).

  Upon receiving the dynamic communication profile or the denial Dyn (dynamic) communication profile, the terminal device 1 decodes them with the terminal identification ID, develops them in a volatile memory, and performs settings (S58). Then, the normal end is displayed on a display device (not shown) (S59).

  Here, a supplementary explanation will be given for the above-described authentication processing. The PSPM 3 receives a value obtained by hashing the terminal identification ID and a value obtained by encrypting the terminal identification ID using the terminal identification ID from the terminal device 1, and an agent possessed by the PS agent using the value obtained by hashing the received terminal identification ID. An information database (not shown) is searched to extract a corresponding terminal identification ID. Then, the “value obtained by encrypting the terminal identification ID with the terminal identification ID” sent with the extracted terminal identification ID is decrypted, and if the result matches the extracted terminal identification ID, authentication is established. . In the above, if the result does not match the extracted terminal identification ID, authentication is not established.

  If authentication is established, the corresponding encrypted dynamic communication definition information is included in the dynamic communication profile from the agent information and transmitted to the terminal device 1. At this time, the PSPM 3 performs a schedule check if schedule information such as a usage time zone, a specific day of the week and a deadline is added to the corresponding dynamic communication profile, and if the result does not match, the usage deadline. It is also possible to transmit external dynamic communication definition information to the terminal device 1 as a dynamic communication profile. If authentication is not established, the corresponding dynamic communication profile is transmitted from the agent information to the terminal device 1 that requested it. The dynamic communication profile transmitted at this time is transmitted as plain text.

On the other hand, the setting change of the dynamic communication profile is performed as follows. As described above, the terminal device 1 and the PSPM 3 always perform communication by polling at regular intervals.
The PSPM 3 can know the network connection state of the terminal device 1 by this polling, and can dynamically change the setting of the communication profile accordingly. The PSPM 3 that has detected that it is necessary to change the setting of the dynamic communication profile by polling, selects a corresponding dynamic communication profile, performs encryption processing, and transmits to the terminal device 1 to perform decryption and setting as described above. Prompt.
When changing the current dynamic communication profile, the system administrator needs to change the setting on the information setting screen. At that time, the changed dynamic communication profile can be sent immediately to the terminal device 1 receiving the polling.

  As described above, according to the present invention, there is no possibility that a user or a third party can know a communication profile, and therefore, information leakage and unauthorized use are eliminated, and security can be handled. In addition, the user or the system administrator does not need to manually set the communication profile, so that it is free from complicated setting work and the burden is reduced. In addition, communication settings suitable for the environment of each terminal device can be made, and the communication profile can be distributed only to terminal devices approved by the system administrator. Virus infection can be prevented.

Furthermore, communication profile settings are not only for terminal device authentication approved by the system administrator, but also for intelligent authentication such as user IDs and passwords used, IC cards, USB (Universal Serial Bus) tokens, and other devices It is possible to authenticate the identity by combining authentication.
Furthermore, the system administrator can immediately change the communication profile for each terminal device or for each individual that is ready for the network environment. In addition, since the communication profile to be distributed can set contents such as a usable time zone, a specific day of the week, and a period, detailed network operation management is possible. This makes it possible to centrally manage access restrictions of servers and hosts to which terminal devices can be connected, and to reduce work for operations.
As an application of this system, when an in-house system has a virus spread on the network and wants to restrict access urgently, the communication control server forcibly applies the dynamic communication definition information of the communication control agent currently applied. It is also possible to change to.

  In addition, the terminal identification information receiver 31, the default communication profile request receiver 32, the default communication profile transmitter 33, the dynamic communication profile request receiver 34, the dynamic communication profile transmitter 35, the default communication profile 36, and the dynamic communication shown in FIG. The management apparatus of the present invention is realized by recording the procedure executed by each of the profiles 37 on a computer-readable recording medium, causing the computer system to read and execute the program recorded on the recording medium. To do. The computer system mentioned here includes hardware such as an OS (Operating System) and peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes a design and the like within a scope not departing from the gist of the present invention.

It is a figure which shows the system configuration example of the communication profile automatic distribution setting system concerning embodiment of this invention. It is the block diagram which expanded the function and showed the part relevant to this invention among the internal structures of the management apparatus concerning embodiment of this invention. It is the flowchart quoted in order to demonstrate operation | movement of the communication profile automatic distribution setting system concerning embodiment of this invention. It is the flowchart quoted in order to demonstrate operation | movement of the communication profile automatic distribution setting system concerning embodiment of this invention. It is the flowchart quoted in order to demonstrate operation | movement of the communication profile automatic distribution setting system concerning embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Terminal device, 2 ... In-house server segment, 3 ... Policy management server PSPM (management device), 4 ... IPsec termination device, 5 ... Hub, 31 ... Terminal identification information receiving part, 32 ... Default communication profile request receiving part, 33 ... default communication profile transmission unit, 34 ... dynamic communication profile request reception unit, 35 ... dynamic communication profile transmission unit, 36 ... default communication profile, 37 ... dynamic communication profile

Claims (5)

A communication profile automatic distribution setting system in which a terminal device, a management device, and a server that is permitted to be accessed as a result of terminal authentication by the management device are connected via a network,
The management device
Storage means for acquiring terminal identification information from the terminal device, and encrypting and storing a default communication profile in which destination information to a network permitted to communicate in an initial activation state of the terminal device is described with the terminal identification information When,
A default communication profile transmitting means for receiving the acquisition request for the default communication profile in the initial startup state of the terminal device and transmitting the default communication profile encrypted with the terminal identification information;
An authentication request having as a parameter a value obtained by encrypting the terminal identification information is received from the terminal device that has confirmed the setting of the default communication profile, and authentication is performed by decrypting the parameter with the terminal identification information. And a dynamic communication profile transmission means for transmitting and distributing a corresponding dynamic communication profile in which destination information to a network capable of communication after the terminal identification is described.
The communication device automatic distribution setting system, wherein the terminal device communicates with the management device and communicates with the server according to a dynamic communication profile distributed from the management device . The management device
When communication with the terminal device is performed at regular intervals, and the content of access permission to the server of the terminal device has changed, the updated dynamic communication profile is encrypted and distributed. The communication profile automatic distribution setting system according to claim 1, wherein: A terminal device and a server that is permitted to be accessed as a result of terminal authentication by the management device are connected via a network, and destination information to the network that is permitted to communicate in the initial startup state of the terminal device is described. The management device that manages a default communication profile and a dynamic communication profile in which destination information to a network that can communicate after identification of the terminal device is described,
Storage means for acquiring terminal identification information from the terminal device and encrypting and storing a default communication profile with the terminal identification information;
A default communication profile transmitting means for receiving the acquisition request for the default communication profile in the initial startup state of the terminal device and transmitting the default communication profile encrypted with the terminal identification information;
An authentication request having as a parameter a value obtained by encrypting the terminal identification information is received from the terminal device that has confirmed the setting of the default communication profile, and authentication is performed by decrypting the parameter with the terminal identification information. A dynamic communication profile transmitting means for transmitting the corresponding dynamic communication profile when the is successful,
A management apparatus comprising: A communication profile automatic distribution setting method in a computer network system in which a terminal device, a management device, and a server that is permitted to be accessed as a result of terminal authentication by the management device are connected via a network,
The management device is
The terminal identification information is acquired from the terminal device, and a default communication profile in which destination information to a network permitted to communicate in the initial activation state of the terminal device is described is encrypted with the terminal identification information and stored in a storage unit. The process of
A process of receiving an acquisition request for the default communication profile in an initial startup state of the terminal device and transmitting a default communication profile encrypted with the terminal identification information by a default communication profile transmission unit;
A dynamic communication profile transmission means receives an authentication request having as a parameter a value obtained by encrypting the terminal identification information from the terminal device that has confirmed the setting of the default communication profile, and decrypts the parameter with the terminal identification information. And transmitting and distributing a corresponding dynamic communication profile in which destination information to a network capable of communication after the terminal identification is described when the authentication is successful.
The terminal device communicates with the management device and communicates with the server according to a dynamic communication profile distributed from the management device ;
A communication profile automatic distribution setting method characterized by comprising: A terminal device and a server that is permitted to be accessed as a result of terminal authentication by the management device are connected via a network, and destination information to the network that is permitted to communicate in the initial startup state of the terminal device is described. A program used in the management device for managing a default communication profile and a dynamic communication profile in which destination information to a network capable of communication after identification of the terminal device is described,
Processing for obtaining terminal identification information from the terminal device and storing a default communication profile encrypted with the terminal identification information;
Processing for receiving the default communication profile acquisition request in the initial startup state of the terminal device and transmitting the default communication profile encrypted with the terminal identification information;
An authentication request having as a parameter a value obtained by encrypting the terminal identification information is received from the terminal device that has confirmed the setting of the default communication profile, and authentication is performed by decrypting the parameter with the terminal identification information. The process of sending the corresponding dynamic communication profile when
A program that causes a computer to execute.

Images