KR20160019410A - Data management for an application with multiple operation modes - Google Patents

Abstract

A method and system for managing an application having multiple modes is disclosed. A device manager that manages the mobile device may monitor the mobile device. The device manager may detect that a first type of application running in a managed mode (or multiple management modes) and an unmanaged mode is installed on the mobile device. When an application is executed on a device, the application is executed according to the selected application mode, e.g., based on location, user, role, industry presence or other predefined context.

Description

[0001] DATA MANAGEMENT FOR APPLICATION WITH MULTIPLE OPERATION MODES [0002]

This application claims priority to U.S. Serial No. 14 / 021,227, filed on September 9, 2013 entitled " Data Management for an Application with Multiple Operation Modes, " Provisional Application No. 61 / 861,736, filed on August 2, 2013 entitled " Policy-Based Application Management ", filed on August 2, 2013, entitled " Data Management for an Application with Multiple Operation Modes & 61 / 861,758, entitled " Application with Multiple Operation Modes, " filed on March 29, 2013, entitled " Systems and Methods for Enterprise Mobility Management, And U.S. Patent Application Serial No. 13 / 886,889 filed on February 2, each of which is incorporated herein by reference in its entirety.

[002] The use of mobile computing devices continues to increase. In particular, businesses and other companies have relied on mobile computing devices to allow individuals to remotely access various corporate resources. Such resources may include, for example, electronic mail services, file services, data, and other electronic resources provided by enterprise computer systems.

[003] With this breach of business use, individuals have begun to use their mobile computing devices for both business and personal use. For example, an employee of an enterprise may access an enterprise email account and a personal email account with the same mobile computing device. Thus, certain functions of mobile computing devices may share business and personal aspects. However, business information often requires secure communication and storage. Additionally, business information stored in the mobile device may require management. Therefore, it is required that the device manager manage the information stored in the mobile device.

[004] The following description presents a simplified summary of the various aspects set forth herein. This summary is not a comprehensive overview, nor is it intended to identify key or critical elements or to delineate the scope of the claims. The following summary merely presents some concepts in a simplified form as a prelude to introduce the more detailed description provided below.

[005] A method and system for managing an application having a plurality of operating modes is described herein. The device manager managing the mobile device can monitor the mobile device. The device manager may detect that a predetermined type of application running in an unmanaged mode and a managed mode is installed on the mobile device. The mode of operation may be based on device context or device-related information. For example, an application may be run in a first management mode when user credentials authenticate a user as a trusted user, otherwise the application may be run in a second less secure mode . The mode of operation may also be a physical location of the device, a network location, user credentials, user roles, location types (e.g., healthcare, financial institutions, schools , Government agencies, etc.). An application may be executable in three or more modes of operation and may be executable in a number of different modes of administration providing multiple levels of access, security, resources, and so on.

[006] These and additional aspects will be recognized in connection with the advantages of the disclosure discussed in greater detail below.

A more complete understanding of aspects and advantages herein may be obtained by reference to the following description taken in conjunction with the accompanying drawings, in which like reference numerals identify similar features.
[008] FIG. 1 illustrates an exemplary computer system architecture that may be used in accordance with an exemplary embodiment.
[009] FIG. 2 illustrates an exemplary remote-access system architecture that may be used in accordance with an exemplary embodiment.
[0010] FIG. 3 illustrates an exemplary virtualization (hypervisor) system architecture that may be used in accordance with an illustrative embodiment.
[0011] FIG. 4 illustrates an exemplary cloud-based system architecture that may be used in accordance with an illustrative embodiment.
[0012] FIG. 5 illustrates an exemplary enterprise mobility management system that may be used in accordance with an exemplary embodiment.
[0013] FIG. 6 illustrates another exemplary enterprise mobility management system that may be used in accordance with an exemplary embodiment.
[0014] FIG. 7 illustrates a sample interface of a mobile device according to an exemplary embodiment.
[0015] FIG. 8 is a flow diagram illustrating the determination of an application mode for an application in accordance with an exemplary embodiment.
[0016] FIG. 9 is a flowchart illustrating the determination of an account type context for an application according to an exemplary embodiment.
[0017] FIG. 10 is a flow diagram illustrating the determination of a location context for an application according to an exemplary embodiment.
[0018] FIG. 11 is a flowchart illustrating the determination of a predetermined predetermine application status context for an application according to an exemplary embodiment.
[0019] FIG. 12 is a flowchart illustrating the determination of a network connection context for an application according to an exemplary embodiment.
[0020] FIG. 13 is a flowchart illustrating the determination of a settings context for an application according to an exemplary embodiment.
[0021] FIG. 14 is a flow diagram illustrating switching application modes for an application according to an exemplary embodiment.
[0022] FIG. 15 is a flow diagram illustrating the management of an application in multiple operating modes in accordance with an exemplary embodiment.
[0023] FIG. 16 is a flowchart illustrating the management of a multi-mode application according to an exemplary embodiment.
[0024] FIG. 17 is a flowchart illustrating an app store according to an exemplary embodiment.

BRIEF DESCRIPTION OF THE DRAWINGS [0025] The following description of the various embodiments forms part of the embodiments and, together with the above identified embodiments, is shown by way of illustration various embodiments in which the aspects described herein may be practiced. It is to be understood that other embodiments may be utilized and that the structure and function may be modified without departing from the scope of the invention as described herein. The various aspects enable other embodiments and may be practiced or carried out in various different ways.

[0026] As a general introduction to the subject matter described in greater detail below, the aspects described herein may be used in conjunction with applications that may be executed in a number of modes of operation, To controlling remote access to resources of a computing system. The access manager may perform a validation process that determines whether a mobile application requesting access to enterprise resources is itself correctly identified and that it has not been modified since it was installed on the mobile computing device . In this manner, the access manager does not attempt to circumvent security mechanisms used to secure mobile devices that request access to corporate resources and to protect these enterprise resources. As a result, individuals associated with the enterprise can leverage corporate resources with their personal mobile devices using pre-approved applications.

[0027] It is to be understood that the phraseology and terminology used herein are for the purpose of description and should not be regarded as limiting. Rather, the phrases and terminology used herein are to be interpreted as broadest and to the broadest meaning. The use of "comprising" and "comprising" and variations thereof is intended to include the items listed thereafter and equivalents thereof as well as additional items and equivalents thereof. The use of terms like "mounted "," coupled ", "coupled "," positioned ", "engaged ", including direct and indirect mounting, connection, coupling, positioning, do.

[0028] Computing architecture

[0029] Computer software, hardware and networks can be utilized in a variety of different system environments, particularly in standalone, networked, remote-access (also known as remote desktops), virtualization and / or cloud- have. 1 illustrates an example of a system architecture and / or data processing device that may be used to implement one or more of the exemplary aspects described herein in a standalone and / or networked environment. The various network nodes 103, 105, 107, and 109 may be interconnected via a wide area network (WAN) 101, e.g., the Internet. Other networks may also or alternatively be used, including private intranets, enterprise networks, LANs, metropolitan area networks (MANs), wireless networks, personal networks (PANs) The network 101 is for illustrative purposes and may be replaced with fewer computer networks or with additional networks. A local area network (LAN) may have one or more of any known LAN topologies and may use one or more of a variety of different protocols, such as Ethernet. The devices 103,105, 107,109 and other devices (not shown) may be connected to one or more of the networks via twisted pair wires, coaxial cables, optical fibers, radio waves or other communication media.

[0030] The term "network " as used herein and shown in the figures refers to a system in which remote storage devices are coupled together via one or more communication paths, as well as systems Refers to stand-alone devices. Consequently, the term "network" includes not only a "physical network ", but also a" content network ", wherein the "content network" consists of data residing across all of the physical networks.

[0031] The components may include a data server 103, a web server 105 and client computers 107, 109. The data server 103 provides full access, control, and management of control software and databases for performing one or more exemplary aspects described herein. The data server 103 may be connected to the web server 105 and through the web server 105 users interact with the requested data to obtain this data. Alternatively, the data server 103 may act as a web server by itself and may be directly connected to the Internet. The data server 103 may be connected to the web server 105 via the network 101 (e.g., the Internet), directly or indirectly, or some other network. Users can connect to the data server 103 via one or more externally exposed web sites hosted by the web server 105 and use the remote computers 107 and 109 to retrieve data Server 103. < / RTI > Client computers 107 and 109 may be used in conjunction with data server 103 to access data stored in data server 103 or may be used for other purposes. For example, from the client device 107, a user may use a software application that communicates with the web server 105 and / or the data server 103 using an Internet browser known in the art or via a computer network (e.g., the Internet) And can access the Web server 105 by executing it.

[0032] Servers and applications may be coupled on the same physical machines and may have separate virtual or logical addresses or may reside on separate physical machines. 1 illustrates only one example of a network architecture that may be used and one of ordinary skill in the art will recognize that the particular network architecture and data processing devices used, as further described herein, may be varied, . For example, the services provided by the web server 105 and the data server 103 may be combined on a single server.

[0033] Each component 103, 105, 107, 109 may be any type of well-known computer, server, or data processing device. The data server 103 may comprise a processor 111 for controlling the overall operation of a rate server 103, for example. The data server 103 further includes a RAM 113, a ROM 115, a network interface 117, input / output interfaces 119 (e.g., keyboard, mouse, do. I / O 119 may include various interface units and drives for reading, writing, displaying, and / or printing data or files. The memory 121 includes operating system software 123 for controlling the overall operation of the data processing device 103, control logic 125 for instructing the data server 103 to perform the aspects described herein, Additional application software 127 may be stored that provides secondary functions, support functions, and / or other functions that may be used with the described aspects or may not be used with the aspects described herein. The control logic may also be referred to herein as data server software 125. The functionality of the data server software may be automatically generated based on rules coded in the control logic or may be manually generated by the user providing input in the system or may be based on user input (e.g., queries, data updates, etc.) May refer to actions or decisions made in combination with automatic processing.

[0034] The memory 121, including the first database 129 and the second database 131, may also store data used in performing one or more aspects described herein. In some embodiments, the first database may comprise a second database (e.g., as an individual table, report, etc.). That is, depending on the system design, the information may be stored in a single database or may be separated into different logical, virtual or physical databases. The devices 105, 107, and 109 may have similar or different architectures as those described in connection with the device 103. Those skilled in the art will appreciate that the functionality of the data processing device 103 (or devices 105, 107, 109) described herein may be used, for example, to distribute the processing load across multiple computers, And may be spread across multiple data processing devices to separate transactions based on quality of service (QoS) and the like.

[0035] One or more aspects may be implemented as computer-usable or readable data and / or computer-executable instructions, as described herein, such as one or more program modules . ≪ / RTI > Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a computer or other device's processor do. The modules may be written in a source code programming language compiled later for execution or written in a scripting language such as but not limited to HTML or XML. Computer-executable instructions may be stored on a computer-readable medium, such as a non-volatile storage device. Any suitable computer readable storage medium can be utilized including hard disks, CD-ROMs, optical storage devices, magnetic storage devices, and / or any combination thereof. Moreover, the various transmission (non-storing) media representing the data or events as described herein may be implemented as a signal such as metal wires, optical fibers, and / or wireless transmission media (e.g., air and / Can be moved between the source and destination in the form of electromagnetic waves traveling through the signal-conducting media. The various aspects described herein may be implemented as a method, a data processing system, or a computer program product. Thus, the various functions may be implemented in whole or in part by software, firmware and / or hardware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGAs), and the like. Certain data structures may be used to more effectively implement one or more aspects described herein, and such data structures are contemplated to be within the scope of computer-usable instructions and computer-usable data described herein.

[0036] With further reference to FIG. 2, one or more aspects described herein may be implemented in a remote-access environment. FIG. 2 illustrates an exemplary system architecture including a general purpose computing device 201 of an exemplary computing environment 200 that may be used in accordance with one or more illustrative aspects described herein. The general purpose computing device 201 may be used as a server 206a in a single-server or multi-server desktop virtualization system (e.g., a remote access or cloud system) configured to provide virtual machines to client access devices. The general purpose computing device 201 includes a server 205 and a server 208 including a random access memory (RAM) 205, a read-only memory (ROM) 207, an input / output (I / O) module 209, And a processor 203 for controlling the overall operation of the associated components.

The user of the general-purpose computing device 201 receives input (s) via the mouse, keypad, touch screen, scanner, optical reader, and / or stylus (or other input device , And may also include one or more of a speaker for providing audio output and a video display device for providing text, audiovisual and / or graphical output. The software may be stored in the memory 215 and / or other storage to provide the processor 203 with instructions for configuring the general purpose computing device 201 as a special purpose computing device to perform various functions as described herein . For example, memory 215 may store software used by computing device 201, e.g., operating system 217, application programs 219, and associated database 221.

[0038] The computing device 201 may operate in a networked environment that supports connections to one or more remote computers, such as terminals 240 (also referred to as client devices). Terminals 240 may be personal computers, mobile devices, laptop computers, tablets or servers, including all or a combination of the elements described above in connection with the general purpose computing device 103 or 201. The network components shown in FIG. 2 include a local area network (LAN) 225 and a wide area network (WAN) 229, but may also include other networks. When used in a LAN networking environment, the computing device 201 may be connected to the LAN 225 via a network interface or adapter 223. When used in a WAN networking environment, the computing device 201 may include a modem 227 or other wide area network interface for establishing communications over the WAN 229, such as a computer network 230 (e.g., the Internet) have. It will be appreciated that the network connections shown are exemplary and other means of establishing a communication link between the computers may be used. Computing device 201 and / or terminals 240 may also be coupled to mobile terminals (e.g., mobile phones, smart phones, PDAs, etc.) including batteries, speakers, and various other components such as antennas , Notebooks, etc.).

[0039] The aspects described herein may also be operational with many other general purpose or special purpose computing system environments or configurations. Examples of other computing systems, environments, and / or configurations that may be suitable for use with the aspects described herein include, but are not limited to, personal computers, server computers, hand-held or laptop devices, Microprocessor-based systems, set top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments including any of the preceding systems or devices, But are not limited to these.

As shown in FIG. 2, one or more client devices 240 may communicate with one or more servers 206a-206n (generally referred to herein as "server (s) 206") . In one embodiment, computing environment 200 may include a network device installed between server (s) 206 and client machine (s) The network device may manage client / server connections and, in some cases, may load balance client connections between the plurality of backend servers 206.

The client machine (s) 240 may be referred to in some embodiments as a single group of client machines 240 or client machines 240, while the server (s) May be referred to as a single group of servers 206 or servers 206. In one embodiment, a single client machine 240 communicates with two or more servers 206, while in another embodiment, a single server 206 communicates with two or more client machines 240. In yet another embodiment, a single client machine 240 communicates with a single server 206.

[0042] In some embodiments, client machine 240 includes the following non-limiting items: client machine (s); Client (s); Client computer (s); Client device (s); Client computing device (s); Local machine; Remote machine; Client node (s); May be referred to by either endpoint (s) or endpoint node (s). In some embodiments, server 206 may include the following non-limiting items: server (s); Local machine; Remote machine; May be referred to by either the server farm (s) or the host computing device (s).

[0043] In one embodiment, client machine 240 may be a virtual machine. While in some embodiments the virtual machine may be a type 1 or type 2 hypervisor, such as a hypervisor developed by Citrix Systems, IBM, VMware, or any other And may be any virtual machine managed by the hypervisor. In some aspects, the virtual machine may be managed by the hypervisor, while in aspects the virtual machine may be managed by the hypervisor running on the server 206 or by the hypervisor running on the client 240 .

[0044] Some embodiments include a client device 240 that displays an application output that is generated by an application that is run remotely on the server 206 or another remotely located machine. In these systems, the client device 240 may execute a virtual machine receiver program or application to display output in an application window, browser, or other output window. In one example, the application is a desktop, while in another example, the application is an application that creates or presents a desktop. The desktop may include a graphical shell that provides a user interface to an instance of the operating system in which local and / or remote applications may be integrated. Applications, such as those described herein, are programs that run after an instance of the operating system (and optionally also the desktop) is loaded.

 [0045] In some embodiments, server 206 may be a thin-client or remote-display application running on a client to present a display output generated by an application executing on server 206 Use a remote presentation protocol or other program to transmit the data. The thin-client or remote-display protocol may include the following non-limiting list of protocols: Independent Computing Architecture (ICA) protocol developed by Citrix Systems, Inc. in Fort Lauderdale, Florida or Microsoft Corporation Or RDP (Remote Desktop Protocol) manufactured by the same manufacturer.

[0046] The remote computing environment may include two or more servers 206a-206n, for example, in a cloud computing environment where the servers 206a-206n are logically grouped together into a server farm 206. [ The server farm 206 may include servers 206 that are geographically dispersed while logically grouped together, or servers 206 that are logically grouped together while being placed close together. In some embodiments, the geographically dispersed servers 206a-206n within the server farm 206 may communicate using WAN (wide area), MAN (metropolitan), or LAN (area), where different geographic areas Different continents; Different continental areas; Different countries; Different states; Different cities; Different campuses; Different rooms; Or any combination of the above geographic locations. In some embodiments, the server farm 206 may be managed as a single entity, while in other embodiments, the server farm 206 may comprise multiple server farms.

[0047] In some embodiments, the server farm may include servers 206 executing substantially similar types of operating system platforms (eg, WINDOWS, UNIX, LINUX, iOS, ANDROID, SYMBIAN, etc.). In other embodiments, the server farm 206 may include a first group of one or more servers running a first type of operating system platform and a second group of one or more servers running a second type operating system platform .

The server 206 may be any type of server as required, such as a file server, an application server, a web server, a proxy server, an appliance, a network appliance, a gateway, an application gateway, a gateway server, An SSL VPN server, a firewall, a web server, an application server, or a server running a master application server, a server running Active Directory, or a server running an application acceleration program providing firewall function, application function or load balancing function. Other server types may also be used.

[0049] Some embodiments receive requests from the client machine 240, forward requests to the second server 106b, and generate requests from the client machine 240 in response from the second server 106b And a first server 106a that responds to the request. The first server 106a may obtain address information associated with the application server 206 hosting the application identified in the list of applications as well as a list of applications available to the client machine 240. [ The first server 106a may then use the web interface to present a response to the request of the client and may communicate directly with the client 240 to provide access to the identified application have. One or more clients 240 and / or one or more servers 206 may transmit data over the network 230, e.g.,

[0050] FIG. 2 illustrates a high-level architecture of an exemplary desktop virtualization system. As shown, the desktop virtualization system may include a single-server or multi-server system 200 that includes at least one virtualization server 206 configured to provide virtual desktops and / or virtual applications to one or more client access devices 240 Or a cloud system. As used herein, a desktop refers to a graphical environment or space in which one or more applications are hosted and / or executed. The desktop may include a graphics shell that provides a user interface to an instance of the operating system in which local and / or remote applications may be integrated. Applications may include programs that run after the instance of the operating system (and optionally also the desktop) is loaded. Each instance of the operating system may be physical (e.g., one operating system per device) or virtual (e.g., many instances of an OS running on a single device). Each application may be executed on a local device or may be executed on a remotely located device (e.g., a remote device).

[0051] Still referring to FIG. 3, the computer device 301 may be configured as a virtualization server in a virtualized environment, such as a single-server, multi-server, or cloud computing environment. The virtualization server 301 illustrated in FIG. 3 may be implemented and / or deployed by one or more embodiments of the server 206 illustrated in FIG. 2, or by other known computing devices. Included in the virtualization server 301 is a hardware layer that may include one or more physical disks 304, one or more physical devices 306, one or more physical processors 308, and one or more physical memory 316. In some embodiments, the firmware 312 may be stored in a memory element of the physical memory 316 and may be executed by one or more physical processors 308. The virtualization server 301 may further include an operating system 314 that is stored in a memory element of the physical memory 316 and may be executed by one or more physical processors 308. [ The hypervisor 302 may also be stored in a memory element of the physical memory 316 and may be executed by one or more physical processors 308. [

[0052] It may be one or more virtual machines 332A-C, generally 332, to execute on one or more physical processors 308. Each virtual machine 332 may include virtual disks 326A-C and virtual processors 328A-C. In some embodiments, the first virtual machine 332A may execute a control program 320 that includes a tools stack 324 using the virtual processor 328A. The control program 320 may be referred to as a control virtual machine, Dom0, Domain 0, or other virtual machine used for system operation and / or control. In some embodiments, one or more virtual machines 332B-C may execute guest operating systems 330A-B using virtual processors 328B-C.

[0053] The virtualization server 301 may include a hardware layer 310 having one or more pieces of hardware in communication with the virtualization server 301. In some embodiments, hardware layer 310 may include one or more physical disks 304, one or more physical devices 306, one or more physical processors 308, and one or more memory 216. The physical components 304, 306, 308, and 316 may include, for example, any of the above-described components. The physical device 306 may be any type of device such as a network interface card, a video card, a keyboard, a mouse, an input device, a monitor, a display device, a speaker, an optical drive, a storage drive, a universal serial bus connection, (DHCP), a network address translator, a load balancer, a virtual private network (VPN) gateway, a Dynamic Host Configuration Protocol (DHCP) router, etc.) or any device that communicates with or connects to the virtualization server 301. The physical memory 316 of the hardware layer 310 may comprise any type of memory. The physical memory 316 may store data, and in some embodiments may store one or more programs, or a set of executable instructions. Figure 3 illustrates an embodiment where the firmware 312 is stored in the physical memory 316 of the virtualization server 301. [ Programs or executable instructions stored in physical memory 316 may be executed by one or more processors 308 of virtualization server 301. [

[0054] The virtualization server 301 may also include a hypervisor 302. In some embodiments, the hypervisor 302 may be a program that is executed by the processor 308 on the virtualization server 301 to create and manage any number of virtual machines 332. The hypervisor 302 may be referred to as a virtual machine monitor or platform virtualization software. In some embodiments, the hypervisor 302 may be any combination of hardware and executable instructions for monitoring a virtual machine running on the computing machine. The hypervisor 302 may be a type 2 hypervisor and the hypervisor running within the operating system 314 may be running on the virtualization server 301. The difference is that the virtual machine runs at the higher level of the hypervisor. In some embodiments, the Type 2 hypervisor is executed within the context of the user's operating system, and the Type 2 hypervisor interacts with the user's operating system. In another embodiment, one or more virtualization servers 201 in a virtualized environment may instead include a type 1 hypervisor (not shown). The Type 1 hypervisor can be run on the virtualization server 301 by directly accessing resources and hardware within the hardware layer 310. [ That is, although the Type 2 hypervisor 302 accesses system resources through the host operating system 314 as shown, the Type 1 hypervisor can directly access all system resources without the host operating system 314. [ The type 1 hypervisor may execute directly on one or more physical processors 308 of virtualization server 301 and may include program data stored in physical memory 316. [

[0055] In some embodiments, the hypervisor 302 executes virtual resources on virtual machine 332 in any manner that simulates direct access to system resources by operating system 330 or control program 320 To the operating system 330 or the control program 320. The system resources may include physical devices 306, physical disks 304, physical processors 308, physical memory 316 and any other components included in the virtualization server 301 hardware layer 310, But is not limited to. The hypervisor 302 may be used to execute virtual machines that emulate virtual hardware, partition physical hardware, virtualize physical hardware, and / or provide access to a computing environment. In another embodiment, the hypervisor 302 controls memory partitioning and processor scheduling for the virtual machine 332 running on the virtualization server 301. [ The hypervisor 302 is manufactured by VMWare, Inc. of Palo Alto, California; The XEN hypervisor, an open source product whose development is overseen by the open source Xen.org community; A virtual PC provided by Microsoft, HyperV, or a VirtualServer or other hypervisor. In some embodiments, the virtualization server 301 executes a hypervisor 302 that creates a virtual machine platform on which the guest operating system can run. In these embodiments, the virtualization server 301 may be referred to as a host server. An example of such a virtualization server is XEN SERVER provided by Citrix Systems, Inc. of Fort Lauderdale, Florida.

[0056] The hypervisor 302 may create one or more virtual machines 332B-C, generally 332, in which the guest operating system 330 is running. In some embodiments, the hypervisor 302 may load the virtual machine image to create the virtual machine 332. In another embodiment, the hypervisor 302 may execute the guest operating system 330 within the virtual machine 332. [ In another embodiment, the virtual machine 332 may execute the guest operating system 330. [

[0057] In addition to creating the virtual machine 332, the hypervisor 302 may control the execution of one or more virtual machines 332. In an alternative embodiment, the hypervisor 302 may be an abstraction of one or more hardware resources provided by the virtualization server 301 (e.g., any hardware resources available within the hardware layer 310) 332). In another embodiment, the hypervisor 302 may control how the virtual machine 332 accesses the physical processor 308 available in the virtualization server 301. [ Controlling access to the physical processor 308 includes determining whether the virtual machine 332 should have access to the processor 308 and how the physical processor functionality is provided to the virtual machine 332 .

[0058] As shown in FIG. 3, the virtualization server 301 may host or execute one or more virtual machines 332. The virtual machine 332 is operable to execute executable instructions that, when executed by the processor 308, allow the virtual machine 332 to execute programs and processes in much the same manner as physical computing devices, Set. 3 illustrates an embodiment in which the virtualization server 301 hosts three virtual machines 332. In another embodiment, the virtualization server 301 can host any number of virtual machines 332 have. The hypervisor 302 may in some embodiments provide a unique virtual view of each virtual machine 332 to physical hardware, memory, processor, and other system resources available to the virtual machine 332 to provide. In some embodiments, the unique virtual view may include one or more virtual machine permissions, an application of a policy engine for one or more virtual machine identifiers, a user accessing a virtual machine, an application executing on a virtual machine, A network accessed by the machine, or any other desired criteria. For example, the hypervisor 302 may create one or more unsecured virtual machines 332 and one or more secure virtual machines 332. The insecure virtual machine 332 may be restricted from accessing the program, resources, hardware, and memory locations that the secure virtual machine 332 can access. In another embodiment, the hypervisor 302 may provide each virtual machine 332 with a substantially similar view of physical hardware, memory, processor, and other system resources available to the virtual machine 332. [

[0059] Each virtual machine 332 may include virtual disks 326A-C (typically 326) and virtual processors 328A-C (typically 328). The virtual disk 326 may in some embodiments be a virtualized view of one or more physical disks 304 of the virtualization server 301 or a portion of one or more physical disks 304 of the virtualization server 301, to be. A virtualized view of the physical disk 304 may be created, provisioned and managed by the hypervisor 302. In some embodiments, the hypervisor 302 provides a unique view of the physical disk 304 to each virtual machine 332. Thus, in these embodiments, the particular virtual disk 326 included in each virtual machine 332 may be unique compared to the other virtual disk 326. [

[0060] The virtual processor 328 may be a virtualized view of one or more physical processors 308 of the virtualization server 301. In some embodiments, the virtualized view of the physical processor 308 may be created, provided, and managed by the hypervisor 302. In some embodiments, the virtual processor 328 may have substantially the same characteristics as the one or more physical processors 308. The virtual processor 308 provides a modified view of the physical processor 308 such that at least some of the features of the virtual processor 328 are different from the corresponding physical processor 308 features .

[0061] Referring additionally to FIG. 4, some aspects described herein may be implemented in a cloud-based environment. 4 illustrates an example of a cloud computing environment (or cloud system) 4, client computers 411-414 communicate with the cloud management server 410 to communicate computing resources (e.g., host server 403, storage resources 404, and network resources 405) of the cloud system, ). ≪ / RTI >

[0062] The management server 410 may be implemented on one or more physical servers. The management server 410 may, for example, execute CLOUDSTACK or, in particular, OPENSTACK from Citrix Systems, Inc. of Fort Lauderdale, Florida. The management server 410 may manage various computing resources including cloud hardware and software resources, such as host computer 403, data storage device 404, and network device 405. [ Cloud hardware and software resources may include private and / or public components. For example, the cloud may be configured as a private cloud to be used by a private network and / or by one or more specific customers or client computers 411-414. In another embodiment, the public cloud or hybrid private-public cloud may be used by other customers using an open or hybrid network.

[0063] The management server 410 may be configured to provide a user interface that allows the cloud operator and cloud customer to interact with the cloud system. For example, the management server 410 may provide a set of APIs and / or one or more cloud operator console applications (e.g., web-based standalone applications) to a cloud operator to manage cloud resources, configure the virtualization layer, And provide a user interface that allows other cloud operations to be performed. The management server 410 may also provide a set of APIs and / or one or more cloud operator console applications, via the client computers 411-414, to create and modify a cloud computing request, e.g., a virtual machine in the cloud, from an end user. Or to receive a request to remove the user interface. The cloud computers 411-414 may connect to the management server 410 via the Internet or other communications network and may request access to one or more computing resources managed by the management server 410. [ In response to the client request, the management server 410 may include a resource manager configured to select and supply physical resources of the hardware layer of the cloud system based on the client request. For example, the management server 410 and the additional components of the cloud system may use a network (e.g., the Internet) to provide the customer with computational resources, data storage services, network capabilities, Create, and manage virtual machines and their operating environment (e.g., hypervisor, storage resources, services provided by network elements, etc.) for customers at client computers 411-414. The cloud system may also be configured to provide various specific services, including security systems, development environments, user interfaces, and the like.

[0064] Certain clients 411-414 may be related, for example, different client computers may create virtual machines that represent the same end users, or different users may be involved in the same company or organization. In another example, the particular client 411-414 may be unrelated and, for example, the users may be related to different companies or organizations. For unrelated clients, information about any particular user's virtual machine or storage may be hidden by other users.

[0065] Referring now to the physical hardware layer of the cloud computing environment, an availability zone 401-402 (or zone) can refer to a collocated set of physical computing resources have. A zone can be geographically separated from other zones of the former cloud of computing resources. For example, zone 401 may be a first cloud data center located in California, and zone 402 may be a second cloud data center located in Florida. The management server 410 may be located in one of the available zones, or in a remote location. Each zone may include an internal network that interfaces with devices outside the zone, such as the management server 410, via a gateway. The end users of the cloud (e.g., clients 411-414) may or may not be able to distinguish between zones. For example, end users can request the creation of a virtual machine with a certain amount of memory, processing power, and network capabilities. The management server 410 may respond to the user's request and allocate resources for creating the virtual machine without the user knowing whether the virtual machine is created using the resources of the zone 401 or the zone 402 . In another embodiment, the cloud system may allow an end user to request that a virtual machine (or other cloud resource) be allocated to a particular zone or to a particular resource 403-405 within the zone.

[0066] In this example, each zone 401-402 includes a variety of physical hardware components (or computing resources) 403-405, such as physical hosting resources (or processing resources), physical network resources, Switches, and placement of additional hardware resources that can be used to provide the customer with cloud computing services. The physical hosting resources of the cloud zones 401-402 may include one or more computer servers 403, such as the virtualization server 301 described above, which may be configured to create and host virtual machine instances. The physical network resources of the cloud zone 401 or 402 may be hardware configured to provide network services such as a firewall, a network address translator, a load balancer, a virtual private network (VPN) gateway, a Dynamic Host Configuration Protocol And / or one or more network elements 405 (e.g., network service providers) that include software. The storage resources of the cloud zones 401-402 may include storage disks (e.g., solid state drives (SSDs), magnetic hard disks, etc.) and other storage devices.

[0067] The exemplary cloud computing environment shown in FIG. 4 may also include a virtualization layer (e.g., as shown in FIGS. 1-3), a virtual machine that creates and manages virtual machines and utilizes the physical resources of the cloud Or may include additional hardware and / or software resources configured to provide services. The virtualization layer may include a hypervisor as described above in FIG. 3 and other components that provide network virtualization, storage virtualization, and the like. The virtualization layer may be a separate layer from the physical resource layer, or may share some or all of the same hardware and / or software resources as the physical resource layer. For example, the virtualization layer may include a hypervisor and physical computing resources installed in each virtualization server 403. Known cloud systems such as WINDOWS AZURE (Microsoft Corporation of Redmond Washington), AMAZON EC2 (Amazon.com Inc. of Seattle, Washington), IBM BLUE CLOUD (IBM Corporation of Armonk, New York) .

[0068] Enterprise Mobile Management Architecture

[0069] Figure 5 illustrates an enterprise mobile technology architecture 500 for use in a BYOD environment. The architecture allows a user of the mobile device 502 to access both the enterprise or personal resources of the mobile device 502 and to use the mobile device 502 for personal use. A user may access such enterprise services 508 or enterprise resources 504 using a mobile device 502 provided to the user by the enterprise or a mobile device 502 purchased by the user. The user may use the mobile device 502 for business purposes only, or for business and personal purposes. The mobile device may be run on an iOS operating system, an Android operating system, or the like. The enterprise may choose to implement a policy for managing the mobile device 504. The policies may be injected through a firewall or gateway for the manner in which the mobile device is identified, secured or secured, and is provided with optional or full access to enterprise resources. The policies may be some combination of mobile device management policies, mobile application management policies, mobile data management policies or mobile device, application and data management policies. The mobile device 504 managed through application of the mobile device management policy can be referred to as a managed device.

[0070] In some embodiments, the operating system of the mobile device may be separated into a managed partition 510 and an unmanaged partition 512. The management partition 510 may have policies that apply to it to securely secure data stored in the application and management partition running on the management partition. An application running on the management partition may be a security application. In other embodiments, all applications may be executed according to a set of one or more policy files received separately from the application, which may include one or more security parameters, features, resource limits, and / or mobile device management Define other access controls enforced by the system. By operating in accordance with each of these policy file (s), each application can be allowed or restricted to communicate with one or more other applications and / or resources, thereby creating a virtual partition. Thus, as used herein, a partition may be a portion of a physically partitioned memory (a physical partition), a portion of a logically partitioned memory (a logical partition), and / or one or more policies across multiple apps And / or virtual partitions (virtual partitions) created as a result of enforcement of policy files. In other words, by enforcing policies on managed apps, these apps can be restricted to only communicate with other managed apps and trusted enterprise resources, which can lead to unmanaged apps and devices (impenetrable) virtual partitions.

[0071] The security application may be an email application, a web browsing application, a software-as-a-service (SaaS) access application, a Windows application access application, or the like. The security application may be a secure native application 514, a secure remote application 522 executed by a secure application launcher 518, a virtualization application 526 executed by a secure application launcher 518, . The secure native application 514 may be wrapped by a secure application wrapper 520. The security application wrapper 520 may include an integration policy that runs on the mobile device 502 when the secure native application is running on the device. The secure application wrapper 520 may include metadata that points to a secure native application 514 running on the mobile device 520 to a resource hosted in the enterprise and the secure native application 514 may include a secure native application 514, < / RTI > The secure remote application 522 executed by the secure application launcher 518 may be executed within the secure application launcher application 518. [ The virtualization application 526 executed by the security application launcher 518 may utilize resources on the mobile device 502 or resources of the enterprise resources 504. [ The resources used on the mobile device 502 by the virtualization application 526 executed by the security application launcher 518 may include user interaction resources, processing resources, and the like. User interaction resources may be used to collect and transmit keyboard input, mouse input, camera input, tactile input, audio input, visual input, gesture input, and the like. The processing resources may be used for providing a user interface, processing data received from the enterprise resources 504, and so on. The resources used in the enterprise resource 504 by the virtualization application 526 executed by the security application launcher 518 may include user interface generation resources, processing resources, and the like. User Interface Creation Resources can be used to configure the user interface, change the user interface, refresh the user interface, and so on. Processing resources can be used for generating information, reading information, updating information, deleting information, and the like. For example, a virtualization application may record user interaction associated with a GUI and communicate to a server application, which will use the user interaction data as input to an application running on the server. In this configuration, the enterprise can select on the server side to maintain data and files associated with the application and application. While the enterprise may be selected to "mobilize" some applications in accordance with the principles herein by securely ensuring for deployment on a mobile device, such a configuration may also be selected for a particular application. For example, some applications may be securely secured for use on a mobile device, while other applications may not be prepared or appropriate for deployment on a mobile device, You can choose to provide access. As another example, an enterprise may have a large and complex application (e.g., a material resource planning application) having a large and complex data set, and it may be very difficult or undesirable to customize the application for the mobile device, Enterprises can choose to provide access to applications through virtualization technology. As yet another example, an enterprise may have applications that maintain highly secure data (e.g., human resource data, customer data, engineering data) that are deemed too sensitive by the enterprise even in a secure mobile environment, May choose to use virtualization technology to allow mobile access to these applications and data. An enterprise can be selected to provide a fully secure and fully functional application on a mobile device and a virtualization application that allows access to applications that are considered to operate more properly on the server side. In one embodiment, the virtualization application may store some data, files, etc. on a mobile phone of one of the secure storage locations. An entity may, for example, choose to allow specific information to be stored on the phone and not allow other information.

[0072] In connection with virtualization applications, as described herein, a mobile device may have a virtualization application designed to present a GUI and then to pass / write user interaction with the GUI. The application may communicate user interaction to the server side and may be used by the server side application as user interaction with the application. In response, the server-side application can resend a new GUI to the mobile device. For example, the new GUI may be a static page, a dynamic page, an animation, etc., and thus may provide access to remotely located resources.

[0073] The security application may access data stored in the secure data container 528 of the management partition (510) of the mobile device. The data stored in the secure data container may be accessed by secure wrapped applications 514, an application executed by security application launcher 522, a virtualization application 526 executed by secure application launcher 522, . The data stored in secure data container 528 may include files, databases, and the like. The data stored in the secure data container 528 may include data that is restricted to specific security applications 530, shared between security applications 532, and the like. The data restricted to the security application may include security general purpose data 534 and highly secure data 538. [ Secure general purpose data may utilize strong forms of encryption such as AES 128-bit encryption, and the highly secure data 538 may utilize very strong forms of encryption, such as AES 254-bit encryption. The data stored in the secure data container 528 may be deleted from the device upon receipt of an instruction from the device manager 524. The security application may have dual mode option 540. [ The dual mode option 540 may provide an option for the user to operate the secure application in the unsecured mode. In the unsecured mode, the security application can access data stored in the non-secure data container 542 on the unmanaged partition 512 of the mobile device 502. The data stored in the non-secure data container may be personal data 544. [ The data stored in the insecure data container 542 may also be accessed by an insecure application 548 running on the unmanaged partition 512 of the mobile device 502. If the data stored in the secure data container 528 is deleted from the mobile device 502, the data stored in the insecure data container 542 may remain on the mobile device 502. An enterprise may delete personal data, files and / or applications (enterprise data) that are owned, licensed, or controlled by the enterprise from the mobile device, but which are owned, licensed, You may want to keep or preserve files and / or applications (personal data). This operation can be referred to as a selective wipe. With enterprise and personal data configured in accordance with the aspects described herein, the enterprise can perform selective erasure.

The mobile device may connect to enterprise resources 504, enterprise services 508, public Internet 548, and the like in the enterprise. The mobile device may connect to the enterprise resources 504 and enterprise services 508 via a virtual private network connection. A virtual private network connection, also referred to as a micro VPN (microVPN) or an application-specific VPN, may be specific to a particular application 550, a specific device, a particular security area 552 on a mobile device, For example, each wrapping application in the secure area of the phone may access enterprise resources via an application specific VPN, and access to the VPN may be authorized based on attributes associated with the application, possibly with user or device attribute information have. Virtual private network connections can carry Microsoft Exchange traffic, Microsoft Active Directory traffic, HTTP traffic, HTTPS traffic, and application management traffic. The virtual private network connection may support and activate the single-sign-on authentication process 554. Single sign-on processes allow a user to provide a single set of authentication credentials that are later verified by authentication service 558. The authentication service 558 may then permit the user to access the multiple enterprise resources 504 without requiring the user to provide authentication credentials for each individual enterprise resource 504. [

[0075] The virtual private network connection may be established and managed by the access gateway 560. The access gateway 560 may include performance enhancement functions to manage, accelerate, and enhance delivery of enterprise resources 504 to the mobile device 502. The access gateway also allows the mobile device 502 to access the publicly available and insecure applications running on the public Internet 548 and to re-route traffic from the mobile device 502 to the public Internet 548 It is possible. The mobile device may connect to access the gateway via the transport network 562. [ The transmission network 562 may be a wired network, a wireless network, a cloud network, a local area network, an urban area network, a wide area network, a public network, a private network, and the like.

The enterprise resource 504 may include an email server, a file sharing server, a SaaS application, a web application server, a Windows application server, and the like. The email server may include an Exchange, a Lotus Notes server, and the like. The file sharing server may include a ShareFile server or the like. SaaS applications can include Salesforce. The Windows application server may include any application server or the like configured to provide an application intended to run on a local Windows operating system. The enterprise resource 504 may be a premise-based resource, a cloud-based resource, or the like. The enterprise resources 504 may be accessed directly by the mobile device 502 or through the access gateway 560. [ The enterprise resource 504 may be accessed to the mobile device 502 via the transport network 562. The transmission network 562 may be a wired network, a wireless network, a cloud network, a local area network, an urban area network, a wide area network, a public network, a private network, and the like.

The enterprise service 508 includes an authentication service 558, a threat detection service 564, a device management service 524, a file sharing service 568, a policy management service 570, a social integration services ) 572, application controller services 574, and the like. The authentication service 558 may include a user authentication service, a device authentication service, an application authentication service, a data authentication service, and the like. The authentication service 558 may use the certificate. The certificate may be stored on mobile device 502 by enterprise resource 504, and so on. The certificate stored on the mobile device 502 may be stored in an encrypted location on the mobile device and the certificate may be temporarily stored on the mobile device 502 for use at an authentication point, The threat detection service 564 may include an intrusion detection service, a non-authorized access detection service, and the like. Unauthorized access attempt detection services may include unauthorized attempts to access devices, applications, data, and so on. The device management service 524 may include configuration, provisioning, security, support, monitoring, reporting, and post-service. The file sharing service 568 may include a file management service, a file storage service, a file collaboration service, and the like. The policy manager service 570 may include a device policy manager service, an application policy manager service, a data policy manager service, and the like. The social integration service 572 may include integration with social networks such as contact integration services, collaboration services, Facebook, Twitter and LinkedIn. The application controller service 574 may include a management service, a provisioning service, a deployment service, an assignment service, a revocation service, a wrapping service, and the like.

[0078] The enterprise mobile technology architecture 500 may include an application store 578. The application store 578 may include a non-unwrapped application 580, a pre-wrapped application 582, and the like. The application may be populated from the application controller 574 to the application store 578. The application store 578 may be accessed by the mobile device 502 via the access gateway 560, via the public Internet 548, and the like. The application store can be provided with an intuitive and easy to use user interface. The application store 578 may provide access to the software development kit 584. The software development kit 584 may provide a function to the user to ensure the safety of the application selected by the user by wrapping the application as described above in this description. The wrapped application using the software development kit 584 may then be made available to the mobile device 502 by filling it into the application store 578 using the application controller 574. [

[0079] Enterprise mobile technology architecture 500 may include management and analysis functions 588. The management and analysis function 588 may provide information about the manner in which resources are used, the frequency with which they are used, and so on. Resources may include devices, applications, data, and the like. The manner in which the resource is used may include what device is downloading which application, which application is accessing which data, and so on. The frequency with which the resource is used may include how often the application was downloaded, how many times a particular set of data was accessed by the application, and so on.

[0080] FIG. 6 illustrates another exemplary enterprise mobile management system 600. Some components of the mobile management system 500 described above with reference to FIG. 5 have been omitted for simplicity. The architecture of system 600 shown in FIG. 6 is similar in many respects to the architecture of system 500 described above with respect to FIG. 5, and may include additional features not previously discussed.

In this case, the left side represents the management mobile device 602 and the client agent 604, which are interconnected by a gateway server 606 (including an access gateway and an app controller function) And access services 609 such as various corporate resources 608 as shown on the right and Exchange, Sharepoint, PKI resources, Kerberos resources, and certificate issuing services. Although not shown in detail, the management mobile device 602 may also interact with a corporate application store (StoreFront) for selecting and downloading applications.

[0082] The client agent 604 may act as a user interface (UI) intermediary for a Windows app / desktop hosted in an enterprise data center, which may be accessed using the HDX / ICA display remote protocol . The client agent 604 also supports the installation and management of native applications, such as native iOS or Android applications, on the mobile device 602. For example, the management application 610 (mail, browser, wrapping application) shown in the preceding figures are all native applications that are executed locally on the device. The client agent 604 and the application management framework of this architecture operate to provide policy based management capabilities and features, such as connectivity to enterprise resources / services 608 and single sign on (SSO). The client agent 604 handles the main user authentication to the SSO and the Access Gateway (AG) for the enterprise, usually for other gateway server components. The client agent 604 obtains the policy from the gateway server 606 to control the behavior of the management application 610 on the mobile device 602.

The secure IPC link 612 between the native application 610 and the client agent 604 represents a management channel and the client agent includes an application management framework 614 that "wraps" each application, To provide a policy to be enforced by. The IPC channel 612 also allows the client agent 604 to supply credentials and authentication information to enable connection to the enterprise resource 608 and SSO. Finally, the IPC channel 612 allows the application management framework 614 to invoke user interface functions implemented by the client agent 604, such as online and offline authentication.

[0084] Communication between the client agent 604 and the gateway server 606 is essentially an extension of the management channel from the application management framework 614 that wraps each native management application 610. The application management framework 614 requests policy information from the client agent 604 and then requests it from the gateway server 606. [ The application management framework 614 requests authentication and the client agent 604 logs to the gateway service portion of the gateway server 606 (also known as the NetScaler Access Gateway). The client agent 604 may also make a call supporting the service on the gateway server 606 and may generate an input material to derive an encryption key for the local data vault 616, A client certificate may be provided that allows for direct authentication of the resource being accessed, as will be described in more detail below.

[0085] More specifically, the application management framework 614 "wraps" each management application 610. This can be integrated through an explicit build step or through a post-build processing step. The application management framework 614 may "pair" with the client agent 604 at the initial launch of the application 610 to initialize the secure IPC channel and obtain a policy for the application. The application management framework 614 may include client agent logon dependencies and some containment policies that limit how the local OS services can be used or how they can interact with the application 610. [ The relevant part may be enforced.

[0086] The application management framework 614 may use the services provided by the client agent 604 over the secure IPC channel 612 to utilize authentication and internal network access. Key management for the private and shared data vault 616 (container) may also be managed by appropriate interaction between the management application 610 and the client agent 604. The bolt 616 may be available only after on-line authentication, or may be made available after off-line authentication if allowed by policy. The initial use of the bolt 616 requires on-line authentication, and a large number of off-line accesses may be limited to the policy refresh period before online authentication is again required.

[0087] Network access to internal resources may be generated directly from the individual management application 610 through the access gateway 606. The application management framework 614 is responsible for coordinating network access for each application 610. The client agent 604 may utilize this network connection by providing an appropriate time limited to secondary credentials obtained in subsequent online authentication. Multiple modes of network connection may be used, such as a reverse web proxy connection and an end-to-end VPN-style tunnel 618.

[0088] The mail and browser management application 610 may have a special status and may use functions that may not be generally available to any wrapping application. For example, the mail application may use a special background network access mechanism, which allows the mail application to access the exchange for extended periods of time without requiring a complete AG logon. Browser applications can use multiple private data vaults to separate different types of data.

[0089] This architecture supports the integration of various other security features. For example, in some cases the gateway server 606 (including the gateway service) will not need to validate the AD password. Whether the AD password is used as an authentication factor for some users in some situations may depend on the discretion of the enterprise. Different authentication methods may be used if the user is online or offline (i.e., connected or disconnected from the network).

[0090] Step up authentication allows the gateway server 606 to identify a management native application 610 that allows access to highly classified data requiring strong authentication, It is a feature that ensures that access to these applications is allowed only after proper authentication has been performed, even if the re-authentication is required by the user after a weak level of login.

[0091] Another security feature of this solution is the encryption of the data vault 616 (container) on the mobile device 602. The vault 616 is encrypted to protect data on all devices, including files, databases, and configurations. For an online vault, a key may be stored on the server (gateway server 606), and for an offline vault, a local copy of the key may be protected by a user password. If data is stored locally on the device 602 in the secure container 616, then a minimum AES 256 encryption algorithm is preferably used.

[0092] Other security container features may also be implemented. For example, a logging function may be included, and all security events occurring within the application 610 are logged and reported to the backend. If the application 610 detects corruption, data erasure may be supported, the associated encryption key may be written as random data, and the user data may not have any hint on the destroyed file system have. Screen shot protection is another feature that allows an application to prevent arbitrary data from being stored in the screenshot. For example, the hidden attribute of the key window may be set to YES. This causes any content currently displayed on the screen to be hidden, thereby creating a blank screen shot in which all content normally exists.

[0093] Local data transmission can be prevented, such as by preventing any data from being transmitted locally to the outside of the application container, eg, by copying or transmitting it to an external application. The keyboard cache feature may be operable to disable the auto-correction function for sensitive text fields. SSL certificate validation may be operable to enable an application to specifically validate server SSL certificates instead of storing them in the keychain. The encryption key generation feature can be used to generate a key that is used to encrypt data on the device (if offline access is required) using a passphrase supplied by the user. It can be XORed with other keys randomly generated and stored on the server side if offline access is unnecessary. The key derivation function may operate to use a KDF (key derivation function, in particular PBKDF2) instead of generating a cryptographic hash from the user password. The latter makes the key vulnerable to brute force or dictionary attack.

[0094] Also, one or more initialization vectors may be used for the encryption method. The initialization vector generates multiple copies of the same encrypted data to generate different ciphertext outputs and prevents both playback and decryption attacks. This also prevents an attacker from decrypting any data with a stolen encryption key if the concrete initial vector used to encrypt the data is not known. In addition, post-authentication decryption can be used and the application data can only be decrypted after the user is authenticated in the application. Other features may be related to sensitive data in the memory, and may be retained in memory only (if not in the disk) as needed. For example, loggin credentials are removed from memory after login, and encryption keys and other data within Objective C instance variables are not stored because they can be easily referenced. Instead, the memory can be manually assigned to them.

[0095] An inactivity timeout may be implemented, and the user's session is terminated after the inactivity of the policy-defined period.

[0096] Data leaks from the application management framework 614 may be prevented in other manners. For example, when the application 610 enters the background, the memory may be deleted after a predetermined (configurable) time period. In the background, a snapshot of the application's final display screen may be taken to freeze the foreground process. Screenshots may contain confidential data and should be removed.

[0097] Another security feature relates to the use of one time password (OTP) 620 without the use of an active directory (AD) 622 password to access one or more applications. In some cases, some users do not (or are not allowed to) know their AD password. Thus, these users can authenticate using the OTP 620, such as using a hardware OTP system such as SecurID (the OTP can be supplied by different manufacturers such as Entrust or Gemalto). In some cases, after the user authenticates with the user ID, the text is sent to the user at OTP 620. In some cases, this can only be implemented for online use that includes prompts with a single field.

[0098] Offline passwords may be implemented for offline authentication for these applications 610, where offline use is allowed through corporate policies. For example, an enterprise may want StoreFront to be accessed in this manner. In this case, the client agent 604 may request that the user set a custom offline password and that the AD password is not used. The gateway server 606 may provide policies for controlling and enforcing password criteria for the minimum length, character class configuration, age of passwords as described by standard Windows server password complexity requirements, The matter may change.

[0090] Another feature is the ability to enable client-side certificates for a particular application 610 as secondary credentials (for purposes of accessing PKI-protected web resources via the application management framework micro VPN function) ). For example, applications such as @WorkMail can use these certificates. In this case, certificate based authentication using the ActiveSync protocol may be supported, and the certificate from the client agent 604 may be retrieved by the gateway server 606 and used in the keychain. Each management application may have an associated client certificate identified by a label defined by the gateway server 606. [

[00100] The gateway server 606 may interact with a corporate-specific web service to support the issuance of client certificates to allow an associated management application to authenticate to internal PKI protected resources.

[00101] The client agent 604 and application management framework 614 may be enhanced to support obtaining and using a client certificate for authenticating to an internal PKI protected network resource. In order to meet various levels of security and / or separation requirements, more than one certificate may be supported. Certificates can be used by mail and browser management applications, and ultimately by any wrapping application (these applications can use web services style communication patterns, which is reasonable for application management frameworks to mediate https requests) .

[00102] Application management client certificate support on iOS may rely on importing a PKCS 12 Binary Large Object (BLOB) into the iOS keychain of each management application for each usage period. Application management framework Client certificate support can take advantage of the HTTPS implementation with private in-memory key storage. Client certificates will never exist in the iOS keychain, and will not last except in potentially strongly protected "online-only" data values.

[00103] The inter-SSL may also be implemented to provide additional security by requiring the mobile device 602 to authenticate to the enterprise and vice versa. A virtual smart card for authentication to the gateway server 606 may also be implemented.

[00104] Limited and full Kerberos support may be additional features. The full support feature relates to the ability to perform a full Kerberos login to the AD 622 using an AD password or a trusted client certificate and to obtain Kerberos service tickets to respond to HTTP Negotiate authentication challenges. The limited support feature relates to constrained delegation in the AFEE, where AFEE supports invoking the Kerberos protocol conversion, so it can be used to send Kerberos service tickets (mandatory delegation) in response to HTTP Negotiate authentication challenges Can be obtained and used. This mechanism works in reverse web proxy (also called CVPN) mode and when http (not https) connections are proxied in VPN and micro VPN mode.

[00105] Another feature relates to application container locking and erasing, which occurs automatically upon jail-break or routing detection and can occur as a push command from the management console, and the application 610 may not be executed Even when it is possible to include remote wipe function.

[00106] A multi-site architecture or configuration of StoreFront and App controllers may be supported, which allows users to be served from one of several different locations in case of failure.

[00107] In some cases, management applications 610 may be allowed to access the certificate and private key via an API (e.g., OpenSSL). The enterprise's trusted management applications 610 may be allowed to perform certain public key operations using the application's client certificate and private key. For example, when an application acts as a browser and does not require certificate access, when an application reads a certificate for "who am I", when an application uses a certificate to establish a secure session token, When using private keys for digital signatures (e.g., transaction logs) or temporary data encryption of data, a variety of use cases can be identified and processed.

[00108] The exemplary embodiment (s)

[00109] FIG. 7 illustrates a sample interface of a mobile device, and FIGS. 8-14 illustrate sample embodiments of methods for determining an operational mode for an application. The methods shown in Figs. 8-14 may be combined in any suitable manner in various embodiments. The sample interface shown in Figure 7 may be displayed on a mobile device such as devices 107, 109, 240, 502 and / or 602, and the methods shown in Figures 8-14 may be implemented by such mobile device .

[00110] In FIG. 8, a flow diagram of exemplary method steps for determining an application mode for an application is shown. The method of FIG. 8 may begin at step 802, where a plurality of applications are presented at step 802. For example, a plurality of applications may be presented to a user on a mobile device. Figure 7 illustrates a user interface 700 that is displayed on a mobile device (e.g., a tablet, smart phone, etc.) that presents applications A 700, B 701, C 702 and E 703 to the user An embodiment is illustrated. This is merely an example, and a plurality of applications can be presented in any suitable manner. In one embodiment, the plurality of applications may include email applications, web browsing, applications, software-as-a-service (SaaS) access applications, and the like.

[00111] The method of FIG. 8 may proceed from step 802 to step 804, and at step 804, a selection for one of a plurality of applications is received. With reference to the embodiment shown in FIG. 7, a user of the mobile device can select one of the presented applications, for example, by pressing the display of the mobile device to select the application. This is merely an example, and the application may be selected in an appropriate manner.

[00112] The method of FIG. 8 may proceed from step 804 to step 806, where at step 806, the context for the selected applications may be determined based on one or more operating parameters of the device executing the selected application . For example, the context may be based on the account to be accessed by the application, the location of the mobile device, or the network connection state of the mobile device executing the application, or may be based on any other operational parameter. The methods of FIGS. 9-13 further described below illustrate various embodiments in which the exemplary contexts are described.

[00113] The method of FIG. 8 may proceed from step 804 to step 806, and at step 806, the mode of operation for the selected application is determined based on the context. In one embodiment, the operating modes may include a management mode and an unmanaged mode, respectively, which represent a business mode and a non-business mode of the device, respectively, for example when the user performs job-related activities or personal activities. The business mode may provide access to corporate resources and may include one or more content filters and / or constraints, while the non-business mode may include content filters / Constraints (or no such content filters / constraints) and / or policies (or non-policy).

[00114] In addition, it is possible to use different sets of credentials, such as sets of credentials provided by a user or different security levels of various users, different user roles (eg, manager-to-employee employees) identified by a set of credentials, Different management modes may exist based on geographic locations, network locations, operational environment (e.g., healthcare-related management mode versus financial industry management mode) or based on any other context determination. Some modes may be based on multiple contexts, e.g., location and role. In one such combination, the first management mode may provide policies applicable to the healthcare provider, while the second management mode may apply policies applicable to the patient. Because the device is delivered between two users, the user (or software based on user behavior) can initiate a mode change when the device is delivered to a user with a different role. A new user may be required to enter appropriate credentials to change modes, for example, when changing to a more secure mode. The healthcare provider mode may provide access to a variety of patient records, resources, scheduling details, financial records and other information, while a patient mode may provide access to various patient records, resources, scheduling details, It may be limited to patient information only. Other combinations of contextual determinations may also be used.

[00115] In one embodiment, the determined context may be compared with a stored policy to determine the mode of operation. A mobile device, such as mobile device 502, may store one or more policies used to determine the mode of operation for the application. In one embodiment, the policies may be remotely stored, for example, in the policy manager 570 described above with reference to FIG. 5, or may be stored locally on the device. In one example, the context may include a selected application configured to access a secure account, e.g., an email application configured to access a secure email account. This context can be compared to stored policies. For example, a stored policy may define that an email application configured to access a secure email account should be run as a management application. The stored policy may further indicate that the email application may be operating in unmanaged mode when configured to access the device user's personal account. Additional contexts and policies will be described with respect to Figs. 9-13.

[00116] The method of FIG. 8 may proceed from step 806 to step 808, where, at step 808, the selected application is executed in a determined mode of operation. For example, the operating mode may be determined as an unmanaged mode, or may be determined as one of a plurality of management modes, and the selected application may be executed in the determined mode.

[00117] In one embodiment, the management mode of operation may include running the application as part of the management partition 510 of the mobile device 502 as described above with reference to FIG. Accordingly, the management application may be executed as secure native applications 514, secure remote applications 522 executed by the security application launcher 518, virtualized applications 526 executed by the secure application launcher 518, .

[00118] In one embodiment, an application running in the management mode may access data stored in the secure data container 528 of the management partition (physical, logical or virtual partition) 510 of the mobile device. Data stored in secure data container 528 may include data constrained to specific security / management application 530, data shared among other security / management applications, and the like. The data constrained to the security application may include security generic data 534 and high security data 538. The security features of the different levels and types may be used to distinguish the levels of security data. In one embodiment, an application running in the management mode may save, modify, or remove data in the secure data container 528. [ The saved or modified data may be encrypted similar to other data stored in secure data container 528. [

[00119] In one embodiment, an application running in the management mode may be connected to enterprise resources 504 and enterprise services 508 via virtual private network connections as described above in connection with FIG. Virtual private network connections may be specific micro VPNs for a particular application, such as a selected application, specific devices, specific security areas on a mobile device, and so on. For example, applications wrapped in the security zone of the phone can access enterprise resources via an application specific VPN, so that access to the VPN is possible with attributes associated with the application, along with user or device attribute information and policy information, Will be approved on a basis.

[00120] In one embodiment, an application running in the management mode may encrypt data transmitted from the application. For example, an application running in the management mode can communicate with the computing device via the network, and the data transferred from the application to the device can be encrypted. In addition, data communicated from the computing device to the application may also be encrypted, and an application running in the management mode may be configured to decrypt the received data.

[00121] In one embodiment, an application running in the management mode can access the secure portal. For example, an application may connect to a computing device via a network, e.g., a micro VPN, and may access a security portal that may not be accessed by non-security applications, such as applications running in an unmanaged mode.

[00122] In one embodiment, the unmanaged mode of operation is to run the application as part of the unmanaged partition 512 (physical, logical, or virtual partition) of the mobile device 502, as described above with respect to FIG. 5 ≪ / RTI > In an unmanaged mode, an application may access data stored in an insecure data container 542 on an unmanaged partition 512 of the mobile device 502. The data stored in the insecure data container may be personal data 544 have.

[00123] In one embodiment, where two or more management modes are possible, an application running in a less secure management mode may be executed similar to an application running in a more secure management mode, but not all aspects of the latter . For example, as described with reference to FIG. 5, an application running in a less secure management mode may cause information to be transmitted from the application over the encrypted network, but the application may not be able to access the secure data container 528 . In another example, an application running in a less secure management mode may access the secure data container 528, but may not be able to connect to enterprise resources 504 and enterprise services 508 via virtual private network connections . Thus, depending on the determined context, an application running in a less secure administrative mode may include aspects of an application running in a more secure administrative mode and aspects of an application running in an unmanaged mode.

[00124] In Figures 9-13, flowcharts of exemplary method steps for determining the context and mode of operation for an application are shown. In one embodiment, steps 806 and 808 of FIG. 8 may include the method steps of any one or more of FIGS. 9-13. The method of FIG. 9 begins at step 902, and at step 902, an account to be accessed by the selected application is detected. For example, the selected application may include an email application, and an email account configured to access the email application may be detected. In this example, the email application will be able to access a number of email accounts, such as a corporate email account and a personal email account, and the account configured to access the email application at run time can be determined to be a context account to be accessed.

[00125] The method of FIG. 9 may proceed from step 902 to step 904, and at step 904, the account type of the account to be accessed may be determined. The account type may include the context for the selected application. For example, the selected application may include an email application, and the email application may be configured to access a corporate account. In another example, an email application may be configured to access an individual account.

[00126] The method of FIG. 9 may proceed from step 904 to step 906, and at step 906, the account type may be compared to an account type policy. For example, the policy may define that the email application that needs to access the corporate account must be running in managed mode and that the email application that needs to access the personal account must run in unmanaged mode. The method of FIG. 9 may proceed from step 906 to step 908, and in step 908 the operating mode may be determined based on the comparison.

[00127] The method of FIG. 10 may begin at step 1002, and at step 1002, a location for the mobile device is determined. For example, a policy may be implemented by a mobile device, such as mobile device 502, according to the method of FIG. 10, and a location for the mobile device may be determined. The location may be determined by GPS, signal triangulation, or any other suitable or otherwise known method. The location may include the context for the selected application.

 [00128] The method of FIG. 10 may proceed from step 1002 to step 1004, and at step 1004, the determined location may be compared to a location policy. For example, the policy may define that when the selected application is in a specific location, e.g., in a corporate building, it runs in a more secure management mode. In one embodiment, the policy may define that when the selected application is in a particular location, for example, it runs in a less secure administrative mode when the determined location is within the United States but away from the corporate building. For example, a less secure management mode may encrypt communication with selected applications and selected applications, but not access to enterprise resources such as resources 504. [ In another embodiment, the policy may define that when the selected application is in a particular location, for example, it runs in an unmanaged mode when the determined location is outside the United States. The method of FIG. 10 may proceed from step 1004 to step 1006, and at step 1006, the mode of operation is determined based on the comparison.

[00129] Alternatively or in addition to the physical location, the network location may be used as well, or instead, to determine whether access is allowed. For example, the network location may refer to whether the user is within the data center (or a pre-approved WiFi access point) or outside the data center. Appropriate access modes may be based on this determination.

[00130] The method of FIG. 11 may begin at step 1102, and at step 1102, it is monitored whether a predetermined application is running on the device. For example, a mobile device, such as mobile device 502, may implement the method of FIG. 11 and the mobile device may be monitored to determine whether predetermined applications are running. The predetermined application may include any application that may be executed on the mobile device, such as the client agent 604 described with reference to FIG. The monitored predetermined application may include a context for the selected application.

[00131] The method of FIG. 11 may proceed from step 1102 to step 1104, where, at step 1104, the monitored application is compared to a policy. For example, the policy may define that when the predetermined application, such as the client agent 604, is running, the selected application is run in the administrative mode and the selected application is running in the unmanaged mode when the predetermined application is not running. The method of FIG. 11 may proceed from step 1104 to step 1106, and at step 1106, the mode of operation is determined based on the comparison.

[00132] The method of FIG. 12 may begin at step 1202, and at step 1202, one or more network connections are detected. For example, a mobile device such as mobile device 502 may implement the method of FIG. 12, and network connections created by the mobile device may be detected. In one example, network connections may include connecting to a cellular network, connecting to a WIFI network, or connecting to a wireless local area network (WLAN). One or more network connections may include a context for the selected application.

[00133] The method of FIG. 12 may proceed from step 1202 to step 1204, where, in step 1204, the detected network connections are compared to a network connection policy. For example, the policy may be that when the selected application is run in the management mode and the mobile device is connected to a wireless network, such as a cellular network or a WIFI network, when the mobile device is connected to an Internet network such as a WLAN inside the company, Can be defined. The method of FIG. 12 may proceed from step 1204 to step 1206, and at step 1206, the mode of operation is determined based on the comparison.

[00134] The method of FIG. 13 may begin at step 1302, and at step 1302 one or more settings for the mobile device are detected. For example, a mobile device such as mobile device 502 may implement the method of FIG. 13, and one or more settings for the mobile device may be detected. For example, whether a mobile device has a lock screen, such as a PIN required during use of the mobile device, can be detected, or whether the mobile device is jailbroken / rooted, For example, it can be detected whether the mobile device has received after-market corrections. One or more settings may include a context for the selected application.

[00135] The method of FIG. 13 may proceed from step 1302 to step 1304, where the detected settings are compared with a setting policy. For example, the policy may define that the selected application may not be running in the management mode if the mobile device does not have a lock screen or if the mobile device is jailbroken / settled. The method of FIG. 13 may proceed from step 1304 to step 1306, and at step 1306, the mode of operation is determined based on the comparison. In one embodiment, when the selected application is run in a predetermined mode, an indicator that notifies the user of the requirements that the mobile device has a lock screen, e.g., before the mobile device is allowed to run the selected application in the management mode, Lt; / RTI > Figures 9-13 illustrate a plurality of contexts, and any other suitable context and corresponding policies may be implemented.

[00136] In one embodiment, one or more of the contexts described in FIGS. 9-13 may be combined, and these contexts may be compared to a policy for the selected application. For example, the contexts for the selected application may include an account type to be accessed as a corporate email account and a detected network connection to be accessed as a cellular network. In this example, the policy may define that the selected application should be run in the management mode when the enterprise account is attempted to be accessed through the cellular network. Policies can be defined in this way because the selected application can encrypt communications with corporate email accounts and thus mitigate the risk of sending secure traffic over the cellular network.

[00137] In another example, the contexts for the selected application may include a location determined to be outside the United States and a network connection using a WLAN within the company. The policy can define that the selected application runs in managed mode when the determined location is outside the United States and the network connection is made to the WLAN inside the company. Policies can be defined this way because network connections using corporate internal WLANs mitigate the risks associated with secure communications outside the United States.

[00138] In one embodiment, one or more contexts such as those described in FIGS. 9-13 may include priorities. For example, the context for the selected application may include a determination that the mobile device is jailbroken / settled, and the policy is such that when the context displays the mobile device being jailbroken / fixed, whatever other contexts may indicate, Mode can be defined. Thus, the jailbroken / settled mobile device will cause the selected application to run in an unmanaged mode even when the mobile device is connected to a WLAN within the company or when the selected applications are attempting to access the enterprise account.

[00139] In one embodiment, the policy may indicate that the selected application is running in a less secure administrative mode, based on the plurality of contexts as described in FIGS. 9-13. For example, the contexts for the selected application may include an account type to be accessed as a corporate email account and a detected network connection to be accessed as a cellular network. In this example, the policy may define that the selected application should be run in a less secure administrative mode when the enterprise account is attempted to be accessed through the cellular network. The less secure management mode may encrypt communications with selected applications and selected applications but may not allow access to enterprise resources such as resources 504. [ Policies can be defined in this way because encrypted communications using corporate e-mail accounts can be low-risk communications and allowing access to corporate resources can be a high-risk communication.

[00140] In FIG. 14, a flow diagram of exemplary method steps for switching operational modes for an application is shown. For example, the method steps of FIG. 14 may follow the method steps of FIG. The method of FIG. 14 may begin at step 1402, and at step 1402, one or more contexts may be monitored while the selected application is running. In one embodiment, the context of one or more of the contexts described with reference to Figures 9-13 may be monitored. For example, the mobile device running the selected application may be connected to the cellular network, and while the selected application is running, the mobile device may make a new network connection with the internal WLAN.

[00141] The method of FIG. 14 may proceed from step 1402 to step 1404, wherein, at step 1404, a change in the operating mode for the selected application is detected based on the monitoring. In other words, a mobile device can detect a change in information, and this change is the basis for selecting a particular mode of operation. For example, the selected application may be running in an unmanaged mode, and once the mobile application running the selected application is connected to a WLAN within the company, the policy may define that the operational mode for the selected application should be switched to the managed mode . The method of FIG. 14 may proceed from step 1404 to step 1406, and at step 1406, the mode of operation for the selected application is switched.

[00142] In one embodiment, an administrator, such as a mobile device manager, may manage one or more mobile devices. In this example, the mobile device may be referred to as a registered device. In one embodiment, the mobile device may be managed based on software installed in a management mode, such as the client agent 604 of FIG.

In one embodiment, the client agent 604 includes a connection management software development kit (SDK), a connection manager 520, a connection / status application programming interface (API), a set of virtualization services, And a client core.

The virtualization service in the client agent architecture may include, for example, a graphics service, a desktop integration service, a multimedia service, input / output services, a smart card service, a printing service, and the like. The run-type SDK may be, for example, a stand-alone computing architecture (ICA) runtime SDK that includes an ICA engine. The platform SDK may be, for example, an ICA platform SDK or other platform SDK, and may include various subcomponents, such as a virtual channel SDK, configuration and load manager, trace subcomponent, platform abstraction SDK, have. The client core may include, for example, terminal services (e.g., a Winstation driver with a core ICA protocol), a reducer subcomponent configured to perform compression and prioritization, a multi-stream ICA, a TCP stack with session reliability, A core protocol for remote access to SSL, and a UDP subcomponent. The client core may also include implementations such as platform-specific subcomponents, such as graphics smart cards and thread support, configuration and load manager libraries, SSL SDK, and the like.

[00145] The mobile device may be registered with the enterprise system using, for example, the client agent 604. [ For example, at the registered client device 602, the client agent 604 may interact with the gateway server 606 or other access gateway to access various corporate resources 608 and services 609. [ Registering a device may involve BYOD (bring your own device) and related technologies, and may involve participating in an MDM or similar system. Registering a device in a company account (or other corporate account) may involve pushing certificates to the device and registering the device with the device management server of the enterprise system. After registration, the device may be operated by a company manager (or other group manager) using mobile device experience description (application management framework) policies and / or mobile device management (MDM) that are pushed to the device. Registered devices may also be referred to as management devices. In other words, after registration, the device may be a management device as described herein. In certain instances, in order to register the device with the enterprise system, the client agent 604 and / or the application registration token may be downloaded and installed on the device. The application registration token may be derived from the certificate of the company or other entity to which the device is to be registered. After downloading the client agent 604 and the application registration token, the device user may be prompted to open the token and add a company account (or other corporate account) to the device.

[00146] In one embodiment, a registered mobile device, such as the mobile device 502 of FIG. 5, may be managed by a service such as the device manager 524 of FIG. The device manager 524 may provide services including configuration, provisioning, security, support, monitoring, reporting and decommissioning. For example, the device manager 524 may monitor which applications are installed on the registration / management mobile device. In this example, the device manager 524 may store / access the list of black-list applications and may further determine the installation of the black-list application on the registration / management mobile device. The black-listing application may include applications that are suspected malware or any other suitable application. In another example, the device manager 524 may monitor the operational status for the registered mobile device. In this example, device manager 524 may determine that the registered mobile device has been jailbroken / settled. The device manager 524 may perform various management activities on the registered device based on these determinations.

[00147] In another example, the device manager 524 may monitor the network connection to the mobile device. In this example, the device manager 524 may determine that the registered mobile device is connected to a cellular network, a wireless local area network (WLAN), a local area network (LAN), a combination thereof, or any other suitable network. In another example, the device manager 524 may monitor the location for the mobile device. In this example, device manager 524 may determine the geographical location for the mobile device, e.g., latitude and longitude, country, state, any suitable region, or any other suitable location for the mobile device.

[00148] In another example, the device manager 524 may monitor whether a particular application is running on the mobile device. In this example, the device manager 524 may determine whether a particular application, such as the client agent 604 of FIG. 6, is running on the mobile device. The device manager 524 may perform various management activities on the registered devices based on these determinations.

[00149] In one embodiment, as described above, an application installed on a registered mobile device may be run in a managed mode or an unmanaged mode. In one embodiment, the management mode of operation may include running the application as part of the management partition 510 of the mobile device 502, as described above with reference to Fig. In one embodiment, an application running in the management mode may access data stored in the secure data container 528 of the management partition 510 of the mobile device. The data stored in the secure data container 528 may include data constrained to a particular secure application 530 that is shared among other secure applications. The data constrained to the security application may include security generic data 534 and high security data 538. Secure general purpose data may use high strength encryption such as AES 128-bit encryption, while high security data 538 may use ultra high strength encryption such as AES 254-bit encryption. Other types of encryption may be used, and other levels and other types of security measures may be applied based on different key recovery features as well as the desired level and / or desired type of security. In one embodiment, an application running in the management mode may save or modify data in the secure data container 528 or remove it. The saved or modified data may be encrypted similar to other data stored in secure data container 528. [

[00150] In one embodiment, the management mode may include an enterprise mode, and the unmanaged mode may include an individual mode. For example, when an application is running in a management mode or an enterprise mode, the application can access resources (e.g., enterprise data) stored on the security server. The device manager 524 running in the management mode may be associated with the enterprise. In this example, an application running in administrative mode may communicate with one or more servers (e.g., gateway server 606) that authorize applications accessing enterprise data. When an application is run in unmanaged mode or in private mode, the application may not be able to access enterprise data.

[00151] In one embodiment, an application that may be run in a managed mode or an unmanaged mode may leverage storage policies for storing data associated with an application. In FIG. 15, a flow diagram of exemplary method steps for managing an application running in multiple modes is shown. 15 may begin at step 1502, where at step 1502, the application is run on the mobile device in one of the managed or unmanaged modes. For example, as described above, an application that may be run in a management mode or an unmanaged mode may be run in one of these modes.

[00152] The process of FIG. 15 may proceed from step 1502 to step 1504, and at step 1504, a request to store data associated with the application is received. For example, when an application is run in the management mode, a request may be received to store security data accessed from data, e.g., a secure server (e.g., gateway server 606). In this example, as described above, the security data may include enterprise data. As another example, when an application is running in an unmanaged mode, a request to store data such as personal data may be received.

[00153] The process of FIG. 15 may proceed from step 1504 to step 1506, where, at step 1506, the data is stored on the mobile device according to the storage protocol. The storage protocol may define how the requested data is to be stored on the mobile device. For example, when the application is running in the management mode, the data can be stored according to the first protocol, and when the application is running in the unmanaged mode, the data can be stored according to the second protocol.

[00154] In one embodiment, the first storage protocol may define that the requested data may be stored in a first data container, e.g., a secure data container (e.g., secure data container 528). In this example, the data stored in the first data container may not be accessible to the application while the application is running in the unmanaged mode. In one embodiment, the second storage protocol may define that the requested data may be stored in a second data container that is different from the first data container. The second data container may comprise, for example, a universal data container storing personal data.

[00155] In one embodiment, the first storage protocol may define that the requested data may be encrypted before being stored. In this example, the data may be encrypted using the first key, and in some embodiments, the first key may be associated with a device manager (e.g., device manager 524) that manages the device. In one embodiment, the second storage protocol may define that the requested data may be encrypted before being stored using a second key different from the first key. As another example, the first storage protocol may define that the requested data can be stored unencrypted.

[00156] The stored data may be automatically updated when the storage protocol is changed or modified. For example, the policy for changing the encryption scheme used for data storage from encryption of the first type to encryption of the second type may be updated. When such a situation occurs, the mobile device can automatically decrypt the stored data based on the first type of encryption and re-encrypt the stored data based on the second type of encryption using the new or changed policy have. In this way, the stored data can always be maintained according to the current storage policy.

[00157] In one embodiment, the first storage protocol may define that the requested data may be stored in association with a managed account. An application running in administrative mode can be associated with a managed account. For example, a cloud storage application that allows access to a secure mode while running in an administrative mode may be associated with a managed account used to obtain access to secure data. The requested data can be stored in association with the management account. In one embodiment, the first storage protocol may define that the stored requested data may be managed by the device manager 524.

[00158] Thus, while the application is running in the management mode, the data can be stored according to the first protocol, as described above. While the application is running in the unmanaged mode, as described above, the data may be stored according to the second protocol.

[00159] In some embodiments, the storage type and / or storage location may depend on the operating mode in use. For example, a storage protocol or policy may specify that data is to be stored in a cloud-based storage. The storage protocol or policy may further specify that corporate or non-enterprise cloud storage should be used based on the mode of operation. When in management mode, the data can be saved to a company or other cloud storage that is provided with a predefined level of security as selected by the enterprise or policy. Alternatively, when in the management mode, the data may be saved or stored in a less secure cloud storage service or location selected by the user, for example. Exemplary embodiments may include hybrid storage policies, and in hybrid storage policies, based on specific environments of the mobile device or application, the data may be stored locally when the app is running in an unmanaged mode, Data can be stored in cloud storage while your app is running in managed mode, and vice versa.

[00160] The process of FIG. 15 may proceed from step 1506 to step 1508, and at step 1508, a signal is received to disable the mode of the application. For example, a signal may be received to disable the management mode of the application. In one embodiment, the device manager 524 may monitor the registered mobile device, detect the status for the mobile device, and send a signal to disable the management mode of the application installed on the mobile device. For example, the device manager 524 may detect that the registered mobile device is jailbroken / fixed and may decide to disable the management mode of the application based on detection. In another embodiment, the device manager 524 may detect that the blacklist application has been installed on the registered mobile device and may decide to disable the management mode of the application based on detection.

[00161] In yet another embodiment, the device manager 524 may detect that the management account associated with the application has expired or been removed and may decide to disable the management mode of the application based on detection. For example, a cloud storage application that allows access to secure data while running in an administrative mode may be associated with a managed account used to obtain access to secure data. The device manager 524 may detect that the management account has expired or has been removed and may send a signal to disable the management mode of the cloud storage application based on the detection. In one embodiment, when a signal is received to disable the management mode of the application, the application may be converted to an application that is not running in the management mode.

[00162] In one embodiment, it may be determined that based on the received signal for disabling the management mode of the application, the stored data according to the first protocol is selectively removed. For example, data stored according to the first protocol may be associated with a management mode to be disabled, and data stored according to the first protocol may be selectively removed as a portion that disables the management mode.

[00163] The process of FIG. 15 may proceed from step 1508 to step 1510 where, at step 1510, the location of the data stored on the mobile device is determined according to the protocol. For example, the device manager 524 may monitor the registered mobile device and may determine the location of the data to be stored according to the first protocol. Data stored in accordance with the first protocol may include data associated with a particular application running in the first mode, e.g., an application running in the management mode. In one embodiment, the positioned data may include enterprise data for the application.

[00164] In one embodiment, the data stored according to the first protocol may be located based on an account. For example, an account may be associated with a managed account. The application may be run in a management mode, and the stored data may be associated with a managed account. In this embodiment, the data stored according to the first protocol may be associated with a management account, and the data stored according to the first protocol may be located based on the management account.

[00165] In yet another embodiment, the data stored according to the first protocol may be located based on the storage container. For example, a secure storage container, such as secure data container 528 of FIG. 5, may be associated with data stored according to the first protocol. The application can be run in the management mode, and the stored data according to the first protocol can be stored in the secure data container. In this embodiment, the data stored according to the first protocol may be stored in the secure data container, and the stored data according to the first protocol may be located based on the storage of the secure storage container.

[00166] In another embodiment, the data stored according to the first protocol may be located based on encryption. For example, data stored according to the first protocol may be encrypted using a particular encryption, such as encryption using the first key. The application may be run in the management mode, and the stored data according to the first protocol may be encrypted based on the specific encryption. In this embodiment, the data stored according to the first protocol may be located based on the encryption for the data. In one example, the first key may be associated with the device manager 524.

[00167] The process of FIG. 15 may proceed from step 1510 to step 1512, and at step 1512, the positioned data may be selectively removed. For example, the device manager 524 may monitor the registered mobile device, determine the location of the stored data according to the first protocol on the registered mobile device, and remove the selectively positioned data. In one embodiment, selectively removing the positioned data does not remove any other data stored on the mobile device. For example, if the positioned data includes corporate data for an application, the personal data for the application may not be removed. Alternatively, access to data stored in accordance with the first protocol may be locked or blocked until the device can re-register or the application can be run again in the management mode.

[00168] In FIG. 16, a flow diagram of exemplary method steps for managing an account for an application that may be executed in multiple modes is shown. The process of FIG. 16 can be used in detecting that an installed application can be executed in multiple modes, in order to configure an application running in the management mode to access corporate resources. In addition, resources may be provisioned in advance based on specific events (e.g., a new employee may start a company life and resources may be pre-provisioned as part of the new employee procedures) Can be accelerated. 16 may begin at step 1602, where at step 1602 the mobile device is monitored for new applications. For example, device manager 524 may monitor a registered mobile device, e.g., mobile device 502, as described above. The device manager can monitor applications installed on the mobile device. In one embodiment, the device manager may periodically monitor the mobile device for installation of new applications.

[00169] The process of FIG. 16 may proceed from step 1602 to step 1604, and at step 1604 it is detected that an application capable of running in a managed mode and an unmanaged mode has been installed on the mobile device. For example, the device manager 524 may monitor the registered mobile device and may determine that an application capable of running in the management mode and the unmanaged mode is installed on the mobile device. The device manager may detect that an installed application may be run on the managed mode and on the unmanaged board based on the meta-data associated with the application or on any other suitable detection scheme.

[00170] The process of FIG. 16 may proceed from step 1604 to step 1606, where at step 1606, the resources are provisioned to communicate with the detected application. For example, a resource such as a gateway server (e.g., gateway server 560) may be provisioned to communicate with an application detected when the application is running in the management mode.

[00171] In one embodiment, management may include cloud storage resources. Cloud storage resources can store security data such as corporate data. In this example, the cloud storage resource can be provisioned to communicate with the detected application running in the management mode, so that the detected application running in the management mode can access the security data stored in the cloud storage resource after provisioning.

[00172] In one embodiment, provisioning a resource may include creating an account for the application. In this embodiment, the process of FIG. 16 may proceed from step 1604 to step 1606 where, at step 1606, an account is created for the application associated with the identification information from the mobile device. For example, the registered mobile device may be associated with the mobile device and / or may have identification information associated with the user of the mobile device. In one embodiment, the identification information may include a corporate credential, such as a login and password for the Active Directory to the enterprise. In another embodiment, the identification information may include a token associated with the enterprise. For example, the registered mobile device may receive a token, e.g., a Security Assertion Markup Language (SAML) token, or any other suitable token, from the enterprise server that identifies the user to the registered mobile device and / or the registered mobile device. The identification information may include any other suitable identification information. The device manager (e.g., device manager 524) may access the identification on the mobile device, such as a token, or the mobile device may provide identification information.

[00173] In one embodiment, an account may be created for an application that may be executed in a management mode and an unmanaged mode, associated with the identification information. In this example, the identification information may include user credentials, such as corporate credentials, tokens, or any other appropriate identifying information. In one embodiment, an account may be created based on a determination that an account associated with the identification information for the application does not already exist. For example, the server may search the account for the application based on the identification information, and the account may be created based on the server failing to retrieve the account.

[00174] In one embodiment, the generated account may be associated with a resource configured to communicate with an application running in a management mode. For example, the generated account may be associated with a cloud storage resource configured to communicate with applications running in the management mode.

[00175] The process of FIG. 16 may proceed from step 1606 to step 1608, and at step 1608, the account may be identified based on the identification information. For example, an account for a user, e.g., a user associated with a company, can be identified based on identification information, e.g., credentials for the user. The identified account may include an enterprise Active Directory account, an account associated with corporate resource rights, or any other appropriate corporate account. In one embodiment, enterprise resources can be accessed on the registered mobile device by signing on to identified accounts, as described above.

[00176] The process of FIG. 16 may proceed from step 1608 to step 1610, and at step 1610, the generated account may be linked with the identified account. For example, an account created for an application that can run in both the administrative mode and the unmanaged mode may be linked to a corporate account, such as an Active Directory account. Using the link, an application running in administrative mode can access system resources based on access rights to the identified account. For example, if the resource configured to communicate with the application running in the management mode comprises a cloud storage resource, the application running in the management mode can access the security data of the cloud storage resource based on the link.

[00177] In one embodiment, after an account is created for an application that can be executed in the management mode according to FIG. 16, the application can access the secure data based on the created account. For example, a user may log in to a created account using a credential, e.g., a login and a password or a token, for the application and the user running in the administration mode. A server, such as gateway server 560, may allow an application running in the management mode to log into an account created based on the credentials provided to the user. The application may request access to enterprise data, e. G., E-mail or secure documents for the user. The server may grant access to the application based on the linked account. For example, the linked account may include an account and / or an Active Directory account that includes access rights to the user. The application may be allowed to access enterprise data according to the access rights included in the linked account.

[00178] In one embodiment, the application may include a bring-your-own device (BYOD) and the device manager 524 may modify and / or configure the application. For example, the modification and / or configuration may include adjusting the application so that the application can be run in the management mode. For example, the application may be altered and / or configured such that data stored by the application is encrypted or stored in the secure data container while the application is running in the management mode. In another example, an application may be altered and / or configured such that an application may communicate with one or more security resources (e.g., gateway server 560) while the application is running in a management mode. In this example, as described above, the security resource may include a cloud storage resource that is provisioned to communicate with an application running in the management mode.

[00179] In one embodiment, an application store can provide an application that can be executed in a number of modes of operation. The application store can provide downloadable applications to mobile devices. For example, the mobile device may request a list of downloadable applications, and the application store may provide the requested list. The mobile device may then download one of the listed applications from the application store and install the downloaded application.

[00180] In one embodiment, an application store may provide multiple versions of an application, and may provide a version that can be executed in multiple operating modes. For example, as described above, an application store may provide a version of an application that may be run in a managed or unmanaged mode.

[00181] In FIG. 17, a flow diagram of exemplary method steps for providing a downloadable application that can be executed in multiple modes is illustrated in accordance with one embodiment. Figure 17 may begin at step 1702, and at step 1702, a request for downloadable applications is received. For example, a mobile device, such as mobile device 502, may request a list of downloadable applications from an application store.

[00182] The process of FIG. 17 may proceed from step 1702 to step 1704, and at step 1704 it is determined whether the mobile device is configured to run the application in multiple modes. For example, it may be determined whether the mobile device is configured to run an application in a management mode and an unmanaged mode.

[00183] In one embodiment, it may be determined whether the mobile device can be configured with an application management framework capable of running applications in a managed mode and an unmanaged mode. It may be determined whether the mobile device is configured with an application management framework such as application management framework 614. [

[00184] In one embodiment, determining whether the mobile device is configured with an application management framework capable of executing applications in a management mode and an unmanaged mode includes determining if a management application associated with the application management framework is installed on the mobile device For example. For example, it may be detected whether a management application, such as client agent 604, associated with an application management framework, such as application management framework 614, is installed on the mobile device. Detecting that an application, such as the client agent 604, is installed on the mobile device may allow the determination that the mobile device is configured with an application management framework that is capable of running the application in both the managed mode and the unmanaged mode.

[00185] In one embodiment, determining whether the mobile device is configured with an application management framework capable of executing applications in a management mode and an unmanaged mode means that the mobile device is managed by the device manager associated with the application management framework ≪ / RTI > For example, whether a device manager, such as device manager 524, associated with an application management framework, such as application management framework 614, manages the mobile device can be detected. Detecting that a device manager, such as the device manager 524, manages the mobile device may allow a determination that the mobile device is configured with an application management framework that is capable of running the application in a managed mode and an unmanaged mode.

[00186] The process of FIG. 17 may proceed from step 1704 to step 1706, and at step 1706, a list of downloadable applications may be transmitted to the mobile device based on the determination. For example, when it is determined that the mobile device is configured with an application management framework capable of running applications in a management mode and an unmanaged mode, a list of downloadable applications including a first version of an application executable in a management mode and an unmanaged mode May be provided. In another example, when it is determined that the mobile device is not configured as an application management framework capable of running applications in the management mode and the non-management mode, it is possible to download the first version of the application executable in the management mode and the non- A list of applications may be provided. For example, as described above, an application may include a file sharing application, and a first version of the file sharing application may include applications executable in both a managed mode and an unmanaged mode.

[00187] In one embodiment, a first version of an application executable in a managed mode and an unmanaged mode may be associated with an application management framework, such as an application management framework 614, on the mobile device. The first version of the application may be selected based on an association with an application management framework implemented by the mobile device. For example, an application store may include multiple versions of an application executable in a management mode and an unmanaged mode, and a first version of the application may be configured such that a first version is configured for execution and / or management by an application management framework So it can be selected for listing. By selecting the appropriate version of the application based on the application management framework of a given mobile device, a single application store can provide applications to various mobile devices regardless of the application management framework implemented by the device. Thus, each application management framework provider need not maintain a dedicated application store, and application developers can simply apply one or more versions of the application to a single application store for distribution.

[00188] In one embodiment, a first version of an application executable in a management mode and an unmanaged mode may be associated with a device manager that manages a mobile device, such as device manager 524. The first version of the application may be selected based on the association with the device manager. For example, an application store may include multiple versions of an application executable in a management mode and an unmanaged mode, and a first version of the application may be selected for listing based on an association with a device manager managing the mobile device have.

[00189] In one embodiment, based on the list of downloadable applications, the mobile device may download and install the application. For example, in an embodiment where the list includes a version of an application executable in a management mode and an unmanaged mode, the mobile may download a version of the application and install a version of the application. Thereafter, the mobile device may run the installed application in a managed mode or an unmanaged mode.

[00190] In another embodiment, an application installed on a registered mobile device may include an external application. For example, the registered mobile device may be a device manager (e.g., a device manager) of a mobile device, such as a general purpose application store, rather than an enterprise source associated with a device manager (e.g., device manager 524) (E.g., device manager 524). ≪ RTI ID = 0.0 > In one embodiment, the external application may include a general purpose application that is not associated with the enterprise application store.

[00191] In one embodiment, the external application may request to sign on to the corporate account and / or the enterprise server. A corporate account can include an account associated with a business, such as an account associated with Active Directory for a business. For example, the external application may include an email client and the email client may request to sign on to the corporate email account. In another example, the external application may include a cloud storage application, and the cloud storage application may request to sign on to a server that allows access to enterprise resources, such as a gateway server.

[00192] In one embodiment, a registered mobile device, such as the registered mobile device 502 of FIG. 5, may cause an external application to be installed and an external application may be installed on the same server as the gateway server 560 of FIG. You can submit a request to access your account. This may include an example of a BYOA (bring your own application) embodiment.

[00193] In one embodiment, the bring-in own application (BYOA) installed on the management mobile device may be changed and / or configured by the device manager managing the mobile device. For example, the BYOA (bring your own application) installed on the mobile device 502 may be changed by the device manager 524. The modification and / or configuration may include adjusting the application so that the application can be run in the management mode. For example, the application may be altered and / or configured such that data stored by the application is encrypted or stored in the secure data container while the application is running in the management mode. In another example, an application may be altered and / or configured such that an application may communicate with one or more security resources (e.g., gateway server 560) while the application is running in a management mode.

[00194] Although the subject matter has been described in language specific to structural features and / or methodical acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above Should be understood. Rather, the specific features and acts described above are described as exemplary implementations of the following claims, and other embodiments may be practiced. For example, various other embodiments include, but are not limited to, the following description.

[00195] One embodiment includes executing an application on a mobile device in a first mode that is a managed mode; Executing an application on a mobile device in a second mode that is an unmanaged mode, the application running in a second mode at a time that is mutually exclusive with when the application is running in the first mode; Receiving a request to store data associated with an application; Storing data according to a first protocol when the application is running in a management mode; And storing the data according to a second protocol when the application is running in an unmanaged mode. In this embodiment, the first protocol may include storing data in a first data container, and the second protocol may include storing data in a second data container that is mutually exclusive with the first data container . This embodiment may further comprise restricting access to the first data container when the application is run in an unmanaged mode. This embodiment includes a first protocol that includes encrypting the data with a first key before storing the data and at least one of encrypting the data with the second key and storing the decrypted data prior to storing the data And a second protocol including a second protocol. In some cases, the application running in the management mode is managed by the device manager in accordance with one or more policy files that are separate from the application and applicable to the plurality of applications. Some aspects may also include receiving a signal from the device manager to disable the management mode of the application. When such a situation occurs, the embodiment can, in response to the received signal, determine the location of the stored data according to the first protocol and selectively remove the positioned data. Determining the location of the stored data according to the first protocol may include determining a management account associated with the application and determining the location of the data based on the management account. In some cases, determining the location of the stored data according to the first protocol further comprises determining the location of the container storing the data according to the first protocol. In some aspects, determining the location of the stored data in accordance with the first protocol comprises: determining an encryption key associated with the first protocol; And determining the location of the data based on the determined encryption key. In some embodiments, the device manager disables the management mode in response to identifying a blacklist application installed on the mobile device. The device manager may disable the management mode in response to detecting that the management account associated with the application has expired. The device manager may disable the management mode in response to detecting that the mobile device has jailbroken or established. In some cases, selectively removing the positioned data does not remove the personal data associated with the application stored on the mobile device.

[00196] Another embodiment may include a computing device including a processor, wherein the computing device executes the application in a first mode, the first mode comprising: separating operations from a plurality of applications separated from the application and executing on the computing device A management mode operating under control of one or more policy files available for management; Executing an application in a second mode, the application executing in a second mode at a time that is mutually exclusive with when the application is running in the first mode; Receive a request to store data associated with the application; And to store the data according to the first protocol when the application is running in the first mode and to store the data according to the second protocol when the application is running in the second mode. In some aspects, the first protocol comprises storing data in a first data container, and the second protocol comprises storing data in a second data container different from the first data container. In some embodiments, the computing device is further configured to restrict access to the first data container when the application is run in an unmanaged mode. In some embodiments, the first protocol includes encrypting the data with a first key before storing the data, the second protocol encrypting the data with a second key before storing the data, and encrypting the decrypted data Or < / RTI > In some embodiments, the first mode is a first management mode, and the second mode is a second management mode managed according to at least one policy file different from the first management mode.

[00197] Yet another embodiment may include one or more non-transient computer-readable storage media storing computer-executable instructions, wherein the instructions, when executed by one or more processors of the data processing system, To execute an application in a first mode, the first mode being a management mode; Wherein the second mode is an unmanaged mode and the application is run in a second mode at a time that is mutually exclusive with when the application is running in the first mode; Receive a request to store data associated with the application; Stores the data according to the first protocol when the application is running in the management mode and stores the data according to the second protocol when the application is running in the unmanaged mode.

[00198] In another exemplary embodiment, the method includes periodically monitoring a mobile device to determine that a new software application is installed on the mobile device; Detecting that the application can be executed in both the first mode and the second mode, the first mode comprising the steps of, under the control of one or more policy files available to manage the operations of the plurality of applications separate from the application and run on the computing device Operating mode in which it operates; The resource may comprise provisioning the resource to communicate with the application only when the application is running in the first mode and to communicate with the application so that it is configured not to communicate with the application when the application is running in the second mode. In some aspects, the resource includes a cloud storage resource that stores security data. In some aspects, provisioning the resource includes provisioning the cloud data storage resource so that the application accesses secure data stored in the cloud data storage resource while the application is running in the first mode. In some aspects, the mobile device is managed by a device manager, which manages one or more policy files. In some aspects, provisioning the resource comprises creating an account from the mobile device with resources for the application associated with the identification information; Determining a location of the management account based on the identification information; And linking the managed account to the created account. In some aspects, the second mode is a second management mode that operates under control of one or more policy files that are different from the first mode. In some aspects, the first mode is associated with a first user role, and the second mode is associated with a second user role that is different from the first user role. In some aspects, the first mode is associated with a first workplace environment type, and the second mode is associated with a second workplace environment type. In some aspects, the method includes detecting that an application is running in a first mode; And allowing the application to access the secure data based on the created account. In some aspects, the method includes receiving a request from an application running in a first mode, the request including a request to access secure data; And authorizing application access to the secure data based on the created account. In some aspects, the application is distributed to the device by the enterprise.

[00199] In another exemplary embodiment, a device with a processor periodically monitors a mobile device to determine that a new software application is installed on the mobile device; Detecting that the application is executable in both the first mode and the second mode, the first mode being operable under control of one or more policy files available to manage operations of the plurality of applications separate from the application and run on the computing device Management mode; The resources are configured to communicate with the application only when the application is running in the first mode and to provision the resources to communicate with the application such that the application is configured not to communicate with the application when the application is running in the second mode. In some aspects, the resource includes a cloud storage resource that stores security data. In some aspects, provisioning the resource includes provisioning the cloud data storage resource so that the application accesses the secure data stored in the cloud data storage resource while the application is running in the first mode. In some aspects, the mobile device is managed by a device manager, which manages one or more policy files. In some aspects, provisioning the resource comprises creating an account from the mobile device with resources for the application associated with the identification information; Determining the location of the managed account based on the identification information; And linking the managed account to the created account. In some aspects, the second mode is a second management mode that operates under control of one or more policy files that are different from the first mode. In some aspects, the first mode is associated with a first user role and the second mode is associated with a second user role. In some aspects, the device detects that the application is running in the first mode; And the application is further configured to access the secured data based on the created account.

[00200] In another exemplary embodiment, the one or more non-transient computer-readable storage media stores computer-executable instructions, the computer-executable instructions being executable by one or more processors of the data processing system Periodically monitoring the mobile device to determine that a new software application is to be installed on the mobile device; Detecting that the application can be executed in both the first mode and the second mode - the first mode is a process of detecting, under control of one or more policy files available to manage operations of a plurality of applications separated from the application and executing on the computing device Operating mode in which it operates; And the resource is configured to communicate with the application only when the application is running in the first mode and to provision the resource to communicate with the application so that it is configured not to communicate with the application when the application is running in the second mode.

Claims (20)

As a method,
Receiving, from the mobile device, a request for a list of downloadable applications;
Determining whether the mobile device is comprised of an application management framework capable of running an application in both an unmanaged mode and a managed mode; And
Sending a list of downloadable applications to the mobile device,
When the application management framework is determined to be capable, the list includes a first version of the application executable in both the unmanaged mode and the managed mode, and
Wherein the list includes a second version of the application executable in the unmanaged mode and not executable in the managed mode except for the first version of the application when the application management framework is determined to be unavailable, Way. The method according to claim 1,
Wherein the step of determining whether the mobile device is configured with an application management framework capable of running an application in both an unmanaged mode and an administrative mode comprises: And detecting that the device is installed on the device. The method according to claim 1,
Wherein the first version of the downloadable application is associated with the application management framework. The method of claim 3,
The step of sending a list of downloadable applications to the mobile device further comprises selecting the first version of the application from among a plurality of versions of the application executable in both the unmanaged mode and the managed mode and,
Wherein the first version of the application is selected based on an association with the application management framework. The method according to claim 1,
Wherein the step of determining whether the mobile device is configured with an application management framework capable of running an application in both an unmanaged mode and a managed mode comprises the step of determining whether the mobile device is configured by a device manager associated with the application management framework The method further comprising: 6. The method of claim 5,
Wherein the first version of the downloadable application is associated with the device manager. The method according to claim 6,
The step of sending a list of downloadable applications to the mobile device further comprises selecting the first version of the application from among a plurality of versions of the application executable in both the unmanaged mode and the managed mode and,
Wherein the first version of the application is selected based on an association with the device manager. The method according to claim 1,
Wherein the first version of the application comprises an unmanaged application modified by an enterprise employing a user of the mobile device to operate as a management application. As a computing device,
A processor,
The computing device may, at least,
Receiving, from the mobile device, a request for a list of downloadable applications;
Determine whether the mobile device is configured as an application management framework capable of running an application in both an unmanaged mode and a managed mode; And
To the mobile device, a list of downloadable applications,
When the application management framework is determined to be available, the list includes a first version of the application executable in both the unmanaged mode and the managed mode, and
Wherein the list includes a second version of the application executable in the unmanaged mode and not executable in the managed mode except for the first version of the application when the application management framework is determined to be unavailable, Computing device. 10. The method of claim 9,
Determining whether the mobile device is configured with an application management framework capable of running applications in both an unmanaged mode and a managed mode includes detecting that a management application associated with the application management framework is installed on the mobile device Lt; / RTI > computing device. 10. The method of claim 9,
Wherein the first version of the downloadable application is associated with the application management framework. 12. The method of claim 11,
Wherein sending a list of downloadable applications to the mobile device further comprises selecting the first version of the application from among a plurality of versions of the application executable in both the unmanaged mode and the managed mode,
Wherein the first version of the application is selected based on an association with the application management framework. 10. The method of claim 9,
Wherein determining whether the mobile device is configured with an application management framework capable of running an application in both an unmanaged mode and an administrative mode includes detecting that the mobile device is managed by a device manager associated with the application management framework The computing device further comprising: 14. The method of claim 13,
Wherein the first version of the downloadable application is associated with the device manager. 15. The method of claim 14,
Wherein sending a list of downloadable applications to the mobile device further comprises selecting the first version of the application from among a plurality of versions of the application executable in both the unmanaged mode and the managed mode,
Wherein the first version of the application is selected based on an association with the device manager. 10. The method of claim 9,
Wherein the first version of the application comprises an unmanaged application modified by an enterprise employing a user of the mobile device to operate as a management application. 18. One or more non-transient computer-readable storage media storing computer-executable instructions,
The instructions, when executed by one or more processors of a data processing system,
Receiving, from the mobile device, a request for a list of downloadable applications;
Determining whether the mobile device is configured as an application management framework capable of running applications in both an unmanaged mode and a managed mode; And
Cause the mobile device to perform transmitting a list of downloadable applications,
When the application management framework is determined to be available, the list includes a first version of the application executable in both the unmanaged mode and the managed mode, and
Wherein the list includes a second version of the application executable in the unmanaged mode and not executable in the managed mode except for the first version of the application when the application management framework is determined to be unavailable, At least one non-transient computer readable storage medium. 18. The method of claim 17,
Determining whether the mobile device is configured with an application management framework capable of running applications in both an unmanaged mode and a managed mode includes detecting that a management application associated with the application management framework is installed on the mobile device One or more non-transient computer readable storage media. 19. The method of claim 18,
Wherein the first version of the downloadable application is associated with the application management framework. 20. The method of claim 19,
Wherein sending a list of downloadable applications to the mobile device further comprises selecting the first version of the application from among a plurality of versions of the application executable in both the unmanaged mode and the managed mode,
Wherein the first version of the application is selected based on an association with the application management framework.

Images