201118739

VI. Description of the Invention:

[Technical Field of the Invention]

A management system for applications and a method thereof, and in particular a management system for the applications of a virtual machine and a method thereof.

[Prior Art]

As the computing speed of computers has increased, the use of virtual machines has increased along with it. Through remote login (telnet), users could obtain the service resources of a server. Today, virtual machines can be used to provide the corresponding services on the client through a graphical interface. Please refer to "Figure 1", which is a schematic diagram of the client 110 and virtual machine architecture of the prior art.
Compared with a physical machine, the administrator can decide the hardware environment of a virtual machine and install different operating systems in it.

In contrast to the virtual machine 120, control over every piece of hardware of a physical machine is in the user's hands. The user can therefore evade the administrator's management by various means. For example, the user can remove the network cable of the physical machine to evade management. The prior art can achieve the aim of regulating software installation by managing user permissions. Because the physical resources of a virtual machine reside on the server, the user cannot evade the administrator's supervision by removing the relevant hardware.

In addition, the user can still evade management by installing or uninstalling software. Software installation on virtual machines therefore requires security control.

[Summary of the Invention]

In view of the above problems, the main purpose of the present invention is to provide a management system for the applications of a virtual machine, which controls the applications to be installed on the virtual machine.

To achieve the above purpose, the management system for the applications of a virtual machine disclosed by the present invention comprises a client and a server. The server provides several virtual machines, and each client connects to its corresponding virtual machine; when a virtual machine is initialized, a virtual machine monitoring program is started in the virtual machine; when the client issues an installation request for an application, the virtual machine monitoring program checks whether the application of the installation request is legal.
If the installation request is legal, the installation of the application is carried out; if the installation request is illegal, a disabling procedure is executed to prohibit the installation of the application.

From another aspect, the present invention proposes a management method for the applications of a virtual machine, which controls the applications to be installed on the virtual machine.

To achieve the above purpose, the management method for the applications of a virtual machine disclosed by the present invention comprises the following steps: the server provides at least one virtual machine, so that the client connects to the virtual machine; when the virtual machine is initialized, a virtual machine monitoring program is started in the virtual machine; when the client issues an installation request for an application, the virtual machine monitoring program checks whether the application of the installation request is legal; if the installation request is legal, the installation of the application is carried out; if the installation request is illegal, the installation of the application is prohibited.

The present invention provides a management system and method for the applications of a virtual machine, used to control the applications in the virtual machine, which prevents users from installing illegal software in the virtual machine. Moreover, through the operating environment of the virtual machine, users can be effectively prevented from evading the administrator's monitoring by improper means.

The features and implementation of the present invention are described in detail below with reference to the drawings and a preferred embodiment.

[Embodiments]

The present invention can be applied to a computer that provides virtual machine services (for example, a server, a personal computer, or a notebook computer). To explain the overall architecture of the present invention clearly, please refer to "Figure 2", which is a schematic diagram of the architecture of the present invention.
"Figure 2" includes the client 210, the server 220, and the application management server 230. A plurality of virtual machines 221 and a background agent 223 run on the server 220. The present invention does not limit the operating system run by the virtual machine 221 or its virtual hardware environment. The background agent 223 compares the installation request received by the virtual machine monitoring program 222 against the applications recorded in the application management server 230. The client 210 connects to the virtual machine 221 over the network and works through the operating system and applications provided by the virtual machine 221. The computer of the client 210 therefore needs at least network connectivity and input/output functions.

The application management server 230 is connected to the server over the network. The application management server 230 records data such as the types of the various legal applications, the number of licenses, and the number of installations, which makes it easy to judge whether an application installation request made by a user is legal.

When the client 210 wants to install a new application or update an application, the server 220 performs the following steps to control whether the client 210 may install or update the application. Please refer to "Figure 3", which is a schematic diagram of the operational flow of the present invention. The management method of the present invention comprises the following steps:

Step S310: the server provides at least one virtual machine, so that the client connects to the virtual machine;
Step S320: when the virtual machine is initialized, a virtual machine monitoring program is started in the virtual machine;
Step S330: when the client issues an installation request for an application, the virtual machine monitoring program checks whether the application of the installation request is legal;
Step S340: if the installation request is legal, the installation of the application is carried out; and
Step S350: if the installation request is illegal, the installation of the application is prohibited.

First, at least one virtual machine 221 is run on the server 220. Each […] For example, circuit board makers need a high-performance processor, large-capacity memory, and the corresponding […]. For a program developer, the […] capability of the virtual machine 221 need not be as demanding as what drawing software requires. Subdividing further, for […] the operating system can be a Windows operating system (2000, NT, 2003, XP, etc.) or a Linux operating system.

When the server 220 receives a connection request from the client 210, the server 220 starts a virtual machine 221 for the client 210 to connect to and operate. In the present invention the server 220 installs the virtual machine monitoring program 222 in every virtual machine 221, so that when a virtual machine 221 is initialized, the virtual machine monitoring program 222 is started in it.

While the client 210 operates the virtual machine 221, the user may install different applications. When the client 210 detects that the user wants to install an application, the client 210 issues an installation request for the application, and the virtual machine monitoring program 222 checks whether the application to be installed is legal.

If the application of the installation request is legal, the installation of the application is carried out.
Conversely, if the installation request is illegal, the installation of the application is prohibited and the installation request is reported to the server 220. When the virtual machine monitoring program 222 receives an illegal installation request, it forwards the request to the background agent 223, which sends it on to the application management server 230. The application management server 230 can check whether the application to be installed is legal.

For illegal applications, a corresponding list can be created on the application management server 230 and transmitted to the virtual machine monitoring program 222, so that the virtual machine monitoring program 222 obtains the latest version of the information in real time. For example, if the administrator prohibits the installation of instant messaging software (for example MSN, Skype, or […]) inside the enterprise, the administrator can record each instant messaging program in a blacklist on the application management server 230 and transmit it to the virtual machine monitoring program 222. When a user tries to install such instant messaging software, the virtual machine monitoring program 222 prohibits the installation and at the same time sends an alert about the attempted installation back to the server 220. Besides blocking users from installing illegal applications by means of a blacklist, a whitelist can also be used to specify the applications that users are allowed to install. In other words, only applications recorded in the whitelist can be installed, and users are always prohibited from installing applications that are not in the whitelist.

The present invention provides a management system and method for the applications of the virtual machine 221, used to control the applications in the virtual machine 221, which prevents users from installing illegal software in the virtual machine 221. Moreover, through the operating environment of the virtual machine 221, users can be effectively prevented from evading the administrator's monitoring by improper means.
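
The blacklist and whitelist decision described above, as an added Python example that is not part of the patent. The class names, matching applications by lower-cased name, and treating the recorded license count as an installation cap are assumptions; the patent does not say how an application is identified.

```python
from dataclasses import dataclass, field

@dataclass
class AppRecord:
    """One row of the management server's records for a legal application."""
    licenses: int          # authorized number of installations
    installed: int = 0     # installations counted so far

@dataclass
class Policy:
    mode: str                                      # "blacklist" or "whitelist"
    blacklist: set = field(default_factory=set)    # names that are always refused
    whitelist: dict = field(default_factory=dict)  # name -> AppRecord

class Monitor:
    """Hypothetical stand-in for the monitoring program 222 inside one VM."""
    def __init__(self, vm_id, policy):
        self.vm_id, self.policy = vm_id, policy
        self.reports = []  # refused requests, as reported back to the server 220

    def check(self, app):
        """Return (allowed, reason) for an installation request."""
        name = app.strip().lower()  # normalise so "Skype " matches "skype"
        if self.policy.mode == "blacklist":
            hit = name in self.policy.blacklist
            return (not hit, "blacklisted" if hit else "not blacklisted")
        if self.policy.mode == "whitelist":
            rec = self.policy.whitelist.get(name)
            if rec is None:
                return (False, "not on whitelist")
            if rec.installed >= rec.licenses:
                return (False, "license count exhausted")
            return (True, "whitelisted")
        return (False, "unknown policy mode")  # fail closed

    def request_install(self, user, app):
        """Allow or refuse the request; refusals are queued as reports."""
        allowed, reason = self.check(app)
        if allowed and self.policy.mode == "whitelist":
            self.policy.whitelist[app.strip().lower()].installed += 1
        if not allowed:
            self.reports.append(
                {"vm": self.vm_id, "user": user, "app": app, "reason": reason})
        return allowed

# Constructed sample policies (not taken from the patent).
deny_im = Monitor("vm-221-a", Policy("blacklist", blacklist={"msn", "skype"}))
allow_only = Monitor("vm-221-b", Policy("whitelist", whitelist={"editor": AppRecord(licenses=1)}))
```

In whitelist mode anything unlisted is refused by default, whereas blacklist mode lets through any name the list has not caught up with yet.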

Although the present invention has been disclosed above by way of the foregoing preferred embodiment, the embodiment is not intended to limit the invention. Anyone skilled in the related art may make some changes and refinements without departing from the spirit and scope of the invention; the scope of patent protection of the invention is therefore as defined by the claims appended to this specification.

[Brief Description of the Drawings]

Figure 1 is a schematic diagram of the client and virtual machine architecture of the prior art.
Figure 2 is a schematic diagram of the architecture of the present invention.
Figure 3 is a schematic diagram of the operational flow of the present invention.

[Description of Main Reference Numerals]

110 Client
120 Virtual machine
210 Client
220 Server
221 Virtual machine
222 Virtual machine monitoring program
223 Background agent
230 Application management server