(19)
(11)EP 2 771 835 B1

(12)EUROPEAN PATENT SPECIFICATION

(45)Mention of the grant of the patent:
01.01.2020 Bulletin 2020/01

(21)Application number: 12778587.1

(22)Date of filing:  18.10.2012
(51)Int. Cl.: 
G06F 21/57  (2013.01)
H04W 12/08  (2009.01)
H04L 29/06  (2006.01)
H04W 12/00  (2009.01)
H04W 4/50  (2018.01)
G06F 21/62  (2013.01)
(86)International application number:
PCT/US2012/060839
(87)International publication number:
WO 2013/062847 (02.05.2013 Gazette  2013/18)

(54)

POLICY ENFORCEMENT OF CLIENT DEVICES

ERZWINGUNG VON SICHERHEITSRICHTLINIEN VON CLIENT-GERÄTEN

APPLICATION DE POLITIQUE DE DISPOSITIFS CLIENTS


(84)Designated Contracting States:
AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

(30)Priority: 28.10.2011 US 201113284475

(43)Date of publication of application:
03.09.2014 Bulletin 2014/36

(60)Divisional application:
19199678.4

(73)Proprietor: Google LLC
Mountain View, CA 94043 (US)

(72)Inventors:
  • YIN, Li
    Redmond, Washington 98052 (US)
  • REDDAPPAGARI, Param
    Redmond, Washington 98052 (US)
  • KAMAT, Mayur
    Bothell, Washington 98021 (US)
  • ZUO, Zhengping
    Medina, WA 98039 (US)
  • ZHANG, Hong
    Redmond, Washington 98052 (US)

(74)Representative: Chettle, John Edward 
Venner Shipley LLP 200 Aldersgate
London EC1A 4HD
London EC1A 4HD (GB)


(56)References cited: : 
EP-A1- 1 780 643
EP-A2- 2 284 685
EP-A2- 2 196 933
  
  • "Network Access Control", , 19 August 2011 (2011-08-19), pages 1-4, XP055048014, Retrieved from the Internet: URL:http://en.wikipedia.org/w/index.php?ti tle=Network_Access_Control&oldid=445727945 [retrieved on 2012-12-17]
  
Note: Within nine months from the publication of the mention of the grant of the European patent, any person may give notice to the European Patent Office of opposition to the European patent granted. Notice of opposition shall be filed in a written reasoned statement. It shall not be deemed to have been filed until the opposition fee has been paid. (Art. 99(1) European Patent Convention).


Description

BACKGROUND



[0001] Hand-held mobile devices have become efficient tools for accessing information on computer networks. Employees are increasingly using their mobile devices to remotely access corporate information, applications and other resources. However, if an employee's mobile device does not adhere to a data security policy or access policy at least as stringent as an employer's policies, sensitive corporate information may be susceptible to unauthorized access. For example, if an employee loses his mobile device and the mobile device is not password protected, anyone who finds the mobile device may be able to access corporate information using the mobile device. In this context, EP 1 780 643 A1 describes a quarantine system for providing security measures for multiple client terminals connected to a network, such as an intranet. A client terminal is first connected to a quarantine network using a common certificate before connecting to a primary LAN (user network) to which servers and other facilities are connected, a security check is performed for the client terminal via the quarantine network, and the client terminal is connected to the user network using a user certificate after the security measures have been completed.

SUMMARY



[0002] In an embodiment, a method may include sending, by a client device, an access request to an authentication server device. The access request may include a request to access an administered resource. The method may include in response to the client device not complying with an administrative policy associated with the administered resource, receiving, from the authentication server device, one or more instructions regarding installation of a client application, receiving, by the client device, a client application in accordance with the instructions, and installing the client application on the client device.

[0003] In an embodiment, a method may include receiving, from a client device, an access request for an administered resource, determining whether the client device is compliant with an administrative policy associated with the administered resource, in response to the client device being compliant with the administrative policy, sending a token to the client device, and in response to the client device not being compliant with the administrative policy, sending the client device one or more instructions instructing the client device how to comply with the administrative policy.

[0004] In an embodiment, a method may include receiving, from a client device, a request to access a client application. The client application may be configured to apply an administrative policy to the client device. The method may include sending the client application to the client device and updating a client registry with information indicating that the client device is compliant with the administrative policy.

[0005] In an embodiment, a system may include an authentication server device in communication with the client device. The authentication server device may be configured to determine whether a client device is permitted to access one or more administered resources. The system may include a management server device in communication with the client device and the authentication server device. The management server device may be configured to determine whether the client device is compliant with an administrative policy that governs an ability of the client device to access the one or more administered resources.

BRIEF DESCRIPTION OF THE DRAWINGS



[0006] 

FIG. 1 illustrates a system for authenticating a client device and/or applying an administrative policy to a client device according to an embodiment.

FIGS. 2-4 illustrate methods of authenticating a client device and/or applying an administrative policy to a client device according to some embodiments.

FIG. 5 illustrates information that may be displayed on a client device regarding a client application according to an embodiment.

FIG. 6 illustrates a block diagram of internal hardware that may be used to contain or implement program instructions according to an embodiment.


DETAILED DESCRIPTION



[0007] This disclosure is not limited to the particular systems, devices and methods described, as these may vary. The terminology used in the description is for the purpose of describing the particular versions or embodiments only, and is not intended to limit the scope.

[0008] As used in this document, the singular forms "a," "an," and "the" include plural references unless the context clearly dictates otherwise. Unless defined otherwise, all technical and scientific terms used herein have the same meanings as commonly understood by one of ordinary skill in the art. Nothing in this disclosure is to be construed as an admission that the embodiments described in this disclosure are not entitled to antedate such disclosure by virtue of prior invention. As used in this document, the term "comprising" means "including, but not limited to."

[0009] For the purposes of this application, the following terms shall have the respective meanings set forth below:
A "computing device" refers to an electronic device that performs one or more operations according to one or more programming instructions.

[0010] A "client device" refers to a computing device that is configured to access one or more administered resources over a network. A client device may be a portable or mobile electronic device. A client device may include, without limitation, a computer, an Internet kiosk, a personal digital assistant, a cellular telephone, a gaming device, a desktop computer, a laptop computer, a tablet computer and/or the like.

[0011] An "authentication server device" refers to a computing device that is configured to determine whether a client device complies with an administrative policy. An authentication server device may include, without limitation, a server, a mainframe computer, a networked computer, a processor-based device, a virtual machine and/or the like.

[0012] A "management server device" refers to a computing device that is configured to apply an administrative policy to a client device. A management server device may include, without limitation, a server, a mainframe computer, a networked computer, a processor-based device, a virtual machine and/or the like.

[0013] An "administrative policy" refers to one or more rules, policies, guidelines and/or the like governing access by a client device to one or more administered resources.

[0014] An "administered resource" refers to one or more application programs that are managed by an administrator.

[0015] A "client application" refers to an application program configured to instruct a client device to perform one or more tasks.

[0016] FIG. 1 illustrates a system 100 for authenticating a client device and/or applying an administrative policy to a client device according to an embodiment. In an embodiment, one or more client devices 102 may be connected to one or more communication networks 104, 122. In an embodiment, a client device 102 may include a client memory 110. A communication network 104 may be connected to an authentication server device 106. In an embodiment, the communication network 122 may be connected to management server device 108.

[0017] In an embodiment, a communication network 104, 122 may be a local area network (LAN), a wide area network (WAN) and/or the like. For example, a communication network 104, 122 may be an extranet, an intranet, the Internet and/or the like. In an embodiment, a communication network 104, 122 may provide communication capability between the client device 102, the authentication server device 106 and/or the management server device 108.

[0018] In an embodiment, a communication network 104, 122 may use HyperText Transport Protocol (HTTP) to transport information using Transmission Control Protocol/Internet Protocol (TCP/IP). HTTP may allow client devices 102 to access resources that are available by way of a communication network 104, 122.

[0019] In an embodiment, the authentication server device 106 may include a processor 112 in communication with a computer-readable storage medium 114. The authentication server device 106 may be in communication with one or more client devices 102 and/or the management server device 108. The authentication server device 106, although depicted as a single computer system, may be implemented as a network of computer processors.

[0020] In an embodiment, the management server device 108 may include a processor 112 in communication with a computer-readable storage medium 114. The management server device 108 may be in communication with one or more client devices 102 and/or the authentication server device 106. The management server device 108, although depicted as a single computer system, may be implemented as a network of computer processors. Examples of a management server devices 108 may include servers, mainframe computers, networked computers, a processor-based device and/or the like.

[0021] In an embodiment, the authentication server device 106 and/or the management server device 108 may be in communication with a client registry 120. A client registry may include information associated with whether a client is in compliance with an administrative policy. In an embodiment, a client registry may be a database or other computer-readable storage medium. A client registry 120 may be stored on the authentication server device 106, the management server device 108 and/or another computing device.

[0022] FIG. 2 illustrates a method of authenticating a client device and applying an administrative policy to a client device according to an embodiment. In an embodiment, a client device may attempt 200 to access one or more administered resources. An administered resource may be a software application that is managed by an administrator that is not the client device user. For example, email applications, word processing applications and calendar applications may be examples of administered resources, and these resources may be managed by an employer administrator. Additional and/or alternate administrators may be used within the scope of this disclosure.

[0023] In an embodiment, a client device may attempt 200 to access an administered resource in response to a user selecting an icon, a graphic, a link or other representation of an administered resource on the client device. In an embodiment, a client device may attempt to access an administered resource in response to a client device user providing login information, such as a username and/or password, associated with an administered resource.

[0024] In an embodiment, a client device may transmit 202 an access request to an administered resource to the authentication server device. The access request may include an identifier associated with the client device that is requesting access. In an embodiment, the access request may include an administered resource or resources to which the client device is requesting access. The access request may include an encrypted password or other encrypted information.

[0025] FIG. 3 illustrates a method of authenticating a client device by an authentication server device according to an embodiment. As illustrated by FIG. 3, the authentication server device may receive 300 the access request and may verify 302 whether the client device is subject to an administrative policy. In an embodiment, an administrative policy may include one or more rules, conditions and/or the like that a client device must meet in order to access one or more administered resources. In an embodiment, an administrative policy may include one or more data security policies. Example data security policies may include remotely wiping data from lost or stolen client devices, locking idle client devices after a period of inactivity, requiring a password to access a client device, setting a minimum length for one or more client passwords, requiring passwords to have a certain format, and/or the like. In an embodiment, an administrative policy may be administered for a set of administered resources. For example, the same set of data security policies may apply to all administered resources associated with an employer. Alternatively, each administered resource may be associated with a different administrative policy. For example, a first administered resource may be associated with a first administrative policy while a second administered resource may be associated with a second administrative policy.

[0026] In an embodiment, the authentication server may verify 302 whether the client device is subject to an administrative policy by analyzing the client registry. The client registry may include a list of clients and a status associated with each. For example, the client registry may include a unique identifier associated with each client in the registry, and a status for each client as to whether the client device is compliant with an administrative policy. Exemplary unique identifiers may include a serial number or other unique alpha-numeric identifier associated with a client device. Table 1 illustrates an exemplary client registry according to an embodiment.
Table 1
Client DeviceIdentifierCompliant with Administrative
Client Device 1 245XCY23 Yes
Client Device 2 871FGB10 No
Client Device 3 3JB9082NB Yes


[0027] In an embodiment, upon receiving an access request, the authentication server may compare 304 at least a portion of information received in the access request to information in the client registry. For example, the authentication server may compare 304 the client identifier in the access request to the client registry to determine whether the client device requesting access is already subject to the administrative policy, is compliant with the administrative policy and/or the like.

[0028] In an embodiment, if the portion of information received in the access request matches information from the list of authenticated client devices and the client registry indicates that the client device is compliant with the administrative policy 306, the authentication server may send 308 the client device a token. For example, referring to Table 1, the authentication server device may send 308 Client Device 1 a token in response to receiving an access request from Client Device 1 because Client Device 1 is listed in the client registry and is identified by the client registry as being compliant with the administrative policy.

[0029] In an embodiment, a client device may receive 204 the token from the authentication server device. In an embodiment, the client device may 206 use the token to access one or more administered resources. In an embodiment, only those devices having a token may be allowed to access the one or more administered resources.

[0030] In an embodiment, if the portion of information received in the access request does not match information from the client registry 310, a notification may be sent 312 to an administrator. The notification may request that the administrator approve or deny the request. For example, an email that includes information regarding the access request may be sent to an administrator. The administrator may be asked to approve or deny the request. If the request is denied, the client user may be informed that access has been denied. If the request is approved, the authentication server device may send 314 the client device one or more instructions as described below.

[0031] In an embodiment, if the portion of information received in the access request does not match information from the client registry 310, or if the portion of information matches information from the client registry but the client registry indicates that the client is not compliant with the administrative policy 318, the authentication server may send 314 the client device one or more instructions. For example, referring to Table 1, the authentication server device may send 314 Client Device 4 one or more instructions in response to receiving an access request from Client Device 4 because a unique identifier associated with Client Device 4 is not included in the client registry. As another example, the authentication server device may send 314 Client Device 2 one or more instructions in response to receiving an access request from Client Device 2 because the client registry indicates that Client Device 2 is not compliant with the administrative policy.

[0032] In an embodiment, the one or more instructions may be received 208 by the client device. The instructions may instruct 210 the client device and/or a user of the client device how the client device can conform to the administrative policy. For example, the one or more instructions may instruct 210 the client device to download a client application from a certain location to the client device in order to apply the administrative policy to the client device. In an embodiment, the one or more instructions may cause text to be displayed on a display of the client device. The text may inform a user of the client device how to apply the administrative policy to the client device. For example, the text may inform a user that a client application must be downloaded from a certain location in order to apply the administrative policy to the client.

[0033] In an embodiment, a client application may send 212 a request to a management server device to obtain the client application. The request may be received 400 by the management server device. The management server device may store the client application in memory associated with the management server device. In an embodiment, a client device may send 212 a request to a management server device in response to a user selecting an icon, a graphic, a link or other representation associated with the client application. For example, a user may select an icon associated with the client application from a webpage, such as an application marketplace and/or the like. In an embodiment, a user may be required to purchase the client application. In an alternate embodiment, a user may receive the client application free of charge.

[0034] In an embodiment, the management server device may send 402 the client application to the client device which may receive 214 the client application. The client application may be installed 216 on the client device and may communicate 218 with the management server device. For example, the client device may register with the management server device. In an embodiment, a user of a client device may provide registration information to the management server device. Registration information may include a unique identifier associated with the client device, a telephone number associated with the client device, a user's name, a user's address and/or the like. In an embodiment, registration information may be automatically provided by the client device without user interaction.

[0035] In an embodiment, the management server device may store 404 registration information associated with one or more client devices that have received the client application. In an embodiment, the management server device may store 404 at least a portion of the registration information in the client registry. For example, if a client not already included in the client registry downloads a client application, the management server device may add information regarding the client device, such as, for example, a unique identifier, to the client registry. The management server device may also add an indication to the client registry that the client device is compliant with the administrative policy.

[0036] In an embodiment, the client application may apply 220 one or more of the policies of the administrative policy associated with the client application to the client. For example, if access to the client device does not require a password, the client application may prompt a user to enter a password for the client device. Similarly, if a password for a client device does not meet a minimum length or format as required by an administrative policy, the client application may require a client device user to provide a password that meets such requirements. In an embodiment, the client application may force a password reset. The password may be reset by the client device user, or it may be provided by the administrator.

[0037] In an embodiment, the client application may automatically lock the client device in response to the client operating in a sleep mode or other idle mode for a period of time. In an embodiment, the client application may prevent the client device from operating in a sleep or other idle mode.

[0038] In an embodiment, a client application may delete, erase or otherwise remove information from a client device. For example, a client application may perform a factory reset on a client device. A client application may remove information from a client device in response to receiving one or more instructions from the management server device. In an embodiment, the management server device may send the client application instructions to remove data if the client device is reported as lost or stolen. In an embodiment, the management server device may send the client application instructions to remove data if a client device's user becomes unaffiliated with the administrator. For example, an employer may want to remove information from an employee's client device if the employee quits, is fired or otherwise stops work for the employer. As such, a former employee may continue to use his or her personal client device even after his or her employment is terminated. In an embodiment, information may be removed from a client device without providing any notice or receiving any confirmation from a client device user.

[0039] FIG. 5 illustrates exemplary information that may be displayed on a client device regarding a client application according to an embodiment. As illustrated by FIG. 5, the information may include one or more current administrative policies that apply to the client device 500 and/or a date and/or time 502 of the most recent administrative policy update.

[0040] In an embodiment, the client application may communicate 222 one or more features of the client device to the management server device. For example, the client application may communicate 222 to the management server device a phone number associated with the client device, a serial number associated with the client, whether a call to or from the client device is active, a phone number associated with a telephone that called the client device, a phone number associated with a telephone that the client device called, a location, such as a GPS location, of the client device and/or the like. In an embodiment, the client application may allow a remote device, such as for example, the management server device to write to client memory, such as USB storage, an SD card, and/or the like. In an embodiment, the management server device may monitor failed login attempts to client. The client application may require that a password associated with the client device be reset in response to a certain number of sequential failed login attempts.

[0041] In an embodiment, updates to an administrative policy may be provided 406 to a client device. For example, if an administrative policy is changed, the management server device may send 406 the updated administrative policy to a client device. In an alternate embodiment, a client device may periodically or regularly query the management server device, or another device, for updates to an administrative policy.

[0042] In an embodiment, the client application may instruct 224 the client device to send a communication to the management server device at certain response times. For example, the client application may instruct 224 the client device to send a communication to the management server device after every three hours. In an alternate embodiment, the client application may instruct 224 the client device to send a communication to the management server device at one or more times. For example, the client application may instruct 224 the client device to send a communication to the management server device at 12:00 A.M., 6:00 A.M, 12:00 P.M. and 6:00P.M. every day. Additional and/or alternate times and/or time periods may be used within the scope of this disclosure.

[0043] In an embodiment, a management server device may determine 406 whether a communication has been received by a client device. For example, a management server device may determine 406 whether a communication has been received by a client device at a certain time, within a certain time period and/or the like. If the client device fails to send one or more communications to the management server, the client application may have been uninstalled or otherwise removed from the client device or may be faulty. In either case, a risk exists that the client device is no longer compliant with the administrative policy.

[0044] In an embodiment, the management server device may maintain 408 the status of a client device in the client registry as compliant with the administrative policy so long as the management server device receives a communication from the client device by the response time or within a certain time period after the response time. For example, if the client device is scheduled to send a communication to the management server device at 12:00 P.M., the management server device may maintain 408 the status of the client device in the client registry as compliant if the management server device receives a communication from the client device between 11:58 A.M. and 12:02 P.M. Additional and/or alternate time periods may be used within the scope of this disclosure.

[0045] In an embodiment, the management server device may change 410 a status of a client device in the client registry to non-compliant with the administrative policy if the management server device fails to receive one or more communications from the client device by a response time or within a time period after the response time. For example, the management server device may change 410 the status of a client device to non-compliant in the client registry if the management server device does not receive a communication from a client device by a response time or within a time period from the response time. In an embodiment, the management server device may change 410 the status of a client device to non-compliant in the client registry if a certain number of communications are not received from a client device during a time period. For example, the management server device may change 410 the status of a client device to non-compliant in the client registry if it does not receive three communications from a client device within a 24 hour time period. In an embodiment, the management server device may change 410 the status of a client device to non-compliant in the client registry if it does not receive a certain percentage of communications from a client device during a time period. For example, the management server device may change 410 the status of a client device to non-compliant in the client registry if it does not receive at least 90% of communications from the client device within a 24 hour time period. In an embodiment, the management server device may change 410 the status of a client device to non-compliant in the client registry if it does not receive a certain number of sequential communications from a client device. For example, the management server device may change 410 the status of a client device to non-compliant in the client registry if it does not receive two communications in a row from the client device.

[0046] In an embodiment, the management server device may change 410 the status of a client device to non-compliant with an administrative policy in response to the client device being reported lost or stolen, or in response to a user of the client device becoming unaffiliated with the administrator. For example, if an employee client device user is no longer employed by an employer administrator, the management server device may change the status of the client device to non-compliant in the client registry.

[0047] In an embodiment, after the client application is installed on the client device, the client device may transmit 202 an access request to an administered resource to the authentication server device. The authentication server device may verify 302 that the client device is in compliance with the administrative policy and, if so, may send 308 the client device a token that the client device may use to access the requested administered resources.

[0048] FIG. 6 depicts a block diagram of exemplary hardware that may be used to contain or implement program instructions according to an embodiment. A bus 600 serves as the main information pathway interconnecting the other illustrated components of the hardware. CPU 605 is the central processing unit of the system, performing calculations and logic operations required to execute a program. Read only memory (ROM) 610 and random access memory (RAM) 615 constitute exemplary memory devices.

[0049] A controller 620 interfaces with one or more optional memory devices 625 to the system bus 600. These memory devices 625 may include, for example, an external or internal DVD drive, a CD ROM drive, a hard drive, flash memory, a USB drive or the like. As indicated previously, these various drives and controllers are optional devices.

[0050] Program instructions may be stored in the ROM 610 and/or the RAM 615. Optionally, program instructions may be stored on a tangible computer readable storage medium such as a hard disk, compact disk, a digital disk, flash memory, a memory card, a USB drive, an optical disc storage medium, such as Blu-ray™ disc, and/or other recording medium.

[0051] An optional display interface 630 may permit information from the bus 600 to be displayed on the display 635 in audio, visual, graphic or alphanumeric format. Communication with external devices may occur using various communication ports 640. An exemplary communication port 640 may be attached to a communications network, such as the Internet or an intranet.

[0052] The hardware may also include an interface 645 which allows for receipt of data from input devices such as a keyboard 650 or other input device 655 such as a mouse, a joystick, a touch screen, a remote control, a pointing device, a video input device and/or an audio input device.

[0053] It will be appreciated that various of the above-disclosed and other features and functions, or alternatives thereof, may be desirably combined into many other different systems or applications. Also that various presently unforeseen or unanticipated alternatives, modifications, variations or improvements therein may be subsequently made by those skilled in the art which are also intended to be encompassed by the following claims.


Claims

1. A method comprising:

sending, by a client device (102), a first access request to an authentication server device (106) that maintains a client registry (120) indicating a unique identifier of the client device (102) and a status associated with the unique identifier indicating whether the client device (102) is compliant with an administrative policy, wherein the first access request includes the unique identifier of the client device (102) and comprises a request to access an administered resource that is subject to the administrative policy which governs access to the administered resource;

in response to the client device (102) not complying with the administrative policy associated with the administered resource, based on the status of the client registry (120) indicating that the client device (102) is not compliant with the administrative policy:

receiving, by the client device (102) and from the authentication server device (106), one or more instructions regarding installation of a client application that instruct, at least one of the client device (102) or a user of the client device (102), how to conform the client device (102) to the administrative policy,

receiving, by the client device (102), the client application in accordance with the one or more instructions, and

installing the client application on the client device (102), such that client device (102) is compliant with the administrative policy;

the method further comprising:

sending, by the client device (102), a second access request including the unique identifier of the client device (102) to the authentication server device (106);

receiving, by the client device (102), based on the status associated with the unique identifier in the client registry (120) that indicates the client device (102) is compliant with the administrative policy, a token that provides access to the administered resource;

accessing, using the token, the administered resource;

receiving, by the client device (102), at least one instruction to send a communication to a management server device (108) within a certain time period or at a certain time; and

sending, by the client device (102), the communication to the management server device (108) within the certain time period or at the certain time, such that the client device (102) has access to the administered resource.


 
2. The method of claim 1, further comprising:
sending a request for the client application to a management server device (108), wherein receiving a client application comprises receiving the client application from the management server device (108).
 
3. The method of claim 1, wherein the client application is configured, based on the administrative policy, to perform one or more of the following:

cause a password to be required to access the client device (102);

cause the password to meet one or more format requirements;

force a password reset for the client device (102);

automatically lock the client in response to the client operating in idle mode for a period of time; and

prevent the client device (102) from operating in idle mode.


 
4. The method of claim 1, further comprising:

receiving, by the client device (102), at least one instruction that causes the client device (102) to remove data from the client device (102); and

removing, by the client device (102) and based on the at least one instruction, the data.


 
5. The method of claim 1, further comprising:
after not sending, by the client device (102), a subsequent communication to the management server device (108) within the certain time period or at the certain time, sending, by the client device (102), a third access request to access the administered resource.
 
6. The method of claim 5, further comprising:
determining, by the client device (102) that access is denied to the administered resource.
 
7. The method of claim 1, wherein the client application is configured to communicate one or more of the following client device features to a management server device (108):

a phone number associated with the client device (102);

a serial number associated with the client device (102);

an indication of whether a call to or from the client device (102) is active; and

a location associated with the client device (102).


 
8. A device comprising:
at least one processor, and at least one module operable by the at least one processor to perform the method recited by any of claims 1-7.
 
9. A computer-readable storage medium encoded with instructions that, when executed, cause at least one processor of a computing device to perform the method recited by any of claims 1-7.
 
10. A system comprising:

an authentication server device (106) in communication with a client device (102), wherein the authentication server device (106) maintains a client registry (120) indicating a unique identifier of the client device (102) and a status associated with the unique identifier indicating whether the client device (102) is compliant with an administrative policy and determines whether the client device (102) is permitted to access one or more administered resources, wherein a first processor (112) of the authentication server device sends a token to the client device (102) in response to determining that the client device (102) is permitted to access the one or more administered resources; and

a management server device (108) in communication with the client device (102) and the authentication server device (106), wherein the management server device (108) determines whether the client device (102) is compliant with the administrative policy that governs an ability of the client device (102) to access the one or more administered resources,

wherein the authentication server device (106) and the client device (102) are configured such that:
in response to the client device (102) not complying with the administrative policy associated with the administered resource, based on the status of the client registry (120) indicating that the client device (102) is not compliant with the administrative policy:

receiving, by the client device (102) and from the authentication server device (106), one or more instructions regarding installation of a client application that instruct, at least one of the client device (102) or a user of the client device (102), how to conform the client device (102) to the administrative policy,

receiving, by the client device (102), the client application in accordance with the one or more instructions, and

installing the client application on the client device (102), such that client device (102) is compliant with the administrative policy;

sending, by the client device (102), a second access request including the unique identifier of the client device (102) to the authentication server device (106);

receiving, by the client device (102), based on the status associated with the unique identifier in the client registry (120) that indicates the client device (102) is compliant with the administrative policy, a token that provides access to the administered resource;

accessing, using the token, the administered resource;

receiving, by the client device (102), at least one instruction to send a communication to a management server device (108) within a certain time period or at a certain time; and

sending, by the client device (102), the communication to the management server device (108) within the certain time period or at the certain time, such that the client device (102) has access to the administered resource.


 
11. The system of claim 10, further comprising a client registry (120) in communication with the authentication server device (106) and the management server device (108), wherein the client registry (120) comprises information regarding compliance of one or more client devices (102) with the administrative policy.
 
12. The system of claim 10, wherein the management server device (108) is further configured to update the client registry (120) with an indication that the client is non-compliant with the administrative policy if the management server device (108) does not receive a communication from the client device (102) within a period of time.
 


Ansprüche

1. Verfahren, umfassend:

Senden, durch ein Client-Gerät (102), einer ersten Zugriffsanforderung an ein Authentifizierungsservergerät (106), das ein Client-Register (120) verwaltet, das eine eindeutige Kennung des Client-Geräts (102) und einen der eindeutigen Kennung zugeordneten Status, der angibt, ob das Client-Gerät (102) eine Verwaltungsrichtlinie erfüllt, angibt, wobei die erste Zugriffsanforderung die eindeutige Kennung des Client-Geräts (102) beinhaltet und eine Anforderung für einen Zugriff auf eine verwaltete Ressource, die der Verwaltungsrichtlinie, die den Zugriff auf die verwaltete Ressource regelt, unterliegt, umfasst;

in Reaktion darauf, dass das Client-Gerät (102) die der verwalteten Ressource zugeordnete Verwaltungsrichtlinie nicht erfüllt, basierend auf dem Status des Client-Registers (120), der angibt, dass das Client-Gerät (102) die Verwaltungsrichtlinie nicht erfüllt:

Empfangen, durch das Client-Gerät (102) und von dem Authentifizierungsservergerät (106), einer oder mehrerer Anweisungen bezüglich der Installation einer Client-Anwendung, die zumindest eines von dem Client-Gerät (102) oder einem Benutzer des Client-Geräts (102) anweisen, wie das Client-Gerät (102) an die Verwaltungsrichtlinie angepasst werden kann,

Empfangen, durch das Client-Gerät (102), der Client-Anwendung gemäß der einen oder den mehreren Anweisungen, und

Installieren der Client-Anwendung auf dem Client-Gerät (102), sodass das Client-Gerät (102) die Verwaltungsrichtlinie erfüllt;

das Verfahren ferner umfassend:

Senden, durch das Client-Gerät (102), einer zweiten Zugriffsanforderung, die die eindeutige Kennung des Client-Geräts (102) beinhaltet, an das Authentifizierungsservergerät (106);

Empfangen, durch das Client-Gerät (102), basierend auf dem der eindeutigen Kennung in dem Client-Register (120) zugeordneten Status, der angibt, dass das Client-Gerät (102) die Verwaltungsrichtlinie erfüllt, eines Tokens, das einen Zugriff auf die verwaltete Ressource bereitstellt;

Zugreifen, unter Nutzung des Tokens, auf die verwaltete Ressource;

Empfangen, durch das Client-Gerät (102), zumindest einer Anweisung zum Senden einer Kommunikation innerhalb eines bestimmten Zeitraums oder zu einem bestimmten Zeitpunkt an ein Verwaltungsservergerät (108); und

Senden, durch das Client-Gerät (102), der Kommunikation innerhalb des bestimmten Zeitraums oder zu dem bestimmten Zeitpunkt an das Verwaltungsservergerät (108), sodass das Client-Gerät (102) Zugriff auf die verwaltete Ressource hat.


 
2. Verfahren nach Anspruch 1, ferner umfassend:
Senden einer Anfrage nach der Client-Anwendung an ein Verwaltungsservergerät (108), wobei das Empfangen einer Client-Anwendung ein Empfangen der Client-Anwendung von dem Verwaltungsservergerät (108) umfasst.
 
3. Verfahren nach Anspruch 1, wobei die Client-Anwendung, basierend auf der Verwaltungsrichtlinie, konfiguriert ist, eines oder mehrere der folgenden durchzuführen:

zu veranlassen, dass ein Passwort erforderlich ist, um auf das Client-Gerät (102) zuzugreifen;

zu veranlassen, dass das Passwort eine oder mehrere Formatanforderungen erfüllt;

das Zurücksetzen des Passworts für das Client-Gerät (102) zu erzwingen;

den Client, in Reaktion auf den Betrieb des Clients über einen Zeitraum hinweg im Leerlaufmodus, automatisch zu sperren; und

zu verhindern, dass das Client-Gerät (102) im Leerlaufmodus betrieben wird.


 
4. Verfahren nach Anspruch 1, ferner umfassend:

Empfangen, durch das Client-Gerät (102), zumindest einer Anweisung, die das Client-Gerät (102) veranlasst, Daten vom Client-Gerät (102) zu entfernen; und

Entfernen der Daten durch das Client-Gerät (102) und basierend auf der zumindest einen Anweisung.


 
5. Verfahren nach Anspruch 1, ferner umfassend:
nach einem Nichtsenden, durch das Client-Gerät (102), einer nachfolgenden Kommunikation innerhalb des bestimmten Zeitraums oder zu dem bestimmten Zeitpunkt an das Verwaltungsservergerät (108), Senden, durch das Client-Gerät (102), einer dritten Zugriffsanforderung für einen Zugriff auf die verwaltete Ressource.
 
6. Verfahren nach Anspruch 5, ferner umfassend:
Ermitteln, durch das Client-Gerät (102), dass ein Zugriff auf die verwaltete Ressource verweigert wird.
 
7. Verfahren nach Anspruch 1, wobei die Client-Anwendung konfiguriert ist, eines oder mehrere der folgenden Client-Gerät-Merkmale an ein Verwaltungsservergerät (108) zu übermitteln:

eine dem Client-Gerät (102) zugeordnete Telefonnummer;

eine dem Client-Gerät (102) zugeordnete Seriennummer;

eine Angabe darüber, ob ein Anruf an das oder von dem Client-Gerät (102) aktiv ist; und

einen dem Client-Gerät (102) zugeordneten Standort.


 
8. Gerät, umfassend:
zumindest einen Prozessor und zumindest ein Modul, das durch den einen oder die mehreren Prozessoren betreibbar ist, um das Verfahren nach einem der Ansprüche 1-7 durchzuführen.
 
9. Computerlesbares Speichermedium, das mit Anweisungen codiert ist, die, bei Ausführung, den zumindest einen Prozessor eines Computergeräts veranlassen, das Verfahren nach einem der Ansprüche 1-7 durchzuführen.
 
10. System, umfassend:

ein Authentifizierungsservergerät (106) in Kommunikation mit einem Client-Gerät (102), wobei das Authentifizierungsservergerät (106) ein Client-Register (120) verwaltet, das eine eindeutige Kennung des Client-Geräts (102) und einen der eindeutigen Kennung zugeordneten Status, der angibt, ob das Client-Gerät (102) eine Verwaltungsrichtlinie erfüllt, angibt, und ermittelt, ob das Client-Gerät (102) auf eine oder mehrere verwaltete Ressourcen zugreifen darf, wobei ein erster Prozessor (112) des Authentifizierungsservergeräts, in Reaktion auf ein Ermitteln, dass das Client-Gerät (102) auf die eine oder die mehreren verwalteten Ressourcen zugreifen darf, ein Token an das Client-Gerät (102) sendet; und

ein Verwaltungsservergerät (108) in Kommunikation mit dem Client-Gerät (102) und dem Authentifizierungsservergerät (106), wobei das Verwaltungsservergerät (108) ermittelt, ob das Client-Gerät (102) die Verwaltungsrichtlinie, die eine Fähigkeit des Client-Geräts (102), auf die eine oder die mehreren verwalteten Ressourcen zuzugreifen, regelt, erfüllt,

wobei das Authentifizierungsservergerät (106) und das Client-Gerät (102) für Folgendes konfiguriert sind:
in Reaktion darauf, dass das Client-Gerät (102) die der verwalteten Ressource zugeordnete Verwaltungsrichtlinie nicht erfüllt, basierend auf dem Status des Client-Registers (120), der angibt, dass das Client-Gerät (102) die Verwaltungsrichtlinie nicht erfüllt:

Empfangen, durch das Client-Gerät (102) und von dem Authentifizierungsservergerät (106), einer oder mehrerer Anweisungen bezüglich der Installation einer Client-Anwendung, die zumindest eines von dem Client-Gerät (102) oder einem Benutzer des Client-Geräts (102) anweisen, wie das Client-Gerät (102) an die Verwaltungsrichtlinie angepasst werden kann,

Empfangen, durch das Client-Gerät (102), der Client-Anwendung gemäß der einen oder den mehreren Anweisungen, und

Installieren der Client-Anwendung auf dem Client-Gerät (102), sodass das Client-Gerät (102) die Verwaltungsrichtlinie erfüllt;

Senden, durch das Client-Gerät (102), einer zweiten Zugriffsanforderung, die die eindeutige Kennung des Client-Geräts (102) beinhaltet, an das Authentifizierungsservergerät (106);

Empfangen, durch das Client-Gerät (102), basierend auf dem der eindeutigen Kennung in dem Client-Register (120) zugeordneten Status, der angibt, dass das Client-Gerät (102) die Verwaltungsrichtlinie erfüllt, eines Tokens, das einen Zugriff auf die verwaltete Ressource bereitstellt;

Zugreifen, unter Nutzung des Tokens, auf die verwaltete Ressource;

Empfangen, durch das Client-Gerät (102), zumindest einer Anweisung zum Senden einer Kommunikation innerhalb eines bestimmten Zeitraums oder zu einem bestimmten Zeitpunkt an ein Verwaltungsservergerät (108); und

Senden, durch das Client-Gerät (102), der Kommunikation innerhalb des bestimmten Zeitraums oder zu dem bestimmten Zeitpunkt an das Verwaltungsservergerät (108), sodass das Client-Gerät (102) Zugriff auf die verwaltete Ressource hat.


 
11. System nach Anspruch 10, ferner umfassend ein Client-Register (120) in Kommunikation mit dem Authentifizierungsservergerät (106) und dem Verwaltungsservergerät (108), wobei das Client-Register (120) Informationen bezüglich einer Erfüllung der Verwaltungsrichtlinie durch eines oder mehrere Client-Geräte (102) umfasst.
 
12. System nach Anspruch 10, wobei das Verwaltungsservergerät (108) ferner konfiguriert ist, das Client-Register (120) mit einer Angabe darüber, dass der Client die Verwaltungsrichtlinie nicht erfüllt, zu aktualisieren, wenn das Verwaltungsservergerät (108) innerhalb eines Zeitraums keine Kommunikation von dem Client-Gerät (102) empfängt.
 


Revendications

1. Procédé comprenant :

l'envoi, par un dispositif client (102), d'une première demande d'accès à un dispositif serveur d'authentification (106) qui maintient un registre client (120) indiquant un identifiant unique du dispositif client (102) et un statut associé à l' identifiant unique indiquant si le dispositif client (102) est conforme à une politique administrative, dans lequel la première demande d'accès comprend l'identifiant unique du dispositif client (102) et comprend une demande d'accès à une ressource administrée qui est soumise à la politique administrative qui régit l'accès à la ressource administrée ;

en réponse au dispositif client (102) non conforme à la politique administrative associée à la ressource administrée, sur base du statut du registre client (120) indiquant que le dispositif client (102) n'est pas conforme à la politique administrative :

la réception, par le dispositif client (102) et depuis le dispositif serveur d'authentification (106), d'une ou plusieurs instructions concernant l'installation d'une application client qui instruit, au moins un du dispositif client (102) ou d'un utilisateur du dispositif client (102), à comment conformer le dispositif client (102), à la politique administrative,

la réception, par le dispositif client (102), de l'application client conformément à la ou aux instructions, et

l'installation de l'application client sur le dispositif client (102), de sorte que le dispositif client (102) soit conforme à la politique administrative ;

le procédé comprenant en outre :

l'envoi, par le dispositif client (102), d'une deuxième demande d'accès comprenant l'identificateur unique du dispositif client (102) au dispositif serveur d'authentification (106) ;

la réception, par le dispositif client (102), sur base de l'état associé à l'identifiant unique dans le registre client (120) indiquant que le dispositif client (102) est conforme à la politique administrative, d'un jeton qui fournit un accès à la ressource administrée ;

l'accès, à l'aide du jeton, à la ressource administrée ;

la réception, par le dispositif client (102), d'au moins une instruction pour envoyer une communication à un dispositif serveur de gestion (108) dans une certaine période de temps ou à un certain moment ; et

l'envoi, par le dispositif client (102), de la communication au dispositif serveur de gestion (108) dans la certaine période de temps ou à au certain moment, de sorte que le dispositif client (102) ait accès à la ressource administrée.


 
2. Procédé selon la revendication 1, comprenant en outre :
l'envoi d'une demande pour l'application client à un dispositif serveur de gestion (108), dans lequel la réception d'une application client comprend la réception de l'application client à partir du dispositif serveur de gestion (108).
 
3. Procédé selon la revendication 1, dans lequel l'application client est configurée, sur base de la politique administrative, pour exécuter un ou plusieurs des éléments suivants :

amener un mot de passe à être demandé pour accéder au dispositif client (102) ;

amener le mot de passe à répondre à une ou plusieurs exigences de format ;

forcer une réinitialisation du mot de passe pour le dispositif client (102) ;

verrouiller automatiquement le client en réponse au fonctionnement du client en mode veille pendant une période de temps ; et

empêcher le dispositif client (102) de fonctionner en mode veille.


 
4. Procédé selon la revendication 1, comprenant en outre :

la réception, par le dispositif client (102), d'au moins une instruction qui amène le dispositif client (102) à supprimer des données du dispositif client (102) ; et

la suppression, par le dispositif client (102), et sur base d'au moins une instruction, des données.


 
5. Procédé selon la revendication 1, comprenant en outre :
après l'envoi, par le dispositif client (102), d'une communication ultérieure au dispositif serveur de gestion (108) dans la certaine période de temps ou au certain moment, l'envoi par le dispositif client (102), d'une troisième demande d'accès pour accéder à la ressource administrée.
 
6. Procédé selon la revendication 5, comprenant en outre :
la détermination, par le dispositif client (102), que l'accès est refusé à la ressource administrée.
 
7. Procédé selon la revendication 1, dans lequel l'application client est configurée pour communiquer une ou plusieurs des caractéristiques suivantes du dispositif client à un dispositif serveur de gestion (108) :

un numéro de téléphone associé au dispositif client (102) ;

un numéro de série associé au dispositif client (102) ;

une indication de si un appel vers ou depuis le dispositif client (102) est actif ; et

un emplacement associé au dispositif client (102).


 
8. Dispositif comprenant :
au moins un processeur, et au moins un module exploitable par l'au moins un processeur pour exécuter le procédé selon l'une quelconque des revendications 1-7.
 
9. Support de stockage lisible par ordinateur encodé avec des instructions qui, lorsqu'elles sont exécutées, amènent au moins un processeur d'un dispositif informatique à exécuter le procédé selon l'une quelconque des revendications 1-7.
 
10. Système comprenant :

un dispositif serveur d'authentification (106) en communication avec un dispositif client (102), dans lequel le dispositif serveur d'authentification (106) maintient un registre client (120) indiquant un identificateur unique du dispositif client (102) et un état associé à l'identifiant unique indiquant si le dispositif client (102) est conforme à une politique administrative et détermine si le dispositif client (102) est autorisé à accéder une ou plusieurs ressources administrées, dans lequel un premier processeur (112) du dispositif serveur d'authentification envoie un jeton au dispositif client (102) en réponse à la détermination que le dispositif client (102) est autorisé à accéder à la ou aux ressources administrées ; et

un dispositif serveur de gestion (108) en communication avec le dispositif client (102) et le dispositif serveur d'authentification (106), dans lequel le dispositif serveur de gestion (108) détermine si le dispositif client (102) est conforme à la politique administrative qui régit une capacité du dispositif client (102) à accéder à la ou aux ressources administrées,

dans lequel le dispositif serveur d'authentification (106) et le dispositif client (102) sont configurés de telle sorte que :
en réponse au dispositif client (102) non conforme à la politique administrative associée à la ressource administrée, sur base du statut du registre client (120) indiquant que le dispositif client (102) n'est pas conforme à la politique administrative :

la réception, par le dispositif client (102) et depuis le dispositif serveur d'authentification (106), d'une ou plusieurs instructions concernant l'installation d'une application client qui instruit, au moins un du dispositif client (102) ou d'un utilisateur du dispositif client (102), à comment conformer le dispositif client (102), à la politique administrative,

la réception, par le dispositif client (102), de l'application client conformément à la ou aux instructions, et

l'installation de l'application client sur le dispositif client (102), de sorte que le dispositif client (102) soit conforme à la politique administrative ;

l'envoi, par le dispositif client (102), d'une deuxième demande d'accès comprenant l'identificateur unique du dispositif client (102) au dispositif serveur d'authentification (106) ;

la réception, par le dispositif client (102), sur base de l'état associé à l'identifiant unique dans le registre client (120) indiquant que le dispositif client (102) est conforme à la politique administrative, d'un jeton qui fournit un accès à la ressource administrée ;

l'accès, à l'aide du jeton, à la ressource administrée ;

la réception, par le dispositif client (102), d'au moins une instruction pour envoyer une communication à un dispositif serveur de gestion (108) dans une certaine période de temps ou à un certain moment ; et

l'envoi, par le dispositif client (102), de la communication au dispositif serveur de gestion (108) dans la certaine période de temps ou à au certain moment, de sorte que le dispositif client (102) ait accès à la ressource administrée.


 
11. Système selon la revendication 10, comprenant en outre un registre client (120) en communication avec le dispositif serveur d'authentification (106) et le dispositif serveur de gestion (108), dans lequel le registre client (120) comprend des informations concernant la conformité d'un ou plusieurs dispositifs clients (102) avec la politique administrative.
 
12. Système selon la revendication 10, dans lequel le dispositif serveur de gestion (108) est en outre configuré pour mettre à jour le registre client (120) avec une indication que le client est non conforme à la politique administrative si le dispositif serveur de gestion (108) ne reçoit pas de communication du dispositif client (102) dans une période de temps.
 




Drawing





















REFERENCES CITED IN THE DESCRIPTION



This list of references cited by the applicant is for the reader's convenience only. It does not form part of the European patent document. Even though great care has been taken in compiling the references, errors or omissions cannot be excluded and the EPO disclaims all liability in this regard.

Patent documents cited in the description