
HK1181214B - Techniques to apply and share remote policies on mobile devices - Google Patents


Info

Publication number: HK1181214B
Authority: HK (Hong Kong)
Prior art keywords: enterprise, policy, enterprise application, password, application
Application number: HK13108412.8A
Other languages: Chinese (zh)
Other versions: HK1181214A (en)
Inventors: J.肯特, M.哈姆勒, S.西沙拉曼, G.博尔斯
Original assignee: Microsoft Technology Licensing, LLC (微软技术许可有限责任公司)

Description

Techniques for applying and sharing remote policies on mobile devices
Technical Field
The present invention relates to techniques for applying and sharing remote policies on mobile devices.
Background
Computer and networking technologies make it possible for employees of an enterprise to work away from a physical enterprise site and for customers and clients to interact with the enterprise remotely. Increasingly, employees have chosen to use their personal mobile or home devices for work purposes. Mixing personal and business data on one device can improve employee efficiency and convenience, but challenges arise in protecting business data, especially in the event that a personal device is lost or stolen. It is with respect to these and other considerations that the improvements of the present invention are needed.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
Various embodiments are generally directed to systems and techniques for applying and sharing remote policies on mobile devices. Some embodiments are particularly directed to systems and techniques for selectively applying and sharing remote policies on a mobile device without touching the non-enterprise data and applications on the mobile device. In one embodiment, for example, an apparatus may include a memory storage to store personal data and enterprise data and a processing unit coupled to the memory storage. The apparatus may also include a first enterprise application operating on the processing unit to connect to an enterprise server. When the first enterprise application connects to the enterprise server, it may receive one or more policies from the enterprise server and apply them to itself. The apparatus may include additional enterprise applications that share the policies received from the enterprise server. When one of the additional enterprise applications is launched, the same policies may be applied to that application as well. Other embodiments are also described and claimed.
These and other features and advantages will become apparent upon reading the following detailed description and upon reference to the accompanying drawings. It is to be understood that both the foregoing general description and the following detailed description are explanatory only and are not restrictive of aspects as claimed.
Drawings
FIG. 1 illustrates an embodiment of a system for applying and sharing remote policies on a personal device.
FIG. 2 illustrates an embodiment of a personal device.
FIG. 3 illustrates an embodiment of a first logic flow for obtaining and applying remote policies on a personal device.
FIG. 4 illustrates an embodiment of a second logic flow for applying and sharing remote policies on a personal device.
FIG. 5 illustrates an embodiment of a third logic flow for updating remote policies.
FIG. 6 illustrates an embodiment of a computing architecture.
FIG. 7 illustrates an embodiment of a communication architecture.
Detailed Description
Typically, when an employee wishes to use a personal device (such as a laptop, tablet, or smartphone) for work purposes, the employer may apply enterprise policies globally to the personal device. In the event that a personal device is lost or stolen, or if enterprise policies are otherwise violated, the resulting consequences (such as erasing all data) may affect all data on the personal device. If an employee incorrectly enters a password into the device too many times in a row, all data (including personal data such as photos and contact information) may be deleted, for example, in order to protect the security of the enterprise data.
Various embodiments are directed to techniques for selectively applying and sharing remote policies on a personal device. In one embodiment, a technique includes contacting an enterprise server from an enterprise application operating on a personal device. The enterprise application may receive the policy from the enterprise server. Policies may be applied to enterprise applications. When a second enterprise application on the personal device is launched, the policy may also be applied to the second enterprise application. Further, where enterprise data needs to be erased, techniques include erasing only the enterprise data while leaving any personal data intact. As a result, embodiments may increase efficiency while protecting enterprise data security by allowing employees to consolidate their work and personal devices.
FIG. 1 illustrates a block diagram of a system 100 for applying and sharing remote policies on a personal device. In one embodiment, for example, the system 100 may include a computer-implemented system 100 having multiple components, such as a personal device 110 and an enterprise server 120. As used herein, the terms "system" and "component" are intended to refer to a computer-related entity, comprising either hardware, a combination of hardware and software, or software in execution. For example, a component may be implemented as a process running on a processor, a hard disk drive, multiple storage drives (of optical and/or magnetic storage medium), an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers as desired for a given implementation. The embodiments are not limited in this context.
In the illustrated embodiment shown in FIG. 1, the system 100 may be implemented as part of an electronic device. Examples of an electronic device may include, but are not limited to, a mobile device, a personal digital assistant, a mobile computing device, a smartphone, a cellular telephone, a handset, a one-way pager, a two-way pager, a messaging device, a computer, a personal computer (PC), a desktop computer, a laptop computer, a notebook computer, a handheld computer, a server array or server farm, a web server, a network server, an Internet server, a workstation, a minicomputer, a mainframe computer, a supercomputer, a network appliance, a web appliance, a distributed computing system, multiprocessor systems, processor-based systems, consumer electronics, programmable consumer electronics, television, digital television, set-top box, wireless access point, base station, subscriber station, mobile subscriber center, radio network controller, router, hub, gateway, bridge, switch, machine, or combination thereof. Although the system 100 shown in FIG. 1 has a limited number of elements in a certain topology, it may be appreciated that the system 100 may include more or fewer elements in alternate topologies as desired for a given implementation.
In one embodiment, as will be described in more detail below, an apparatus, such as personal device 110, may include a memory storage to store personal data 114 and enterprise data 118, and a processing unit coupled to the memory storage. An example of a memory storage and processing unit is described with reference to FIG. 6. The personal device 110 may also include a plurality of enterprise applications 116 executable on the processing unit, such as the enterprise applications 116-1, 116-2 shown in FIG. 1, arranged to receive a policy 122 for a first enterprise application 116-1 from an enterprise server 120 and to automatically apply the policy 122 received for the first enterprise application 116-1 to a second enterprise application 116-2. For example, the first enterprise application 116-1 may connect to the enterprise server 120. Once the first enterprise application 116-1 connects to the enterprise server 120, it may receive one or more policies 122 from the enterprise server 120 and apply them to itself. The personal device 110 may include additional enterprise applications 116 that share the policies 122 received from the enterprise server 120, such as, for example, a second enterprise application 116-2. When the second enterprise application 116-2 is launched, the same policies 122 applied to the first enterprise application 116-1 may also be applied to the second enterprise application 116-2. This may continue for as many enterprise applications 116 as personal device 110 executes. Although only two enterprise applications 116-1, 116-2 are shown in FIG. 1 for purposes of example and not limitation, it is to be understood that personal device 110 may include any number of enterprise applications 116 that may share policies. The embodiments are not limited in this context.
Many of the embodiments described herein are described in the context of a company or business and its employees. Embodiments may be applied in other contexts, such as whenever a personal device receives data from and interacts with a remote device or server and one or more policies are applied on the personal device to protect that data. For example, if a user on a personal device is receiving data that is restricted in some way (such as data covered by a non-disclosure agreement), a policy may be received that prevents the protected data from being sent to another device. In another example, the company or business entity may be a financial institution and the user may be a customer of the financial institution. The personal device may have several applications installed that can access the user's account at the financial institution, and the financial institution may provide policies to those applications to prevent unauthorized access to the account. Embodiments are not limited to these examples.
In various embodiments, the system 100 may include a personal device 110. Personal device 110 may include any electronic device capable of executing enterprise applications, communicating with an enterprise server, and storing data. Examples of personal device 110 may include, but are not limited to, desktop computers, laptop computers, tablet computers, smart phones, and other electronic devices previously described with respect to system 100.
Personal device 110 may include personal applications 112. Personal applications 112 may include applications included with personal device 110 at the time of purchase as well as applications installed by a user of personal device 110. Personal applications 112 may include, for example and without limitation, personal financial management applications, games, personal information management applications, camera applications, photo editing applications, web browsers, music player applications, video player applications, email applications, and the like. In general, a personal application 112 is an application that does not connect to enterprise server 120 for work-related purposes.
Personal application 112 may use and generate personal data 114. Personal data 114 may include settings for personal application 112. Personal data 114 may include data generated by personal application 112 or generated using personal application 112, such as photographs, contact lists, word processing documents, bookmarks, and the like. Personal data 114 may include data that has been copied or otherwise imported onto personal device 110 (e.g., via a peer-to-peer exchange, a network download, or a synchronization operation with another personal device). Personal data 114 may generally be data that is not related to work.
Personal device 110 may include one or more enterprise applications 116, such as enterprise applications 116-1 and 116-2 shown in FIG. 1. Enterprise applications 116 may include any application that can connect to enterprise server 120 through an enterprise account of a user using personal device 110. The enterprise applications 116 may include, for example and without limitation, email applications, word processing applications, video conferencing applications, collaboration applications, inventory management applications, customer relationship management applications, business project planning applications, and the like.
The enterprise application 116 may need to communicate with the enterprise server 120 from time to time, or whenever the enterprise application 116 is executed on the personal device 110. The enterprise application 116 may upload data to the enterprise server 120 and/or receive data from the enterprise server 120. In an embodiment, enterprise application 116 may receive policy 122 from enterprise server 120. Policies 122 may impose a set of restrictions on how enterprise application 116 may operate on personal device 110. Policy 122 will be discussed further below.
Personal device 110 may also include enterprise data 118. Enterprise data 118 may include data used and generated by enterprise applications 116. Enterprise data 118 may include data received from enterprise server 120. Enterprise data 118 may include data that the entity setting policy 122 considers sensitive, proprietary, confidential, or secret. Enterprise data 118 may include, for example and without limitation, word processing documents, email messages, contact information, customer information, product information, presentation documents, publications, legal documents, and the like.
In various embodiments, the system 100 may include an enterprise server 120. Enterprise server 120 may include one or more electronic devices operated by an entity, such as a business, government agency, school, organization, etc. Enterprise server 120 may be operated by one entity on behalf of another entity. The enterprise server 120 may be capable of remote communication with the personal device 110, for example, over a wired or wireless network.
Enterprise server 120 may include policies 122. Policy 122 may include rules that an application needs to follow to interact with enterprise server 120. In particular, policies 122 may include rules that enterprise applications 116 on personal device 110 need to follow to connect with and communicate with enterprise server 120. The policies 122 may include, for example, password policies, encryption policies, erasure policies, data storage policies, and the like.
The password policy may specify that a password needs to be created and used to access enterprise application 116. The password policy may specify requirements for a required format of the password, such as a minimum password length, alphanumeric characters allowed within the password, and/or various types of character combinations. The requirements for various types of character combinations may specify, for example, that at least one character needs to be a number, that at least one character needs to be a capital letter, that at least one character needs to be a symbol, and so forth. The password policy may require that enterprise application 116 be locked after a specified period of inactivity, requiring re-entry of the password. The password policy may specify that the password expires after a specified period of time and that a new password needs to be created. The password policy may specify that a separate enterprise application password is not required when the password of personal device 110 complies with policy 122. Embodiments are not limited to these examples.
The encryption policy may specify that personal device 110 needs to support encryption of data and/or network communications. The encryption policy may specify that enterprise data 118 may not be stored on personal device 110 when personal device 110 does not support encryption. Embodiments are not limited to these examples.
The erasure policy may specify that enterprise data 118 be erased from personal device 110 without erasing personal data 114 when a condition occurs. The condition may include receiving an erase command from enterprise server 120. The enterprise server 120 may issue an erase command, for example, when a user of the personal device 110 reports that the personal device 110 is lost or stolen. A condition may occur when a maximum number of failed (incorrect) password entry attempts is exceeded. Embodiments are not limited to these examples.
The data storage policy may specify rules for storing enterprise data 118 on personal device 110. For example, a time limit may be set for how long certain types of data (e.g., word processing documents, or documents downloaded from a particular directory) may be kept. The data storage policy may specify that certain types of data may not be stored on personal device 110 at all. A data storage policy may specify that data may be stored only if enterprise application 116 complies with the other policies 122. Embodiments are not limited to these examples.
The enterprise server 120 may store or utilize one or more enterprise accounts, such as enterprise accounts 124-1 and 124-2. There may be enterprise accounts 124 for a single user or for a group of users. The enterprise account 124 may include credential information that one or more users need to provide to gain access to the enterprise server 120. Credential information may include, for example, a username and password; challenge questions and answers; biometric information such as fingerprint data or retinal scan data, etc.
The enterprise account 124 may specify the access privileges that the user or users associated with the enterprise account have with respect to data and applications on the enterprise server 120. For example, a user within one department of the corporate entity operating enterprise server 120 may only access documents and applications for that department. In another example, a user may be able to read data from the enterprise server 120 but not add or modify data on the enterprise server 120. In an embodiment, each enterprise application 116 on the personal device 110 may be linked to the same enterprise account 124 on the enterprise server 120. Once one enterprise application 116 has connected to the enterprise server 120 through an enterprise account (e.g., enterprise account 124-1), other enterprise applications 116 on the personal device 110 may use the same enterprise account 124-1 to access the enterprise server 120.
In one embodiment, policies 122 may relate to access privileges in enterprise accounts 124. Enterprise accounts 124 that grant more access to data on enterprise server 120 may have more or stricter policies 122 to mitigate the higher risk of exposing more enterprise data. Policies 122 may be associated with enterprise accounts 124 rather than specific enterprise applications 116. This may allow enterprise applications 116 on personal devices 110 to share policies between enterprise applications 116 when they access enterprise server 120 using the same enterprise account 124 that was used to receive policies 122.
The enterprise server 120 may be arranged to provide remote access to enterprise applications and data. For example, the enterprise server 120 may include one or more enterprise application server components, such as enterprise application server components 126-1 and 126-2. The enterprise application server component 126 may provide server-side functionality for the corresponding enterprise application 116 on the personal device 110. For example, the enterprise application server component 126-1 may be an email system server component for an email client enterprise application 116-1. The enterprise application server component 126 can provide an interface through which the enterprise applications 116 can connect to the enterprise server 120, receive data and policies 122 from the enterprise server 120, and upload data to the enterprise server 120.
Fig. 2 shows a block diagram of a personal device 210. Personal device 210 may be a representative embodiment of personal device 110. Personal device 210 may include a memory store 230 and a processing unit 240 coupled to memory store 230.
Memory storage 230 may include one or more computer-readable storage media such as, but not limited to, an internal Hard Disk Drive (HDD), a removable magnetic disk, a removable optical disk (e.g., CD-ROM or DVD), a Read Only Memory (ROM), a Random Access Memory (RAM), a dynamic RAM (dram), a dual data rate dram (ddram), a synchronous dram (sdram), a static RAM (sram), a programmable ROM (prom), an erasable programmable ROM (eprom), an electrically erasable programmable ROM (eeprom), a flash memory, a polymer memory such as a ferroelectric polymer memory, an ovonic memory, a phase-change or ferroelectric memory, a silicon-oxide-nitride-oxide-silicon (SONOS) memory, a magnetic or optical card, or any other type of media suitable for storing information.
Processing unit 240 may include processing circuitry capable of executing programming instructions that provide the functionality described herein, including programming instructions for executing enterprise application 216. The processing unit 240 can include any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 240.
Memory storage 230 may store programming instructions and data on personal device 210. For example, memory storage 230 may store programming instructions for personal application 212, enterprise application 216-1, and enterprise application 216-2. Memory store 230 may store personal data 214, policies 220, enterprise data 218-1, and enterprise data 218-2. Personal data 214 and policies 220 may represent personal data 114 and policies 122, respectively, as described with reference to fig. 1. Enterprise application 216-1 and enterprise application 216-2 may represent enterprise applications 116-1 and 116-2 as described with reference to fig. 1. Personal application 212 may represent personal application 112 as described with reference to fig. 1. Enterprise data 218-1 and 218-2 may represent enterprise data 118 as described with reference to fig. 1.
In an embodiment, enterprise data 218-1 may be stored logically separately from enterprise data 218-2, e.g., in a separate logical directory. Enterprise data 218-1 and 218-2 may further be stored logically separately from personal data 214. Alternatively, enterprise data 218-1 and 218-2 may be stored together in the same logical directory, logically separate from personal data 214. In general, enterprise data 218-1, 218-2 is stored in a manner that allows enterprise applications 216 to distinguish enterprise data 218 from personal data 214, which is what makes it possible to erase the former without touching the latter.
Policies 220 may have various formats. In an embodiment, for example, policy 220 may be executable program instructions that, when executed, cause enterprise application 216 to apply policy 220. In an embodiment, policy 220 may include one or more variables having assigned values. When enterprise application 216 is executed, enterprise application 216 may read the values of the variables and these values may cause enterprise application 216 to apply policies 220. Embodiments are not limited to these examples.
In an embodiment, policy 220 may include policy flags 222, which may also be stored on memory store 230. Policy flags 222 may include flags, status indicators, and/or attribute settings that signal to enterprise application 216 whether a policy condition is set. For example, policy flags 222 may include a policy encryption compliance flag that, when true, indicates that personal device 210 is encryption compliant. Policy flags 222 may include a storage encryption status flag that indicates whether encryption is active. Policy flags 222 may include an erase-initiated flag, which may be set to true when an enterprise application 216 performs an erasure of enterprise data 218. Policy flags 222 may include a remote erase flag that may be set to true when enterprise server 120 requests erasure of enterprise data 218 on personal device 210. Policy flags 222 may include a policy password compliance flag that, when true, indicates that the device password of personal device 210 complies with the password policy, so that no separate enterprise application password is required.
In an embodiment, when a first enterprise application (e.g., enterprise application 216-1) connects to enterprise server 120 and receives policy 220 from enterprise server 120, enterprise application 216-1 may perform various checks and verifications to set the relevant policy flags 222. Enterprise application 216-1 may check, for example, whether personal device 210 has a device password and, if so, whether the device password complies with the password policy in policies 220. If it does, enterprise application 216-1 may set the policy password compliance flag to true. When a second enterprise application (e.g., enterprise application 216-2) begins execution, enterprise application 216-2 may examine policy flags 222 rather than repeat the checks and verifications already performed by enterprise application 216-1. If one of policies 220 requires a password to execute enterprise application 216, enterprise application 216-2 may check the policy password compliance flag before prompting for a password. Embodiments are not limited to these examples.
In an embodiment, account information 224 may be stored on memory storage 230. In addition to the credentials entered by the user, account information 224 may include information needed to access enterprise account 124 on enterprise server 120. Account information 224 may include, for example, a network address of enterprise server 120, account identifier information, and the like. In an embodiment, an enterprise application (e.g., enterprise application 216-1) connects to enterprise server 120 using account information 224 for the first time and receives policy 220 from enterprise server 120. The policy 220 may be stored with the account information 224 or linked to the account information 224. When a second enterprise application (e.g., enterprise application 216-2) is launched, enterprise application 216-2 may look up and/or use account information 224 to initiate a connection to enterprise server 120. Enterprise application 216-2 may also retrieve and apply policies 220 linked to account information 224.
In an embodiment, enterprise application 216 may generate a policy key 226. The policy key 226 may reflect the set of policies 220 currently installed on the personal device 210. Policy key 226 may be generated by, for example, performing a hash operation on policies 220. Policy key 226 may be provided to enterprise server 120 for comparison with policies 122 on enterprise server 120. When the policies reflected in policy key 226 differ from policies 122 on enterprise server 120, enterprise server 120 may notify enterprise application 216 that an update is needed and provide the updated policies 122 to enterprise application 216. In an embodiment, enterprise server 120 may disable the download of data to personal device 210 until the updated policies are applied.
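The policy format, the shared policy flags 222, and the policy key 226 described in the preceding paragraphs, as an added example in Python (this is not code from the patent or from Microsoft): the policy is the "variables with assigned values" form, the first application runs the device checks once and records flags that the second application reads instead of repeating them, and the policy key is a SHA-256 over a canonical serialization so the server can tell a stale policy set from a current one. The field names, the device description, and all function names are assumptions made for this example.

```python
import hashlib
import json

# Constructed example policy in the "variables with assigned values" form the
# text describes. Field names are assumptions made for this example.
SERVER_POLICY = {
    "password": {"required": True, "min_length": 8, "require_digit": True,
                 "require_upper": True, "lock_after_seconds": 300,
                 "max_failed_attempts": 10},
    "encryption": {"required": True},
    "erase": {"on_remote_command": True, "on_max_failed_attempts": True},
    "storage": {"max_age_days": 30},
}


def policy_key(policy: dict) -> str:
    """Hash the installed policy set so the server can tell whether it is stale.

    Canonical JSON (sorted keys, fixed separators) makes two semantically equal
    policy sets hash the same regardless of the order the server serialized
    them in; without it, a harmless reordering would look like a policy change.
    """
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def server_check_policy(client_key: str, server_policy: dict) -> dict:
    """Server side: compare the client's policy key with the current policy.

    When the client is out of date, return the updated policy and, as the
    text describes, withhold data downloads until the update is applied.
    """
    if client_key == policy_key(server_policy):
        return {"up_to_date": True, "download_allowed": True}
    return {"up_to_date": False, "download_allowed": False,
            "policy": server_policy}


def device_password_complies(device: dict, pw_policy: dict) -> bool:
    """Does the device's own unlock password meet the enterprise password policy?

    `device` is a constructed stand-in for what a platform API would report:
    whether a device password is set and which constraints the device enforces.
    """
    if not device.get("has_password"):
        return False
    return bool(
        device.get("min_length", 0) >= pw_policy["min_length"]
        and (device.get("requires_digit") or not pw_policy["require_digit"])
        and (device.get("requires_upper") or not pw_policy["require_upper"])
    )


def first_app_connect(device: dict, received_policy: dict) -> dict:
    """First enterprise application: store the policy and set the shared flags.

    Returns the record kept in shared storage for the account: the policy, its
    key for later comparison with the server, and the policy flags that other
    enterprise applications read instead of re-running the device checks.
    """
    encrypted = bool(device.get("encryption_enabled"))
    flags = {
        "policy_encryption_compliant": encrypted,
        "storage_encryption_active": encrypted,
        "policy_password_compliant": device_password_complies(
            device, received_policy["password"]),
        "remote_erase": False,
        "erase_initiated": False,
    }
    return {"policy": received_policy, "key": policy_key(received_policy),
            "flags": flags}


def second_app_launch(shared: dict) -> dict:
    """Second enterprise application: consume the shared flags at launch.

    Decides whether to prompt for an application password and whether enterprise
    data may be stored, without repeating the checks the first application made.
    """
    policy, flags = shared["policy"], shared["flags"]
    prompt_for_password = (policy["password"]["required"]
                           and not flags["policy_password_compliant"])
    may_store = (not policy["encryption"]["required"]
                 or flags["policy_encryption_compliant"])
    return {"prompt_for_password": prompt_for_password,
            "may_store_enterprise_data": may_store}
```

Two points a practitioner would check here. First, the policy key is computed by the client, so the server can use it only as a staleness check, not as proof that the policy is actually enforced on the device; the enforcement lever the text gives the server is refusing downloads until the updated policy is applied. Second, the shared flags are trusted by every enterprise application on the device, so the storage holding them must be writable only by those applications; otherwise a personal application could flip the password compliance flag and suppress the prompt.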
The operations of the above embodiments may be further described with reference to one or more logic flows. It can be appreciated that the representative logic flows do not necessarily have to be executed in the order presented, or in any particular order, unless otherwise indicated. Further, various activities described with respect to the logic flows can be executed in serial or parallel fashion. The logic flows may be implemented using one or more hardware elements and/or software elements of the described embodiments or alternative elements as desired for a given set of design and performance constraints. For example, the logic flows may be implemented as logic (e.g., computer program instructions) for execution by a logic device (e.g., a general-purpose or special-purpose computer).
Fig. 3 illustrates one embodiment of a logic flow 300. Logic flow 300 may be representative of some or all of the operations executed by one or more embodiments described herein. The logic flow 300 may be performed by various systems and/or devices and may be implemented as hardware, software, and/or any combination thereof, as desired for a given set of design parameters or performance constraints. For example, the logic flow 300 may be implemented by logic device (e.g., a processor) and/or logic (e.g., threaded logic) comprising instructions, data, and/or code executed by the logic device. For purposes of illustration and not limitation, logic flow 300 is described with reference to fig. 1 and 2. The embodiments are not limited in this context.
In the illustrated embodiment shown in FIG. 3, the logic flow 300 may connect to an enterprise server using a first enterprise application from a personal device at block 302. For example, the enterprise applications 116-1, 216-1 may connect to the enterprise server 120 over a network. The enterprise applications 116-1, 216-1 may present credentials (e.g., account information 224) to the enterprise server 120 to identify and access the enterprise account 124-1.
In one embodiment, it may not matter which enterprise application 116, 216 first connects to enterprise server 120 and receives policies 122, 220. However, once the first connection is made, the enterprise application that made it (e.g., enterprise application 116-1) may be designated as the enterprise application that maintains and updates policies 220 and policy flags 222. In another embodiment, any of enterprise applications 116, 216 may update policies 220 and policy flags 222.
The logic flow 300 may receive a policy from the enterprise server at block 304. For example, enterprise applications 116-1, 216-1 may receive policies 122 from enterprise server 120 over a network. Enterprise applications 116-1, 216-1 may store policies 122 as policies 220 on memory storage 230 of personal devices 110, 210. Policies 220 may include, for example, a password policy, an encryption policy, a data erasure policy, and/or an enterprise data storage policy.
The logic flow 300 may apply the policy to the first enterprise application at block 306. For example, enterprise applications 116-1, 216-1 may read and/or execute each policy 220. The enterprise application 116-1, 216-1 may check a condition, such as whether the personal device 110, 210 supports encryption or has a device password. Enterprise applications 116-1, 216-1 may set policy flags 222 according to the checked conditions.
Applying the password policy may include, for example, prompting a user of the personal device 110, 210 to create and/or enter a password for the enterprise application 116-1, 216-1. Applying the password policy may include enforcing password format restrictions. Applying the password policy may include requiring re-entry of the password after a specified period of inactivity. Applying the password policy may include waiving the enterprise application password when the personal device 110, 210 enforces password restrictions that meet or exceed those in the password policy. Embodiments are not limited to these examples.
Applying the encryption policy may include turning on device encryption when encryption is required. Applying the encryption policy may include detecting whether device encryption is enabled and setting a policy flag 222 reflecting the device encryption enabled status for other enterprise applications 116, 216 to check. Applying the encryption policy may include checking whether encryption is required to store the enterprise data 118, 218 on the personal device 110, 210. Applying the encryption policy may include preventing the enterprise data 118, 218 from being stored on the personal device 110, 210 when encryption is required and device encryption is not enabled. Embodiments are not limited to these examples.
Applying the erasure policy may include receiving an erase command from the enterprise server 120 and erasing only the enterprise data 118, 218 from the personal device 110, 210. Applying the erasure policy may include detecting when a maximum number of failed password entry attempts has occurred on the personal device 110, 210 and erasing only the enterprise data 118, 218 from the personal device 110, 210. Applying the erasure policy may include erasing enterprise data 118, 218 specific to the enterprise account 124 when encryption is required and the personal device 110, 210 does not comply with the encryption policy. Embodiments are not limited to these examples.
Applying the enterprise data storage policy may include determining whether a storage period for an item of enterprise data 218-1 has expired and, if so, erasing the item from memory storage 230. In an embodiment, the enterprise applications 116, 216 may request the download of enterprise data 118, 218 from the enterprise server 120 when connecting to the enterprise server 120. Applying the enterprise data storage policy may include preventing downloading of the enterprise data from the enterprise server until the enterprise application requesting the enterprise data complies with the policy 122, 220. Embodiments are not limited to these examples.
Fig. 4 illustrates one embodiment of a logic flow 400. Logic flow 400 may be representative of some or all of the operations executed by one or more embodiments described herein. Logic flow 400 may occur after enterprise applications 116, 216 have received policies 122, 220 from enterprise server 120. The logic flow 400 may be performed by various systems and/or devices and may be implemented as hardware, software, and/or any combination thereof, as desired for a given set of design parameters or performance constraints. For example, the logic flow 400 may be implemented by a logic device (e.g., a processor) and/or logic (e.g., threading logic) comprising instructions, data, and/or code executed by the logic device. For purposes of illustration, and not limitation, logic flow 400 is described with reference to fig. 1 and 2. The embodiments are not limited in this context.
The logic flow 400 may execute a second enterprise application on the personal device in block 402. For example, when a user selects an enterprise application 116-2, 216-2 to execute, the enterprise application 116-2, 216-2 may begin operating on the personal device 110, 210.
The logic flow 400 may check the personal device for a policy in block 404. For example, the second enterprise application 116-2, 216-2 may look up and find the policy 220 on the memory store 230.
The logic flow 400 may apply the policy to the enterprise application in block 406. For example, enterprise applications 116-2, 216-2 may apply policy 220 in a manner similar to that described above with reference to block 306 and enterprise applications 116-1, 216-1. However, when the policy depends on a condition whose state is recorded in policy flag 222, enterprise applications 116-2, 216-2 may examine the state of policy flag 222 rather than directly determine the state of the condition.
In an embodiment, other conditions set by policy 220 may be shared between enterprise applications 116, 216. For example, assume that the policy requires re-entering the password after a period of inactivity (say 10 minutes). The inactivity timer may start when the first enterprise application becomes inactive. The second enterprise application may not require entry of a password if the second enterprise application is started within the 10 minute window started by the inactivity timer. In effect, the second enterprise application shares the password restriction and inactivity time window with the first application. When there is no inactivity timing restriction, the second enterprise application may still share password entry from the first enterprise application. In this way, the second enterprise application does not need a password because the password has already been entered for the first enterprise application.
The logic flow 400 may connect to an enterprise server using an enterprise application from a personal device in block 408. In an embodiment, the connection to enterprise server 120 occurs only when the policy has been properly applied. For example, if the enterprise application 116, 216 requires a password but no password has been entered, the connection to the enterprise server 120 through that enterprise application may be denied.
Fig. 5 illustrates one embodiment of a logic flow 500. Logic flow 500 may be representative of some or all of the operations executed by one or more embodiments described herein. Logic flow 500 may occur after enterprise applications 116, 216 have received policies 122, 220 from enterprise server 120. The logic flow 500 may be performed by various systems and/or devices and may be implemented as hardware, software, and/or any combination thereof, as desired for a given set of design parameters or performance constraints. For example, the logic flow 500 may be implemented by a logic device (e.g., a processor) and/or logic (e.g., threading logic) comprising instructions, data, and/or code executed by the logic device. For purposes of illustration, and not limitation, logic flow 500 is described with reference to fig. 1 and 2. The embodiments are not limited in this context.
The logic flow 500 may generate a policy key on the personal device from a policy on the personal device in block 502. For example, the enterprise applications 116-1, 216-1 may perform a hash function on the policies 122, 220 to generate a policy key 226 that reflects the policies 122, 220 currently installed on the personal devices 110, 210.
Block 502 may be performed periodically, e.g., every time an enterprise application 116-1, 216-1 connects to the enterprise server 120, daily, weekly, etc. In an embodiment, block 502 may be performed on a schedule specified in the policies 122, 220. Block 502 may be performed in response to receiving a push notification from an enterprise server that a policy has been added, changed, and/or deleted.
The logic flow 500 may provide the policy key to the enterprise server for comparison with the policy currently on the enterprise server in block 504. The enterprise server 120 may compare the policy key 226 to the policy 122 to determine whether the policy is the same on both the enterprise server 120 and the personal devices 110, 210.
The logic flow 500 may receive a notification from the enterprise server at block 506. The notification may confirm to the enterprise applications 116-1, 216-1 that the policy 220 on the personal devices 110, 210 is up to date. Alternatively, the notification may inform enterprise applications 116-1, 216-1 that policy 220 needs to be updated.
When policy 220 is up-to-date, logic flow 500 may apply the up-to-date policy to the enterprise application in block 508. When policy 220 needs to be updated, the logic flow 500 may download the updated policy from the enterprise server 120 and apply the updated policy to the enterprise application in block 510.
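As an added illustration that is not code from the patent, the following Python sketch models the shared device-side store described for logic flow 400 (policy flags 222 read by a second application, and the inactivity window shared between applications) together with the policy key check of logic flow 500 (blocks 502 to 506). The sample policy contents, the choice of SHA-256 over canonical JSON as the hash function, and all class and function names are assumptions made for the example.

```python
"""Toy model of a shared enterprise-policy store on a personal device (added example)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample policy, standing in for policy 122 as received from the server.
SAMPLE_POLICY = {
    "password": {"min_length": 6, "inactivity_timeout_s": 600},
    "encryption": {"required": True},
    "erase": {"max_failed_attempts": 5},
}


def policy_key(policy: dict) -> str:
    """Block 502: derive the policy key by hashing a canonical encoding of the policy.

    Canonical JSON (sorted keys, fixed separators) makes the key independent of the
    order in which the policy items happen to be stored on the device.  SHA-256 is
    an assumption; the patent only says 'a hash function'.
    """
    canonical = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def server_check(server_policy: dict, client_key: str) -> str:
    """Blocks 504 and 506: the server hashes its own copy and compares keys."""
    return "up_to_date" if policy_key(server_policy) == client_key else "needs_update"


@dataclass
class SharedPolicyStore:
    """Device-side state shared by all enterprise applications (memory storage 230)."""
    policy: dict                                        # policy 220
    flags: Dict[str, bool] = field(default_factory=dict)  # policy flags 222
    last_activity: Optional[float] = None               # shared inactivity timer

    def apply_first(self, device_encrypted: bool, device_pw_min_length: int) -> None:
        """Block 306: the first application probes device conditions and records flags."""
        self.flags["device_encrypted"] = device_encrypted
        # App-level password restriction is disabled when the device password is at
        # least as strict as the policy demands.
        required = self.policy["password"]["min_length"]
        self.flags["device_password_sufficient"] = device_pw_min_length >= required

    def apply_second(self) -> Dict[str, bool]:
        """Block 406: a second application reads the flags instead of re-probing."""
        if "device_encrypted" not in self.flags:
            raise RuntimeError("policy not yet applied by a first enterprise application")
        return dict(self.flags)

    def may_store_enterprise_data(self) -> bool:
        """Encryption policy: block enterprise data when encryption is required but off."""
        if not self.policy["encryption"]["required"]:
            return True
        return self.flags.get("device_encrypted", False)

    def record_activity(self, now: float) -> None:
        """Any enterprise application calls this on user activity; the timer is shared."""
        self.last_activity = now

    def needs_password(self, now: float) -> bool:
        """Activity in either application within the window satisfies the policy."""
        if self.flags.get("device_password_sufficient", False):
            return False  # the device password already meets or exceeds the policy
        if self.last_activity is None:
            return True   # no application has authenticated yet
        window = self.policy["password"]["inactivity_timeout_s"]
        return now - self.last_activity > window
```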
FIG. 6 illustrates an embodiment of an exemplary computing architecture 600 suitable for implementing the various embodiments described above. Computing architecture 600 includes various common computing elements, such as one or more processors, co-processors, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, video cards, audio cards, multimedia input/output (I/O) components, and so forth. However, the embodiments are not limited to implementation by the computing architecture 600.
As shown in FIG. 6, the computing architecture 600 includes a processing unit 604, a system memory 606, and a system bus 608. The processing unit 604 can be any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 604. The system bus 608 provides an interface for system components including, but not limited to, the system memory 606 to the processing unit 604. The system bus 608 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures.
The system memory 606 may include various types of memory units, such as read-only memory (ROM), random-access memory (RAM), dynamic RAM (DRAM), double-data-rate DRAM (DDRAM), synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory, polymer memory such as ferroelectric polymer memory, ovonic memory, phase-change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, or any other type of media suitable for storing information. In the illustrated embodiment shown in FIG. 6, the system memory 606 can include non-volatile memory 610 and/or volatile memory 612. A basic input/output system (BIOS) may be stored in the non-volatile memory 610.
The computer 602 may include various types of computer-readable storage media, including an internal Hard Disk Drive (HDD) 614, a magnetic Floppy Disk Drive (FDD) 616 to read from or write to a removable magnetic disk 618, and an optical disk drive 620 to read from or write to a removable optical disk 622 (e.g., a CD-ROM or DVD). The HDD 614, FDD 616 and optical disk drive 620 can be connected to the system bus 608 by a HDD interface 624, an FDD interface 626 and an optical drive interface 628, respectively. The HDD interface 624 for external drive implementations can include at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies.
The drives and associated computer-readable media provide volatile and/or nonvolatile storage of data, data structures, computer-executable instructions, and so forth. For example, a number of program modules can be stored in the drives and memory units 610, 612, including an operating system 630, one or more application programs 632, other program modules 634, and program data 636. The one or more application programs 632, other program modules 634, and program data 636 can include, for example, enterprise applications 116, 216, personal applications 112, 212, and enterprise application server components 126-1, 126-2.
A user can enter commands and information into the computer 602 through one or more wired/wireless input devices, e.g., a keyboard 638 and a pointing device, such as a mouse 640. Other input devices may include a microphone, an Infrared (IR) remote control, a joystick, a game pad, a stylus pen, touch screen, or the like. These and other input devices are often connected to the processing unit 604 through an input device interface 642 that is coupled to the system bus 608, but can be connected by other interfaces, such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.
A monitor 644 or other type of display device is also connected to the system bus 608 via an interface, such as a video adapter 646. In addition to the monitor 644, a computer typically includes other peripheral output devices, such as speakers, printers, and so forth.
The computer 602 may operate in a networked environment using logical connections via wired and/or wireless communications to one or more remote computers, such as a remote computer 648. The remote computer 648 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 602, although, for purposes of brevity, only a memory/storage device 650 is illustrated. The logical connections depicted include wired/wireless connectivity to a Local Area Network (LAN) 652 and/or larger networks, e.g., a Wide Area Network (WAN) 654. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, e.g., the Internet.
When used in a LAN networking environment, the computer 602 is connected to the LAN 652 through a wired and/or wireless communication network interface or adapter 656. The adapter 656 can facilitate wired and/or wireless communications to the LAN 652, which may also include a wireless access point disposed thereon for communicating with the wireless functionality of the adapter 656.
When used in a WAN networking environment, the computer 602 can include a modem 658, or is connected to a communications server on the WAN 654, or has other means for establishing communications over the WAN 654, such as by way of the Internet. The modem 658, which can be internal or external and a wired and/or wireless device, connects to the system bus 608 via the input device interface 642. In a networked environment, program modules depicted relative to the computer 602, or portions thereof, can be stored in the remote memory/storage device 650. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used.
The computer 602 is operable to communicate with wired and wireless devices or entities using the IEEE 802 family of standards, such as wireless devices operatively disposed in wireless communication (e.g., IEEE 802.11 over-the-air modulation techniques) with, for example, a printer, scanner, desktop and/or portable computer, Personal Digital Assistant (PDA), communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone. This includes at least Wi-Fi (i.e., Wireless Fidelity), WiMax, and Bluetooth™ wireless technologies. Thus, the communication may be a predefined structure as with a conventional network, or simply an ad hoc communication between at least two devices. Wi-Fi networks use radio technologies called IEEE 802.11x (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3-related media and functions).
Fig. 7 illustrates a block diagram of an exemplary communication architecture 700 suitable for implementing various embodiments described above. The communication architecture 700 includes various common communication elements such as a transmitter, receiver, transceiver, radio, network interface, baseband processor, antenna, amplifiers, filters, and so forth. Embodiments, however, are not limited to implementation by communication architecture 700.
As shown in FIG. 7, the communication architecture 700 includes one or more client(s) 702 and server(s) 704. The client 702 may implement the personal devices 110, 210. The server 704 may implement the enterprise server 120. The client(s) 702 and server(s) 704 are operably connected to one or more respective client data store(s) 708 and server data store(s) 710 that can be employed to store information local to the respective client(s) 702 and server(s) 704, such as cookies and/or associated contextual information.
The client(s) 702 and server(s) 704 can communicate information between each other using a communication framework 706. The communications framework 706 may implement any well-known communications techniques, such as techniques suitable for use with packet-switched networks (e.g., public networks such as the Internet, private networks such as an enterprise intranet, and so forth), circuit-switched networks (e.g., the public switched telephone network), or a combination of packet-switched networks and circuit-switched networks (using suitable gateways and translators). The clients 702 and the servers 704 may include various types of standard communication elements designed to be interoperable with the communication framework 706, such as one or more communication interfaces, Network Interface Cards (NICs), radios, wireless transmitters/receivers (transceivers), wired and/or wireless communication media, physical connectors, and so forth. By way of example, and not limitation, communication media includes wired communication media and wireless communication media. Examples of wired communications media may include a wire, cable, metal leads, Printed Circuit Board (PCB), backplane, switch fabric, semiconductor material, twisted-pair wire, co-axial cable, fiber optics, a propagated signal, and so forth. Examples of wireless communication media may include acoustic, Radio Frequency (RF) spectrum, infrared and other wireless media. One possible communication between a client 702 and a server 704 can be in the form of a data packet adapted to be transmitted between two or more computer processes. For example, the data packet may include a cookie and/or associated contextual information.
Embodiments may be implemented using hardware elements, software elements, or a combination of both. Examples of hardware elements may include devices, components, processors, microprocessors, circuits, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, Application Specific Integrated Circuits (ASIC), Programmable Logic Devices (PLD), Digital Signal Processors (DSP), Field Programmable Gate Array (FPGA), memory units, logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth. Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, Application Program Interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. Determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.
Some embodiments may comprise an article. An article of manufacture may comprise a storage medium to store logic. Examples of a storage medium may include one or more types of computer-readable storage media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writeable or re-writeable memory, and so forth. Examples of logic may include various software elements, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, Application Program Interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. For example, in one embodiment, an article of manufacture may store executable computer program instructions that, when executed by a computer, cause the computer to perform methods and/or operations in accordance with the described embodiments. The executable computer program instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like. The executable computer program instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a computer to perform a certain function. The instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.
Some embodiments may be described using the expression "one embodiment" and "an embodiment" along with their derivatives. The terms mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment.
Some embodiments may be described using the expression "coupled" and "connected" along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments may be described using the terms "connected" and/or "coupled" to indicate that two or more elements are in direct physical or electrical contact with each other. The term "coupled," however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.
It is emphasized that the Abstract of the Disclosure is provided to comply with 37 C.F.R. Section 1.72(b), which requires an abstract that will allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing detailed description, it can be seen that various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the detailed description, with each claim standing on its own as a separate embodiment. In the appended claims, the terms "including" and "in which" are used as the plain-English equivalents of the respective terms "comprising" and "wherein". Moreover, the terms "first," "second," "third," and the like are used merely as labels, and are not intended to impose numerical constraints on their objects.
Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (9)

1. A computer-implemented method, comprising:
connecting to an enterprise server through a first enterprise application on a personal device using an enterprise account of a user of the personal device;
receiving, at the first enterprise application from the enterprise server, a first policy for the first enterprise application, the first policy comprising a password policy comprising a requirement to re-enter a password after a specified period of inactivity;
applying, by a processor circuit, the first policy to the first enterprise application;
automatically applying, by the processor circuit, the first policy to a second enterprise application on the personal device when the second enterprise application is used;
generating, on the personal device, a policy key representing a first policy that applies to the first enterprise application and the second enterprise application;
providing the policy key to the enterprise server for comparison with the first policy on the enterprise server; and
receiving a notification from the enterprise server that the first policy on the personal device is up-to-date or that the first policy on the personal device needs to be updated,
wherein activity within either the first enterprise application or the second enterprise application satisfies the password policy to avoid re-entering the password within either the first enterprise application or the second enterprise application.
2. The method of claim 1, wherein the first policy further comprises at least one of:
an encryption policy;
a data erasure policy; or
an enterprise data storage policy.
3. The method of claim 1, wherein applying the password policy further comprises implementing at least one of:
receiving a password to use the enterprise application;
a password format; or
disabling an enterprise application password restriction when the personal device has a password that meets or exceeds a password restriction in the password policy.
4. The method of claim 2, wherein applying an encryption policy comprises implementing at least one of:
when encryption is required, starting device encryption;
detecting whether device encryption is enabled and setting a policy flag reflecting the device encryption enabled status for other enterprise applications to check;
checking whether encryption is required to store enterprise data on the personal device; or
preventing enterprise data storage on the personal device when encryption is required and device encryption is not enabled.
5. The method of claim 2, wherein applying a data erasure policy comprises at least one of:
receiving an erase command from the enterprise server and erasing enterprise data only from the personal device;
detecting when a maximum number of failed password entry attempts have occurred on the personal device and erasing only enterprise data from the personal device; or
erasing enterprise data specific to the enterprise account when encryption is required and the personal device is not encrypted.
6. A computer-implemented method, comprising:
connecting, by a first enterprise application on a personal device, to an enterprise server using an enterprise account of a user of the personal device;
receiving, at the first enterprise application, a first policy for the first enterprise application from the enterprise server, the first policy comprising a password policy comprising a requirement to re-enter a password after inactivity for a specified period of time;
applying the first policy to the first enterprise application;
applying the first policy to a second enterprise application on the personal device when the second enterprise application is in use;
generating, on the personal device, a policy key representing a first policy that applies to the first enterprise application and the second enterprise application;
providing the policy key to the enterprise server for comparison with the first policy on the enterprise server; and
receiving a notification from the enterprise server that the first policy on the personal device is up-to-date or that the first policy on the personal device needs to be updated,
wherein activity within either the first enterprise application or the second enterprise application satisfies the password policy to avoid re-entering the password within either the first enterprise application or the second enterprise application.
7. The method of claim 6, further comprising preventing enterprise data from being downloaded from the enterprise server until an enterprise application requesting the enterprise data complies with the first policy.
8. An apparatus for applying and sharing remote policies, comprising:
a memory store for storing personal data and enterprise data;
a processing unit coupled to the memory storage;
a plurality of enterprise applications executable on the processing unit, connected to an enterprise server using an enterprise account of a user of the device, receiving a first policy for a first enterprise application from the enterprise server at the first enterprise application, and automatically applying the first policy for the first enterprise application to a second enterprise application, the first policy comprising a password policy comprising requiring re-entry of a password after inactivity for a specified period of time; and
wherein the apparatus generates a policy key representing a first policy that applies to the first enterprise application and the second enterprise application, provides the policy key to the enterprise server for comparison with the first policy on the enterprise server, and receives a notification from the enterprise server that the first policy on the apparatus is up-to-date or that the first policy on the apparatus needs to be updated,
wherein activity within either the first enterprise application or the second enterprise application satisfies the password policy to avoid re-entering the password within either the first enterprise application or the second enterprise application.
9. The apparatus of claim 8, wherein the first enterprise application and the second enterprise application are linked to a same enterprise account on the enterprise server.
HK13108412.8A 2011-11-09 2013-07-18 Techniques to apply and share remote policies on mobile devices HK1181214B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/292,346 2011-11-09

Publications (2)

Publication Number Publication Date
HK1181214A HK1181214A (en) 2013-11-01
HK1181214B true HK1181214B (en) 2018-03-02
