CN106031128B - The method and apparatus of mobile device management - Google Patents
- Publication number
- CN106031128B CN201380082058.9A
- Authority
- CN
- China
Abstract
Methods, systems, computer-readable media, and apparatuses for providing mobile device management (MDM) functionality are presented. In some embodiments, a pseudo-device representing a physical end user device may be established within a cloud computing environment. The pseudo-device may be provisioned for use with an MDM service provider and configured to receive commands from the MDM service provider on behalf of the physical end user device. In some embodiments, multiple pseudo-devices, each representing the physical end user device, may be established within a cloud computing environment. A first pseudo-device may be provisioned for use with a first MDM service provider and configured to receive commands from the first MDM service provider on behalf of the physical end user device. A second pseudo-device may be provisioned for use with a second MDM service provider and configured to receive commands from the second MDM service provider.
Description
Background
Aspects of this disclosure relate to computer hardware and software. In particular, one or more aspects of the disclosure generally relate to computer hardware and software for providing mobile device management functionality.
Companies and other organizations are increasingly providing their employees and other associates with mobile devices, and/or otherwise enabling them to use mobile devices, such as smartphones, tablet computers, and other mobile computing devices. As these devices continue to grow in popularity and provide more and more functions, many organizations may wish to place certain controls on how these devices can be used, what resources these devices can access, and how the applications running on these devices can interact with other resources.
Summary
Aspects of the disclosure provide more effective, practical, functional, and convenient ways of controlling how mobile devices can be used, what resources mobile devices can access, and how the applications and other software running on these devices can interact with other resources. In particular, in one or more embodiments discussed in greater detail below, mobile device management functionality is deployed, implemented, and/or used in a number of different ways to provide one or more of these and/or other advantages.
In some embodiments, a pseudo-device may be established within a cloud computing environment. The pseudo-device may represent a physical end user device. The pseudo-device may be provisioned for use with one or more mobile device management (MDM) service providers. The pseudo-device may be configured to receive one or more commands from the one or more MDM service providers on behalf of the physical end user device.
In some embodiments, multiple pseudo-devices may be established within a cloud computing environment. Each pseudo-device may represent a physical end user device. A first pseudo-device may be provisioned for use with a first MDM service provider. A second pseudo-device may be provisioned for use with a second MDM service provider. The first pseudo-device may be configured to receive commands from the first MDM service provider on behalf of the physical end user device. The second pseudo-device may be configured to receive commands from the second MDM service provider on behalf of the physical end user device.
These features, along with many others, are discussed in greater detail below.
Brief description of the drawings
The disclosure is illustrated by way of example and is not limited by the accompanying drawings, in which like reference numerals indicate similar elements, and in which:
Fig. 1 depicts an illustrative computer system architecture that may be used in accordance with one or more illustrative aspects described herein.
Fig. 2 depicts an illustrative remote access system architecture that may be used in accordance with one or more illustrative aspects described herein.
Fig. 3 depicts an illustrative virtualized (hypervisor) system architecture that may be used in accordance with one or more illustrative aspects described herein.
Fig. 4 depicts an illustrative cloud-based system architecture that may be used in accordance with one or more illustrative aspects described herein.
Fig. 5 depicts an illustrative enterprise mobility management system.
Fig. 6 depicts another illustrative enterprise mobility management system.
Fig. 7 depicts another illustrative enterprise mobility management system that may be used in accordance with one or more illustrative aspects described herein.
Fig. 8 depicts another illustrative enterprise mobility management system that may be used in accordance with one or more illustrative aspects described herein.
Fig. 9 depicts a flowchart of a method of applying one or more mobile device management policies to a physical end user device via a pseudo-device, in accordance with one or more illustrative aspects discussed herein.
Fig. 10 depicts a flowchart of a method of provisioning a pseudo-device for use with one or more mobile device management service providers, in accordance with one or more illustrative aspects discussed herein.
Fig. 11 depicts a flowchart of a method of responding to a command from a mobile device management service provider, in accordance with one or more illustrative aspects discussed herein.
Fig. 12 depicts a flowchart of a method of pushing resource data to a physical end user device, in accordance with one or more illustrative aspects discussed herein.
Fig. 13 depicts a flowchart of a method of modifying a command at a pseudo-device, in accordance with one or more illustrative aspects discussed herein.
Fig. 14 depicts a flowchart of a method of applying a selective wipe command, in accordance with one or more illustrative aspects discussed herein.
Fig. 15 depicts a flowchart of a method of deploying information to a physical end user device and revoking information from the physical end user device, in accordance with one or more illustrative aspects discussed herein.
Fig. 16 depicts a flowchart of a method of resolving conflicts between the policies of different mobile device management service providers, in accordance with one or more illustrative aspects discussed herein.
Detailed description
In the following description of the various embodiments, reference is made to the accompanying drawings identified above, which form a part hereof, and in which various embodiments in which the aspects described herein may be practiced are shown by way of illustration. It should be understood that other embodiments may be used, and that structural and functional modifications may be made, without departing from the scope described herein. The various aspects are capable of other embodiments and of being practiced or carried out in various different ways.
As a general introduction to the subject matter described in more detail below, aspects described herein are directed to controlling remote access to resources at an enterprise computing system using managed mobile applications at mobile computing devices. An access manager may perform a validation process that determines whether a mobile application requesting access to enterprise resources has accurately identified itself and has not been subsequently altered after installation at the mobile computing device. In this way, the access manager may ensure that the mobile application requesting access to the enterprise resources can be trusted and is not attempting to circumvent the security mechanisms used to protect those enterprise resources. As a result, individuals associated with the enterprise may advantageously use enterprise resources at their personal mobile devices.
It should be understood that the phraseology and terminology used herein are for the purpose of description and should not be regarded as limiting. Rather, the phrases and terms used herein are to be given their broadest interpretation and meaning. The use of "including" and "comprising" and variations thereof is meant to encompass the items listed thereafter and equivalents thereof, as well as additional items and equivalents thereof. The use of the terms "mounted", "connected", "coupled", "positioned", "engaged" and similar terms is meant to include both direct and indirect mounting, connecting, coupling, positioning, and engaging.
Computing architecture
Computer software, hardware, and networks may be used in a variety of different system environments, including standalone, networked, remote-access (also known as remote desktop), virtualized, and/or cloud-based environments, among others. Fig. 1 shows one example of a system architecture and data processing device that may be used to implement one or more illustrative aspects described herein in a standalone and/or networked environment. Network nodes 103, 105, 107, and 109 may be interconnected via a wide area network (WAN) 101, such as the Internet. Other networks may also or alternatively be used, including private intranets, corporate networks, local area networks (LAN), metropolitan area networks (MAN), wireless networks, personal networks (PAN), and the like. Network 101 is for illustration purposes and may be replaced with fewer or additional computer networks. A LAN may have one or more of any known LAN topology and may use one or more of a variety of different protocols, such as Ethernet. Devices 103, 105, 107, 109 and other devices (not shown) may be connected to one or more of the networks via twisted pair wires, coaxial cable, fiber optics, radio waves, or other communication media.
The term "network", as used herein and depicted in the drawings, refers not only to systems in which remote storage devices are coupled together via one or more communication paths, but also to standalone devices that may be coupled, from time to time, to such systems that have storage capability. Consequently, the term "network" includes not only a "physical network" but also a "content network", which is made up of the data, attributable to a single entity, that resides across all physical networks.
The components may include data server 103, web server 105, and client computers 107, 109. Data server 103 provides overall access, control, and administration of databases and control software for performing one or more illustrative aspects described herein. Data server 103 may be connected to web server 105, through which users interact with and obtain data as requested. Alternatively, data server 103 may act as a web server itself and be directly connected to the Internet. Data server 103 may be connected to web server 105 through the network 101 (e.g., the Internet), via a direct or indirect connection, or via some other network. Users may interact with the data server 103 using remote computers 107, 109, e.g., using a web browser to connect to the data server 103 via one or more externally exposed websites hosted by web server 105. Client computers 107, 109 may be used in concert with data server 103 to access data stored therein, or may be used for other purposes. For example, from client device 107 a user may access web server 105 using an Internet browser, as is known in the art, or by executing a software application that communicates with web server 105 and/or data server 103 over a computer network (such as the Internet).
Servers and applications may be combined on the same physical machines and retain separate virtual or logical addresses, or may reside on separate physical machines. Fig. 1 illustrates just one example of a network architecture that may be used, and those skilled in the art will appreciate that the specific network architecture and data processing devices used may vary and are secondary to the functionality that they provide, as further described herein. For example, services provided by web server 105 and data server 103 may be combined on a single server.
Each component 103, 105, 107, 109 may be any type of known computer, server, or data processing device. Data server 103, for example, may include a processor 111 controlling overall operation of the server 103. Data server 103 may further include RAM 113, ROM 115, network interface 117, input/output interfaces 119 (e.g., keyboard, mouse, display, printer, etc.), and memory 121. I/O 119 may include a variety of interface units and devices for reading, writing, displaying, and/or printing data or files. Memory 121 may further store operating system software 123 for controlling overall operation of the data processing device 103, control logic 125 for instructing data server 103 to perform aspects described herein, and other application software 127 providing secondary, support, and/or other functionality which may or may not be used in conjunction with aspects described herein. The control logic may also be referred to herein as the data server software 125. Functionality of the data server software may refer to operations or decisions made automatically based on rules coded into the control logic, made manually by a user providing input into the system, and/or a combination of automatic processing based on user input (e.g., queries, data updates, etc.).
Memory 121 may also store data used in performance of one or more aspects described herein, including a first database 129 and a second database 131. In some embodiments, the first database may include the second database (e.g., as a separate table, report, etc.). That is, the information can be stored in a single database, or separated into different logical, virtual, or physical databases, depending on system design. Devices 105, 107, 109 may have an architecture similar to or different from that described with respect to device 103. Those skilled in the art will appreciate that the functionality of data processing device 103 (or devices 105, 107, 109) as described herein may be spread across multiple data processing devices, for example, to distribute processing load across multiple computers, or to segregate transactions based on geographic location, user access level, quality of service (QoS), etc.
One or more aspects may be embodied in computer-usable or readable data and/or computer-executable instructions, such as in one or more program modules, executed by one or more computers or other devices as described herein. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types when executed by a processor in a computer or other device. The modules may be written in a source code programming language that is subsequently compiled for execution, or may be written in a scripting language such as (but not limited to) Javascript or ActionScript. The computer-executable instructions may be stored on a computer-readable medium, such as a non-volatile storage device. Any suitable computer-readable storage media may be used, including hard disks, CD-ROMs, optical storage devices, magnetic storage devices, and/or any combination thereof. In addition, various transmission (non-storage) media representing data or events as described herein may be transferred between a source and a destination in the form of electromagnetic waves traveling through signal-conducting media (e.g., metal wires, optical fibers) and/or wireless transmission media (e.g., air and/or space). Various aspects described herein may be embodied as a method, a data processing system, or a computer program product. Therefore, various functionalities may be embodied in whole or in part in software, firmware, and/or hardware or hardware equivalents such as integrated circuits, field programmable gate arrays (FPGA), and the like. Particular data structures may be used to more effectively implement one or more aspects described herein, and such data structures are contemplated within the scope of the computer-executable instructions and computer-usable data described herein.
With further reference to Fig. 2, one or more aspects described herein may be implemented in a remote-access environment. Fig. 2 depicts an example system architecture including a generic computing device 201 in an illustrative computing environment 200 that may be used according to one or more illustrative aspects described herein. Generic computing device 201 may be used as a server 206a in a single-server or multi-server desktop virtualization system (e.g., a remote access or cloud system) configured to provide virtual machines for client access devices. The generic computing device 201 may have a processor 203 for controlling overall operation of the server and its associated components, including random access memory (RAM) 205, read-only memory (ROM) 207, input/output (I/O) module 209, and memory 215.
I/O module 209 may include a mouse, keyboard, touch screen, scanner, optical reader, and/or stylus (or other input device) through which a user of generic computing device 201 may provide input, and may also include one or more of a speaker for providing audio output and a video display device for providing textual, audiovisual, and/or graphical output. Software may be stored within memory 215 and/or other storage to provide instructions to processor 203 for configuring generic computing device 201 into a special-purpose computing device in order to perform various functions as described herein. For example, memory 215 may store software used by the computing device 201, such as an operating system 217, application programs 219, and an associated database 221.
Computing device 201 may operate in a networked environment supporting connections to one or more remote computers, such as terminals 240 (also referred to as client devices). The terminals 240 may be personal computers, mobile devices, laptop computers, tablets, or servers that include many or all of the elements described above with respect to the generic computing device 103 or 201.
The network connections depicted in Fig. 2 include a local area network (LAN) 225 and a wide area network (WAN) 229, but may also include other networks. When used in a LAN networking environment, computing device 201 may be connected to the LAN 225 through a network interface or adapter 223. When used in a WAN networking environment, computing device 201 may include a modem 227 or other wide area network interface for establishing communications over the WAN 229, such as computer network 230 (e.g., the Internet). It will be appreciated that the network connections shown are illustrative and that other means of establishing a communications link between the computers may be used. Computing device 201 and/or terminals 240 may also be mobile terminals (e.g., mobile phones, smartphones, PDAs, notebooks, etc.) including various other components, such as a battery, speaker, and antennas (not shown).
Aspects described herein may also be operational with numerous other general-purpose or special-purpose computing system environments or configurations. Examples of other computing systems, environments, and/or configurations that may be suitable for use with aspects described herein include, but are not limited to, personal computers, server computers, handheld or laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, network PCs, minicomputers, mainframe computers, distributed computing environments that include any of the above systems or devices, and the like.
As shown in Fig. 2, one or more client devices 240 may be in communication with one or more servers 206a-206n (generally referred to herein as "server(s) 206"). In one embodiment, the computing environment 200 may include a network appliance installed between the server(s) 206 and the client machine(s) 240. The network appliance may manage client/server connections, and in some cases may load balance client connections among a plurality of backend servers 206.
In some embodiments, the client machine(s) 240 may be referred to as a single client machine 240 or a single group of client machines 240, while the server(s) 206 may be referred to as a single server 206 or a single group of servers 206. In one embodiment, a single client machine 240 communicates with more than one server 206, while in another embodiment a single server 206 communicates with more than one client machine 240. In yet another embodiment, a single client machine 240 communicates with a single server 206.
In some embodiments, a client machine 240 may be referenced by any one of the following non-exhaustive terms: client machine(s); client(s); client computer(s); client device(s); client computing device(s); local machine; remote machine; client node(s); endpoint(s); or endpoint node(s). In some embodiments, the server 206 may be referenced by any one of the following non-exhaustive terms: server(s); local machine; remote machine; server farm(s); or host computing device(s).
In one embodiment, the client machine 240 may be a virtual machine. The virtual machine may be any virtual machine, and in some embodiments the virtual machine may be any virtual machine managed by a Type 1 or Type 2 hypervisor (for example, a hypervisor developed by Citrix Systems, IBM, or VMware) or by any other hypervisor. In some aspects, the virtual machine may be managed by a hypervisor, while in other aspects the virtual machine may be managed by a hypervisor executing on a server 206 or a hypervisor executing on a client 240.
Some embodiments include a client device 240 that displays application output generated by an application remotely executing on a server 206 or other remotely located machine. In these embodiments, the client device 240 may execute a virtual machine client agent program or application to display the output in an application window, a browser, or other output window. In one example, the application is a desktop, while in other examples the application is an application that generates or presents a desktop. A desktop may include a graphical shell providing a user interface for an instance of an operating system in which local and/or remote applications can be integrated. Applications, as used herein, are programs that execute after an instance of an operating system (and, optionally, also the desktop) has been loaded.
In some embodiments, the server 206 uses a remote presentation protocol or other program to send data to a thin client or remote-display application executing on the client, in order to present display output generated by an application executing on the server 206. The thin-client or remote-display protocol can be any one of the following non-exhaustive list of protocols: the Independent Computing Architecture (ICA) protocol developed by Citrix Systems, Inc. of Fort Lauderdale, Florida; or the Remote Desktop Protocol (RDP) manufactured by Microsoft Corporation of Redmond, Washington.
A remote computing environment may include more than one server 206a-206n such that the servers 206a-206n are logically grouped together into a server farm 206, for example, in a cloud computing environment. The server farm 206 may include servers 206 that are geographically dispersed while logically grouped together, or servers 206 that are located proximate to each other while logically grouped together. In some embodiments, geographically dispersed servers 206a-206n within a server farm 206 may communicate using a WAN (wide area), MAN (metropolitan area), or LAN (local area), where different geographic regions can be characterized as: different continents; different regions within a continent; different countries; different states; different cities; different campuses; different rooms; or any combination of the preceding geographical locations. In some embodiments, the server farm 206 may be administered as a single entity, while in other embodiments the server farm 206 may include multiple server farms.
In some embodiments, a server farm may include servers 206 that execute a substantially similar type of operating system platform (e.g., WINDOWS, UNIX, LINUX, iOS, ANDROID, SYMBIAN, etc.). In other embodiments, server farm 206 may include a first group of one or more servers that execute a first type of operating system platform, and a second group of one or more servers that execute a second type of operating system platform.
The server 206 may be configured, as needed, as any type of server (e.g., a file server, an application server, a web server, a proxy server, an appliance, a network appliance, a gateway, an application gateway, a gateway server, a virtualization server, a deployment server, an SSL VPN server, a firewall, a web server, an application server), or as a master application server, a server executing an Active Directory, or a server executing an application acceleration program that provides firewall functionality, application functionality, or load-balancing functionality. Other server types may also be used.
Some embodiments include a first server 206a that receives requests from a client machine 240, forwards the request to a second server 206b, and responds to the request generated by the client machine 240 with a response from the second server 206b. The first server 206a may acquire an enumeration of applications available to the client machine 240, as well as address information associated with an application server 206 hosting an application identified within the enumeration of applications. The first server 206a can then present a response to the client's request using a web interface, and communicate directly with the client 240 to provide the client 240 with access to an identified application. One or more clients 240 and/or one or more servers 206 may transmit data over a network 230 (e.g., network 101).
Fig. 2 shows a high-level architecture of an illustrative desktop virtualization system. As shown, the desktop virtualization system may be a single-server or multi-server system, or a cloud system, including at least one virtualization server 206 configured to provide virtual desktops and/or virtual applications to one or more client access devices 240. As used herein, a desktop refers to a graphical environment or space in which one or more applications may be hosted and/or executed. A desktop may include a graphical shell providing a user interface for an instance of an operating system, in which local and/or remote applications can be integrated. Applications may include programs that execute after an instance of an operating system (and, optionally, also the desktop) has been loaded. Each instance of the operating system may be physical (e.g., one operating system per device) or virtual (e.g., many instances of an OS running on a single device). Each application may be executed on a local device, or executed on a remotely located device (e.g., remoted).
With further reference to Fig. 3, a computer device 301 may be configured as a virtualization server in a virtualization environment (for example, a single-server, multi-server, or cloud computing environment). The virtualization server 301 illustrated in Fig. 3 can be deployed as and/or implemented by one or more embodiments of the server 206 illustrated in Fig. 2 or by other known computing devices. Included in the virtualization server 301 is a hardware layer that can include one or more physical disks 304, one or more physical devices 306, one or more physical processors 308 and one or more physical memories 316. In some embodiments, firmware 312 can be stored within a memory element in the physical memory 316 and can be executed by one or more of the physical processors 308. The virtualization server 301 may further include an operating system 314 that may be stored in a memory element in the physical memory 316 and executed by one or more of the physical processors 308. Still further, a hypervisor 302 may be stored in a memory element in the physical memory 316 and can be executed by one or more of the physical processors 308.
Executing on one or more of the physical processors 308 may be one or more virtual machines 332A-C (generally 332). Each virtual machine 332 may have a virtual disk 326A-C and a virtual processor 328A-C. In some embodiments, a first virtual machine 332A may execute, using a virtual processor 328A, a control program 320 that includes a tools stack 324. The control program 320 may be referred to as a control virtual machine, Dom0, Domain 0, or other virtual machine used for system administration and/or control. In some embodiments, one or more virtual machines 332B-C can execute, using a virtual processor 328B-C, a guest operating system 330A-B.
The virtualization server 301 may include a hardware layer 310 with one or more pieces of hardware that communicate with the virtualization server 301. In some embodiments, the hardware layer 310 can include one or more physical disks 304, one or more physical devices 306, one or more physical processors 308, and one or more memories 216. Physical components 304, 306, 308, and 316 may include, for example, any of the components described above. Physical devices 306 may include, for example, a network interface card, a video card, a keyboard, a mouse, an input device, a monitor, a display device, speakers, an optical drive, a storage device, a universal serial bus connection, a printer, a scanner, a network element (e.g., router, firewall, network address translator, load balancer, virtual private network (VPN) gateway, Dynamic Host Configuration Protocol (DHCP) router, etc.), or any device connected to or communicating with the virtualization server 301. The physical memory 316 in the hardware layer 310 may include any type of memory. The physical memory 316 may store data, and in some embodiments may store one or more programs or a set of executable instructions. Fig. 3 illustrates an embodiment in which firmware 312 is stored within the physical memory 316 of the virtualization server 301. Programs or executable instructions stored in the physical memory 316 can be executed by the one or more processors 308 of the virtualization server 301.
The virtualization server 301 may also include a hypervisor 302. In some embodiments, the hypervisor 302 may be a program executed by processors 308 on the virtualization server 301 to create and manage any number of virtual machines 332. The hypervisor 302 may be referred to as a virtual machine monitor or platform virtualization software. In some embodiments, the hypervisor 302 can be any combination of executable instructions and hardware that monitors virtual machines executing on a computing machine. The hypervisor 302 may be a Type 2 hypervisor, where the hypervisor executes within an operating system 314 executing on the virtualization server 301. Virtual machines then execute at a level above the hypervisor. In some embodiments, the Type 2 hypervisor executes within the context of a user's operating system, such that the Type 2 hypervisor interacts with the user's operating system. In other embodiments, one or more virtualization servers 201 in a virtualization environment may instead include a Type 1 hypervisor (not shown). A Type 1 hypervisor may execute on the virtualization server 301 by directly accessing the hardware and resources within the hardware layer 310. That is, while a Type 2 hypervisor 302 accesses system resources through a host operating system 314 (as shown), a Type 1 hypervisor may directly access all system resources without the host operating system 314. A Type 1 hypervisor may execute directly on one or more physical processors 308 of the virtualization server 301, and may include program data stored in the physical memory 316.
In some embodiments, the hypervisor 302 can provide virtual resources to operating systems 330 or control programs 320 executing on virtual machines 332 in any manner that simulates the operating systems 330 or control programs 320 having direct access to system resources. System resources can include, but are not limited to, physical devices 306, physical disks 304, physical processors 308, physical memory 316 and any other component included in the hardware layer 310 of the virtualization server 301. The hypervisor 302 may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and/or execute virtual machines that provide access to computing environments. In still other embodiments, the hypervisor 302 controls processor scheduling and memory partitioning for a virtual machine 332 executing on the virtualization server 301. The hypervisor 302 may include those manufactured by VMWare, Inc. of Palo Alto, California; the XEN hypervisor, an open source product whose development is overseen by the open source Xen.org community; HyperV, VirtualServer or Virtual PC hypervisors provided by Microsoft; or others. In some embodiments, the virtualization server 301 executes a hypervisor 302 that creates a virtual machine platform on which guest operating systems may execute. In these embodiments, the virtualization server 301 may be referred to as a host server. An example of such a virtualization server is the XEN SERVER provided by Citrix Systems, Inc. of Fort Lauderdale, Florida.
The hypervisor 302 may create one or more virtual machines 332B-C (generally 332) in which guest operating systems 330 execute. In some embodiments, the hypervisor 302 may load a virtual machine image to create a virtual machine 332. In other embodiments, the hypervisor 302 may execute a guest operating system 330 within the virtual machine 332. In still other embodiments, the virtual machine 332 may execute the guest operating system 330.
In addition to creating virtual machines 332, the hypervisor 302 may control the execution of at least one virtual machine 332. In other embodiments, the hypervisor 302 may present at least one virtual machine 332 with an abstraction of at least one hardware resource provided by the virtualization server 301 (e.g., any hardware resource available within the hardware layer 310). In other embodiments, the hypervisor 302 may control the manner in which virtual machines 332 access the physical processors 308 available in the virtualization server 301. Controlling access to the physical processors 308 may include determining whether a virtual machine 332 should have access to a processor 308, and how physical processor capabilities are presented to the virtual machine 332.
As shown in Fig. 3, the virtualization server 301 may host or execute one or more virtual machines 332. A virtual machine 332 is a set of executable instructions that, when executed by a processor 308, imitate the operation of a physical computer such that the virtual machine 332 can execute programs and processes much like a physical computing device. While Fig. 3 illustrates an embodiment in which the virtualization server 301 hosts three virtual machines 332, in other embodiments the virtualization server 301 can host any number of virtual machines 332. In some embodiments, the hypervisor 302 provides each virtual machine 332 with a unique virtual view of the physical hardware, memory, processor and other system resources available to that virtual machine 332. In some embodiments, the unique virtual view can be based on one or more of: virtual machine permissions, application of a policy engine to one or more virtual machine identifiers, the user accessing a virtual machine, the applications executing on a virtual machine, the networks accessed by a virtual machine, or any other desired criteria. For instance, the hypervisor 302 may create one or more unsecure virtual machines 332 and one or more secure virtual machines 332. Unsecure virtual machines 332 may be prevented from accessing resources, hardware, memory locations, and programs that secure virtual machines 332 may be permitted to access. In other embodiments, the hypervisor 302 may provide each virtual machine 332 with a substantially similar virtual view of the physical hardware, memory, processor and other system resources available to the virtual machines 332.
Each virtual machine 332 may include a virtual disk 326A-C (generally 326) and a virtual processor 328A-C (generally 328). In some embodiments, the virtual disk 326 is a virtualized view of one or more physical disks 304 of the virtualization server 301, or of a portion of one or more physical disks 304 of the virtualization server 301. The virtualized view of the physical disks 304 can be generated, provided and managed by the hypervisor 302. In some embodiments, the hypervisor 302 provides each virtual machine 332 with a unique view of the physical disks 304. Thus, in these embodiments, the particular virtual disk 326 included in each virtual machine 332 can be unique when compared with the other virtual disks 326.
A virtual processor 328 can be a virtualized view of one or more physical processors 308 of the virtualization server 301. In some embodiments, the virtualized view of the physical processors 308 can be generated, provided and managed by the hypervisor 302. In some embodiments, the virtual processor 328 has substantially all of the same characteristics of at least one physical processor 308. In other embodiments, the virtual processor 308 provides a modified view of the physical processors 308 such that at least some of the characteristics of the virtual processor 328 are different from the characteristics of the corresponding physical processor 308.
With further reference to Fig. 4, some aspects described herein may be implemented in a cloud-based environment. Fig. 4 illustrates an example of a cloud computing environment (or cloud system) 400. As shown in Fig. 4, client computers 411-414 may communicate with a cloud management server 410 to access the computing resources of the cloud system (e.g., host servers 403, storage resources 404, and network resources 405).
The management server 410 may be implemented on one or more physical servers. The management server 410 may run, for example, CLOUDSTACK by Citrix Systems, Inc. of Fort Lauderdale, Florida, or OPENSTACK, among others. The management server 410 may manage various computing resources, including cloud hardware and software resources, for example, host computers 403, data storage devices 404, and networking devices 405. The cloud hardware and software resources may include private or public components. For example, a cloud may be configured as a private cloud to be used by one or more particular customers or client computers 411-414 and/or over a private network. In other embodiments, public clouds or hybrid public-private clouds may be used by other customers over open or hybrid networks.
The management server 410 may be configured to provide user interfaces through which cloud operators and cloud customers may interact with the cloud system. For example, the management server 410 may provide a set of APIs and/or one or more cloud operator console applications (e.g., web-based or standalone applications) with user interfaces to allow cloud operators to manage the cloud resources, configure the virtualization layer, manage customer accounts, and perform other cloud administration tasks. The management server 410 may also include a set of APIs and/or one or more customer console applications with user interfaces configured to receive cloud computing requests from end users via client computers 411-414, for example, requests to create, modify, or destroy virtual machines within the cloud. Client computers 411-414 may connect to the management server 410 via the Internet or another communication network, and may request access to one or more of the computing resources managed by the management server 410. In response to client requests, the management server 410 may include a resource manager configured to select and provision physical resources in the hardware layer of the cloud system based on the client requests. For example, the management server 410 and additional components of the cloud system may be configured to provision, create, and manage virtual machines and their operating environments (e.g., hypervisors, storage resources, services offered by the network elements, etc.) for customers at client computers 411-414 over a network (e.g., the Internet), providing customers with computational resources, data storage services, networking capabilities, and computer platform and application support. Cloud systems may also be configured to provide various specific services, including security systems, development environments, user interfaces, and the like.
Certain clients 411-414 may be related, for example, different client computers creating virtual machines on behalf of the same end user, or different users affiliated with the same company or organization. In other examples, certain clients 411-414 may be unrelated, such as users affiliated with different companies or organizations. For unrelated clients, information on the virtual machines or storage of any one user may be hidden from other users.
Referring now to the physical hardware layer of a cloud computing environment, availability zones 401-402 (or zones) may refer to a collocated set of physical computing resources. Zones may be geographically separated from other zones in the overall cloud of computing resources. For example, zone 401 may be a first cloud datacenter located in California, and zone 402 may be a second cloud datacenter located in Florida. The management server 410 may be located at one of the availability zones or at a separate location. Each zone may include an internal network that interfaces, through a gateway, with devices outside the zone (for example, the management server 410). End users of the cloud (e.g., clients 411-414) might or might not be aware of the distinctions between zones. For example, an end user may request the creation of a virtual machine having a specified amount of storage, processing power, and network capabilities. The management server 410 may respond to the user's request and may allocate the resources to create the virtual machine without the user knowing whether the virtual machine was created using resources from zone 401 or zone 402. In other examples, the cloud system may allow end users to request that virtual machines (or other cloud resources) be allocated in a specific zone or on specific resources 403-405 within a zone.
In this example, each zone 401-402 may include an arrangement of various physical hardware components (or computing resources) 403-405, for example, physical hosting resources (or processing resources), physical network resources, physical storage resources, switches, and additional hardware resources that may be used to provide cloud computing services to customers. The physical hosting resources in a cloud zone 401-402 may include one or more computer servers 403, such as the virtualization servers 301 described above, which may be configured to create and host virtual machine instances. The physical network resources in a cloud zone 401 or 402 may include one or more network elements 405 (e.g., network service providers) comprising hardware and/or software configured to provide a network service to cloud customers, such as firewalls, network address translators, load balancers, virtual private network (VPN) gateways, Dynamic Host Configuration Protocol (DHCP) routers, and the like. The storage resources in the cloud zone 401-402 may include storage disks (e.g., solid state drives (SSDs), magnetic hard disks, etc.) and other storage devices.
The example cloud computing environment shown in Fig. 4 may also include a virtualization layer (e.g., as shown in Figs. 1-3) with additional hardware and/or software resources configured to create and manage virtual machines and to provide other services to customers using the physical resources in the cloud. The virtualization layer may include hypervisors, as described above in Fig. 3, along with other components to provide network virtualization, storage virtualization, and the like. The virtualization layer may be a separate layer from the physical resource layer, or may share some or all of the same hardware and/or software resources with the physical resource layer. For example, the virtualization layer may include a hypervisor installed in each of the virtualization servers 403 with the physical computing resources. Known cloud systems may alternatively be used, for example, WINDOWS AZURE (Microsoft Corporation of Redmond, Washington), AMAZON EC2 (Amazon.com Inc. of Seattle, Washington), IBM BLUE CLOUD (IBM Corporation of Armonk, New York), or others.
Enterprise mobility management architecture
Fig. 5 represents an enterprise mobility technical architecture 500 for use in a BYOD environment. The architecture enables a user of a mobile device 502 both to access enterprise or personal resources from the mobile device 502 and to use the mobile device 502 for personal use. The user may access such enterprise resources 504 or enterprise services 508 using a mobile device 502 that is purchased by the user or a mobile device 502 that is provided by the enterprise to the user. The user may use the mobile device 502 for business use only or for business and personal use. The mobile device may run an iOS operating system, an Android operating system, and/or the like. The enterprise may choose to implement policies to manage the mobile device 504. The policies may be implanted through a firewall or gateway in such a way that the mobile device may be identified, secured or security verified, and provided selective or full access to the enterprise resources. The policies may be mobile device management policies, mobile application management policies, mobile data management policies, or some combination of mobile device, application, and data management policies. A mobile device 504 that is managed through the application of mobile device management policies may be referred to as an enrolled device or a managed device.
In some embodiments, the operating system of the mobile device may be separated into a managed partition 510 and an unmanaged partition 512. The managed partition 510 may have policies applied to it to secure the applications running on, and the data stored in, the managed partition. In other embodiments, all applications may execute in accordance with a set of one or more policy files received separately from the application, which define one or more security parameters, features, resource restrictions, and/or other access controls that are enforced by the mobile device management system when that application is executing on the device. By operating in accordance with their respective policy files, each application may be allowed or restricted from communicating with one or more other applications and/or resources, thereby creating a virtual partition. Thus, as used herein, a partition may refer to a physically partitioned portion of memory (physical partition), a logically partitioned portion of memory (logical partition), and/or a virtual partition created as a result of enforcement of one or more policies and/or policy files across multiple applications as described herein (virtual partition). Stated differently, by enforcing policies on managed applications, those applications may be restricted to communicating only with other managed applications and trusted enterprise resources, thereby creating a virtual partition that is inaccessible to unmanaged applications and devices.
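The policy-file partitioning described above, as an added Python example that is not code from the patent. The JSON field names, application names and hosts are constructed, and requiring both applications to list each other before they may communicate is an assumption of this example.

```python
import json

# Constructed policy files, one per managed app, delivered separately from the
# app itself. The JSON field names are assumptions made for this example.
POLICY_FILES = {
    "secure_mail": '{"allowed_peers": ["secure_browser"], '
                   '"allowed_resources": ["mail.corp.example"]}',
    "secure_browser": '{"allowed_peers": ["secure_mail", "secure_notes"], '
                      '"allowed_resources": ["intranet.corp.example"]}',
    # Misconfigured on purpose: names an unmanaged app and an untrusted host.
    "secure_notes": '{"allowed_peers": ["photo_app"], '
                    '"allowed_resources": ["files.thirdparty.example"]}',
    "broken_app": '{"allowed_peers": ["secure_mail"',  # truncated policy file
}
TRUSTED_RESOURCES = {"mail.corp.example", "intranet.corp.example"}


def load_policies(files):
    """Parse policy files; an app without a valid policy counts as unmanaged."""
    policies = {}
    for app, raw in files.items():
        try:
            doc = json.loads(raw)
        except json.JSONDecodeError:
            continue  # fail closed: no policy, no place in the partition
        if not isinstance(doc, dict):
            continue
        policies[app] = {
            "peers": set(doc.get("allowed_peers", [])),
            "resources": set(doc.get("allowed_resources", [])),
        }
    return policies


def may_talk_to_app(src, dst, policies):
    """Allow app-to-app traffic only when both ends are managed and each
    policy names the other (mutual consent is this example's assumption)."""
    if src not in policies or dst not in policies:
        return False
    return dst in policies[src]["peers"] and src in policies[dst]["peers"]


def may_reach_resource(app, host, policies, trusted=TRUSTED_RESOURCES):
    """Allow a resource only if the app's policy lists it and it is trusted."""
    return (app in policies
            and host in policies[app]["resources"]
            and host in trusted)


def lint_policies(policies, trusted=TRUSTED_RESOURCES):
    """List policy entries that would breach the partition if honoured."""
    findings = []
    for app in sorted(policies):
        for peer in sorted(policies[app]["peers"]):
            if peer not in policies:
                findings.append((app, "unmanaged-peer", peer))
            elif app not in policies[peer]["peers"]:
                findings.append((app, "one-way-peer", peer))
        for host in sorted(policies[app]["resources"] - trusted):
            findings.append((app, "untrusted-resource", host))
    return findings


def virtual_partition(app, policies):
    """Return the set of apps reachable from `app` over allowed links."""
    if app not in policies:
        return set()  # unmanaged apps are outside every partition
    seen, stack = {app}, [app]
    while stack:
        cur = stack.pop()
        for peer in policies[cur]["peers"]:
            if peer not in seen and may_talk_to_app(cur, peer, policies):
                seen.add(peer)
                stack.append(peer)
    return seen


if __name__ == "__main__":
    pol = load_policies(POLICY_FILES)
    print(sorted(virtual_partition("secure_mail", pol)))
    for finding in lint_policies(pol):
        print(finding)
```

The lint pass is the useful operational check: a policy that names an unmanaged peer or an untrusted host is denied at enforcement time, but it should also be reported so the policy file gets corrected.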
The applications running on the managed partition may be secure applications. The secure applications may be email applications, web browsing applications, software-as-a-service (SaaS) access applications, Windows Application access applications, and the like. The secure applications may be secure native applications 514, secure remote applications 522 executed by a secure application launcher 518, virtualization applications 526 executed by a secure application launcher 518, and the like. The secure native applications 514 may be wrapped by a secure application wrapper 520. The secure application wrapper 520 may include integrated policies that are executed on the mobile device 502 when the secure native application is executed on the device. The secure application wrapper 520 may include metadata that points the secure native application 514 running on the mobile device 502 to the resources hosted at the enterprise that the secure native application 514 may require to complete the task requested upon execution of the secure native application 514. The secure remote applications 522 executed by a secure application launcher 518 may be executed within the secure application launcher application 518. The virtualization applications 526 executed by a secure application launcher 518 may use resources on the mobile device 502, at the enterprise resources 504, and the like. The resources used on the mobile device 502 by the virtualization applications 526 executed by a secure application launcher 518 may include user interaction resources, processing resources, and the like. The user interaction resources may be used to collect and transmit keyboard input, mouse input, camera input, tactile input, audio input, visual input, gesture input, and the like. The processing resources may be used to present a user interface, process data received from the enterprise resources 504, and the like. The resources used at the enterprise resources 504 by the virtualization applications 526 executed by a secure application launcher 518 may include user interface generation resources, processing resources, and the like. The user interface generation resources may be used to assemble a user interface, modify a user interface, refresh a user interface, and the like. The processing resources may be used to create information, read information, update information, delete information, and the like. For example, the virtualization application may record user interactions associated with a GUI and communicate them to a server application, where the server application will use the user interaction data as an input to the application operating on the server. In this arrangement, an enterprise may elect to maintain the application on the server side, as well as the data, files, etc. associated with the application. While an enterprise may elect to "mobilize" some applications in accordance with the principles herein by securing them for deployment on the mobile device, this arrangement may also be elected for certain applications. For example, while some applications may be secured for use on the mobile device, others might not be prepared or appropriate for deployment on the mobile device, so the enterprise may elect to provide the mobile user access to the unprepared applications through virtualization techniques. As another example, the enterprise may have large complex applications with large and complex data sets (e.g., material resource planning applications) for which it would be very difficult, or otherwise undesirable, to customize the application for the mobile device, so the enterprise may elect to provide access to the application through virtualization techniques. As yet another example, the enterprise may have an application that maintains highly secure data (e.g., human resources data, customer data, project data) that the enterprise may deem too sensitive for even the secured mobile environment, so the enterprise may elect to use virtualization techniques to permit mobile access to such applications and data. An enterprise may elect to provide both fully secured and fully functional applications on the mobile device, as well as a virtualization application to allow access to applications that are deemed more properly operated on the server side. In an embodiment, the virtualization application may store some data, files, etc. on the mobile phone in one of the secure storage locations. An enterprise, for example, may elect to allow certain information to be stored on the phone while not permitting other information to be stored on the phone.
In connection with the virtualization application, as described herein, the mobile device may have a virtualization application that is designed to present GUIs and then record user interactions with the GUI. The application may communicate the user interactions to the server side, to be used by the server-side application as the user's interactions with the application. In response, the application on the server side may transmit a new GUI back to the mobile device. For example, the new GUI may be a static page, a dynamic page, an animation, or the like.
The secure applications may access data stored in a secure data container 528 in the managed partition 510 of the mobile device. The data secured in the secure data container may be accessed by the secure wrapped applications 514, applications executed by a secure application launcher 518, virtualization applications 526 executed by a secure application launcher 518, and the like. The data stored in the secure data container 528 may include files, databases, and the like. The data stored in the secure data container 528 may include data restricted to a specific secure application 530, data shared among secure applications 532, and the like. Data restricted to a secure application may include secure general data 534 and highly secure data 538. Secure general data may use a strong form of encryption (such as AES 128-bit encryption or the like), while highly secure data 538 may use a very strong form of encryption (such as AES 256-bit encryption). Data stored in the secure data container 528 may be deleted from the device upon receipt of a command from the device manager 524. The secure applications may have a dual-mode option 540. The dual-mode option 540 may present the user with an option to operate the secure application in an unsecured mode. In the unsecured mode, the secure applications may access data stored in an unsecured data container 542 on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container may be personal data 544. The data stored in an unsecured data container 542 may also be accessed by unsecured applications 548 that are running on the unmanaged partition 512 of the mobile device 502. The data stored in an unsecured data container 542 may remain on the mobile device 502 when the data stored in the secure data container 528 is deleted from the mobile device 502. An enterprise may want to delete from the mobile device selected or all data, files, and/or applications owned, licensed or controlled by the enterprise (enterprise data) while leaving or otherwise preserving personal data, files, and/or applications owned, licensed or controlled by the user (personal data). This operation may be referred to as a selective wipe. With the enterprise and personal data arranged in accordance with the aspects described herein, an enterprise may perform a selective wipe.
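The selective wipe described above, as an added Python example that is not code from the patent. The directory layout and file names are constructed stand-ins for the secure data container 528 and the unsecured data container 542; the example wipes all or selected enterprise data and confirms that personal data is untouched, including when a link inside the secure container points at it.

```python
import hashlib
import os
import tempfile


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_device(root):
    """Create a constructed device layout (directory names are assumptions)."""
    secure = os.path.join(root, "managed", "secure_container")
    unsecured = os.path.join(root, "unmanaged", "unsecured_container")
    _write(os.path.join(secure, "app_mail", "general", "inbox.db"), b"corp mail")
    _write(os.path.join(secure, "app_hr", "highly_secure", "pay.db"), b"hr data")
    _write(os.path.join(secure, "shared", "contacts.db"), b"corp contacts")
    _write(os.path.join(unsecured, "photos", "holiday.jpg"), b"personal photo")
    try:
        # A link from enterprise storage into personal data: the wipe must
        # remove the link itself and leave the personal file alone.
        os.symlink(os.path.join(unsecured, "photos"),
                   os.path.join(secure, "shared", "photos_link"))
    except (OSError, NotImplementedError):
        pass  # platform without symlink support
    return secure, unsecured


def digest_tree(top):
    """Map relative path -> SHA-256 for each regular file below `top`."""
    out = {}
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            out[os.path.relpath(full, top)] = digest
    return out


def _remove_tree(target, base):
    """Delete `target` bottom-up without ever following a symbolic link."""
    if os.path.islink(target) or os.path.isfile(target):
        os.unlink(target)
        return [os.path.relpath(target, base)]
    removed = []
    for dirpath, dirs, files in os.walk(target, topdown=False, followlinks=False):
        for name in files + dirs:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isdir(full):
                os.unlink(full)  # regular files and links
                removed.append(os.path.relpath(full, base))
            else:
                os.rmdir(full)   # already emptied by the bottom-up walk
    if os.path.isdir(target):
        os.rmdir(target)
    return removed


def selective_wipe(secure_container, only=None):
    """Wipe all enterprise data, or only the named top-level entries."""
    names = sorted(os.listdir(secure_container)) if only is None else list(only)
    removed = []
    for name in names:
        # Reject anything that could resolve outside the secure container.
        if name in ("", ".", "..") or os.path.basename(name) != name:
            raise ValueError(f"wipe target outside the container: {name!r}")
        removed += _remove_tree(os.path.join(secure_container, name),
                                secure_container)
    return sorted(removed)


def run_demo(only=None):
    """Wipe a freshly built device and report what is left afterwards."""
    with tempfile.TemporaryDirectory() as root:
        secure, unsecured = build_device(root)
        personal_before = digest_tree(unsecured)
        removed = selective_wipe(secure, only)
        return {
            "removed": removed,
            "secure_left": digest_tree(secure),
            "personal_intact": digest_tree(unsecured) == personal_before,
            "container_exists": os.path.isdir(secure),
        }


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(only=["app_hr"]))
```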
The mobile device may connect to enterprise resources 504 and enterprise services 508 at an enterprise, to the public Internet 548, and the like. The mobile device may connect to enterprise resources 504 and enterprise services 508 through virtual private network connections. The virtual private network connections (also referred to as micro VPN or application-specific VPN) may be specific to particular applications 550, particular devices, particular secured areas on the mobile device, and the like (e.g., 552). For example, each of the wrapped applications in the secured area of the phone may access enterprise resources through an application-specific VPN, such that access to the VPN would be granted based on attributes associated with the application, possibly in conjunction with user or device attribute information. The virtual private network connections may carry Microsoft Exchange traffic, Microsoft Active Directory traffic, HTTP traffic, HTTPS traffic, application management traffic, and the like. The virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504.
The virtual private network connections may be established and managed by an access gateway 560. The access gateway 560 may include performance enhancement features that manage, accelerate, and improve the delivery of corporate resources 504 to the mobile device 502. The access gateway may also re-route traffic from the mobile device 502 to the public Internet 548, enabling the mobile device 502 to access publicly available and non-secure applications that run on the public Internet 548. The mobile device may connect to the access gateway via a transport network 562. The transport network 562 may be a wired network, wireless network, cloud network, local area network, metropolitan area network, wide area network, public network, private network, and the like.
Corporate resources 504 may include email servers, file sharing servers, SaaS applications, web application servers, Windows application servers, and the like. Email servers may include Exchange servers, Lotus Notes servers, and the like. File sharing servers may include ShareFile servers and the like. SaaS applications may include Salesforce and the like. Windows application servers may include any application server built to provide applications intended to run on a local Windows operating system, and the like. Corporate resources 504 may be premise-based resources, cloud-based resources, and the like. Corporate resources 504 may be accessed by the mobile device 502 directly or through the access gateway 560. Corporate resources 504 may be accessed by the mobile device 502 via the transport network 562. The transport network 562 may be a wired network, wireless network, cloud network, local area network, metropolitan area network, wide area network, public network, private network, and the like.
Enterprise services 508 may include authentication services 558, threat detection services 564, device manager services 524, file sharing services 568, policy manager services 570, social integration services 572, application controller services 574, and the like. Authentication services 558 may include user authentication services, device authentication services, application authentication services, data authentication services, and the like. Authentication services 558 may use certificates. The certificates may be stored on the mobile device 502 by the corporate resources 504 and the like. The certificates stored on the mobile device 502 may be stored in an encrypted location on the mobile device, and a certificate may be temporarily stored on the mobile device 502 for use at the time of authentication, and the like. Threat detection services 564 may include intrusion detection services, unauthorized access attempt detection services, and the like. Unauthorized access attempt detection services may cover unauthorized attempts to access devices, applications, data, and the like. Device management services 524 may include configuration, provisioning, security, support, monitoring, reporting, and decommissioning services. File sharing services 568 may include file management services, file storage services, file collaboration services, and the like. Policy manager services 570 may include device policy manager services, application policy manager services, data policy manager services, and the like. Social integration services 572 may include contact integration services, collaboration services, integration with social networks (e.g., Facebook, Twitter, and LinkedIn), and the like. Application controller services 574 may include management services, provisioning services, deployment services, distribution services, revocation services, wrapping services, and the like.
The enterprise mobility technical architecture 500 may include an application store 578. The application store 578 may include unwrapped applications 580, pre-wrapped applications 582, and the like. Applications may be populated in the application store 578 by the application controller 574. The application store 578 may be accessed by the mobile device 502 through the access gateway 560, through the public Internet 548, and the like. The application store may be provided with an intuitive and easy-to-use user interface. The application store 578 may provide access to a software development kit 584. The software development kit 584 may give a user the ability to secure applications selected by the user by wrapping the application as described previously in this description. An application that has been wrapped using the software development kit 584 may then be made available to the mobile device 502 by populating it in the application store 578 using the application controller 574.
The enterprise mobility technical architecture 500 may include management and analytics capabilities. The management and analytics capabilities may provide information related to how resources are used, how often resources are used, and the like. Resources may include devices, applications, data, and the like. How resources are used may include which devices download which applications, which applications access which data, and the like. How often resources are used may include how often an application has been downloaded, how many times a specific set of data has been accessed by an application, and the like.
Fig. 6 is another illustrative enterprise mobility management system 600. Some of the components of the mobility management system 500 described above with reference to Fig. 5 have been omitted for the sake of simplicity. The architecture of the system 600 depicted in Fig. 6 is similar in many respects to the architecture of the system 500 described above with reference to Fig. 5 and may include additional features not mentioned above.
In this case, the left-hand side represents a registered/managed mobile device 602 with a client agent 604, which interacts with a gateway server 606 (which includes access gateway and application controller functionality) to access various corporate resources 608 and services 609, such as Exchange, Sharepoint, PKI resources, Kerberos resources, and certificate issuance services, as shown on the right-hand side above. Although not specifically shown, the mobile device 602 may also interact with an application store for the selection and downloading of applications.
The client agent 604 acts as the UI (user interface) intermediary for Windows applications/desktops hosted in an enterprise data center, which are accessed using a display remoting protocol, such as but not limited to the ICA protocol. The client agent 604 also supports the installation and management of native applications on the mobile device 602, such as native iOS or Android applications. For example, the managed applications 610 (email, browser, wrapped application) shown in the figure above are all native applications that execute locally on the device. The client agent 604 and the application management framework (AMF) of this architecture act to provide policy-driven management capabilities and features, such as connectivity and SSO (single sign-on) to corporate resources/services 608. The client agent 604 handles primary user authentication to the enterprise, normally to the access gateway (AG) with SSO to other gateway server components. The client agent 604 obtains policies from the gateway server 606 to control the behavior of the AMF-managed applications 610 on the mobile device 602.
The secure IPC links 612 between the native applications 610 and the client agent 604 represent a management channel, which allows the client agent to supply policies to be enforced by the application management framework 614 "wrapping" each application. The IPC channel 612 also allows the client agent 604 to supply credential and authentication information that enables connectivity and SSO to corporate resources 608. Finally, the IPC channel 612 allows the application management framework 614 to invoke user interface functions implemented by the client agent 604, such as online authentication and offline authentication.
Communications between the client agent 604 and the gateway server 606 are essentially an extension of the management channel from the application management framework 614 wrapping each native managed application 610. The application management framework 614 requests policy information from the client agent 604, which in turn requests it from the gateway server 606. The application management framework 614 requests authentication, and the client agent 604 logs into the gateway services part of the gateway server 606 (also known as NetScaler Access Gateway). The client agent 604 may also call supporting services on the gateway server 606, which may produce input material for the encryption keys of the local data vaults 616, or provide client certificates that enable direct authentication to PKI protected resources, as explained more fully below.
In more detail, the application management framework 614 "wraps" each managed application 610. This may be incorporated via an explicit build step or via a post-build processing step. The application management framework 614 may "pair" with the client agent 604 on first launch of an application 610 to initialize the secure IPC channel and obtain the policy for that application. The application management framework 614 may enforce the relevant portions of the policy that apply locally, such as the client agent login dependencies and some of the containment policies that restrict how local OS services may be used or how they may interact with the application 610.
The application management framework 614 may use services provided by the client agent 604 over the secure IPC channel 612 to facilitate authentication and internal network access. Key management for the private and shared data vaults 616 (containers) may also be managed by appropriate interactions between the managed applications 610 and the client agent 604. Vaults 616 may be available only after online authentication, or may be made available after offline authentication if allowed by policy. First use of the vaults 616 may require online authentication, and offline access may be limited to at most the policy refresh period before online authentication is again required.
Network access to internal resources may occur directly from individual managed applications 610 through the access gateway 606. The application management framework 614 is responsible for orchestrating the network access on behalf of each application 610. The client agent 604 may facilitate these network connections by providing suitable time-limited secondary credentials obtained following online authentication. Multiple modes of network connection may be used, such as reverse web proxy connections and end-to-end VPN-style tunnels 618.
The mail and browser managed applications 610 have special status and may make use of facilities that might not be generally available to arbitrary wrapped applications. For example, the mail application may use a special background network access mechanism that allows it to access Exchange over an extended period of time without requiring a full AD logon. The browser application may use multiple private data vaults to segregate different kinds of data.
This architecture supports the incorporation of various other security features. For example, in some cases the gateway server 606 (including its gateway services) will not need to validate AD passwords. It can be left to the discretion of the enterprise whether an AD password is used as an authentication factor for some users in some situations. Different authentication methods may be used depending on whether a user is online or offline (i.e., connected or not connected to a network).
Step-up authentication is a feature wherein the gateway server 606 may identify managed native applications 610 that are allowed to have access to highly confidential data (classified data) requiring strong authentication, and ensure that access to these applications is only permitted after performing appropriate authentication, even if this means the user must re-authenticate after a prior, weaker level of login.
Another security feature of this solution is the encryption of the data vaults 616 (containers) on the mobile device 602. The vaults 616 may be encrypted so that all on-device data, including files, databases, and configurations, is protected. For online vaults, the keys may be stored on the server (gateway server 606), and for offline vaults, a local copy of the keys may be protected by a user password. When data is stored locally on the device 602 in the secure container 616, it is preferred that an encryption algorithm of at least AES 256-bit strength be used.
Other secure container features may also be implemented. For example, a logging feature may be included, wherein all security events happening inside an application 610 are logged and reported to the backend. Data wiping may be supported, such that if the application 610 detects tampering, the associated encryption keys may be overwritten with random data, leaving no hint on the file system that user data was destroyed. Screenshot protection is another feature, where an application may prevent any data from being stored in screenshots. For example, the key window's hidden property may be set to YES. This may cause whatever content is currently displayed on the screen to be hidden, resulting in a blank screenshot where any content would normally reside.
Local data transfer may be prevented, such as by preventing any data from being locally transferred outside the application container, for example by copying it or sending it to an external application. A keyboard cache feature may operate to disable the autocorrect functionality for sensitive text fields. SSL certificate validation may be operable, so that the application specifically validates the server SSL certificate instead of it being stored in the keychain. An encryption key generation feature may be used such that the key used to encrypt data on the device is generated using a passphrase supplied by the user (if offline access is required). If offline access is not required, it may be XORed with another key randomly generated and stored on the server side. Key derivation functions may operate such that keys generated from the user password use a KDF (key derivation function, notably PBKDF2) rather than creating a cryptographic hash of it. A cryptographic hash makes the key susceptible to brute force or dictionary attacks.
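The key generation scheme described above can be sketched as follows. This is an added example, not code from the patent; the function names, the salt handling, and the iteration count are assumptions, since the text names only PBKDF2, the XOR with a server-side key, and (earlier) the AES 256-bit minimum.

```python
import hashlib
import secrets

KEY_LEN = 32                  # 256-bit key, matching the AES 256-bit minimum in the text
DEFAULT_ITERATIONS = 600_000  # assumed work factor; the text does not give one


def naive_key(password: str) -> bytes:
    """The pattern the text warns against: one unsalted hash of the password."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def kdf_key(password: str, salt: bytes, iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Derive the password-based key with PBKDF2-HMAC-SHA256 and a per-device salt."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN
    )


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def vault_key(password: str, salt: bytes, server_share: bytes = None,
              iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Return the vault key.

    Offline access required: the password-derived key alone.
    Online-only vault: that key XORed with a random key held on the server,
    so the device cannot rebuild the vault key without contacting the server.
    """
    local = kdf_key(password, salt, iterations)
    if server_share is None:
        return local
    return xor_bytes(local, server_share)


def compare_devices(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Contrast the naive hash with the KDF for the same password on two devices."""
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    share = secrets.token_bytes(KEY_LEN)  # constructed stand-in for the server-side key
    offline = vault_key(password, salt_a, iterations=iterations)
    online = vault_key(password, salt_a, share, iterations)
    return {
        # Unsalted hash: one precomputed dictionary covers every device.
        "naive_keys_identical": naive_key(password) == naive_key(password),
        # Salted KDF: same password, different key per device, slow per guess.
        "kdf_keys_identical": kdf_key(password, salt_a, iterations)
        == kdf_key(password, salt_b, iterations),
        "online_key_needs_server_share": online != offline,
        "share_removal_recovers_local_key": xor_bytes(online, share) == offline,
    }


if __name__ == "__main__":
    for name, value in compare_devices("constructed passphrase").items():
        print(f"{name}: {value}")
```
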
Further, one or more initialization vectors may be used in the encryption methods. An initialization vector will cause multiple copies of the same encrypted data to yield different ciphertext output, preventing both replay and cryptanalytic attacks. This will also prevent an attacker from decrypting any data, even with a stolen encryption key, if the specific initialization vector used to encrypt the data is not known. Further, authentication followed by decryption may be used, wherein application data is decrypted only after the user has authenticated within the application. Another feature may relate to sensitive data in memory, which may be kept in memory (and not on disk) only when it is needed. For example, login credentials may be wiped from memory after login, and encryption keys and other data inside Objective-C instance variables are not stored, because they can be easily referenced. Instead, memory may be manually allocated for these.
An inactivity timeout may be implemented, wherein a user session is terminated after a policy-defined period of inactivity.
Data leakage from the application management framework 614 may be prevented in other ways. For example, when an application 610 is put in the background, the memory may be cleared after a predetermined (configurable) time period. When backgrounded, a snapshot may be taken of the last displayed screen of the application to speed up the foregrounding process. The screenshot may contain confidential data and hence should be cleared.
Another security feature relates to the use of an OTP (one-time password) 620, without the use of an AD (Active Directory) 622 password, for access to one or more applications. In some cases, some users do not know (or are not permitted to know) their AD password, so these users may authenticate using an OTP 620, such as by using a hardware OTP system like SecurID (OTPs may also be provided by different vendors, such as Entrust or Gemalto). In some cases, after a user authenticates with a user ID, a text is sent to the user with an OTP 620. In some cases, this may be implemented only for online use, with the prompt being a single field.
An offline password may be implemented for offline authentication for those applications 610 for which offline use is permitted via enterprise policy. For example, an enterprise may want the enterprise application store to be accessed in this manner. In this case, the client agent 604 may require the user to set a custom offline password, and the AD password is not used. The gateway server 606 may provide policies to control and enforce password standards with respect to the minimum length, character class composition, and age of passwords, such as those described by the standard Windows Server password complexity requirements, although these requirements may be modified.
Another feature relates to the enablement of a client-side certificate for certain applications 610 as a secondary credential (for the purpose of accessing PKI protected network resources via the micro VPN feature). For example, an email application may utilize such a certificate. In this case, certificate-based authentication using the ActiveSync protocol may be supported, wherein a certificate from the client agent 604 may be retrieved by the gateway server 606 and used in a keychain. Each managed application may have one associated client certificate, identified by a label that is defined in the gateway server 606.
The gateway server 606 may interact with an enterprise private service to support the issuance of client certificates that allow the relevant managed applications to authenticate to internal PKI protected resources.
The client agent 604 and the application management framework 614 may be enhanced to support obtaining and using client certificates for authentication to internal PKI protected network resources. More than one certificate may be supported, such as to match various levels of security and/or separation requirements. The certificates may be used by the mail and browser managed applications, and ultimately by arbitrary wrapped applications (provided those applications use web service style communication patterns where it is reasonable for the application management framework to mediate HTTPS requests).
Client certificate support on iOS may rely on importing a PKCS 12 BLOB (binary large object) into the iOS keychain in each managed application for each period of use. Client certificate support may use an HTTPS implementation with private in-memory key storage. The client certificate will never be present in the iOS keychain and will not be persisted, except potentially in an "online-only" data value that is strongly protected.
Mutual SSL may also be implemented to provide additional security by requiring that the mobile device 602 be authenticated to the enterprise, and vice versa. Virtual smart cards for authentication to the gateway server 606 may also be implemented.
Both limited and full Kerberos support may be additional features. The full support feature relates to the ability to perform a full Kerberos login to AD 622, using an AD password or a trusted client certificate, and obtain Kerberos service tickets to respond to HTTP Negotiate authentication challenges. The limited support feature relates to constrained delegation in AGEE, where AFEE supports invoking Kerberos protocol transition so that it can obtain and use Kerberos service tickets (subject to constrained delegation) in response to HTTP Negotiate authentication challenges. This mechanism works in reverse web proxy (also known as CVPN) mode, and when HTTP (but not HTTPS) connections are proxied in VPN and micro VPN mode.
Another feature relates to application container locking and wiping, which may occur automatically upon detection of a jailbreak or of administrator (root) privileges being obtained, and may occur as a pushed command from the management console, and may include remote wipe functionality even when an application 610 is not running.
A multi-site architecture or configuration of the enterprise application store and application controller may be supported, allowing users to be served from one of several different locations in case of failure.
In some cases, managed applications 610 may be allowed to access a certificate and private key via an API (for example, OpenSSL). Trusted managed applications 610 of an enterprise may be allowed to perform specific public key operations with an application's client certificate and private key. Various use cases may be identified and treated accordingly, such as when an application behaves like a browser and no certificate access is required, when an application reads a certificate for "who am I," when an application uses the certificate to build a secure session token, and when an application uses private keys for digital signing of important data (e.g., a transaction log) or for temporary data encryption.
Enterprise mobility device management features
Fig. 7 is another illustrative enterprise mobility management system 700. Some of the components of the mobility management systems 500 and 600 described above with reference to Fig. 5 and Fig. 6 have been omitted for the sake of simplicity. The architecture of the system 700 depicted in Fig. 7 is similar in many respects to the architecture of the systems 500 and 600 described above with reference to Fig. 5 and Fig. 6, and may include additional features not mentioned above.
In this example, the enterprise mobility management system 700 may include a cloud computing environment 702 that interacts, through a communication network 710, with one or more of a physical mobile device 724 (e.g., a physical end-user device) of an end user 726 and mobile device management (MDM) service providers 712, 718. The communication network 710 may enable two or more computing devices to communicate using a wireless LAN (WLAN) interface and/or signals, a cellular interface and/or signals, a Bluetooth interface and/or signals, and/or any other communication interface and/or signals.
The cloud computing environment 702 may include one or more cloud-based mobile device management service provider servers 704. A server 704 may be a computer, thin client, blade server, and/or other computing device. At least one of the cloud-based mobile device management service provider servers 704 may include a pseudo-device 706 representing the physical mobile device 724 of the end user 726. The cloud computing environment may also include a firewall 708 or gateway to facilitate secure communication between one or more of the MDM service providers 712, 718 and any of the physical mobile device 724 and the pseudo-device 706, and to facilitate selective access to the pseudo-device 706. In some embodiments, the cloud computing environment 702 may be part of one of the MDM service providers 712, 718. In some embodiments, one of the MDM service providers 712, 718 may provide an enterprise on-premises deployment to control the transition of the physical mobile device 726 between one or more MDM service providers 712, 718. For example, an MDM service provider 712, 718 may transfer registration to a local server, which may then work with both the existing provider and a preferred new provider, transferring profile policies while the new provider is active (or doing so in advance to insulate against future provider changes).
According to one or more aspects, the pseudo-device 706 may represent the physical mobile device 724 of the end user 726. Specifically, the pseudo-device 706 may act as a proxy for the physical mobile device 724 (also referred to herein as the physical end-user device). Additionally or alternatively, the pseudo-device 706 may be a logical representation of the physical mobile device 724. As such, the pseudo-device may use the processor and memory of the server 704 to perform tasks and store information, respectively. In some embodiments, the pseudo-device 706 may include a computer program that implements the protocols required to interact with the MDM service providers 712, 718. Additionally or alternatively, in some embodiments, the pseudo-device 706 may behave like the physical mobile device 724, except that the pseudo-device may be registered with multiple MDM service providers. Additionally or alternatively, in some embodiments, the pseudo-device 706 may emulate and/or simulate the physical mobile device 724, so that the pseudo-device 706 appears to the MDM service providers 712, 718 to be the actual physical mobile device 724. For example, in emulating and/or simulating the physical mobile device 724, the pseudo-device 706 may, on behalf of the physical mobile device 724, authenticate to the MDM service providers 712 and 718, receive one or more commands and/or other communications from the MDM service providers 712 and 718, and/or send one or more messages and/or other communications to the MDM service providers 712 and 718, as if the pseudo-device 706 were the physical mobile device 724. As a result, the MDM service providers 712, 718 may treat or otherwise interact with the pseudo-device 706 as if they were interacting with the actual physical mobile device 724. Accordingly, the mobile-device-related features and/or components described above with reference to Fig. 5 and Fig. 6 may be implemented with the pseudo-device 706.
For example, the pseudo-device 706 may register with the first MDM service provider 712 in the same way that a typical physical mobile device would register with the first MDM service provider 712 (e.g., by authenticating with the first MDM service provider 712, by requesting one or more policies and/or profiles from the first MDM service provider 712, etc.). In this way, the pseudo-device 706 may be provisioned for use with the first MDM service provider 712 (e.g., similar to how a conventional physical mobile device is provisioned for use with an MDM service provider). For example, in registering with the MDM service provider 712, the pseudo-device 706 may send a registration request to the first MDM service provider 712. The pseudo-device 706 may then receive, from the first MDM service provider 712, the policy enforcement profile 716 (e.g., a certificate) of the first MDM service provider 712. The pseudo-device 706 may then store the policy enforcement profile 716 of the first MDM service provider 712 in the associated memory of the server 704.
The policy enforcement profile 716 may facilitate identification of the pseudo-device 706 to the first MDM service provider 712 and facilitate secure communication between the pseudo-device 706 and the first MDM service provider 712. Once the pseudo-device 706 is provisioned for use with the first MDM service provider 712, the pseudo-device 706 may access and/or otherwise interact with the various corporate resources 714 of the first MDM service provider 712. The pseudo-device 706, representing the physical mobile device 724, may be configured to receive one or more commands from one or more of the MDM service providers 712, 718, thereby enabling the MDM service providers 712, 718 to manage the physical mobile device 724 via the pseudo-device 706.
Similarly, the pseudo-device 706 may register with the second MDM service provider 718 in the same way that a typical physical mobile device would register with the second MDM service provider 718. Specifically, the pseudo-device 706 may be provisioned for use with the second MDM service provider 718. More specifically, the pseudo-device 706 may send a registration request to the second MDM service provider 718. The pseudo-device may then receive, from the second MDM service provider 718, the policy enforcement profile 722 (e.g., a certificate) of the second MDM service provider 718. The pseudo-device 706 may store the policy enforcement profile 722 of the second MDM service provider 718 in the associated memory of the server 704. The policy enforcement profile 716 of the first MDM service provider 712 and the policy enforcement profile 722 of the second MDM service provider 718 may be stored at the same time at the pseudo-device 706 in the associated memory of the server 704.
The policy enforcement profile 722 may facilitate identification of the pseudo-device 706 to the second MDM service provider 718 and facilitate secure communication between the pseudo-device 706 and the second MDM service provider 718. Once the pseudo-device 706 is provisioned for use with the second MDM service provider 718, the pseudo-device 706 may access and/or otherwise interact with the various corporate resources 720 of the second MDM service provider 718. The pseudo-device 706, representing the physical mobile device 724, may be configured to receive one or more commands from one or more of the MDM service providers 712, 718 to manage the physical mobile device 724.
As described above, the pseudo-device 706 may communicate with the physical mobile device 724 of the end user 726. Once the pseudo-device 706 is provisioned for use with the first MDM service provider 712, the pseudo-device 706 may deploy (e.g., transmit) the policy enforcement profile 716 from the pseudo-device 706 to the physical mobile device 724. The policy enforcement profile 716 may facilitate enforcement of the policies of the first MDM service provider 712 at the physical mobile device 724 (e.g., by an MDM policy enforcement agent, such as an MDM cloud agent that may run on the physical mobile device 724 and may be configured to receive and subsequently enforce such policies).
Because the physical mobile device 724 is allowed to work with the first and second MDM service providers 712, 718 via the pseudo-device 706, the physical mobile device 724 does not need to un-enroll and/or re-register when, for example, it moves from working with the first MDM service provider 712 to working with the second MDM service provider 718. For example, the physical mobile device 724 does not need to uninstall the profile of the first MDM service provider 712 and re-register with the profile of the second MDM service provider in order to access the corporate resources of the second MDM service provider 718. In addition, the user does not need more than one physical mobile device in order to work with each of the MDM service providers 712, 718.
While communicating with physical mobile device 724, pseudo-device 706 can deploy and/or enable access to corporate resources 714, which include, for example, enterprise applications, application data, and/or other information as may be permitted by strategy execution configuration file 716 of the first MDM service provider 712. Pseudo-device 706 can also send commands to physical mobile device 724 while communicating with it. In some examples, pseudo-device 706 can send commands to physical mobile device 724 independently, without being prompted by the first MDM service provider 712 and/or without receiving any command from the first MDM service provider 712. In other examples, pseudo-device 706 can send commands to physical mobile device 724 in response to receiving one or more commands from the first MDM service provider 712. In some examples, the commands sent from pseudo-device 706 to physical mobile device 724 can be one or more commands that differ from the commands pseudo-device 706 received from the first MDM service provider 712. For example, pseudo-device 706 can modify the commands received from an MDM service provider and then send the modified commands to physical mobile device 724. The one or more different and/or modified commands can be based at least in part on the commands received at pseudo-device 706 from the first MDM service provider 712. Pseudo-device 706 can generate the one or more different and/or modified commands and can send those commands to physical mobile device 724. Additionally or alternatively, pseudo-device 706 can receive a command from the first MDM service provider 712 and send the received command to physical mobile device 724.
Pseudo-device 706 can send commands to physical mobile device 724 in order to execute policies associated with the first MDM service provider 712. For example, a command can cause one or more previously deployed corporate resources 714 (which may include, for example, one or more enterprise applications, application data, or data or other information permitted by strategy execution configuration file 716) to be recalled from physical mobile device 724. This is referred to as a "recall (retraction)" in the following discussion. In causing the one or more previously deployed corporate resources 714 to be recalled from physical mobile device 724, the command can cause data generated by physical mobile device 724 in connection with the first MDM service provider 712 to be removed from physical mobile device 724. In some examples, recalling corporate resources and/or other information from pseudo-device 706 may include revoking strategy execution configuration file 716.
In executing a recall command received from pseudo-device 706, physical mobile device 724 can send to pseudo-device 706 one or more of corporate resources 714, the data generated at physical mobile device 724, and/or strategy execution configuration file 716. Physical mobile device 724 can then perform selective erasing to remove/delete one or more of corporate resources 714, the data generated at physical mobile device 724, and/or strategy execution configuration file 716 from physical mobile device 724. In these examples, personal applications and personal data (for example, data unrelated to MDM service providers 712, 718) are maintained by physical mobile device 724 during the selective erasing of physical mobile device 724. In other words, personal applications and personal data stored on physical mobile device 724 may not be removed during the recall and/or deleted during the selective erasing.
In some embodiments, pseudo-device 706 can send one or more commands to physical mobile device 724 that cause physical mobile device 724 to locally partition, and/or otherwise divide and arrange, one or more of corporate resources 714, the data generated at physical mobile device 724, and/or strategy execution configuration file 716, so that terminal user 726 cannot access (for example, is prevented from accessing) one or more of corporate resources 714, the data generated at physical mobile device 724, and/or strategy execution configuration file 716.
In some embodiments, pseudo-device 706 can respond directly to commands from the first MDM service provider 712 and/or the second MDM service provider 718 (for example, without the participation of physical mobile device 724). Specifically, pseudo-device 706 can receive one or more commands from one or more of the MDM service providers 712, 718. Pseudo-device 706 can decide whether to send a command from pseudo-device 706 to physical mobile device 724. The decision can be based on several factors, including, for example: whether unknown information from physical mobile device 724 is needed in order to respond to the one or more commands sent from one or more of the MDM service providers 712, 718; whether a policy associated with the one or more commands received from one or more of the MDM service providers 712, 718 conflicts with one or more policies of another of the MDM service providers 712, 718 with which pseudo-device 706 is currently registered; and/or one or more other factors. In response to a decision not to send one or more commands to physical mobile device 724, pseudo-device 706 can send to the one or more MDM service providers 712, 718 a response to the one or more commands received from them. For example, if the expected or desired result of the one or more commands received from the first MDM service provider 712 has already been achieved without sending any command to physical mobile device 724, the response can be sent to the first MDM service provider 712. The response may include an indication that the operation associated with the one or more commands received from the one or more MDM service providers 712, 718 has been completed. In some examples, the response may include an indication that the operation was not completed, or some other indication.
In some embodiments, physical mobile device 724 may not communicate with one or more of the MDM service providers 712, 718 without the participation of pseudo-device 706, which represents physical mobile device 724. In other embodiments, physical mobile device 724 can communicate with one or more of the MDM service providers 712, 718 with or without the participation of pseudo-device 706, which represents physical mobile device 724.
In some embodiments, the user 726 of physical mobile device 724 can register for and/or participate in a cloud service associated with cloud computing environment 702, and can install a configuration file certificate for the cloud service on physical mobile device 724. When user 726 wishes to use the first MDM service of the first MDM service provider 712, pseudo-device 706 can be established in cloud computing environment 702 and set up for use with the first MDM service provider 712 as discussed herein. Similarly, when user 726 wishes to use the second MDM service of the second MDM service provider 718, pseudo-device 706 can be set up for use with the second MDM service provider 718 as discussed herein. Pseudo-device 706 can receive messages from other MDM service providers and queue those messages or potentially reply to them (for example, by sending a reply back to the respective MDM service provider). In examples in which pseudo-device 706 responds to the first MDM service provider 712 without the participation of physical mobile device 724 (for example, blocks a message), pseudo-device 706 can send an indication of the message to physical mobile device 724, and in response, physical mobile device 724 can notify user 726 of any blocked messages. Physical mobile device 724 can receive user input instructing physical mobile device 724 to display a message. Physical mobile device 724 can then transmit the instruction to pseudo-device 706 and, in response, can receive the message for display.
In some embodiments, user 726 and the cloud service associated with cloud computing environment 702 can enter into a contract. At physical mobile device 724, the user can specify what actions the cloud service is allowed to perform on physical mobile device 724. Physical mobile device 724 can transmit these provisions to cloud computing environment 702. For example, user 726 can specify that the cloud service should not attempt to perform any action on the local library of physical mobile device 724. Before the cloud service (and/or pseudo-device 706) issues any message to physical mobile device 724, for example on behalf of the first MDM service provider 712, the cloud service (and/or pseudo-device 706) can interpret the provisions set out in the contract. For example, the pseudo-device can operate in accordance with the contract.
Although only the first MDM service provider 712 and the second MDM service provider 718 are shown in Fig. 7 and discussed above, there can be more than two mobile device management service providers. Pseudo-device 706 can interact with any additional MDM service provider and/or otherwise perform, with respect to any additional MDM service provider, the same functions described above.
Although the examples discussed above involve a single physical mobile device 724 that is set up with several MDM service providers 712, 718 via pseudo-device 706, arrangements that provide another (for example, a second) physical mobile device (not shown) are also contemplated. In these arrangements, a second pseudo-device can be established in cloud computing environment 702. The second pseudo-device can represent the second physical mobile device. The second pseudo-device can be set up for use with one or more of the MDM service providers 712, 718. The second pseudo-device can perform functions similar to those of the pseudo-device discussed above, except that these operations relate to the second physical mobile device rather than the physical mobile device described above. Additional physical mobile devices and corresponding pseudo-devices can similarly be provided in other arrangements.
Fig. 8 shows another illustrative enterprise mobility management system 800. For simplicity, some components of mobility management system 500 and mobility management system 600 described above with respect to Fig. 5 and Fig. 6 have been omitted. The architecture of system 800 depicted in Fig. 8 is similar in many respects to the architectures of system 500 and system 600 described above with reference to Fig. 5 and Fig. 6, and may include additional features not mentioned above.
In addition, the architecture of system 800 is similar in many respects to the architecture of system 700 and may include additional features not mentioned above. Specifically, in the arrangement shown in Fig. 8, enterprise mobility management system 800 may include cloud computing environment 802, which interacts through communication network 810 with one or more MDM service providers 812, 818 and with the physical mobile device 824 (for example, a physical terminal user equipment) of terminal user 826. Communication network 810 can enable two or more computing devices to communicate using a WLAN interface and/or signals, a cellular interface and/or signals, a Bluetooth interface and/or signals, and/or any other communication interface and/or signals.
Cloud computing environment 802 may include one or more cloud-based mobile device management service provider servers 804. Server 804 can be a computer, a thin client, a blade server, and/or another computing device. At least one of the cloud-based mobile device management service provider servers 804 may include multiple pseudo-devices 806, 828 that represent the physical mobile device 824 of terminal user 826. Cloud computing environment 802 can also include a firewall 808 or gateway to facilitate secure communication with, and selective access to, pseudo-devices 806, 828 by any one or more of the MDM service providers 812, 818 and physical mobile device 824.
As described above, multiple pseudo-devices 806, 828 can be established within server 804 in cloud computing environment 802. Each of pseudo-devices 806, 828 can represent physical mobile device 824. Each of the pseudo-devices 806, 828 that represent physical mobile device 824 can be set up for use with one of the MDM service providers 812, 818. For example, the first pseudo-device 806 can be set up for use with the first MDM service provider 812. The second pseudo-device 828 can be set up for use with the second MDM service provider 818. The first and second pseudo-devices 806, 828 can each include a computer program that implements the protocols required to interact with their respective MDM service providers 812, 818.
Specifically, the first pseudo-device 806 and the first MDM service provider 812 can communicate with each other to set up the first pseudo-device 806 for use with the first MDM service provider 812. The first pseudo-device 806 can start the setup by sending a first registration request from the first pseudo-device 806 to the first MDM service provider 812. In response, the first pseudo-device 806 can receive a first strategy execution configuration file 816 from the first MDM service provider 812 and can store, at the first pseudo-device 806, the first strategy execution configuration file 816 in memory associated with the first pseudo-device 806. Setting up the second pseudo-device 828 for use with the second MDM service provider 818 may include: sending a second registration request from the second pseudo-device 828 to the second MDM service provider 818; and receiving, at the second pseudo-device 828, a second strategy execution configuration file 822 from the second MDM service provider 818. The second strategy execution configuration file 822 can differ from the first strategy execution configuration file 816. The second pseudo-device 828 can store the second strategy execution configuration file 822 in memory associated with the second pseudo-device 828.
Once the first pseudo-device 806 is set up, the first pseudo-device 806 can be configured to receive one or more commands from the first MDM service provider 812 on behalf of physical mobile device 824. Similarly, once the second pseudo-device 828 is set up, the second pseudo-device 828 can be configured to receive one or more commands from the second MDM service provider 818 on behalf of physical mobile device 824.
Accordingly, the first pseudo-device 806 can receive a first command from the first MDM service provider 812. In response, the first pseudo-device 806 can send a second command to physical mobile device 824. Similarly, the second pseudo-device can receive and send commands in the same way with respect to the second MDM service provider 818.
Once the first pseudo-device 806 receives the first command from the first MDM service provider 812, the first pseudo-device 806 can decide whether to send the second command to physical mobile device 824. The decision can be based on one or more factors. For example, the decision can be based on whether the first pseudo-device 806 has enough information to respond to the first command. In response to a decision to send the second command to physical mobile device 824, the first pseudo-device 806 can send the second command to physical mobile device 824. In response to a decision not to send the second command to physical mobile device 824, the first pseudo-device 806 can send a response to the first command to the first MDM service provider 812. The response can be sent without any participation from physical mobile device 824. For example, the response can be sent without sending a command to physical mobile device 824 and receiving a response from physical mobile device 824. The response sent to the first MDM service provider 812 may include an indication that the operation associated with the first command has been completed. For example, the response can indicate that selective erasing has been performed at physical mobile device 824.
The first pseudo-device 806 can receive corporate resources (for example, resource data 814) from the first MDM service provider 812. The first pseudo-device 806 can receive resource data 814 during a period in which strategy execution configuration file 822 of the second MDM service provider 818 is currently active (for example, in use) at physical mobile device 824, or when no strategy execution configuration file is currently active (for example, in use) at physical mobile device 824. In this example, the first pseudo-device 806 can cache or otherwise store resource data 814 until strategy execution configuration file 816 of the first MDM service provider 812 becomes active at physical mobile device 824. When strategy execution configuration file 816 is currently active on physical mobile device 824, the first pseudo-device 806 can then push resource data 814 from the first pseudo-device 806 to the physical mobile device. Physical mobile device 824 therefore now has access to resource data 814 and/or can otherwise interact with resource data 814. The second pseudo-device 828 can operate in a similar manner. For example, when strategy execution configuration file 816 is currently active at physical mobile device 824, the second pseudo-device 828 can receive and cache resource data 820 from the second MDM service provider 818. When strategy execution configuration file 822 is currently active at physical mobile device 824, the second pseudo-device 828 can then push resource data 820 to physical mobile device 824.
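The forward-or-answer decision and the caching of resource data described in the two paragraphs above, as an added Python example that is not code from the patent. All class, field and command names, the narrowing of the second command to the missing fields, and the sample values are assumptions constructed for illustration; only the "enough information" factor is modelled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PhysicalDevice:
    """Stand-in for the physical mobile device (hypothetical model)."""
    state: dict                                    # facts only the device knows
    active_profile: Optional[str] = None           # provider whose profile is active
    resources: dict = field(default_factory=dict)  # provider -> delivered resource data
    received: list = field(default_factory=list)   # commands that reached the device

    def handle(self, command: dict) -> dict:
        self.received.append(command)
        return {k: self.state[k] for k in command["needs"]}


@dataclass
class PseudoDevice:
    """Cloud-side representative of the device for one MDM service provider."""
    provider: str
    device: PhysicalDevice
    known_state: dict = field(default_factory=dict)  # device state held in the cloud
    cache: list = field(default_factory=list)        # resource data awaiting activation

    def on_command(self, first: dict) -> dict:
        """Decide whether the first command needs a second command to the device."""
        missing = [k for k in first["needs"] if k not in self.known_state]
        if missing:
            # Not enough information here: send a second, narrower command.
            second = {"name": first["name"], "needs": missing, "for": self.provider}
            self.known_state.update(self.device.handle(second))
        return {"command": first["name"], "status": "completed",
                "answered_by": "device" if missing else "pseudo-device",
                "data": {k: self.known_state[k] for k in first["needs"]}}

    def on_resource_data(self, blob: str) -> str:
        """Push immediately only if this provider's profile is the active one."""
        if self.device.active_profile == self.provider:
            self.device.resources.setdefault(self.provider, []).append(blob)
            return "pushed"
        self.cache.append(blob)
        return "cached"

    def on_profile_activated(self) -> int:
        """Flush cached resource data once this provider's profile is active."""
        if self.device.active_profile != self.provider:
            return 0
        flushed = len(self.cache)
        self.device.resources.setdefault(self.provider, []).extend(self.cache)
        self.cache.clear()
        return flushed


def demo_commands_and_cache() -> dict:
    # Constructed scenario: provider-2's profile is active on the device.
    device = PhysicalDevice(state={"location": "constructed-site"},
                            active_profile="provider-2")
    first = PseudoDevice("provider-1", device, {"os_version": "constructed-1.0"})
    local = first.on_command({"name": "query", "needs": ["os_version"]})
    remote = first.on_command({"name": "query", "needs": ["os_version", "location"]})
    repeat = first.on_command({"name": "query", "needs": ["location"]})
    held = first.on_resource_data("constructed-doc-A")
    device.active_profile = "provider-1"   # provider-1's profile becomes active
    flushed = first.on_profile_activated()
    return {"local": local, "remote": remote, "repeat": repeat, "held": held,
            "flushed": flushed, "device": device}
```

In the constructed run only one command reaches the device, because the answer it returns is kept at the pseudo-device and reused for the repeated query.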
In some embodiments, the first pseudo-device 806 can receive a first command from the first MDM service provider 812. The first pseudo-device 806 can then modify the command before sending it to physical mobile device 824. The first pseudo-device 806 can modify the command based on device status information stored at the first pseudo-device 806. The first command can be received during a period in which strategy execution configuration file 822 of the second MDM service provider 818 is active on physical mobile device 824.
In some embodiments, the first pseudo-device 806 can send a selective erasing command to physical mobile device 824. The selective erasing command can be configured to cause a subset of applications associated with the first MDM service provider 812, and the data associated with that subset of applications, to be deleted. The selective erasing command can also be configured to cause personal applications, the data associated with personal applications, and strategy execution configuration file 816 associated with the first MDM service provider 812 to be maintained. For example, the selective erasing command can cause physical mobile device 824 to delete, at physical mobile device 824, any data associated with the first MDM service provider 812 without deleting any personal data and/or data independent of the first MDM service provider 812.
In some embodiments, an MDM cloud agent may be installed on physical mobile device 824. The MDM agent can be configured to monitor the device status information of the physical mobile device and to determine changes in that device status information. The MDM agent can be configured to execute the policies of MDM service providers 812, 818 and/or to report changes in the device status information to the first or second pseudo-device 806, 828, respectively.
In some embodiments, the first pseudo-device 806 can receive a request from physical mobile device 824, the request being initiated based on one of user input or an indication that physical mobile device 824 is located within a first geofence of the first MDM service provider 812. In response, the first pseudo-device 806 can deploy corporate resources from the first pseudo-device 806 to physical mobile device 824 (for example, send resource data, application data, applications, and/or strategy execution configuration file 816). In response to receiving another request, initiated based on one of another user input or an indication that physical mobile device 824 is no longer within the first geofence, the first pseudo-device 806 can recall from physical mobile device 824 strategy execution configuration file 816 and/or resource data 814 of the first MDM service provider 812, such as applications, application data, and/or other data of the first MDM service provider 812.
In response to receiving, at the second pseudo-device 828, a new request from physical mobile device 824, the request being initiated based on one of a new user input or an indication that physical mobile device 824 is located within a second geofence of the second MDM service provider 818, the second pseudo-device 828 can deploy to physical mobile device 824 the second strategy execution configuration file 822, applications, application data, and/or other data of the second MDM service provider 818.
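The geofence-driven deploy and recall described above, with the selective erasing that leaves personal items in place, as an added Python example that is not code from the patent. The ownership tags, the circular geofence, the coordinates and all names are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass, field

PERSONAL = "personal"  # owner tag for anything unrelated to an MDM service provider


@dataclass(frozen=True)
class Item:
    name: str
    kind: str    # "app", "data" or "profile"
    owner: str   # provider id, or PERSONAL


@dataclass
class Device:
    items: list = field(default_factory=list)

    def selective_erase(self, provider: str) -> list:
        """Delete only items owned by `provider` and hand them back to the caller."""
        removed = [i for i in self.items if i.owner == provider]
        self.items = [i for i in self.items if i.owner != provider]
        return removed


@dataclass
class Geofence:
    lat: float
    lon: float
    radius_m: float

    def contains(self, lat: float, lon: float) -> bool:
        # Haversine great-circle distance on a spherical Earth (radius 6371 km).
        p1, p2 = math.radians(self.lat), math.radians(lat)
        dp, dl = p2 - p1, math.radians(lon - self.lon)
        a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
        return 2 * 6371000 * math.asin(math.sqrt(a)) <= self.radius_m


@dataclass
class GeofencedPseudoDevice:
    provider: str
    fence: Geofence
    payload: list                                  # profile and resources to deploy
    returned: list = field(default_factory=list)   # items sent back during a recall
    deployed: bool = False

    def on_location(self, device: Device, lat: float, lon: float) -> str:
        inside = self.fence.contains(lat, lon)
        if inside and not self.deployed:
            device.items.extend(self.payload)
            self.deployed = True
            return "deployed"
        if not inside and self.deployed:
            # Recall: provider-owned items come back here and leave the device.
            self.returned = device.selective_erase(self.provider)
            self.deployed = False
            return "recalled"
        return "no-change"


def demo_geofence():
    # Constructed inventory and coordinates.
    device = Device([Item("photos", "data", PERSONAL), Item("chat", "app", PERSONAL)])
    first = GeofencedPseudoDevice(
        "provider-1", Geofence(51.5000, -0.1200, 200.0),
        [Item("profile-1", "profile", "provider-1"), Item("crm", "app", "provider-1")])
    events = [first.on_location(device, 51.5005, -0.1200)]         # ~56 m from centre
    device.items.append(Item("crm-notes", "data", "provider-1"))   # generated on device
    events.append(first.on_location(device, 51.5005, -0.1201))     # still inside
    events.append(first.on_location(device, 51.5100, -0.1200))     # ~1.1 km away
    return events, device, first
```

After the recall the device holds only the two personal items, and the data generated on the device for the provider is among the items returned to the pseudo-device.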
In some embodiments, the first pseudo-device 806 can identify a conflict between a policy of the first MDM service provider 812 and a policy of the second MDM service provider 818. The first pseudo-device 806 can resolve the conflict by applying a solution determined by a knowledge-based system of cloud computing environment 802. The first pseudo-device 806 can resolve the conflict by sending a warning to physical mobile device 824. For example, the warning may include one or more user-selectable commands for resolving the conflict. Additionally or alternatively, the first pseudo-device 806 can resolve the conflict by sending a miniature erasing (mini-wipe) command to physical mobile device 824. Additionally or alternatively, the miniature erasing command can be configured to cause at least the subset of data that causes the conflict to be deleted.
The second pseudo-device 828 can perform functions similar to those of the first pseudo-device 806 with respect to the second MDM service provider 818 and physical mobile device 824. In addition, the first pseudo-device 806 and/or the second pseudo-device 828 can perform any function associated with the other pseudo-devices described herein. Accordingly, the first pseudo-device 806 and/or the second pseudo-device 828 can perform one or more of the functions discussed below with respect to Figs. 9-16. Although the functions of Figs. 9-16 are written from the perspective of enterprise mobility management system 700, these functions also apply to system 800. When applying the functions of Figs. 9-16 to system 800, note that, rather than having a pseudo-device that is set up for use with the first and second MDM service providers, the first pseudo-device is set up for use with the first MDM service provider and the second pseudo-device is set up for use with the second MDM service provider.
In some embodiments, a third pseudo-device and a fourth pseudo-device can be established in cloud computing environment 802. The third pseudo-device and the fourth pseudo-device can each represent a second physical mobile device. The third pseudo-device can be set up for use with the first MDM service provider 812, and the fourth pseudo-device can be set up for use with the second MDM service provider 818. These pseudo-devices can perform any function associated with the other pseudo-devices described herein.
Mobile device management feature
Having discussed several examples of computing architectures and enterprise mobility management architectures that can be used to provide and/or implement various aspects of the disclosure, a number of embodiments will now be discussed in more detail. Specifically, and as described above, some aspects of the disclosure generally relate to providing mobile device management functions. The following description discusses various examples showing how mobile device management functions can be provided according to one or more embodiments.
Fig. 9 depicts a flow chart showing a method of applying one or more mobile device management policies to a physical terminal user equipment via a pseudo-device, according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Fig. 9 and/or one or more of its steps can be performed by a computing device (for example, universal computing device 201). In other embodiments, the method shown in Fig. 9 and/or one or more of its steps can be embodied in computer-executable instructions that are stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Fig. 9, the method can begin at step 905, in which a pseudo-device is established in a cloud computing environment. For example, in step 905, the cloud computing environment (for example, one or more servers, blade servers, thin clients, computers, tablet computers, laptop computers, or other types of computing devices) can establish, in a cloud server, a pseudo-device that represents a physical terminal user equipment (for example, a mobile computing device such as a laptop computer, tablet computer, smart phone, or other type of physical mobile device).
The pseudo-device representing the physical terminal user equipment can send to the associated physical terminal user equipment an MDM cloud agent to be installed on it. In one or more arrangements, the MDM cloud agent can be an application, service, or process that is configured to run on the physical terminal user equipment and is further configured to collect and/or otherwise obtain information about the equipment, including information about the current state of the physical terminal user equipment. For example, the MDM cloud agent can be configured to collect and/or maintain device-level status information, for example, status information indicating the operating systems and/or applications stored and/or running on the physical terminal user equipment, status information indicating the network connections available to and/or used by the physical terminal user equipment, and/or status information indicating the current location where the equipment is placed and/or used (for example, according to geographic coordinates; according to semantic labels such as "home", "work", "client site"; etc.). Although these types of status information are listed here as examples of the types of device-level status information that can be collected and/or maintained by the MDM cloud agent, in other examples, other and/or alternative types of status information can similarly be collected and/or maintained by the MDM cloud agent.
In addition to collecting and maintaining various types of status information, the MDM cloud agent running on the physical terminal user equipment can also be configured to evaluate, analyze, and/or otherwise monitor the various types of status information collected. For example, the MDM cloud agent can be configured to periodically determine whether the status information of the physical terminal user equipment has changed and/or to perform one or more actions based on changes detected in the status information. For example, the status information of the physical terminal user equipment (also referred to herein as device-level status information) may include information about what applications are installed and/or running on the physical terminal user equipment, where the physical terminal user equipment is located, what networks the physical terminal user equipment is connected to, and/or other device-level considerations. In some examples, the MDM cloud agent can provide status information to one or more other applications, services, and/or processes. For example, in some examples discussed below, the MDM cloud agent on the physical terminal user equipment and/or one or more other applications, services, and/or processes can analyze and/or otherwise process the status information collected by the MDM agent in executing mobile device management policies and/or in performing other actions in connection with mobile device management policies. For example, some mobile device management policies can define permitted and/or prohibited functions and/or applications based on different sets of circumstances that can be evaluated using the device status information collected by the MDM agent. In these and/or other ways, status information can be used to enforce behavioral limits on various functions and/or applications.
In some embodiments, the physical terminal user equipment and/or the MDM cloud agent running on the physical terminal user equipment can provide information to a pseudo-device established in one or more policy management servers of the cloud computing environment (which can, for example, affect the state of the equipment), and/or can receive one or more commands from the pseudo-device. For example, when providing information to a pseudo-device that is logically partitioned within one or more policy management servers of the cloud computing environment, the physical terminal user equipment and/or the MDM cloud agent running on the physical terminal user equipment can send status information (which may include, for example, the various types of device status information discussed herein) to the pseudo-device, which can, for example, be configured to analyze that information and provide commands and/or other information back to the physical terminal user equipment and/or the MDM cloud agent running on the physical terminal user equipment. In addition, when receiving commands from the pseudo-device of the cloud computing environment, the physical terminal user equipment and/or the MDM cloud agent running on the physical terminal user equipment can receive new and/or updated policies and/or other policy information, remotely analyzed and/or otherwise processed status information of the physical terminal user equipment (for example, the pseudo-device can remotely analyze and/or otherwise process status information that is collected by the physical terminal user equipment, obtained from the physical terminal user equipment, and/or related to the physical terminal user equipment, and then provide the analyzed and/or processed status information back to the physical terminal user equipment), and/or other information.
The pseudo-device representing the physical terminal user equipment can be established in one or more policy management servers of the cloud computing environment. During setup of the pseudo-device for use with an MDM service provider, the pseudo-device can receive the MDM agent associated with that MDM service provider. The pseudo-device can therefore maintain multiple MDM agents in memory associated with the pseudo-device. The pseudo-device can communicate with the MDM cloud agent running on the physical terminal user equipment so that the MDM cloud agent can perform, at the physical terminal user equipment, the functions of one or more different MDM agents. The MDM cloud agent can perform the functions of one or more MDM agents while appearing as a single MDM cloud agent on the physical terminal user equipment. For example, the MDM cloud agent running on the physical terminal user equipment can exchange data with the different MDM agents stored at the pseudo-device and/or receive commands from the different MDM agents stored at the pseudo-device. The MDM cloud agent can therefore implement the functions of one or more MDM agents at the physical terminal user equipment without the physical terminal user equipment being modified to include each MDM agent received from an MDM service provider.
In step 910, the pseudo-device can be set up for use with one or more MDM service providers. For example, in step 910 the pseudo-device can send or provide a registration request to each MDM service provider and, in response, can receive from each MDM service provider a strategy execution configuration file that grants access to that provider's corporate resources. For example, an enterprise can require some or all of its employees and/or other users to install a strategy execution configuration file on their respective mobile devices under a bring-your-own-device (BYOD) scheme in order to reduce enterprise security risk, and the strategy execution configuration file received by the pseudo-device in step 910 can be defined by and/or otherwise associated with such an enterprise. Additionally or alternatively, a strategy execution configuration file can be stored in the memory associated with the pseudo-device when it is not in use by the physical terminal user equipment. Moreover, the memory associated with the pseudo-device can simultaneously store the strategy execution configuration file of every MDM service provider with which the pseudo-device has been set up. Because the pseudo-device is established in one or more policy management servers of the cloud computing environment, it is not limited by any physical constraint of the physical terminal user equipment on the parallel storage of multiple strategy execution configuration files and/or other information (such as applications, application data and so on). For example, the pseudo-device can store the strategy execution configuration file of the first MDM service provider, with its associated applications and/or application data, in addition to the strategy execution configuration file of the second MDM service provider, with its associated applications and/or application data. In such an example, the physical terminal user equipment may have insufficient storage space and/or processing capacity to maintain and simultaneously store the first MDM service provider's strategy execution configuration file, associated applications and/or application data in addition to those of the second MDM service provider. Additionally or alternatively, the physical terminal user equipment may be unable to store both configuration files at the same time because each configuration file may carry a rule requiring that it be the only configuration file installed, stored or otherwise maintained on the physical terminal user equipment. Additionally or alternatively, the physical terminal user equipment may be unable to register with two MDM service providers at the same time because its operating system may support only a single configuration file.
In step 915, once the pseudo-device has been set up for use with one or more MDM service providers, the pseudo-device representing the physical terminal user equipment can be configured to receive one or more commands from the one or more MDM service providers. For example, in step 915 the pseudo-device can receive a first command from the first MDM service provider and/or from an entity representing the first MDM service provider. The first MDM service provider and/or that entity can generate the first command proactively (for example, not on the basis of an event triggered by data received from the pseudo-device) and push it to the pseudo-device. Additionally or alternatively, the first MDM service provider or entity can generate the first command in response to a change in the device status information of the physical terminal user equipment that it has received (for example, from the pseudo-device and/or extracted from the physical terminal user equipment). A change in device status information can include, for example, an indication of a change in the applications present at the physical terminal user equipment, an indication of a change in network connection, an indication of a change in the location of the physical terminal user equipment, and/or any other change at the physical terminal user equipment. For example, the indication of a change in the applications present at the physical terminal user equipment can include a list of the applications present at the physical terminal user equipment and can include status information associated with each listed application. For example, the status can include whether the application is installed, whether it is currently open, whether it is executed locally or remotely, and/or other information.
In some instances, the first command can be configured as though it were going to be sent to the physical terminal user equipment. For example, when the pseudo-device emulates the physical terminal user equipment, the MDM service provider may not be aware that the first command will be sent to the pseudo-device rather than to the physical terminal user equipment. In such instances, the first command can be configured to manage the physical terminal user equipment according to the policies of the first MDM service provider.
The first command can include management information, such as one or more policy updates to be applied by the MDM cloud agent. The first command can be configured for a specific user of the physical terminal user equipment and/or for the role of anyone using the physical terminal user equipment (for example, a policy can apply to users with a particular role or position, such as sales, accounting, consulting, legal and so on).
In some embodiments, the first command can be a query requesting the current status information of the physical terminal user equipment. In this case, the MDM service provider can receive the device status information of the physical terminal user equipment from the pseudo-device. In some instances, the pseudo-device can forward the query to the physical terminal user equipment and receive the device status information from it. Additionally or alternatively, the pseudo-device may not send a query to the physical terminal user equipment, and can instead send the first MDM service provider the device status information stored in the memory associated with the pseudo-device.
In some embodiments, the first command can be configured to cause the MDM cloud agent and/or the physical terminal user equipment to enforce one or more behavior restrictions at the physical terminal user equipment. Some policies and/or behavior restrictions can result in the first command being configured to perform a resource recall and/or a selective erasing. For example, the first command can be a command to recall one or more of: the strategy execution configuration file of the first MDM service provider, applications associated with the first MDM service provider, data associated with those applications, corporate resources of the first MDM service provider, data generated at the physical terminal user equipment in association with the first MDM service provider, and/or other information. In some instances, the first command can be a selective erasing command configured to delete one or more of: the strategy execution configuration file of the first MDM service provider, applications associated with the first MDM service provider, data associated with those applications, corporate resources of the first MDM service provider, data generated at the physical terminal user equipment in association with the first MDM service provider, and/or other information. In some embodiments, a selective erasing keeps (for example, does not delete) the strategy execution configuration file of the first MDM service provider, personal applications and personal data.
In some embodiments, according to one or more policies, the first command can be configured to authorize the pseudo-device and/or the physical terminal user equipment to access some corporate resources and/or services while restricting and/or preventing access to other corporate resources and/or services. In other embodiments, the first command can be configured to prevent the physical terminal user equipment from sending corporate resources, or other data associated with the first MDM service provider, from the physical terminal user equipment to another device. Additionally or alternatively, the first command can be configured to allow the physical terminal user equipment to send corporate resources or other data associated with the first MDM service provider to the pseudo-device for later retrieval (for example, when the physical terminal user equipment is located within a geographical location of the first MDM service provider).
In some embodiments, according to some policies, the first command can be configured to prevent modification of corporate resources accessed by the pseudo-device and/or the physical terminal user equipment (for example, read-only access). In addition, the first command can be configured to reconfigure software or data at the pseudo-device and/or the physical terminal user equipment. In addition, the first command can be configured to cause the MDM agent and/or the physical terminal user equipment to prevent an application from being opened or otherwise executed, and to close the application if it is currently executing (for example, running) at the physical terminal user equipment.
In some embodiments, the first command can enforce some policies and/or behavior restrictions by being configured to selectively enable and/or disable one or more functions of the physical terminal user equipment (such as one or more functions of the operating system), applications, and access to data or resources that are local to the physical terminal user equipment and/or remotely accessible over one or more networks. Restricting access to one or more resources local to the physical terminal user equipment can include preventing, limiting and/or otherwise controlling access to resources of the physical terminal user equipment (such as camera functions, SMS functions, Bluetooth functions, local application functions, and/or any other function of the physical terminal user equipment). Restricting access to one or more network resources can include preventing access to certain websites, to corporate resources that the physical terminal user equipment is not authorized to access, or to any other remotely located resource.
Alternatively or additionally, in some embodiments the first MDM service provider can be aware of the pseudo-device. The first MDM service provider can therefore configure the first command to instruct the pseudo-device how to manage the physical terminal user equipment. In such embodiments, the first command can be configured to manage the physical terminal user equipment and/or to govern the pseudo-device's management of the physical terminal user equipment according to the policies of the first MDM service provider. Specifically, the first command can be configured to cause policy to be enforced at the physical terminal user equipment via the pseudo-device. For example, the first command can be designed to have the same result as any of the different configurations of the first command discussed above.
In addition to receiving commands from the enterprise server of the first MDM service provider, the pseudo-device can receive new and/or updated policies and/or other policy information, remotely analyzed and/or otherwise processed device status information (for example, the enterprise server can remotely analyze and/or otherwise process status information that is collected by, obtained from, and/or related to the physical terminal user equipment, and then provide the analyzed and/or processed status information back to the physical terminal user equipment), and/or other information. In some embodiments, the pseudo-device can forward device status information received from the physical terminal user equipment to the first MDM service provider. In such an implementation, the first MDM service provider can analyze the device status information and pass the resulting analysis to the pseudo-device. The pseudo-device can then provide this analyzed and/or processed device status information, other information and/or policies back to the physical terminal user equipment. Alternatively or additionally, the pseudo-device can further process the analyzed device status information received from the first MDM service provider before providing it to the physical terminal user equipment.
In some embodiments, the pseudo-device can determine whether the first command, or the predicted resulting state of the physical terminal user equipment after the first command is implemented at the physical terminal user equipment, would violate or otherwise conflict with any policy of the MDM service providers with which the pseudo-device is registered. If there is no violation or conflict, the pseudo-device can send a command to the physical terminal user equipment as described below. If there is a violation or conflict, the pseudo-device can act according to Figure 16, discussed below.
In step 920, the pseudo-device can send one or more commands from the pseudo-device to the physical terminal user equipment. For example, in step 920 the pseudo-device can send a second command to the physical terminal user equipment. The pseudo-device can generate the second command on the basis of the first command received from the first MDM service provider, and/or the second command can otherwise be associated with the first MDM service provider. For example, in response to receiving the first command, the pseudo-device can generate a second command and send it to the physical terminal user equipment. The second command can be configured to enforce the policy associated with the first command. The second command can differ from the first command received from the first MDM service provider. In some instances, the second command can be identical to the first command received from the first MDM service provider. In such an implementation, the second command does not need to be generated at the pseudo-device, and the received first command can be retransmitted instead.
In some embodiments, the pseudo-device can generate the second command independently. For example, the pseudo-device can generate the second command without the participation of the first MDM service provider and without having received a first command. The pseudo-device can thus still independently manage and enforce the policies of the first MDM service provider. For example, if the connection to the first MDM service provider is lost, the pseudo-device may need to manage and enforce the policies of the first MDM service provider.
The second command can be configured similarly to any configuration of the first command discussed herein. For example, the second command can be configured to cause the MDM cloud agent and/or the physical terminal user equipment to perform a recall, a deployment or a selective erasing, to restrict access to corporate resources, to authorize access to corporate resources, to restrict access to functions, to reconfigure functions, to prevent modification of corporate resources, to prevent corporate resources from being transmitted from the physical terminal user equipment, or to apply any other command configuration discussed herein.
On receiving the first and/or second command from the pseudo-device, the MDM cloud agent and/or the physical terminal user equipment can execute the first and/or second command so that the policy associated with the command is satisfied. For example, the physical terminal user equipment can perform a selective erasing of data stored at the physical terminal user equipment. For example, the physical terminal user equipment can restrict access to functions, prevent modification of corporate resources, and/or otherwise implement any configuration specified by the first and/or second command. Executing a command at the physical terminal user equipment can affect the device status information of the physical terminal user equipment. The device status information can therefore be provided to the pseudo-device.
In some embodiments, a change in device status information can cause the MDM cloud agent and/or the physical terminal user equipment to perform management operations that enforce the policies of one or more MDM service providers. For example, based on a change in geographical location, the MDM cloud agent can restrict access to certain corporate resources of the first MDM service provider.
The physical terminal user equipment can also access the corporate resources of one or more MDM service providers in accordance with, for example, the policies and commands enforced by the MDM cloud agent. For example, the physical terminal user equipment can access corporate resources that the first MDM service provider has provided to the pseudo-device. Additionally or alternatively, the physical terminal user equipment can access corporate resources directly from the first MDM service provider without the participation of the pseudo-device. The physical terminal user equipment can store, edit and/or otherwise interact with corporate resources according to the policies of the first MDM service provider.
In some embodiments, the MDM cloud agent, the physical terminal user equipment and/or the pseudo-device can determine, based on device status information, whether one or more policies of one or more MDM service providers have been violated. In response to a determination that a policy has been violated, the physical terminal user equipment can take corrective action. The physical terminal user equipment can also send a report of the violation to the pseudo-device. The pseudo-device can then determine a corrective action and send the resulting command to the physical terminal user equipment. In some embodiments, the pseudo-device can send the report, or a modified report, to the MDM service provider whose policy was violated. In response to a determination that no policy has been violated, normal management operation continues.
In step 925, the pseudo-device can receive a response to the second command from the physical terminal user equipment. For example, in step 925 the pseudo-device can determine whether the response is sufficient to satisfy the first command received from the first MDM service provider. In response to a determination that the response is insufficient to satisfy the first command and/or the second command (for example, the desired resulting state of the physical terminal user equipment was not achieved after the command was applied), the pseudo-device can send the physical terminal user equipment a command configured to correct the state of the physical terminal user equipment, so that a second response from the physical terminal user equipment can be sufficient to satisfy the first command and/or the second command (for example, the desired resulting state of the physical terminal user equipment has been achieved after the command was applied).
In some embodiments, the pseudo-device can determine whether the change in the state of the physical terminal user equipment conflicts with any other policy of any MDM service with which the pseudo-device is registered. In response to a determination that the response conflicts with another policy, the pseudo-device can act according to Figure 16, discussed below.
In step 930, in response to a determination that the response is sufficient to satisfy the first command and/or the second command, the pseudo-device can send one or more responses from the pseudo-device to the MDM service providers. For example, in step 930 the pseudo-device can send the first MDM service provider the response to the second command received from the physical terminal user equipment. The response can include device status information of the physical terminal user equipment so that, for example, the first MDM service provider can verify that the operation associated with the first command was completed correctly by the physical terminal user equipment. For example, the response can include an indication that data associated with the first MDM service provider has been removed from the physical terminal user equipment.
In some embodiments, the pseudo-device can generate a new response based on the response to the second command received from the physical terminal user equipment. The new response can be sufficient to satisfy the first command received from the first MDM service provider. In some instances, the response can include an indication that the operation associated with the first command has been completed, or some other indication associated with the first command. For example, the new response can include an indication that data associated with the first MDM service provider has been deployed from the pseudo-device to the physical terminal user equipment or, alternatively, an indication that data associated with the first MDM service provider has been recalled from the physical terminal user equipment to the pseudo-device.
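The relay described in steps 915 to 930 can be modelled as follows. This is an added example, not code from the patent: the class names, the `forbidden` policy field, the resource names and the retry limit are assumptions, and a detected conflict is simply reported rather than handled as in Figure 16.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Command:
    provider: str                       # MDM service provider the command belongs to
    action: str                         # "deploy", "selective_erase" or "query"
    resources: frozenset = frozenset()  # resource names, constructed for this example


class DeviceAgent:
    """Stand-in for the single MDM cloud agent on the physical terminal user equipment."""

    def __init__(self, partial_first_erase=False):
        self.data = {}                       # provider -> set of resources held on the device
        self._partial = partial_first_erase  # simulate one incomplete erase

    def execute(self, cmd):
        owned = self.data.setdefault(cmd.provider, set())
        if cmd.action == "deploy":
            owned |= cmd.resources
        elif cmd.action == "selective_erase":
            # Only this provider's data is touched; other providers' data stays.
            survivor = sorted(owned)[:1] if self._partial else []
            self._partial = False
            owned.clear()
            owned.update(survivor)
        return {p: frozenset(r) for p, r in self.data.items()}  # device status report


class PseudoDevice:
    def __init__(self, agent, max_corrections=2):
        self.agent = agent
        self.max_corrections = max_corrections
        self.profiles = {}   # provider -> stored profile (several may coexist)
        self.state = {}      # last device status information received
        self.sent = 0        # commands actually forwarded to the device

    def register(self, provider, forbidden=()):
        # Assumed policy model: resources that must not be present on the device.
        self.profiles[provider] = {"forbidden": frozenset(forbidden)}

    def _predict(self, cmd):
        predicted = {p: set(r) for p, r in self.state.items()}
        owned = predicted.setdefault(cmd.provider, set())
        if cmd.action == "deploy":
            owned |= cmd.resources
        elif cmd.action == "selective_erase":
            owned.clear()
        return predicted

    def _conflicts(self, predicted):
        present = set().union(*predicted.values())
        return sorted(p for p, prof in self.profiles.items()
                      if prof["forbidden"] & present)

    @staticmethod
    def _satisfied(cmd, state):
        held = state.get(cmd.provider, frozenset())
        return cmd.resources <= held if cmd.action == "deploy" else not held

    def handle(self, first):
        """Process a first command from a provider and return the response to it."""
        if first.provider not in self.profiles:
            return {"status": "rejected", "reason": "provider not registered"}
        if first.action == "query":
            # Answered from stored status, without contacting the device.
            return {"status": "ok", "attempts": 0,
                    "held": sorted(self.state.get(first.provider, ()))}
        conflicts = self._conflicts(self._predict(first))
        if conflicts:
            return {"status": "conflict", "with": conflicts}  # nothing is forwarded
        second = Command(first.provider, first.action, first.resources)
        for attempt in range(1, self.max_corrections + 2):
            self.state = self.agent.execute(second)   # second (or corrective) command
            self.sent += 1
            if self._satisfied(first, self.state):
                # Assumption: the response exposes only this provider's resources.
                return {"status": "ok", "attempts": attempt,
                        "held": sorted(self.state.get(first.provider, ()))}
        return {"status": "failed", "attempts": self.max_corrections + 1}


if __name__ == "__main__":
    pd = PseudoDevice(DeviceAgent(partial_first_erase=True))
    pd.register("corp-a")
    pd.register("corp-b", forbidden={"file-share"})
    print(pd.handle(Command("corp-a", "deploy", frozenset({"mail", "crm"}))))
    print(pd.handle(Command("corp-a", "deploy", frozenset({"file-share"}))))
    print(pd.handle(Command("corp-a", "selective_erase")))
```
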
In some embodiments, the pseudo-device can, for example, provide information to the enterprise servers of one or more MDM service providers. For example, in providing information to the enterprise server of an MDM service provider, the pseudo-device can send status information received from the physical terminal user equipment to that enterprise server, which can, for example, be configured to analyze such information and provide commands and/or other information back to the pseudo-device, which can then relay or generate the commands to be provided to the physical terminal user equipment.
In some embodiments, the pseudo-device can receive a third command from the second MDM service provider. The third command can be configured to cause the policies of the second MDM service provider to be enforced at the physical terminal user equipment. The third command can be configured as discussed above for the first command, but with respect to the second MDM service provider rather than the first MDM service provider. For example, the third command can be a command to recall one or more of: the strategy execution configuration file of the second MDM service provider, applications associated with the second MDM service provider, data associated with those applications, corporate resources of the second MDM service provider, data generated at the physical terminal user equipment in association with the second MDM service provider, and/or other information. In some instances, the third command can be a selective erasing command configured to delete one or more of: the strategy execution configuration file of the second MDM service provider, applications associated with the second MDM service provider, data associated with those applications, corporate resources of the second MDM service provider, data generated at the physical terminal user equipment in association with the second MDM service provider, and/or other information. In some embodiments, the selective erasing command keeps (for example, does not delete) the strategy execution configuration file of the second MDM service provider.
In some embodiments, the pseudo-device can determine whether the policy of the third command, or the predicted resulting state of the physical terminal user equipment after the policy of the third command is implemented, would violate or otherwise conflict with any policy of the MDM service providers with which the pseudo-device is registered. If there is no violation or conflict, the pseudo-device can send a command to the physical terminal user equipment as described below. If there is a violation or conflict, the pseudo-device can act according to Figure 16, discussed below.
In some embodiments, the pseudo-device can send one or more commands from the pseudo-device to the physical terminal user equipment. For example, the pseudo-device can send a fourth command to the physical terminal user equipment. The pseudo-device can generate the fourth command on the basis of the third command received from the second MDM service provider. In response to receiving the third command, the pseudo-device can generate the fourth command and send it to the physical terminal user equipment. The fourth command can differ from the third command received from the second MDM service provider. In some instances, the fourth command can be identical to the third command received from the second MDM service provider. In such instances, the fourth command does not need to be generated at the pseudo-device, and the received third command can be retransmitted instead.
The fourth command can be configured to enforce the policy associated with the third command. The fourth command can be configured as discussed above for the second command, but with respect to the second MDM service provider rather than the first MDM service provider. For example, the fourth command can be configured to cause the MDM cloud agent and/or the physical terminal user equipment to perform a recall, a deployment or a selective erasing, to restrict access to corporate resources, to authorize access to corporate resources, to restrict access to functions, to reconfigure functions, to prevent modification of corporate resources, to prevent corporate resources from being transmitted from the physical terminal user equipment, or to apply any other command configuration discussed herein.
In some embodiments, the pseudo-device can generate the fourth command itself. For example, the pseudo-device can generate the fourth command independently, without the participation of the second MDM service provider. Specifically, the pseudo-device can generate the fourth command without receiving a third command from the second MDM service provider.
In some embodiments, the pseudo-device can receive a response to the fourth command from the physical terminal user equipment. For example, the pseudo-device can determine whether the response is sufficient to satisfy the third command received from the second MDM service provider. In response to a determination that the response is insufficient to satisfy the third command, the pseudo-device can send the physical terminal user equipment a command configured to correct the state of the physical terminal user equipment, so that a second response from the physical terminal user equipment can be sufficient to satisfy the third command.
In some embodiments, in response to a determination that the response is sufficient to satisfy the third and/or fourth command, the pseudo-device can send one or more responses from the pseudo-device to the MDM service providers. For example, the pseudo-device can send the second MDM service provider the response to the fourth command received from the physical terminal user equipment. In some instances, the pseudo-device can generate a new response based on the response to the fourth command received from the physical terminal user equipment. The new response can be sufficient to satisfy the third command received from the second MDM service provider. In some instances, the response can include an indication that the operation associated with the third command has been completed, or some other indication associated with the third command.
In some embodiments, the cloud computing environment can establish, in a server of the cloud, a second pseudo-device representing another physical terminal user equipment (for example, a second physical terminal user equipment different from the first physical terminal user equipment). The second pseudo-device representing the second physical terminal user equipment can be set up for use with one or more MDM service providers. The second pseudo-device can receive a first command from an MDM service provider at the pseudo-device. The second pseudo-device can send a second command or another command to the second physical terminal user equipment as discussed herein. The second pseudo-device can receive a response from the physical terminal user equipment. The second pseudo-device can send the response, or a modified response, to the MDM service provider as discussed herein. Although only two pseudo-devices, each representing one of two physical terminal user equipments, have been discussed, more than two pseudo-devices and physical terminal user equipments are contemplated.
Figure 10 depicts a flow chart showing a method of setting up a pseudo-device for use with one or more mobile device management service providers, according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 10 and/or one or more of its steps can be performed by a computing device (for example, universal computing device 201). In other embodiments, the method shown in Figure 10 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 10, the method can begin at step 1005, in which the pseudo-device can be set up for use with the first MDM service provider. For example, in step 1005 the pseudo-device can be set up for use with the first MDM service provider by, for example, performing one or more of steps 1010, 1015 and 1020 discussed herein. The pseudo-device can appear to the first MDM service provider as the physical terminal user equipment that the pseudo-device represents. For example, the pseudo-device can emulate and/or simulate the physical terminal user equipment that it represents, and can therefore appear to the first MDM service provider as the actual physical terminal user equipment. For example, in emulating and/or simulating the physical terminal user equipment, the pseudo-device representing the physical terminal user equipment can authenticate to the first MDM service provider, receive one or more commands and/or communications from the first MDM service provider, and/or send one or more messages and/or other communications to the first MDM service provider, as if the pseudo-device were the physical terminal user equipment. The pseudo-device can register with the first MDM service provider in the same way that a typical physical mobile device would register with the first MDM service provider. In some instances, the pseudo-device can appear to the first MDM service provider as a device that is different from, but associated with, the physical terminal user equipment.
In step 1010, the pseudo-device can send a first registration request to the first MDM service provider of the one or more MDM service providers. For example, in step 1010 the first registration request can be sent from the pseudo-device to the first MDM service provider. In some instances, the pseudo-device can have another device send the first registration request on its behalf. The registration request can include any information necessary for the setup, such as security credentials, identity credentials and so on.
In response, in step 1015, the pseudo-device may receive a first strategy execution configuration file associated with the first MDM service provider. For example, in step 1015, the pseudo-device may receive the first strategy execution configuration file from the first MDM service provider. In some examples, the pseudo-device may receive the first strategy execution configuration file from another entity acting on behalf of the first MDM service provider. The first strategy execution configuration file may be configured to facilitate identification of the pseudo-device and/or the first MDM service provider. The first strategy execution configuration file may facilitate secure communication between the pseudo-device and the first MDM service provider. The strategy execution configuration file may be configured to identify one or more policies of the first MDM service provider that are to be enforced at the physical terminal user equipment as a condition of access to the corporate resources of, and/or registration with, the first MDM service provider.
In step 1020, the pseudo-device may store the first strategy execution configuration file associated with the first MDM service provider. For example, in step 1020, the pseudo-device may store the first strategy execution configuration file in memory associated with one or more servers of the cloud computing environment. Once the pseudo-device has been set up for use with the first MDM service provider, the pseudo-device may access the corporate resources of the first MDM service provider in accordance with the policies set by the first MDM service provider. The pseudo-device may receive commands from the first MDM service provider to manage the physical terminal user equipment, as discussed above. For example, such a command may include one of deployment, recall, and/or selective erasing, as discussed herein.
In step 1025, the pseudo-device may be set up for use with the second MDM service provider by, for example, performing one or more of steps 1030, 1035 and 1040 discussed herein. The pseudo-device may appear to the second MDM service provider as the physical terminal user equipment that the pseudo-device represents. For example, the pseudo-device may simulate the physical terminal user equipment that the pseudo-device represents. The pseudo-device may register with the second MDM service provider in the same manner in which a typical mobile device would register with the second MDM service provider. In some examples, the pseudo-device may appear to the second MDM service provider as a device that is different from, but associated with, the physical terminal user equipment.
In step 1030, the pseudo-device may send a second registration request to a second MDM service provider of the one or more MDM service providers. For example, in step 1030, the second registration request may be issued from the pseudo-device. In some examples, the pseudo-device may have another device send the second registration request on behalf of the pseudo-device. The registration request may include any information necessary for the setup, such as security credentials, identity credentials and the like.
In response, in step 1035, the pseudo-device may receive a second strategy execution configuration file associated with the second MDM service provider. For example, in step 1035, the pseudo-device may receive the second strategy execution configuration file from the second MDM service provider. In some examples, the pseudo-device may receive the second strategy execution configuration file from another entity acting on behalf of the second MDM service provider. The second strategy execution configuration file may be configured to facilitate identification of the pseudo-device and/or the second MDM service provider. The second strategy execution configuration file may be configured to facilitate secure communication between the pseudo-device and the second MDM service provider. The strategy execution configuration file may be configured to identify one or more policies of the second MDM service provider that are to be enforced at the physical terminal user equipment as a condition of access to the corporate resources of, and/or registration with, the second MDM service provider.
In step 1040, the pseudo-device may store the second strategy execution configuration file associated with the second MDM service provider. For example, in step 1040, the pseudo-device may store the second strategy execution configuration file in memory associated with one or more servers of the cloud computing environment. Once the pseudo-device has been set up for use with the second service provider, the pseudo-device may access the corporate resources of the second MDM service provider. The pseudo-device may receive commands from the second MDM service provider to manage the physical terminal user equipment. Such a command may include one of deployment, recall, and/or selective erasing, as discussed herein.
In some embodiments, the memory associated with the pseudo-device, located at one or more servers of the cloud computing environment, may simultaneously store the first strategy execution configuration file associated with the first MDM service provider and the second strategy execution configuration file associated with the second MDM service provider. In some embodiments, the physical terminal user equipment may not have sufficient resources to simultaneously store and/or implement the first strategy execution configuration file associated with the first MDM service provider and the second strategy execution configuration file associated with the second MDM service provider.
In some embodiments, a second pseudo-device representing a second physical terminal user equipment may be set up for use with one or more MDM service providers. For example, the second pseudo-device may send a first registration request from the second pseudo-device to the first MDM service provider and, in response, may receive a strategy execution configuration file from the first MDM service provider. The second pseudo-device may store the strategy execution configuration file in memory associated with the second pseudo-device. Once the pseudo-device has been set up for use with the first MDM service provider, the second pseudo-device may access the corporate resources of the first MDM service provider. The second pseudo-device may send a second registration request from the second pseudo-device to the second MDM service provider and, in response, may receive a strategy execution configuration file from the second MDM service provider. The second pseudo-device may store the strategy execution configuration file in memory associated with the second pseudo-device. Once the pseudo-device has been set up for use with the second MDM service provider, the second pseudo-device may access the corporate resources of the second MDM service provider.
In some embodiments, multiple pseudo-devices may be associated with the same user. The pseudo-devices may be established in the cloud computing environment. For example, a first pseudo-device may represent a first physical terminal user equipment associated with the user. A second pseudo-device may represent a second physical terminal user equipment associated with the same user. The second physical terminal user equipment may be different from the first physical terminal user equipment. In this example, the first and second pseudo-devices may be set up for use with the same MDM service provider and/or with different MDM service providers.
Figure 11 depicts a flowchart showing a method of responding to commands from a mobile device management service provider, in accordance with one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 11 and/or one or more of its steps may be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 11 and/or one or more of its steps may be embodied in computer-executable instructions stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Figure 11, the method may begin at step 1105, in which the pseudo-device may receive one or more commands. For example, in step 1105, the pseudo-device may receive a first command from the first MDM service provider. In some examples, the first command may be received from an entity or device that is separate from the first MDM service provider but may be issued on behalf of the first MDM service provider.
The first command may be configured as discussed above in connection with Figure 9. For example, the first command may be configured to cause the MDM cloud agent running on the physical terminal user equipment, and/or the physical terminal user equipment, to perform an operation associated with recall of corporate resources, deployment of corporate resources, selective erasing of corporate resources, restricting access to corporate resources, authorizing access to corporate resources, restricting access to functions, reconfiguring functions, preventing modification of corporate resources, preventing transfer of corporate resources from the physical terminal user equipment, or any other configuration of the commands discussed herein.
In step 1110, the pseudo-device may determine to whom a command and/or message should be sent. For example, in step 1110, the pseudo-device may determine whether to send a second command to the physical terminal user equipment and/or the first MDM service provider. The determination may be based on one or more factors. For example, a factor may include whether information that is not present on the pseudo-device is needed from the physical terminal user equipment in order to respond to one or more commands received from one or more MDM service providers. For example, a factor may include whether a policy associated with one or more commands received from one or more MDM service providers conflicts with another policy of the one or more MDM service providers.
In some embodiments, the pseudo-device may generate a query and send it to the physical terminal user equipment. The query may request status information of the physical terminal user equipment. In response, the physical terminal user equipment may determine its status information and send it to the pseudo-device. The pseudo-device may then determine whether the received status information of the physical terminal user equipment matches the desired status information for the physical terminal user equipment. The pseudo-device may determine the desired status information based at least in part on the first command received from the first MDM service provider. If the received status information does not match the desired status information, the pseudo-device may decide to send the second command to the physical terminal user equipment in order to reach the desired state. If the received status information matches the desired status information, the pseudo-device may decide not to send the second command to the physical terminal user equipment. Because the received status information matches the desired status information, and because the desired status information may be determined based on the first command received from the first MDM service provider, the pseudo-device may decide not to send the second command to the physical terminal user equipment, since the desired state associated with the first command is already the state of the physical terminal user equipment. Additionally or alternatively, in some embodiments, a query need not be sent to the physical terminal user equipment. For example, the physical terminal user equipment may send updated status information to the pseudo-device periodically and/or whenever a state change occurs within the physical terminal user equipment. The pseudo-device may therefore keep a record of the current and past status information of the physical terminal user equipment. Because the current status information of the physical terminal user equipment is present on the pseudo-device, the pseudo-device may determine whether the status information of the physical terminal user equipment matches the desired status information without sending a query to the physical terminal user equipment.
In step 1115, in response to deciding to send the second command to the physical terminal user equipment, the pseudo-device may send the second command from the pseudo-device to the physical terminal user equipment. The second command may be configured to enforce the policies of one or more MDM service providers. The second command may be configured as discussed above in connection with Figure 9. For example, the second command may be configured to cause the MDM cloud agent running on the physical terminal user equipment, and/or the physical terminal user equipment, to perform an operation associated with recall of corporate resources, deployment of corporate resources, selective erasing of corporate resources, restricting access to corporate resources, authorizing access to corporate resources, restricting access to functions, reconfiguring functions, preventing modification of corporate resources, preventing transfer of corporate resources from the physical terminal user equipment, or any other configuration of the commands discussed herein.
In step 1120, the pseudo-device may receive a response from the physical terminal user equipment. For example, in step 1120, the pseudo-device may receive an indication that the operation associated with the second command that was sent has been completed. The response may include device status information of the physical terminal user equipment before or after the operation associated with the second command is completed. For example, the response may include an indication that applications, application data, and/or other data associated with one or more MDM service providers have been deleted from the physical terminal user equipment. The response may include an indication that personal applications and personal data are retained (e.g., not deleted) by the physical terminal user equipment. The response may be configured similarly to the other responses discussed herein.
In some embodiments, the pseudo-device may determine whether the response from the physical terminal user equipment satisfies the first command received from the first MDM service provider (e.g., whether the state of the physical terminal user equipment matches the desired state). If the pseudo-device determines that the response does not satisfy the first command, the pseudo-device may send a third command to the physical terminal user equipment. The third command may be configured to cause, when executed, the expected result of the first command to be obtained. The pseudo-device may then receive another response from the physical terminal user equipment.
In step 1125, the pseudo-device may send a response to one or more MDM service providers. For example, in step 1125, the pseudo-device may send a response to the first command to the first MDM service provider. The response may be sent if the pseudo-device determines that the response is sufficient to satisfy the first command. In some examples, the pseudo-device may generate a modified response based on the response received from the physical terminal user equipment. The modified response may also be based on other factors, such as, for example, the addition of an indication that the operation associated with the first command has been completed. The pseudo-device may send the modified response to the first MDM service provider. The response may be configured similarly to any response discussed herein and may therefore include, for example, device status information for the first MDM service provider to analyze and possibly respond to.
In step 1130, the pseudo-device may not send the second command to the physical terminal user equipment. For example, in step 1130, in response to deciding not to send the second command to the physical terminal user equipment, the pseudo-device may locally generate a response to the first command sent from the first MDM service provider. In some examples, the pseudo-device may receive, from a device or entity other than the physical terminal user equipment, a response to be incorporated into the response to the first command. The generated and/or received response to the first command may include, for example, information stored by the pseudo-device or any other information. The response may include an indication that the operation associated with the first command has been completed. For example, the response may include an indication that a selective erasing has been completed at the physical terminal user equipment.
In step 1135, the pseudo-device may send a response from the pseudo-device to one or more MDM service providers. For example, in step 1135, the pseudo-device may send the locally generated response to the first command from the pseudo-device to the first MDM service provider. The response may be sent to the first MDM service provider without any command (e.g., the first command and/or the second command) being sent to the physical terminal user equipment. The response may therefore be sent on behalf of the physical terminal user equipment without any participation of the physical terminal user equipment. For example, the pseudo-device may receive the first command and send the response to the first MDM service provider independently of any operation of the physical terminal user equipment.
In some embodiments, a second pseudo-device representing a second physical terminal user equipment may receive a first command from an MDM service provider. The second pseudo-device may determine, based on any of the factors discussed herein, whether to send a second command to the second physical terminal user equipment. In response to deciding to send the second command to the second physical terminal user equipment, the second pseudo-device may send the second command from the second pseudo-device to the second physical terminal user equipment. The second pseudo-device may then receive a response from the second physical terminal user equipment. The second pseudo-device may then send the response, or a modified response, to the MDM service provider. In response to deciding not to send any command to the second physical terminal user equipment, the second pseudo-device may generate a response to the first command, the response including, for example, an indication that the operation associated with the first command has been completed. The pseudo-device may send the response to the MDM service provider.
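The following Python example is added here to illustrate the Figure 11 flow (steps 1105 to 1135) and is not part of the patent text. The class names, the state keys, the dictionary format of commands and responses, and the limit of one second command plus one third command are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class PhysicalDevice:
    """Constructed stand-in for the physical terminal user equipment."""
    state: dict
    drop_next: int = 0                     # constructed fault: ignore this many commands
    commands: list = field(default_factory=list)
    queries: int = 0

    def query_state(self) -> dict:
        """Answer a status query from the pseudo-device."""
        self.queries += 1
        return dict(self.state)

    def execute(self, command: dict) -> dict:
        """Run a command from the pseudo-device and report the resulting state."""
        self.commands.append(command)
        if self.drop_next > 0:
            self.drop_next -= 1            # the operation did not take effect
        else:
            self.state.update(command["set"])
        return dict(self.state)


class PseudoDevice:
    MAX_COMMANDS = 2                       # assumption: second command plus one third command

    def __init__(self, device: PhysicalDevice, pushed_state: dict):
        self.device = device
        self.history = [dict(pushed_state)]  # record of current and past device state

    def _pending(self, desired: dict) -> dict:
        """Settings in the desired state that the latest known state does not match."""
        current = self.history[-1]
        return {k: v for k, v in desired.items() if current.get(k) != v}

    def handle(self, first_command: dict) -> dict:
        """Steps 1105-1135: answer a provider command on behalf of the device."""
        desired = first_command["desired_state"]
        # Step 1110, first factor: information needed for the response is not
        # present on the pseudo-device, so the physical device is queried.
        if any(k not in self.history[-1] for k in desired):
            self.history.append(self.device.query_state())
        pending = self._pending(desired)
        sent = 0
        # Step 1115 (second command); a further pass is the third command that
        # follows a response which does not satisfy the first command.
        while pending and sent < self.MAX_COMMANDS:
            reported = self.device.execute({"id": first_command["id"], "set": pending})
            sent += 1
            self.history.append(reported)  # step 1120: response carries device state
            pending = self._pending(desired)
        # Steps 1125/1135: response to the provider. With sent == 0 no command
        # reached the physical device and the response was generated locally.
        return {
            "id": first_command["id"],
            "completed": not pending,
            "commands_sent": sent,
            "answered_without_command": sent == 0,
        }


if __name__ == "__main__":
    # Constructed selective-erasing command from the first MDM service provider.
    wipe = {"id": "cmd-1", "desired_state": {"corp_app_installed": False}}
    device = PhysicalDevice(state={"corp_app_installed": True, "personal_data": True})
    pseudo = PseudoDevice(device, {"corp_app_installed": True})
    print(pseudo.handle(wipe))   # one command is forwarded
    print(pseudo.handle(wipe))   # state already matches: answered locally
    print(device.state)          # personal data is untouched
```

The `answered_without_command` field marks the case of steps 1130 and 1135, where the provider receives a completion response based only on the state record held by the pseudo-device.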
Figure 12 depicts a flowchart showing a method of pushing resource data to the physical terminal user equipment, in accordance with one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 12 and/or one or more of its steps may be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 12 and/or one or more of its steps may be embodied in computer-executable instructions stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Figure 12, the method may begin at step 1205, in which the pseudo-device may receive one or more corporate resources (e.g., resource data). For example, in step 1205, the pseudo-device may receive resource data of the first MDM service provider from the first MDM service provider. The resource data may include documents, charts, software, applications, application data, or any other data associated with the first MDM service provider. The resource data may be received during a period in which the strategy execution configuration file of a different, second MDM service provider is active on, or in use by, the physical terminal user equipment. For example, the pseudo-device may receive from the first MDM service provider an application that can be used at the physical terminal user equipment only when the strategy execution configuration file of the first MDM service provider is active on, or in use by, the physical terminal user equipment. However, the application may be received by the pseudo-device when the strategy execution configuration file of the first MDM service provider is inactive on, or not in use by, the physical terminal user equipment.
Similarly, the pseudo-device may receive the first command from the first MDM service provider during a period in which the strategy execution configuration file associated with the second MDM service provider (different from the first MDM service provider) is active on or at the physical terminal user equipment. For example, the pseudo-device may receive the first command from the first MDM service provider when the strategy execution configuration file of the first MDM service provider is inactive on, or not in use by, the physical terminal user equipment and/or when the strategy execution configuration file of the second MDM service provider is active on, or in use by, the physical terminal user equipment.
In some embodiments, the pseudo-device may receive the resource data and/or the first command from the first MDM service provider during a period in which no strategy execution configuration file of any MDM service provider is active on or at the physical terminal user equipment.
In some embodiments, the resource data may be received in response to a request for the resource data initiated by the physical terminal user equipment. For example, the physical terminal user equipment may send the request for the resource data from the physical terminal user equipment directly to the first MDM service provider, without the participation of the pseudo-device. In some examples, the physical terminal user equipment may send the request for the resource data of the first MDM service provider to the pseudo-device. The pseudo-device may then send the request to the first MDM service provider. In some examples, the pseudo-device may modify the request before sending it to the first MDM service provider. In some embodiments, the physical terminal user equipment may receive the resource data in response to a request initiated by the pseudo-device and sent to the first MDM service provider.
In step 1210, the pseudo-device may determine that a configuration file is currently active on the pseudo-device. For example, in step 1210, the pseudo-device may determine whether the strategy execution configuration file of the first MDM service provider is currently active on the physical terminal user equipment. In some examples, the pseudo-device may send a command, query or request to the physical terminal user equipment, requesting that the physical terminal user equipment (and/or the MDM cloud agent installed on the physical terminal user equipment) send the current device status information of the physical terminal user equipment to the pseudo-device. The current device status information may include, for example, an indication of which strategy execution configuration file is currently in use on the physical terminal user equipment, an indication of the corporate resources currently in use by the physical terminal user equipment, the geographic location of the physical terminal user equipment, an indication of whether the physical terminal user equipment is located within a geofence set by one of the MDM service providers, or any other information. In response, the physical terminal user equipment (and/or the MDM cloud agent installed on the physical terminal user equipment) may determine the current device status information of the physical terminal user equipment and send the current status information to the pseudo-device.
In some embodiments, the pseudo-device may determine whether the strategy execution configuration file of the first MDM service provider is currently active on the physical terminal user equipment without sending a request to the physical terminal user equipment. The physical terminal user equipment (and/or the MDM cloud agent) may send the current status information periodically and/or as a result of a change in the current status information previously sent to the pseudo-device. For example, in determining whether a change in the device status information has been detected, the MDM cloud agent and/or the physical terminal user equipment may determine, for example, whether a new application has been installed on and/or added to the physical terminal user equipment, whether an application has been deleted from the physical terminal user equipment, whether the network connection used by the physical terminal user equipment has changed, whether the geographic location in which the physical terminal user equipment is located has changed, and/or whether there is any other change in the device status information discussed herein. Once a change in the device status information has been detected, the MDM cloud agent and/or the physical terminal user equipment may send (e.g., push) information associated with the change to the pseudo-device, allowing the pseudo-device to keep a record of the current and past device status information of the physical terminal user equipment.
In step 1215, the pseudo-device may push the resource data to the physical terminal user equipment. For example, in step 1215, in response to determining that the strategy execution configuration file of the first MDM service provider is currently active at the physical terminal user equipment (e.g., in use by the physical terminal user equipment), the pseudo-device may send the resource data of the first MDM service provider from the pseudo-device to the physical terminal user equipment. Therefore, when the strategy execution configuration file is in use by the physical terminal user equipment, the physical terminal user equipment may access and/or receive the resource data of the first MDM service provider.
In some embodiments, the physical terminal user equipment may initiate another request (e.g., a second request) for more resource data of the first MDM service provider. The physical terminal user equipment may send the second request to the pseudo-device. The pseudo-device may then send the second request for more resource data to the first MDM service provider. In response, the first MDM service provider may then send more resource data to the pseudo-device. When the strategy execution configuration file of the first MDM service provider is in use by the physical terminal user equipment, the pseudo-device may then send such resource data to the physical terminal user equipment.
In some embodiments, once the pseudo-device has determined that the strategy execution configuration file is in use at the physical terminal user equipment, the pseudo-device may send an indication of that determination to the first MDM service provider. The first MDM service provider may then send resource data directly to the physical terminal user equipment (e.g., without further participation of the pseudo-device). In some embodiments, subsequent requests for resource data may be sent from the physical terminal user equipment directly to the first MDM service provider (e.g., without the participation of the pseudo-device).
In step 1220, the pseudo-device may store the resource data in memory associated with the pseudo-device. For example, in step 1220, in response to determining that the strategy execution configuration file of the first MDM service provider is currently inactive at the physical terminal user equipment (e.g., not in use by the physical terminal user equipment), the pseudo-device may cache or otherwise store the resource data of the first MDM service provider until the strategy execution configuration file of the first MDM service provider becomes active at the physical terminal user equipment. The pseudo-device may again determine whether the strategy execution configuration file of the first MDM service provider is active at the physical terminal user equipment by, for example, sending a request for the current state of the physical terminal user equipment, as discussed herein. Once or when the pseudo-device determines that the strategy execution configuration file of the first MDM service provider is currently active at the physical terminal user equipment, the pseudo-device may push (e.g., automatically send) the resource data from the cache associated with the pseudo-device to the physical terminal user equipment. In some embodiments, once the pseudo-device determines that the strategy execution configuration file of the first MDM service provider is active at the physical terminal user equipment, the pseudo-device may permit the resource data to be pulled (e.g., sent in response to a request from the physical terminal user equipment) from the cache associated with the pseudo-device to the physical terminal user equipment.
In some embodiments, a second pseudo-device representing a second physical terminal user equipment may receive, for example, resource data of the first MDM service provider and/or a first command from the first MDM service provider. The resource data and/or the first command may be received during a period in which the strategy execution configuration file of the second MDM service provider (different from the first MDM service provider) is active on the second physical terminal user equipment. When the strategy execution configuration file of the first MDM service provider is currently inactive on the second physical terminal user equipment, the second pseudo-device may cache the resource data of the first MDM service provider in memory associated with the second pseudo-device. When the strategy execution configuration file of the first MDM service provider is currently active on the second physical terminal user equipment, the second pseudo-device may push the resource data of the first MDM service provider.
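The following Python example is added here to illustrate steps 1205 to 1220 of Figure 12 and is not part of the patent text. The class and method names, the `active_profile` state key, the provider labels and the rejection of providers without a stored configuration file are assumptions made for the example.

```python
from collections import defaultdict, deque


class ResourceGate:
    """Pseudo-device side of Figure 12: resource data of a provider is released
    to the physical device only while that provider's strategy execution
    configuration file is active there; otherwise it stays cached."""

    def __init__(self, stored_profiles, auto_push=True):
        self.stored_profiles = set(stored_profiles)  # files stored at steps 1020/1040
        self.auto_push = auto_push      # True: push on activation; False: wait for a pull
        self.active_profile = None      # last value reported by the MDM cloud agent
        self.cache = defaultdict(deque) # provider -> resource data awaiting release
        self.delivered = []             # (provider, resource) sent to the device, in order

    def on_resource(self, provider, resource):
        """Step 1205: resource data arrives from an MDM service provider."""
        if provider not in self.stored_profiles:
            # Assumption of this example: data from a provider the pseudo-device
            # never registered with is refused rather than cached.
            raise ValueError(f"no stored configuration file for {provider!r}")
        if provider == self.active_profile:
            self.delivered.append((provider, resource))   # step 1215: push now
            return "pushed"
        self.cache[provider].append(resource)             # step 1220: hold back
        return "cached"

    def on_state_update(self, state):
        """Step 1210: device status pushed by the agent or returned by a query."""
        self.active_profile = state.get("active_profile")
        if self.auto_push:
            return self._release(self.active_profile)
        return []

    def on_device_request(self, provider):
        """Pull variant: the device requests cached data of one provider."""
        if provider != self.active_profile:
            return []                   # file not in use on the device: nothing leaves
        return self._release(provider)

    def _release(self, provider):
        queue = self.cache.get(provider)
        released = []
        while queue:                    # preserve arrival order
            released.append(queue.popleft())
        self.delivered.extend((provider, r) for r in released)
        return released


if __name__ == "__main__":
    # Constructed scenario: provider B's file is active while provider A sends data.
    gate = ResourceGate({"mdm-a", "mdm-b"})
    gate.on_state_update({"active_profile": "mdm-b"})
    print(gate.on_resource("mdm-a", "a-doc-1"))                # cached
    print(gate.on_resource("mdm-b", "b-doc-1"))                # pushed
    print(gate.on_state_update({"active_profile": "mdm-a"}))   # ['a-doc-1']
```

The `delivered` list gives the order in which data left the pseudo-device, so it can be checked that nothing from one provider was released while another provider's file was the active one.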
Figure 13 depicts a flowchart showing a method of modifying a command at the pseudo-device, in accordance with one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 13 and/or one or more of its steps may be performed by a computing device (e.g., general-purpose computing device 201). In other embodiments, the method shown in Figure 13 and/or one or more of its steps may be embodied in computer-executable instructions stored in a computer-readable medium, such as a non-transitory computer-readable memory.
As seen in Figure 13, the method may begin at step 1305, in which the pseudo-device may receive one or more commands from one or more MDM service providers. For example, in step 1305, the pseudo-device may receive a first command from the first MDM service provider. The command may be any command discussed herein, including, for example, a selective erasing command, a recall command, and/or a deployment command.
At step 1310, the pseudo-device may modify one or more commands. For example, in step 1310, the pseudo-device may modify the received first command to generate a modified command. The modification may be based on one or more strategy execution configuration files, the policies of one or more MDM service providers, the current state of the physical terminal user equipment, and/or any other factor. The modified command may be configured to cause an operation to be performed at the physical terminal user equipment if the command is received by the physical terminal user equipment. For example, the modified command may be configured to deploy resource data from the pseudo-device to the physical terminal user equipment, recall resource data from the physical terminal user equipment to the pseudo-device, perform a selective erasing, carry out a command associated with resolving a conflict, and/or perform any other operation discussed herein.
At step 1315, the pseudo-device can send one or more orders to the physical terminal user equipment. For example, in step 1315 the pseudo-device can send the modified order from the pseudo-device to the physical terminal user equipment. The physical terminal user equipment can then perform the operation of the modified order, which may include, for example, deleting data associated with one or more MDM service providers or any other operation discussed herein. Performing the operation can cause a change in the device status information monitored by the MDM cloud agent operating on the physical terminal user equipment. The resulting change in device state can be sent from the physical terminal user equipment to the pseudo-device, allowing the pseudo-device to continue to execute the strategies of the MDM service provider.
In some embodiments, a second pseudo-device representing a second physical terminal user equipment can receive an order from an MDM service provider. The second pseudo-device can modify the order to generate a modified order. The second pseudo-device can then send the modified order from the second pseudo-device to the second physical terminal user equipment. The second physical terminal user equipment can then perform the operation associated with the order and send the resulting change in device status information to the second pseudo-device.
In some embodiments, the pseudo-device can modify the order received from the MDM service provider, based on one or more factors, before sending the modified order to the physical terminal user equipment. For example, the pseudo-device can modify the order so that the physical terminal user equipment can process (for example, understand) the modified order. Specifically, the order received from the MDM service provider can be associated with a protocol or standard that the physical terminal user equipment may not be able to process and/or otherwise understand. The pseudo-device can modify the received order so that the modified order is associated with a different protocol or standard that the physical terminal user equipment can process and/or otherwise understand.
Figure 14 depicts a flow chart showing a method of applying a selective erasing order according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 14 and/or one or more of its steps can be performed by a computing device (for example, universal computing device 201). In other embodiments, the method shown in Figure 14 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 14, the method can begin at step 1405, in which the physical terminal user equipment can receive a selective erasing order from the pseudo-device. For example, in step 1405, in response to receiving a selective erasing order from the first MDM service provider, the pseudo-device can send a selective erasing order to the physical terminal user equipment. In some embodiments, the pseudo-device can generate the selective erasing order. The selective erasing order can be configured to cause corporate resources (for example, resource data) to be deleted at the physical terminal user equipment. For example, the selective erasing order can be configured to cause a subset of applications associated with the first MDM service provider, and the data associated with that subset of applications, to be deleted at the physical terminal user equipment. The selective erasing order can be configured to keep personal information. For example, the selective erasing order can keep (that is, not delete) personal applications and the data associated with personal applications, and optionally the strategy execution configuration file of the first MDM service provider.
In step 1410, in response to receiving the selective erasing order, the physical terminal user equipment deletes resource data. For example, in step 1410 the physical terminal user equipment can delete the subset of applications associated with the first MDM service provider, the data associated with that subset of applications, data generated by the physical terminal user equipment using the resource data of the first MDM service provider, and/or other data associated with the first MDM service provider.
In step 1415, the physical terminal user equipment can keep personal information. For example, in step 1415 the physical terminal user equipment can keep personal applications, data associated with personal applications, personal data, strategy execution configuration files associated with one or more MDM service providers, and/or any other data not associated with the first MDM service provider. In such an example, the kept information is not deleted by the physical terminal user equipment and therefore continues to be stored by the physical terminal user equipment. In some embodiments, the strategy execution configuration file of the first MDM service provider is not deleted.
In some example embodiments, a change in device status information can be detected by the MDM cloud agent, the pseudo-device, and/or the first MDM service provider, based on the device status information provided by the MDM cloud agent to the pseudo-device and/or the first MDM service provider. One or more of the MDM cloud agent, the pseudo-device, and/or the first MDM service provider can decide to selectively erase the physical terminal user equipment. For example, the first MDM service provider can send a selective erasing order to the pseudo-device. The pseudo-device can then send the selective erasing order to the physical terminal user equipment. In some instances, the pseudo-device can generate the selective erasing order and send it to the physical terminal user equipment. In response to receiving the selective erasing order, or based on a local determination, the MDM cloud agent and/or the physical terminal user equipment can erase the resources associated with the first MDM service provider while leaving personal data and/or data unrelated to the first MDM service provider (for example, data associated with another MDM service provider).
In some embodiments, the selective erasing can erase or delete only a subset of the corporate resources used by the physical terminal user equipment. In some embodiments, the selective erasing can delete only data associated with the first MDM service provider that was accessed within a certain period.
In some embodiments, the second physical terminal user equipment can receive a selective erasing order from the second pseudo-device representing the second physical terminal user equipment. The second physical terminal user equipment can delete a subset of resource data, including, for example, a subset of applications associated with the MDM service provider, data associated with that subset of applications, and/or other data associated with the MDM service provider. The second physical terminal user equipment can keep personal information, including, for example, personal applications, data associated with personal applications, and/or other personal data. The second physical terminal user equipment can also keep the strategy execution configuration file of the MDM service provider.
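The selective erasing of Figure 14, sketched as an added example that is not taken from the patent: items on the device carry an owner tag, the wipe removes only the targeted provider's items, and an audit over the reported device state flags over-deletion or residue. The item kinds, owner tags and inventory are constructed assumptions.

```python
from dataclasses import dataclass

PERSONAL = "personal"  # assumed tag for items that no MDM provider owns

@dataclass(frozen=True)
class Item:
    name: str
    kind: str         # "app", "app_data", "derived_data" or "profile"
    owner: str        # provider id, or PERSONAL
    last_access: int  # constructed timestamp in seconds

def selective_wipe(store, provider, keep_profile=True, window=None):
    """Split store into (kept, deleted) for a selective erasing order.

    provider     -- MDM service provider whose resources are removed
    keep_profile -- leave that provider's strategy execution profile
    window       -- optional (start, end); only data last accessed inside
                    it is deleted (the time-limited variant)
    """
    kept, deleted = [], []
    for item in store:
        doomed = item.owner == provider
        if doomed and item.kind == "profile":
            doomed = not keep_profile
        elif doomed and window is not None:
            start, end = window
            doomed = start <= item.last_access <= end
        (deleted if doomed else kept).append(item)
    return kept, deleted

def audit_wipe(before, after, provider, keep_profile=True):
    """Check a full (non-windowed) wipe from the reported device state.

    Returns findings; an empty list means every resource of `provider`
    is gone and nothing belonging to anyone else was removed.
    """
    findings = []
    remaining = {i.name for i in after}
    for item in before:
        gone = item.name not in remaining
        if item.owner != provider and gone:
            findings.append(f"over-deletion: {item.name} ({item.owner})")
        elif item.owner == provider and not gone:
            if not (item.kind == "profile" and keep_profile):
                findings.append(f"residue: {item.name}")
    return findings

# Constructed inventory: two providers plus personal content.
DEVICE = [
    Item("crm-app", "app", "mdm-1", 500),
    Item("crm-cache", "app_data", "mdm-1", 900),
    Item("report-draft", "derived_data", "mdm-1", 100),
    Item("mdm-1-profile", "profile", "mdm-1", 50),
    Item("mail-app", "app", "mdm-2", 800),
    Item("photos", "app_data", PERSONAL, 950),
    Item("game", "app", PERSONAL, 700),
]

if __name__ == "__main__":
    kept, deleted = selective_wipe(DEVICE, "mdm-1")
    print("deleted:", [i.name for i in deleted])
    print("audit:", audit_wipe(DEVICE, kept, "mdm-1"))
```
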
Figure 15 depicts a flow chart showing a method of deploying information to a physical terminal user equipment and revoking information from the physical terminal user equipment according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 15 and/or one or more of its steps can be performed by a computing device (for example, universal computing device 201). In other embodiments, the method shown in Figure 15 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 15, the method can begin at step 1505, in which the physical terminal user equipment can initiate one or more requests for resource data from one or more MDM service providers. For example, in step 1505 the physical terminal user equipment can initiate a first request based on user input or when the physical terminal user equipment is located within a first geofence of the first MDM service provider. Specifically, the user can initiate a request for the resource data of one or more MDM service providers at any time. Additionally or alternatively, when the physical terminal user equipment determines that it is located within one or more geofences preset by the first MDM service provider, the physical terminal user equipment can automatically (for example, without the participation of the user) initiate a request for, for example, the resource data of the first MDM service provider. For example, the physical terminal user equipment may include a global positioning system (GPS) monitored by the MDM cloud agent operating on the physical terminal user equipment. When the MDM cloud agent determines that the physical terminal user equipment is located within a geofence associated with the geographic location of one or more buildings or campuses of the first MDM service provider, the MDM cloud agent can generate the request. In some embodiments, the geofence can be associated with the geographic location of the home of the user of the physical terminal user equipment. Additionally or alternatively, the geofence can be associated with any other region defined by the first MDM service provider.
At step 1510, the pseudo-device can receive one or more requests from the physical terminal user equipment. For example, in step 1510 the pseudo-device can receive the first request from the physical terminal user equipment. The request may include an indication that the request was initiated based on user input, or an indication that the physical terminal user equipment is located within the first geofence of the first MDM service provider.
In step 1515, the pseudo-device can deploy (for example, transmit) the data of the first MDM service provider. For example, in step 1515 the pseudo-device can deploy the strategy execution configuration file of the first MDM service provider, application data of the first MDM service provider, resource data of the first MDM service provider stored in a cache or other memory associated with the pseudo-device as discussed herein in connection with Figure 12, and/or any other data associated with the first MDM service provider. The physical terminal user equipment can therefore use and/or interact with the resource data associated with the first MDM service provider. In some embodiments, the first MDM service provider can receive the request from the pseudo-device and can send resource data to the pseudo-device for deployment to the physical terminal user equipment.
In step 1520, the physical terminal user equipment can initiate a second request to the pseudo-device. For example, in step 1520 the physical terminal user equipment can initiate the second request based on user input or when the physical terminal user equipment is no longer within the first geofence of the first MDM service provider. Specifically, the user can at any time initiate a request indicating that the user no longer needs the resource data of one or more MDM service providers. Additionally or alternatively, the physical terminal user equipment can initiate the request automatically (for example, without the participation of the user): when the physical terminal user equipment determines that it is no longer within the one or more geofences preset by the first MDM service provider, the physical terminal user equipment may no longer use the resource data of the first MDM service provider.
In step 1525, the pseudo-device can receive the second request from the physical terminal user equipment. The second request may include an indication that the user no longer needs access to the resource data of the first MDM service provider. The second request may include an indication that the physical terminal user equipment is no longer within the first geofence of the first MDM service provider and/or an indication that the physical terminal user equipment may no longer use or have access to the resource data of the first MDM service provider.
In step 1530, in response to receiving the second request, the pseudo-device can revoke one or more strategy execution configuration files of one or more MDM service providers and/or the resource data of one or more MDM service providers. For example, in step 1530 the pseudo-device can revoke from the physical terminal user equipment, for example, the applications of the first MDM service provider, the application data of those applications, the documents of the first MDM service provider, data generated by the physical terminal user equipment based on the resource data of the first MDM service provider, and/or any other data associated with the first MDM service provider. The resources described above are therefore removed from the physical terminal user equipment and sent to the pseudo-device. In some embodiments, the strategy execution configuration file and/or selected resource data of the first MDM service provider can be kept (for example, not deleted) at the physical terminal user equipment.
In step 1535, the physical terminal user equipment can initiate a third request for the resource data of one or more MDM service providers. For example, in step 1535 the physical terminal user equipment can initiate a third request for the resource data of the second MDM service provider based on user input or when the physical terminal user equipment is located within a second geofence of the second MDM service provider. Specifically, the user can initiate a request for the resource data of one or more MDM service providers at any time. When the physical terminal user equipment determines that it is located within one or more geofences preset by the second MDM service provider, the physical terminal user equipment can also automatically (for example, without the participation of the user) initiate a request for, for example, the resource data of the second MDM service provider. For example, the geofence can be associated with the geographic location of one or more buildings or campuses of the second MDM service provider. The geofence can be associated with the geographic location of the home of the user of the physical terminal user equipment. The geofence can be associated with any other region defined by the second MDM service provider.
In step 1540, the pseudo-device can receive one or more requests from the physical terminal user equipment. For example, in step 1540 the pseudo-device can receive the third request from the physical terminal user equipment. The request may include an indication that the request was initiated based on user input, or an indication that the physical terminal user equipment is located within the second geofence of the second MDM service provider.
In step 1545, the pseudo-device can deploy (for example, transmit) the data of the second MDM service provider. For example, in step 1545 the pseudo-device can deploy the strategy execution configuration file of the second MDM service provider, application data of the second MDM service provider, resource data of the second MDM service provider stored in a cache or other memory associated with the pseudo-device as discussed herein in connection with Figure 12, and/or any other data associated with the second MDM service provider. The physical terminal user equipment can therefore use and/or interact with the resource data associated with the second MDM service provider.
In some embodiments, the second physical terminal user equipment can initiate a first request based on user input or when the second physical terminal user equipment is located within the geofence of the first MDM service provider. The second pseudo-device representing the second physical terminal user equipment can receive the first request from the second physical terminal user equipment. In response, the second pseudo-device can deploy one or more of the strategy execution configuration file of the first MDM service provider and the resource data of the first MDM service provider, the resource data including, for example, the applications of the first MDM service provider, the application data of those applications, and/or other data associated with the first MDM service provider. The second physical terminal user equipment can initiate a second request based on user input or when the second physical terminal user equipment is no longer located within the geofence of the first MDM service provider. The second pseudo-device can receive the request from the second physical terminal user equipment. In response, the second pseudo-device can revoke one or more of the resource data and the strategy execution configuration file of the first MDM service provider from the second physical terminal user equipment (for example, remove the resources from the second physical terminal user equipment and send them to the second pseudo-device). The second physical terminal user equipment can initiate a third request based on user input or when the physical terminal user equipment is located within the geofence of the second MDM service provider. The second pseudo-device can receive the second request from the second physical terminal user equipment. The second pseudo-device can then deploy one or more of the strategy execution configuration file of the second MDM service provider and/or the resource data of the second MDM service provider to the second physical terminal user equipment, the resource data including, for example, the applications of the second MDM service provider, the application data of those applications, and/or any other data associated with the second MDM service provider.
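The deploy and revoke cycle of Figure 15, as an added example that is not part of the patent: the MDM cloud agent compares each position fix with the providers' geofences and issues requests, and the pseudo-device moves resources between its cache and the device. Circular fences, the coordinates and the resource names are constructed assumptions.

```python
import math

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

class PseudoDevice:
    """Cloud-side stand-in that holds provider resources while not deployed."""

    def __init__(self, cache):
        self.cache = {p: list(r) for p, r in cache.items()}

    def deploy(self, provider, device):   # steps 1510-1515 and 1540-1545
        device.storage[provider] = self.cache.pop(provider, [])

    def revoke(self, provider, device):   # steps 1525-1530
        # Revocation moves data back to the pseudo-device, including data
        # the device generated from the provider's resources.
        self.cache[provider] = device.storage.pop(provider, [])

class Device:
    """Physical device with an agent that watches the position fix."""

    def __init__(self, fences, pseudo):
        self.fences = fences   # provider -> ((lat, lon), radius in metres)
        self.pseudo = pseudo
        self.storage = {}      # provider -> resources currently on the device

    def update_location(self, position):
        """Steps 1505, 1520, 1535: issue requests for fence transitions."""
        requests = []
        for provider, (centre, radius) in self.fences.items():
            inside = haversine_m(position, centre) <= radius
            if inside and provider not in self.storage:
                requests.append(("deploy", provider))
            elif not inside and provider in self.storage:
                requests.append(("revoke", provider))
        # Revoke first so two providers' resources never overlap on a move.
        requests.sort(key=lambda r: r[0] != "revoke")
        for kind, provider in requests:
            getattr(self.pseudo, kind)(provider, self)
        return requests

# Constructed fences (200 m radius, about 1.1 km apart) and cached resources.
FENCES = {"mdm-1": ((52.5200, 13.4050), 200.0),
          "mdm-2": ((52.5300, 13.4050), 200.0)}
CACHE = {"mdm-1": ["crm-app", "price-list"], "mdm-2": ["wiki-app"]}

if __name__ == "__main__":
    dev = Device(FENCES, PseudoDevice(CACHE))
    for fix in [(52.5205, 13.4050), (52.5250, 13.4050), (52.5301, 13.4050)]:
        print(fix, dev.update_location(fix), dev.storage)
```
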
Figure 16 depicts a flow chart showing a method of resolving conflicts between the strategies of different MDM service providers according to one or more illustrative aspects discussed herein. In one or more embodiments, the method of Figure 16 and/or one or more of its steps can be performed by a computing device (for example, universal computing device 201). In other embodiments, the method shown in Figure 16 and/or one or more of its steps can be embodied in computer-executable instructions stored in a computer-readable medium such as a non-transitory computer-readable memory.
As seen in Figure 16, the method can begin at step 1605, in which the pseudo-device representing the physical terminal user equipment can identify a conflict in the strategies of one or more MDM service providers. For example, in step 1605 the pseudo-device can identify a conflict between one or more strategies of the first MDM service provider and one or more strategies of the second MDM service provider. In some embodiments, the pseudo-device can identify a conflict between a first strategy of the first MDM service provider and a second strategy of the first MDM service provider. Similarly, the pseudo-device can identify a conflict between a first strategy of the second MDM service provider and a second strategy of the second MDM service provider.
The pseudo-device can identify a conflict between strategies when one or more operations associated with the execution of the strategy execution configuration file of the first MDM service provider conflict with one or more operations associated with the execution of the strategy execution configuration file of the second MDM service provider, when one or more orders received from the first MDM service provider conflict with one or more orders received from the second MDM service provider, or any combination thereof. The identification can be based on, for example, inconsistent operations performed by the strategy execution configuration files, inconsistent orders received from the first MDM service provider, or inconsistent orders received from the second MDM service provider.
In step 1610, the pseudo-device can resolve the identified conflict between one or more strategies of one or more MDM service providers. For example, in step 1610 the pseudo-device can resolve the conflict by performing one or more of steps 1615, 1620, and/or 1625. When a conflict is identified, the pseudo-device can resolve the conflict. In some instances, the pseudo-device can resolve the conflict when the physical terminal user equipment attempts to obtain a corporate resource that would give rise to the conflict.
In step 1615, the pseudo-device can resolve the conflict by applying a solution determined from a knowledge-based system. For example, in step 1615 the pseudo-device can apply a solution determined from a knowledge-based system of the cloud computing environment. The knowledge-based system may include a database of rules, strategies, and/or other orders that can be applied when the conditions of those rules, strategies, and/or orders are satisfied. The database can receive updates to the existing rules, strategies, and/or orders stored in the database. The database can receive new rules, strategies, and/or orders for resolving conflicts.
The pseudo-device can apply (for example, make use of) the rules, strategies, and/or orders stored in the database. For example, once the pseudo-device has identified a conflict, the pseudo-device can query or look up the rules, strategies, and/or orders associated with the identified conflict. In response, the pseudo-device can receive the rules, strategies, and/or orders associated with the identified conflict. The pseudo-device can then implement or execute such rules, strategies, and/or orders by, for example, sending one or more orders to the physical terminal user equipment. The order can be configured to execute, for example, a rule received from the database. Additionally or alternatively, the pseudo-device can query one or more of the MDM service providers. The pseudo-device can receive a response from the one or more MDM service providers that includes one or more orders to be sent to the physical terminal user equipment. The pseudo-device can then send the order to the physical terminal user equipment. In response to receiving the order, the physical terminal user equipment can send the pseudo-device an indication that the operation associated with the one or more orders has been completed.
In step 1620, the pseudo-device can resolve the conflict by sending a warning to the physical terminal user equipment. For example, in step 1620 the pseudo-device can transmit a warning to the physical terminal user equipment. The warning may include one or more user-selectable orders for resolving the conflict. For example, the physical terminal user equipment can display the warning to the user. The physical terminal user equipment can receive the user's selection of one or more of the orders displayed to the user in the warning. The physical terminal user equipment can then resolve the conflict using the one or more selected orders. In some embodiments, based on the one or more selected orders, the physical terminal user equipment can send an order or message to one or more of the pseudo-device and/or the MDM service providers. In response, the physical terminal user equipment can receive one or more orders from the pseudo-device and/or one or more MDM service providers, where such orders can be configured so that the conflict is resolved once the operation associated with the order is applied by the physical terminal user equipment.
In step 1625, the pseudo-device can resolve the conflict by sending a miniature erasing order to the physical terminal user equipment. For example, in step 1625 the pseudo-device can send a miniature erasing order to the physical terminal user equipment, where the miniature erasing order can be configured to cause at least a subset of the data causing the conflict to be deleted. For example, based on the received miniature erasing order, the physical terminal user equipment can delete an application, data associated with the application, resource data of one or more MDM service providers, or any other data causing the conflict.
In some embodiments, the deleted data can be sent to the pseudo-device to be backed up or stored in memory associated with the pseudo-device. When the data can be pushed or sent to the physical terminal user equipment without recreating the conflict, the pseudo-device can send to the physical terminal user equipment at least some of the backup data originally deleted by the physical terminal user equipment.
In some embodiments, once or when the physical terminal user equipment has performed one of the conflict-resolution options discussed herein (for example, one or more of steps 1615, 1620, and/or 1625), the pseudo-device can verify that the identified conflict has been resolved. For example, the pseudo-device can send a request to the physical terminal user equipment and receive from the physical terminal user equipment its current device status information relating to the identified conflict. The pseudo-device can then determine, based on the current device status information, whether the conflict has been resolved. If the conflict has not been resolved, the pseudo-device can again perform any of the methods for resolving the conflict, including, for example, one or more of steps 1615, 1620, and 1625.
In some embodiments, the second pseudo-device representing the second physical terminal user equipment can identify a conflict between strategies. For example, the second pseudo-device can identify a conflict between a strategy of the first MDM service provider and a strategy of the second MDM service provider. The second pseudo-device can identify conflicting strategies from the same MDM service provider. The second pseudo-device can resolve the conflict by performing one or more of the following actions: the second pseudo-device can apply a solution determined from the knowledge-based system, the second pseudo-device can send a warning including user-selectable orders for resolving the conflict, and/or the second pseudo-device can send a miniature erasing order to the second physical terminal user equipment so that the second physical terminal user equipment can delete the subset of data causing the conflict. The second pseudo-device can then verify that the conflict has been resolved.
In some embodiments, only one configuration file is active at the physical terminal user equipment at a time. Additionally or alternatively, multiple configuration files can be active at the physical terminal user equipment simultaneously. In such an example, the method of Figure 16 can be applied to conflicts arising between the multiple configuration files that are simultaneously active at the physical terminal user equipment. For example, any of steps 1605-1625 for identifying and resolving a conflict can be performed with respect to two or more configuration files that are simultaneously active at the physical terminal user equipment.
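The identify, resolve and verify loop of Figure 16, as an added example that is not part of the patent. The settings, the "stricter value wins" knowledge-base rules, the choice of which provider yields to a miniature erase, and the sample data are all constructed assumptions.

```python
# Assumed knowledge base: merge two required values into one that satisfies
# both providers (the stricter value wins).
KNOWLEDGE_BASE = {
    "min_passcode_length": max,
    "screen_lock_seconds": min,
    "camera_allowed": lambda a, b: a and b,
}

def satisfies(setting, actual, required):
    """True when the device value is at least as strict as `required`."""
    if actual is None:
        return False
    rule = KNOWLEDGE_BASE.get(setting)
    return rule(actual, required) == actual if rule else actual == required

def holders(device, policies, setting):
    """Providers whose strategy covers `setting` and that still have a
    resource on the device bound to it."""
    return [p for p, pol in policies.items() if setting in pol and any(
        setting in needs for needs in device["data"].get(p, {}).values())]

def identify_conflicts(device, policies):
    """Step 1605; re-run after each round as the verification step."""
    found = []
    for s in sorted({s for pol in policies.values() for s in pol}):
        required = [policies[p][s] for p in holders(device, policies, s)]
        actual = device["settings"].get(s)
        if len(set(required)) > 1 and not all(
                satisfies(s, actual, r) for r in required):
            found.append(s)
    return found

def resolve(device, policies, backup, ask_user=None, max_rounds=4):
    """Steps 1610-1625. Returns [(setting, method), ...] in order applied."""
    log = []
    for _ in range(max_rounds):
        conflicts = identify_conflicts(device, policies)  # verify from state
        if not conflicts:
            break
        for s in conflicts:
            owners = holders(device, policies, s)
            values = [policies[p][s] for p in owners]
            tried = {m for t, m in log if t == s}
            if s in KNOWLEDGE_BASE and "knowledge_base" not in tried:  # 1615
                merged = values[0]
                for v in values[1:]:
                    merged = KNOWLEDGE_BASE[s](merged, v)
                device["settings"][s] = merged
                log.append((s, "knowledge_base"))
            elif ask_user is not None and "warning" not in tried:      # 1620
                device["settings"][s] = ask_user(s, values)
                log.append((s, "warning"))
            else:                                                      # 1625
                loser = owners[-1]  # assumption: last-listed provider yields
                data = device["data"][loser]
                for name in [n for n, needs in data.items() if s in needs]:
                    backup.setdefault(loser, {})[name] = data.pop(name)
                device["settings"][s] = policies[owners[0]][s]
                log.append((s, "miniature_erase"))
    return log

# Constructed strategies and device state.
POLICIES = {
    "mdm-1": {"min_passcode_length": 6, "camera_allowed": True,
              "vpn_gateway": "vpn.one.example"},
    "mdm-2": {"min_passcode_length": 8, "camera_allowed": False,
              "vpn_gateway": "vpn.two.example"},
}

def sample_device():
    """Each resource lists the settings it is bound to."""
    return {"settings": {}, "data": {
        "mdm-1": {"crm-app": {"vpn_gateway", "min_passcode_length"},
                  "badge-app": {"camera_allowed"}},
        "mdm-2": {"wiki-app": {"vpn_gateway"},
                  "mail-app": {"min_passcode_length", "camera_allowed"}}}}

if __name__ == "__main__":
    dev, backup = sample_device(), {}
    print(resolve(dev, POLICIES, backup), dev["settings"], backup)
```

In this model a user-selected value cannot satisfy two providers that demand different VPN gateways, so the verification pass sends that conflict on to the miniature erase, with the removed resource held in `backup` on the pseudo-device side.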
In one or more embodiments, multiple pseudo-devices can be established in the cloud computing environment. Each pseudo-device in a first group of pseudo-devices represents the same first physical terminal user equipment. Each of the pseudo-devices representing the first physical terminal user equipment can be set up for use with a respective MDM service provider. For example, a first pseudo-device representing the first physical terminal user equipment can be set up for use with the first MDM service provider. A second pseudo-device representing the first physical terminal user equipment can be set up for use with the second MDM service provider (different from the first MDM service provider). The first pseudo-device can be configured to receive one or more orders from the first MDM service provider on behalf of the first physical terminal user equipment. The second pseudo-device can be configured to receive one or more orders from the second MDM service provider on behalf of the first physical terminal user equipment.
In some embodiments, the first pseudo-device can receive a first order from the first MDM service provider. The first pseudo-device can send to the first physical terminal user equipment the received first order or a different, second order based on the first order. The first pseudo-device can then receive a response from the first physical terminal user equipment. The first pseudo-device can send the response, or a modified response, to the first MDM service provider.
Similarly, in some embodiments, the second pseudo-device can receive a third order from the second MDM service provider. The second pseudo-device can send to the first physical terminal user equipment the received third order or a different, fourth order based on the third order. The second pseudo-device can then receive a response from the first physical terminal user equipment. The second pseudo-device can send the response, or a modified response, to the second MDM service provider.
In some embodiments, a third pseudo-device and a fourth pseudo-device can be established in the cloud computing environment to represent a second physical terminal user equipment. Each of the pseudo-devices representing the second physical terminal user equipment can be set up for use with a respective MDM service provider. For example, the third pseudo-device representing the second physical terminal user equipment can be set up for use with the first MDM service provider. The fourth pseudo-device representing the second physical terminal user equipment can be set up for use with the second MDM service provider. The third pseudo-device can be configured to receive one or more orders from the first MDM service provider on behalf of the second physical terminal user equipment. The fourth pseudo-device can be configured to receive one or more orders from the second MDM service provider on behalf of the second physical terminal user equipment. The third pseudo-device and the fourth pseudo-device can receive orders, send orders, receive responses, and/or send responses as discussed herein.
In some embodiments, the first pseudo-device can be set up for use with the first MDM service provider. Specifically, the first pseudo-device representing the first physical terminal user equipment can send a first registration request to the first MDM service provider. The first pseudo-device can receive the strategy execution configuration file of the first MDM service provider from the first MDM service provider. The first pseudo-device can then store the strategy execution configuration file of the first MDM service provider in memory associated with the first pseudo-device. Once set up for use with the first MDM service provider, the first pseudo-device can access the corporate resources of the first MDM service provider. The first pseudo-device can also receive one or more orders from the first MDM service provider to manage the first physical terminal user equipment.
In some embodiments, the second pseudo-device can be provisioned for use with the second MDM service provider. Specifically, the second pseudo-device representing the first physical end user device can send a second registration request to the second MDM service provider. The second pseudo-device can receive a policy enforcement configuration file of the second MDM service provider from the second MDM service provider. The second pseudo-device can then store the policy enforcement configuration file of the second MDM service provider in a memory associated with the second pseudo-device. Once provisioned for use with the second MDM service provider, the second pseudo-device can access corporate resources of the second MDM service provider. The second pseudo-device can receive commands from the second MDM service provider to manage the first physical end user device. In some embodiments, the third pseudo-device representing the second physical end user device can be provisioned in a similar manner. In some embodiments, the fourth pseudo-device representing the second physical end user device can be provisioned in a similar manner.
In some embodiments, the first pseudo-device representing the first physical end user device can receive a first command from the first MDM service provider. In response, the first pseudo-device can determine whether to send a command (for example, a second command) to the first physical end user device. In response to a determination to send the second command, the first pseudo-device can send the second command to the first physical end user device. The first pseudo-device can receive a response from the first physical end user device. The first pseudo-device can send the response, or a modified response, to the first MDM service provider. The response may include an indication that an operation associated with the first command has been completed.
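The command flow described above, together with the status check of claim 5, sketched as an added Python example that is not code from the patent. The class names, the `register` callable, the sample settings and the `audit` list are assumptions made for this illustration.

```python
from dataclasses import dataclass, field


@dataclass
class PhysicalDevice:
    """Stand-in for the physical device; `state` holds constructed sample settings."""
    state: dict
    received: list = field(default_factory=list)

    def query(self, keys):
        # Answer a query command with the current value of each requested setting.
        return {k: self.state.get(k) for k in keys}

    def execute(self, command):
        # Apply a forwarded command and report completion.
        self.received.append(command["name"])
        self.state.update(command["desired_state"])
        return {"command": command["name"], "status": "completed"}


class PseudoDevice:
    """Cloud-side proxy that receives MDM commands on behalf of one physical device."""

    def __init__(self, device_id, device):
        self.device_id = device_id
        self.device = device
        self.profiles = {}  # provider name -> profile stored at provisioning
        self.audit = []     # assumption of this example: local record of each decision

    def provision(self, provider, register):
        # `register` is a hypothetical callable standing in for the provider's
        # enrollment endpoint: it takes a registration request and returns a profile.
        request = {"type": "register", "device_id": self.device_id}
        self.profiles[provider] = register(request)

    def handle_command(self, provider, command):
        # Choice made in this example: commands from a provider the pseudo-device
        # was never provisioned for are rejected outright.
        if provider not in self.profiles:
            raise PermissionError(f"{provider} is not provisioned on {self.device_id}")
        desired = command["desired_state"]
        current = self.device.query(desired.keys())
        if current == desired:
            # Device already matches the desired state: answer "completed"
            # without forwarding the command.
            forwarded = False
            response = {"command": command["name"], "status": "completed"}
        else:
            forwarded = True
            response = self.device.execute(command)
        self.audit.append(
            {"provider": provider, "command": command["name"], "forwarded": forwarded}
        )
        return response


def run_demo():
    # Constructed sample: passcode already enforced, camera still enabled.
    device = PhysicalDevice(state={"passcode_required": True, "camera_enabled": True})
    pseudo = PseudoDevice("device-001", device)
    pseudo.provision("mdm-1", lambda req: {"provider": "mdm-1", "device_id": req["device_id"]})
    r1 = pseudo.handle_command(
        "mdm-1", {"name": "RequirePasscode", "desired_state": {"passcode_required": True}}
    )
    r2 = pseudo.handle_command(
        "mdm-1", {"name": "DisableCamera", "desired_state": {"camera_enabled": False}}
    )
    return device, pseudo, r1, r2


if __name__ == "__main__":
    device, pseudo, r1, r2 = run_demo()
    print(r1, r2, pseudo.audit, sep="\n")
```

Both responses look identical to the MDM service provider; only the pseudo-device's own record shows that the first command never reached the physical device.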
As explained above, various aspects of the disclosure relate to providing mobile device management functionality. In other embodiments, however, the concepts discussed herein can be implemented in any other type of computing device (e.g., a desktop computer, a server, a console, a set-top box, etc.). Therefore, although the subject matter has been described in language specific to structural features and/or methodological acts, it should be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or steps described above. Rather, the specific features and acts described above are described as some example implementations of the following claims.
Claims (21)
1. A method of mobile device management, comprising:
establishing, in a cloud computing environment, a pseudo-device representing a physical end user device;
provisioning the pseudo-device for use with one or more mobile device management (MDM) service providers, wherein the pseudo-device, when provisioned, is configured to receive one or more commands from the one or more MDM service providers on behalf of the physical end user device;
receiving, at the pseudo-device, a first command from a first MDM service provider of the one or more MDM service providers, wherein the first command is for the physical end user device to perform an operation;
determining whether to send the first command to the physical end user device; and
in response to a determination not to send the first command to the physical end user device, sending, from the pseudo-device to the first MDM service provider, a response to the first command without sending the first command to the physical end user device, wherein the response to the first command includes an indication that the operation associated with the first command was completed by the physical end user device.
2. The method of claim 1, further comprising:
receiving, at the pseudo-device, a second command from the first MDM service provider of the one or more MDM service providers; and
sending, based on the second command, a third command from the pseudo-device to the physical end user device, the third command being different from the second command.
3. The method of claim 1,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein provisioning the pseudo-device for use with the two or more MDM service providers comprises:
sending a first registration request from the pseudo-device to a first MDM service provider of the two or more MDM service providers;
receiving, at the pseudo-device, a first policy enforcement configuration file from the first MDM service provider;
storing the first policy enforcement configuration file at the pseudo-device, the method further comprising:
provisioning the pseudo-device for use with a second MDM service provider of the two or more MDM service providers, comprising:
sending a second registration request from the pseudo-device to the second MDM service provider of the two or more MDM service providers, the second MDM service provider being different from the first MDM service provider;
receiving, at the pseudo-device, a second policy enforcement configuration file from the second MDM service provider, the second policy enforcement configuration file being different from the first policy enforcement configuration file; and
storing the second policy enforcement configuration file at the pseudo-device.
4. The method of claim 1,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein provisioning the pseudo-device comprises provisioning the pseudo-device for a first MDM service provider of the two or more MDM service providers, the method further comprising:
establishing, in the cloud computing environment, a different pseudo-device representing the physical end user device; and
provisioning the different pseudo-device for a second MDM service provider, wherein the second MDM service provider is different from the first MDM service provider, and wherein the different pseudo-device, when provisioned, is configured to receive one or more commands from the second MDM service provider on behalf of the physical end user device.
5. The method of claim 1, wherein determining whether to send the first command to the physical end user device further comprises:
sending a query command to the physical end user device, the query command requesting status information of the physical end user device;
determining whether the status information of the physical end user device matches desired status information; and
in response to a determination that the status information of the physical end user device matches the desired status information, generating the determination not to send the first command to the physical end user device.
6. The method of claim 1,
wherein the one or more MDM service providers include two or more MDM service providers,
the method further comprising:
receiving, at the pseudo-device, a second command from a first MDM service provider of the two or more MDM service providers,
wherein the second command is received during a period in which a policy enforcement configuration file associated with a second MDM service provider of the two or more MDM service providers is active on the physical end user device, the second MDM service provider being different from the first MDM service provider.
7. The method of claim 1, further comprising:
receiving, at the pseudo-device, resource data associated with the first MDM service provider of the one or more MDM service providers;
caching the resource data at the pseudo-device when a policy enforcement configuration file associated with the resource data is not currently active on the physical end user device; and
pushing the resource data from the pseudo-device to the physical end user device when the policy enforcement configuration file is currently active on the physical end user device.
8. The method of claim 1, further comprising:
receiving, at the pseudo-device, a second command from the first MDM service provider of the one or more MDM service providers;
modifying the first command to generate a modified command; and
sending the modified command from the pseudo-device to the physical end user device.
9. The method of claim 1, further comprising:
sending a selective erase command from the pseudo-device to the physical end user device,
wherein the selective erase command is configured to cause at least one of a subset of applications associated with the first MDM service provider of the one or more MDM service providers and data associated with the subset of applications to be deleted, and
wherein the selective erase command is configured to cause personal applications, data associated with the personal applications, and a policy enforcement configuration file associated with the first MDM service provider not to be deleted.
10. The method of claim 1,
wherein the one or more MDM service providers include two or more MDM service providers,
the method further comprising:
in response to receiving, at the pseudo-device, a request from the physical end user device that is initiated based on one of a user input or an indication that the physical end user device is located within a first geofence defined by a first MDM service provider of the two or more MDM service providers, deploying a first policy enforcement configuration file of the first MDM service provider and application data of the first MDM service provider from the pseudo-device to the physical end user device;
in response to receiving another request that is initiated based on one of another user input or an indication that the physical end user device is no longer located within the first geofence, withdrawing, from the physical end user device, the first policy enforcement configuration file of the first MDM service provider and the application data of the first MDM service provider; and
in response to receiving, at the pseudo-device, a new request from the physical end user device that is initiated based on one of a new user input or an indication that the physical end user device is located within a second geofence defined by a second MDM service provider of the two or more MDM service providers, deploying a second policy enforcement configuration file of the second MDM service provider and application data of the second MDM service provider from the pseudo-device to the physical end user device.
11. The method of claim 10, further comprising:
identifying a conflict between a policy of the first MDM service provider of the two or more MDM service providers and a policy of the second MDM service provider of the two or more MDM service providers;
resolving the conflict by performing one of the following:
applying a solution determined from a knowledge-based system of the cloud computing environment;
sending an alert to the physical end user device, the alert including one or more user-selectable commands for resolving the conflict; and
sending a mini-erase command to the physical end user device, wherein the mini-erase command is configured to cause at least a subset of the data causing the conflict to be deleted.
12. An apparatus for mobile device management, comprising:
a processor; and
a memory storing one or more instructions that, when executed by the processor, cause the apparatus to perform the following operations:
establishing, in a cloud computing environment, a pseudo-device representing a physical end user device;
provisioning the pseudo-device for use with one or more mobile device management (MDM) service providers, wherein the pseudo-device, when provisioned, is configured to receive one or more commands from the one or more MDM service providers on behalf of the physical end user device;
receiving, at the pseudo-device, a first command from a first MDM service provider of the one or more MDM service providers, wherein the first command is for the physical end user device to perform an operation;
determining whether to send the first command to the physical end user device; and
in response to a determination not to send the first command to the physical end user device, sending, from the pseudo-device to the first MDM service provider, a response to the first command without sending the first command to the physical end user device, wherein the response to the first command includes an indication that the operation associated with the first command was completed by the physical end user device.
13. The apparatus of claim 12, wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
receiving, at the pseudo-device, a second command from the first MDM service provider of the one or more MDM service providers; and
sending, based on the second command, a third command from the pseudo-device to the physical end user device, the third command being different from the second command.
14. The apparatus of claim 12,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
sending a first registration request from the pseudo-device to a first MDM service provider of the two or more MDM service providers;
receiving, at the pseudo-device, a first policy enforcement configuration file from the first MDM service provider;
storing the first policy enforcement configuration file at the pseudo-device;
sending a second registration request from the pseudo-device to a second MDM service provider of the two or more MDM service providers, the second MDM service provider being different from the first MDM service provider;
receiving, at the pseudo-device, a second policy enforcement configuration file from the second MDM service provider, the second policy enforcement configuration file being different from the first policy enforcement configuration file; and
storing the second policy enforcement configuration file at the pseudo-device.
15. The apparatus of claim 12,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein provisioning the pseudo-device comprises provisioning the pseudo-device for a first MDM service provider of the two or more MDM service providers, and wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
establishing, in the cloud computing environment, a different pseudo-device representing the physical end user device; and
provisioning the different pseudo-device for a second MDM service provider, wherein the second MDM service provider is different from the first MDM service provider, and wherein the different pseudo-device, when provisioned, is configured to receive one or more commands from the second MDM service provider on behalf of the physical end user device.
16. The apparatus of claim 12, wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
sending a query command to the physical end user device, the query command requesting status information of the physical end user device;
determining whether the status information of the physical end user device matches desired status information; and
in response to a determination that the status information of the physical end user device matches the desired status information, generating the determination not to send the first command to the physical end user device.
17. The apparatus of claim 12,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
receiving, at the pseudo-device, a second command from a first MDM service provider of the two or more MDM service providers,
wherein the second command is received during a period in which a policy enforcement configuration file associated with a second MDM service provider of the two or more MDM service providers is active on the physical end user device, the second MDM service provider being different from the first MDM service provider.
18. The apparatus of claim 12, wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
receiving, at the pseudo-device, resource data associated with the first MDM service provider of the one or more MDM service providers;
caching the resource data at the pseudo-device when a policy enforcement configuration file associated with the resource data is not currently active on the physical end user device; and
pushing the resource data from the pseudo-device to the physical end user device when the policy enforcement configuration file is currently active on the physical end user device.
19. The apparatus of claim 12, wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
sending a selective erase command from the pseudo-device to the physical end user device,
wherein the selective erase command is configured to cause at least one of a subset of applications associated with the first MDM service provider of the one or more MDM service providers and data associated with the subset of applications to be deleted, and
wherein the selective erase command is configured to cause personal applications, data associated with the personal applications, and a policy enforcement configuration file associated with the first MDM service provider not to be deleted.
20. The apparatus of claim 12,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
in response to receiving, at the pseudo-device, a request from the physical end user device that is initiated based on one of a user input or an indication that the physical end user device is located within a first geofence defined by a first MDM service provider of the two or more MDM service providers, deploying a first policy enforcement configuration file of the first MDM service provider and application data of the first MDM service provider from the pseudo-device to the physical end user device;
in response to receiving another request that is initiated based on one of another user input or an indication that the physical end user device is no longer located within the first geofence, withdrawing, from the physical end user device, the first policy enforcement configuration file of the first MDM service provider and the application data of the first MDM service provider; and
in response to receiving, at the pseudo-device, a new request from the physical end user device that is initiated based on one of a new user input or an indication that the physical end user device is located within a second geofence defined by a second MDM service provider of the two or more MDM service providers, deploying a second policy enforcement configuration file of the second MDM service provider and application data of the second MDM service provider from the pseudo-device to the physical end user device.
21. The apparatus of claim 12,
wherein the one or more MDM service providers include two or more MDM service providers, and
wherein the memory stores one or more additional instructions that, when executed by the processor, further cause the apparatus to perform the following operations:
identifying a conflict between a policy of the first MDM service provider of the two or more MDM service providers and a policy of the second MDM service provider of the two or more MDM service providers;
resolving the conflict by performing one of the following:
applying a solution determined from a knowledge-based system of the cloud computing environment;
sending an alert to the physical end user device, the alert including one or more user-selectable commands for resolving the conflict; and
sending a mini-erase command to the physical end user device, wherein the mini-erase command is configured to cause at least a subset of the data causing the conflict to be deleted.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910424505.3A CN110149634A (en) | 2013-12-31 | 2013-12-31 | The method and apparatus of mobile device management |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/US2013/078457 WO2015102608A2 (en) | 2013-12-31 | 2013-12-31 | Providing mobile device management functionalities |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910424505.3A Division CN110149634A (en) | 2013-12-31 | 2013-12-31 | The method and apparatus of mobile device management |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106031128A (en) | 2016-10-12 |
CN106031128B (en) | 2019-06-14 |
Family ID=50033775
Family Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910424505.3A Pending CN110149634A (en) | 2013-12-31 | 2013-12-31 | The method and apparatus of mobile device management |
CN201380082058.9A Active CN106031128B (en) | 2013-12-31 | 2013-12-31 | The method and apparatus of mobile device management |
Family Applications Before (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910424505.3A Pending CN110149634A (en) | 2013-12-31 | 2013-12-31 | The method and apparatus of mobile device management |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP3090338A2 (en) |
CN (2) | CN110149634A (en) |
WO (1) | WO2015102608A2 (en) |
Families Citing this family (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10389847B1 (en) | 2015-12-23 | 2019-08-20 | Mitel Networks, Inc. | Provisioning resources in a communications system |
US10873511B2 (en) * | 2016-11-22 | 2020-12-22 | Airwatch Llc | Management service migration for managed devices |
KR102120868B1 (en) * | 2017-08-09 | 2020-06-09 | 삼성전자주식회사 | System for providing Function as a service and operating method for the same |
CN110830538B (en) * | 2018-08-13 | 2022-06-14 | 华为技术有限公司 | Message transmission method, device and storage medium |
CN109274684B (en) * | 2018-10-31 | 2020-12-29 | 中国—东盟信息港股份有限公司 | Internet of things terminal system based on integration of eSIM communication and navigation service and implementation method thereof |
CN110110970A (en) * | 2019-04-12 | 2019-08-09 | 平安信托有限责任公司 | Virtual resource risk rating method, system, computer equipment and storage medium |
CN111093183B (en) | 2019-11-13 | 2022-02-11 | 华为技术有限公司 | Mobile equipment management method and equipment |
CN112000397A (en) * | 2020-08-17 | 2020-11-27 | 北京双洲科技有限公司 | Mobile terminal system architecture and control method thereof |
EP4205414A4 (en) * | 2020-08-27 | 2024-04-10 | App-Pop-Up Inc. | A system for providing a mobile device with remote or proxy access to merchant aprs and/or automatic registration on merchant aprs based on location parameters |
WO2024044836A1 (en) * | 2022-08-31 | 2024-03-07 | Edgegap Technologies Inc. | Computing entity, node and method for overcoming asynchrony errors in a network |
CN115883259B (en) * | 2023-02-23 | 2023-04-28 | 成都万创科技股份有限公司 | Mobile equipment management and control method and device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1894897A (en) * | 2003-09-29 | 2007-01-10 | 瑞姆系统公司 | Mobility device server |
CN102663842A (en) * | 2012-04-09 | 2012-09-12 | 李凯 | Method for mobile device to control multiple external devices |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060014530A1 (en) * | 2004-07-16 | 2006-01-19 | Denenberg Lawrence A | Personal server |
US8019995B2 (en) * | 2007-06-27 | 2011-09-13 | Alcatel Lucent | Method and apparatus for preventing internet phishing attacks |
US9451454B2 (en) * | 2012-01-05 | 2016-09-20 | International Business Machines Corporation | Mobile device identification for secure device access |
2013
Filing Date | Application | Publication | Status |
---|---|---|---|
2013-12-31 | WO PCT/US2013/078457 | WO2015102608A2 | Active (Application Filing) |
2013-12-31 | EP13826916.2A | EP3090338A2 | Not active (Withdrawn) |
2013-12-31 | CN201910424505.3A | CN110149634A | Active (Pending) |
2013-12-31 | CN201380082058.9A | CN106031128B | Active |
Non-Patent Citations (1)
Title |
---|
"A mobile device management framework for secure service delivery"; AMSTERDAM, NL; Information Security Technical Report; 20080801; Vol. 13, No. 3; full text |
Also Published As
Publication number | Publication date |
---|---|
CN106031128A (en) | 2016-10-12 |
WO2015102608A2 (en) | 2015-07-09 |
CN110149634A (en) | 2019-08-20 |
EP3090338A2 (en) | 2016-11-09 |
WO2015102608A3 (en) | 2015-12-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11722465B2 (en) | Password encryption for hybrid cloud services | |
CN105308923B (en) | Data management to the application with multiple operating mode | |
AU2018318922B2 (en) | Extending single-sign-on to relying parties of federated logon providers | |
CN106031128B (en) | The method and apparatus of mobile device management | |
CN105340309B (en) | Application with multiple operator schemes | |
CN105247531B (en) | Managed browser is provided | |
CN105379223B (en) | Manage the method and apparatus to the access of ERM | |
EP2979417B1 (en) | Providing mobile device management functionalities | |
CN106471783B (en) | Via the business system certification and authorization of gateway | |
US8910264B2 (en) | Providing mobile device management functionalities | |
CN105393524B (en) | Image analysis and management | |
US9985850B2 (en) | Providing mobile device management functionalities | |
CN105308573B (en) | Generally existing cooperation in managed application | |
US20150199515A1 (en) | Evaluating application integrity | |
US20200219023A1 (en) | Deploying and Implementing Enterprise Policies That Control Augmented Reality Computing Functions | |
CN105340239A (en) | Mobile device locking with context | |
US8813179B1 (en) | Providing mobile device management functionalities |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |