The present description relates to methods and systems for data usage accounting and more particularly, to methods and systems for data usage accounting in computing devices with secure enterprise applications and personal applications.
In an effort to increase productivity, many employers allow their workers to conduct business related to the employer on their personal mobile devices. In some cases, employers also provide some of their employees with company-issued mobile devices. In either arrangement, an employer understands that a single device may include sensitive data related to that employer in addition to data that is personal to the employee. Several advances have been made in an effort to protect an employer's data in these circumstances. For example, OpenPeak Inc. of Boca Raton, Fla. has developed solutions that enable a mobile device to include both enterprise and personal data but that isolate the enterprise data from the personal data. As part of these solutions, an employee may download secure applications that may be used to conduct transactions related to the enterprise.
Because the employee's device may include both personal and secure applications, it may be necessary to bifurcate the process of data usage accounting. In particular, the employer may wish to receive an accounting of the data usage associated with the secure applications that have been installed on the employee's device on behalf of the employer. This accounting may be separate from data accounting that may be attributable to unsecure applications that the employee may have installed for personal use. Unfortunately, there is no solution available for tracking data usage with respect to certain system services that may be requested by the secure applications.
A method of data usage accounting is described herein. This method may be particularly applicable in a setting that includes both secure applications and unsecure applications, although it is not limited to such a configuration. Via one of the secure applications, a request to access data can be received in which the request is intended for a content provider via a system service. The request that is intended for the content provider via the system service can be intercepted and modified to cause the system service to direct the request back to the secure application instead of the content provider. Further, a connection can be established with the content provider for the request through the secure application to enable data usage accounting of data that is returned by the content provider. An amount of data that is carried over the established connection and that is associated with the secure application can be determined. As an example, the amount of data that is determined in relation to the secure application can be separate from an amount of data that is determined on behalf of one or more unsecure applications.
Establishing the connection with the content provider can include establishing a secure connection with the content provider through the secure application. As an example, the secure connection with the content provider can be a virtual private network (VPN) connection that is individual to the secure application. The method can also include the steps of receiving content from the content provider at the secure application and forwarding the received content from the content provider to the system service for processing. As another example, modifying the intercepted request can include modifying an original uniform resource identifier (URI) of the request by changing the URI associated with the content provider.
In another embodiment, the method can also include the steps of receiving data from the content provider over the established connection and reading the data to determine whether a redirect from the content provider is present. If (or when) a redirect from the content provider is detected, the redirect from the content provider can be modified to ensure that the system service will direct the redirect to the secure application. Receiving data from the content provider may include receiving from the content provider a playlist that includes a plurality of original URIs, and modifying the redirect can include modifying at least some of the URIs of the playlist. In one non-limiting example, the system service can be a media playback service, and the media playback service is a system application that is also an unsecure application.
Another method of data usage accounting in a computing device that has one or more secure applications installed thereon is presented herein. This method can include the steps of receiving an original URI request through one of the secure applications, intercepting the original URI request and modifying the original URI request such that the modified original URI request is to be directed back to the secure application once the modified original URI request has been initially processed by a system service. The method can also include the step of tracking data usage associated with the modified original URI request.
In one embodiment, the modified original URI request can be converted back to the original URI request and a connection can be established between the secure application and a content provider for the original URI request. The computing device can also have one or more unsecure applications installed thereon. Tracking data usage associated with the modified original URI can include tracking data usage associated with the modified original URI through the secure application. The method can also include the step of segregating the data usage tracking associated with the modified original URI from data usage tracking associated with the unsecure applications. Moreover, establishing the connection between the secure application and the content provider can include establishing a secure connection between the secure application and the content provider. As an example, the secure connection can be individual to the secure application.
Yet another method of data usage accounting on a computing device is described herein. On a computing device that has secure applications and unsecure applications installed thereon, multiple sessions of the secure applications can be conducted. An amount of data that is consumed during the sessions of the secure applications can be determined. A data usage total can be tallied for the secure application sessions such that the data usage total for the secure applications is separate from a data usage total associated with the unsecure applications.
A computing device is also described herein. The computing device can include a display that is configured to display both secure and unsecure applications that are installed on the computing device. The device can also include a processing unit that is communicatively coupled to the display. The processing unit can be configured to receive a data access request through one of the secure applications in which the data request is supported by an unsecure application that is a system service of the computing device. The processing unit can also be configured to cause the data access request to be intercepted prior to processing by the unsecure application and to cause the data access request to be modified. Such a modification can cause the unsecure application to direct the data access request to the secure application instead of an intended location of the data access request. The processing unit can also be configured to cause a connection between the secure application and the intended location of the data access request to be established. The computing device may also include a calculation unit communicatively coupled to the processing unit. The calculation unit can be configured to determine an amount of data that is associated with the data access request through the secure application.
As an example, the connection between the secure application and the intended location of the data access request can be a VPN connection that is individual to the secure application. As another example, the data access request can be a uniform resource locator (URL) based on hypertext transfer protocol (HTTP) or hypertext transfer protocol secure (HTTPS). The computing device can also include memory that can be associated with the secure application and can be configured to store the data access request for mapping the data access request to the modified data access request. In one embodiment, the processing unit can be further configured to convert the modified data access request back to its original form to establish the connection between the secure application and the intended location.
Further features and advantages, as well as the structure and operation of various embodiments, are described in detail below with reference to the accompanying drawings. It is noted that this description is not limited to the specific embodiments presented herein. Such embodiments are provided for illustrative purposes only. Additional embodiments will be apparent to persons skilled in the relevant art(s) based on the teachings contained herein.
The accompanying drawings, which are incorporated herein and form part of the specification, illustrate embodiments of the subject matter described herein and, together with the description, further serve to explain the principles of such subject matter and to enable a person skilled in the relevant art(s) to make and use the subject matter.
The features and advantages of the embodiments herein will become more apparent from the detailed description set forth below when taken in conjunction with the drawings, in which like reference characters identify corresponding elements throughout. In the drawings, like reference numbers generally indicate identical, functionally similar, and/or structurally similar elements.
The following detailed description refers to the accompanying drawings that illustrate exemplary embodiments; however, the scope of the present claims is not limited to these embodiments. Thus, embodiments beyond those shown in the accompanying drawings, such as modified versions of the illustrated embodiments, may nevertheless be encompassed by the present claims.
References in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” “one arrangement,” “an arrangement” or the like, indicate that the embodiment or arrangement described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment or arrangement. Furthermore, when a particular feature, structure, or characteristic is described in connection with an embodiment or arrangement, it is submitted that it is within the knowledge of one skilled in the art to implement such feature, structure, or characteristic in connection with other embodiments or arrangements whether or not explicitly described. The word “among,” as it is used throughout this description, should not necessarily be interpreted as requiring exchanges or interaction among three or more applications, irrespective of grammar rules. The word “a” is not necessarily limited to a singular instance of something, as it may mean one or more.
Several definitions that apply throughout this document will now be presented. The term “exemplary” as used herein is defined as an example or an instance of an object, apparatus, system, entity, composition, method, step or process. The term “communicatively coupled” is defined as a state in which two or more components are connected such that communication signals are able to be exchanged (directly or indirectly) between the components in a unidirectional or bidirectional (or multi-directional) manner, either wirelessly, through a wired connection or a combination of both. A “computing device” is defined as a component that is configured to perform some process or function for a user and includes both mobile and non-mobile devices. The term “computer readable storage medium” is defined as one or more components that are configured to store instructions that are to be executed by one or more processing units.
An “application” is defined as a program or programs that perform one or more particular tasks on a computing device. Examples of an application include programs that may present a user interface for interaction with a user or that may run in the background of an operating environment that may not present a user interface while in the background. The term “operating system” is defined as a collection of software components that directs a computing device's operations, including controlling and scheduling the execution of other programs and managing storage, input/output and communication resources. A “processing unit” or “processor” is defined as one or more components that execute sets of instructions, and the components may be disparate parts or part of a whole unit and may not necessarily be located in the same physical location.
The terms “memory,” “memory element” or “repository” are defined as one or more components that are configured to store data, either on a temporary or persistent basis. The term “shared memory” is memory, a memory element or a repository that is accessible (directly or indirectly) by two or more applications or other processes. An “interface” is defined as a component or a group of components that enable(s) a device to communicate with one or more different devices, whether through hard-wired connections, wireless connections or a combination of both. An “input/output device” is defined as a device that is configured to at least receive input from a user or a machine that is intended to cause some action or other effect on a component with which the input device is associated. A “display” is defined as an apparatus that presents information in visual form and may or may not receive input through a touch screen.
The term “file system” is defined as an abstraction that is used to organize, store and retrieve data. The term “secure application” is defined as an application that has been modified from its original form to restrict communications between the application and unauthorized programs, applications or devices and to restrict operation of the application based on policy or to alter, augment or add features associated with the operation of the application (or any combination thereof) or—in the case of the application not being modified—an application that is part of a secure workspace that is protected from data exchanges with applications that are part of a personal or an unsecure workspace. A “target application” is defined as an application that has been selected for conversion into a secure application. An “unsecure application” is defined as an application that has not undergone the modification required to convert the application into a secure application and, as such, is unable to obtain data from a secure application in view of an obfuscation scheme employed by that secure application or is an application that is not part of a secure workspace and is restricted from accessing data from the secure workspace. A “virtual machine” is defined as a platform-independent execution environment that emulates a physical machine.
The term “personal workspace” is defined as a workspace, profile or partition that is configured to contain the personal content and unsecure applications or other unsecure programs associated with a user of a computing device on which the personal workspace sits. The term “secure workspace” is defined as a workspace, profile or partition that is configured to contain secure content, secure applications and other secure programs and requires some form of authentication to be accessed.
The term “content provider” is defined as a site that offers data for consumption by a computing device. The term “system service” is defined as an application or a set of applications on a computing device that offer one or more features for access by an unsecure application or a secure application. A “secure connection” is defined as a connection in which at least some portion of the data that is exchanged over the connection is encrypted or otherwise obfuscated from unauthorized parties, entities or processes. To “consume data” means to receive data from a source, transmit data to a recipient or both.
As explained earlier, solutions have been developed that enable a mobile device to include both personal and enterprise data. Accordingly, it may be useful to segregate data usage accounting associated with the enterprise side from usage associated with the personal space. This process can enable an enterprise to determine how much data that is consumed by the mobile device is the responsibility of the enterprise.
In view of this need, a method and system for data usage accounting are described herein. As an example, the method can be practiced in a setting that includes both secure applications and unsecure applications. Via one of the secure applications, a request to access data can be received in which the request is intended for a content provider via a system service. The request that is intended for the content provider via the system service can be intercepted and modified, which can cause the system service to direct the request back to the secure application instead of the content provider. In addition, a connection can be established with the content provider for the request through the secure application to enable data usage accounting of data that is returned by the content provider.
Through this arrangement, data tracking can be conducted for virtually any secure application or otherwise any application associated with an enterprise. This tracking can also be kept apart from any accounting performed for a user's personal usage. Accordingly, an enterprise can accurately determine its accountability for data usage by a computing device that includes both enterprise and personal data.
Referring to
In one arrangement, the hardware layer 20 may include any number and type of hardware components, such as one or more displays 55, one or more input/output (I/O) devices 60, one or more processing units 65 and any suitable type and number of memory devices 70 and interfaces 75. Examples of the I/O devices 60 include speakers, microphones, physical keypads, etc. In addition, the display 55 can serve as an I/O device 60 in the form of a touch-screen display. The interfaces 75 can be configured to support various types of communications, including wired or wireless and through any suitable type of standards and protocols. In one arrangement, the hardware layer 20 may also include a calculation unit 77, which can be configured to calculate or determine (or at least assist in the determination or calculation of) data usage totals associated with any type of session conducted on the computing device 15, including those originating from the application layer 50. The calculation unit 77 may be a separate component or may be part of the processing unit 65. In another arrangement, the calculation unit 77 may be remotely located such that it is external to the computing device 15. In such a case, information regarding the sessions may be sent to a remote location that supports the calculation unit 77, and the unit 77 can perform its calculation functions once it receives the information.
In addition, the runtime environment 35 can support any suitable number of virtual machines 80 and core libraries 85, although a virtual machine may not be needed in other arrangements, such as where native code is employed. The system server 40 can serve as an abstraction for the underlying layers for the applications in the application layer 50 and can provide numerous system services for the applications. In this example, the application layer 50 may include any number of unsecure applications 90 and any number of secure applications 95, one of which may be a core secure application 100. The secure framework 45 can function in a manner similar to that of a conventional framework, but the secure framework 45 can facilitate the encapsulation of a number of secure applications 95 to selectively restrict their data exchanges with the unsecure applications 90. In particular, the secure framework 45 can be configured to intercept and modify certain calls from the secure applications 95, prior to passing them to the system server 40.
In many cases, the unsecure applications 90 are associated with the personal data of a user of the computing device 15. In contrast, the secure applications 95 are typically associated with confidential or otherwise sensitive information that belongs to or is associated with an enterprise or some other organization, and the user of the device 15 may work for such an entity. In one arrangement, a virtual partition or workspace may be created on the computing device 15 in which the secure applications 95 (and the core secure application 100) are part of a secure workspace 105, and the unsecure applications 90 are part of a personal workspace 110. In certain cases, a user may be required to provide authentication information, such as a password, PIN or biometric data, to gain access to the secure workspace 105 or to any individual or group of secure applications 95.
In some cases, some of the unsecure applications 90 may be system services 115 that provide features or functionality that is associated with the type of operating system that is installed on the computing device 15. In some cases, the system service 115 may be an application or a set of applications that live in the background and support different tasks associated with the operating system of the device 15. System services 115 may facilitate the exposure of low-level functions of the hardware layer 20 and the kernel layer 25 to the higher-level application layer 50. Many system services 115 may operate with elevated privileges, in comparison to other applications. For example, a common system service 115 that is typically found on computing devices 15 is a media player, which processes and presents media data for a user. Another example of a system service 115 may be a photo viewer, which presents digital images for the user. As those skilled in the art will appreciate, the examples listed here are not meant to be limiting, and there are other system services 115 that may be available on the computing device 15.
In another embodiment, the system services 115 may be trusted unsecure applications 90 that secure applications 95 are permitted to share or otherwise exchange data with. An example of a trusted unsecure application 90 may be an unsecure application 90 that is by default installed on the computing device 15, such as by the manufacturer of the device 15 or a wireless carrier or other entity that provides services to the device 15. Another example of a trusted unsecure application 90 may be an unsecure application 90 that is listed on an application whitelist for one or more secure applications 95. By being part of the application whitelist, the trusted unsecure application 90 may be preapproved for data exchange with the relevant secure application(s) 95. Additional information on application whitelisting can be found in U.S. patent application No. 61/973,898, filed on Apr. 2, 2014, which is incorporated by reference herein in its entirety.
As noted above, the secure applications 95 and the system architecture may be configured to enable at least some of the calls to the system server 40 to be intercepted. Several techniques are available for such interception. For example, U.S. patent application No. 62/033,142, which was filed on Aug. 5, 2014 and is herein incorporated by reference in its entirety, describes a method and system in which some of the system classes are overridden by classes associated with the core secure application 100, which can allow runtime hooks to be applied against certain system calls. Based on this technique, some of the calls that the secure applications 95 make to the system services 115 can be intercepted and modified, a process that will be described below.
As another example, U.S. patent application Ser. No. 14/205,661, which was filed on Mar. 12, 2014, and U.S. patent application Ser. No. 14/205,686, which was also filed on Mar. 12, 2014, each of which is herein incorporated by reference in its entirety, present methods and systems by which target applications are encapsulated as secure applications for distribution. Once installed and initiated on a computing device 15, the encapsulated application described in these references is loaded into memory, and runtime hooks are set to enable application programming interface (API) calls from the secure application to be intercepted. Similar to the description above, at least some of the calls to the system services 115 from the secure applications 95 can be modified once they are intercepted. Other information on the process of intercepting certain functions of secure applications can be found in U.S. Pat. No. 8,695,060, issued on Apr. 8, 2014, which is also herein incorporated by reference in its entirety.
As described in these incorporated references, a secure application 95 can be configured to provide additional features that may not have been otherwise available prior to it being converted into a secure application 95. As an example, a secure application 95 can be arranged to track the amount of data that it uses for a particular session. This process enables an administrator to determine data usage on a per-application basis. Of course, secure applications 95 may be managed in accordance with many other policies or configurations, as is known in the art.
While many applications (or target applications) are able to be converted into secure applications 95, there are some applications that may not be so modified. For example, many system services 115 are default applications that are provided as part of the base configuration of the computing device 15. The developer of the operating system that provides these system services 115 may not permit the system services 115 to be converted into secure applications 95. As such, many system services 115 may remain as unsecure applications 90 on the computing device 15. Accordingly, the operation of a system service 115 may not be amenable to being controlled or managed, as is the case with secure applications 95. The relevance of this condition will be explained below.
Referring to
When operating the computing device 15, a user may wish to access data from any one of the remote servers 205. In some cases, the data access request may originate from an unsecure application 90. In the standard flow, the unsecure application 90 may sometimes forward the request to a relevant system service 115. For example, if a user wishes to view a video associated with one of the remote servers 205 through an unsecure application 90, the unsecure application 90 passes the request to a media player of the computing device 15. The media player then retrieves the data from the appropriate server 205 and presents such data to the user.
In the case of a secure application 95, a similar request would normally be passed to the media player, as well. In addition, the media player would conventionally establish a connection with the relevant remote server 205 and would present the requested data to the user. But because the system services 115 are typically not permitted to be converted into secure applications 95, implementing the feature of data accounting in them, as can be done with secure applications 95, may not be possible. In this instance, difficulties are presented in determining the percentage of data usage that is associated with secure applications 95 in comparison to the consumption of data by unsecure applications 90.
A solution is described here, however, that enables such an accounting to take place. In particular, the initial data request from the secure application 95 can be intercepted and modified prior to being passed to the media player. In view of the modification, the media player (or other system service 115) can direct the request back to the secure application 95, and a connection can be established between the secure application 95 and the appropriate remote server 205 to facilitate the exchange of data between the secure application 95 and the remote server 205. This redirection of the request through the secure application 95 can enable an accounting of the amount of data that is associated with this particular session, a feature that can be incorporated into secure applications 95. Accordingly, an accurate accounting of data usage associated with at least some or all secure applications 95 on the computing device 15 is now possible.
This arrangement can enable an entity to determine the percentage of data usage that is attributable to it and to the user on a personal basis. Because data usage may be segregated between enterprise use and personal use, the enterprise may be able to craft more accurate data plans with wireless carriers or other similar entities. Moreover, the user, who may own the computing device 15, would understand that the user would not be charged for data usage associated with that user's work or business and that the user would only be paying for personal data consumption.
Referring to
At step 305, in a setting that includes both secure applications and unsecure applications, a request to access data can be received via one of the secure applications in which the request is intended for a content provider via a system service. The request intended for the content provider via the system service can be intercepted, as shown at step 310. At step 315, the intercepted request can be modified, which can cause the system service to direct the request back to the secure application instead of the content provider. A connection can be established with the content provider for the request through the secure application to enable data usage accounting of data that is returned by the content provider, as shown at step 320. Additionally, at step 325, content from the content provider can be received at the secure application, and the received content from the content provider can be forwarded to the system service for processing, as shown at step 330. An amount of data that is carried over the established connection associated with the secure application can be determined, as shown at step 335.
Referring to
In
Based on conventional techniques, the uniform resource identifier (URI) related to this data request may be a uniform resource locator (URL) with the associated content available via the hypertext transfer protocol (HTTP) or the hypertext transfer protocol secure (HTTPS). As part of the modification process, the URL may be changed prior to being passed to the system service 115. The modification of the URL, in one embodiment, may be based on a port number that is provided by the operating system. For example, the secure application 95 may create a listening socket on a loopback interface by requesting a socket and port number from the operating system. As is known in the art, the loopback interface can support inter-process or inter-app communications on the computing device 15. The requested port may be a predetermined value or may be simply a request to the operating system to provide an available port number. Continuing with the example, the URL may be converted into a local-host URL that includes the assigned port number and the rest of the information from the original URL. The modified URL may then be passed across to the system service 115, in this case, the media player. As will be explained later, multiple listening sockets and ports may be requested from the operating system as part of this process.
Consider the following specific but non-limiting example. A user may select a link through a secure application 95, which may have the following exemplary URL associated with it:
http://www.youtube.com/watch?v=uWHRqspFke0
As noted earlier, the secure application 95 may request a socket and port value from the operating system, and the port value can factor into the modified URL. In this example, the original URL may be transformed into the following local-host URL:
http://localhost:4444?t=www.youtube.com&p=watch&r=v=uWHRqspFke0
Here, the port value “4444” is now part of the URL string, which can cause the system service 115 to point back to this port created by the secure application 95. In addition, as can be seen, the original hostname can be encoded in the “t=” parameter, the original path can be encoded in the “p=” parameter and the original parameters can be encoded in the “r=” parameter. Thus, the modified URL can include the port value, and the remote information can be added as parameters in the modified URL. A similar example for an HTTPS request will be presented below.
In some arrangements, as part of this process, the secure application 95 can create a proxy when the data is initially requested through the secure application 95. The proxy can act as the intermediary between the system service 115 and the remote server 205. In doing so, the proxy may listen in on any sockets that were created for the overall modification of the data access request. As an example, each secure application 95 can be individually configured to generate the proxy for relevant data requests that it receives.
In another arrangement, the secure application 95 may record a copy of the information associated with the original data request and can map that information to the redirect address that has been created. For example, in the example above, the secure application 95 may record the information associated with the original URL in any suitable database, such as the memory 70 of
Moving back to
As previously noted, the secure application 95 may be configured to track data usage. In this case, the secure application 95 can determine an amount of data that is carried over the connection that is established with the remote server 205. This can include both incoming (i.e., from remote server 205 to secure application 95) and outgoing (i.e., from secure application 95 to remote server 205) content. For example, the calculation unit 77 of
If the secure applications 95 are associated with an enterprise, the enterprise can determine the amount of data usage that is tied to each of its secure applications 95. This feature can enable the enterprise to determine data usage on the device 15 that is solely attributable to it. As a result, data usage tracking associated with the secure applications can be segregated from data usage that originates from the unsecure applications.
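The loopback listening socket and the per-direction byte counting described above can be sketched as follows. This is an added example, not code from the patent: the names (`Usage`, `open_loopback_listener`, `relay_once`), the sample traffic and the plain-TCP stand-in for the remote server 205 are assumptions made so the example runs offline.

```python
import socket
import threading

# Constructed sample traffic (not from the original page).
REQUEST = b"GET /watch?v=uWHRqspFke0 HTTP/1.1\r\nHost: www.youtube.com\r\n\r\n"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Length: 5000\r\n"
            b"Connection: close\r\n\r\n" + b"x" * 5000)


class Usage:
    """Byte totals for one secure application; each field has one writer thread."""
    def __init__(self):
        self.outgoing = 0  # secure application -> remote server
        self.incoming = 0  # remote server -> secure application


def open_loopback_listener(port=0):
    """Listen on the loopback interface; port 0 asks the OS for any free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def pump(src, dst, usage, field):
    """Copy src to dst until EOF, counting each chunk as it crosses the relay."""
    while True:
        chunk = src.recv(4096)
        if not chunk:
            break
        setattr(usage, field, getattr(usage, field) + len(chunk))
        dst.sendall(chunk)
    try:
        dst.shutdown(socket.SHUT_WR)  # propagate EOF to the other side
    except OSError:
        pass  # peer has already closed


def relay_once(listener, remote_addr, usage):
    """Accept one connection from the system service and relay it to the remote."""
    local, _ = listener.accept()
    with local, socket.create_connection(remote_addr) as remote:
        up = threading.Thread(target=pump, args=(local, remote, usage, "outgoing"))
        up.start()
        pump(remote, local, usage, "incoming")
        up.join()


def stand_in_provider(listener):
    """Stand-in for the remote server: read one request, send RESPONSE, close."""
    conn, _ = listener.accept()
    with conn:
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = conn.recv(4096)
            if not data:
                break
            buf += data
        conn.sendall(RESPONSE)


def run_demo():
    provider, provider_port = open_loopback_listener()
    listener, port = open_loopback_listener()   # port chosen by the OS
    usage = Usage()
    workers = [
        threading.Thread(target=stand_in_provider, args=(provider,)),
        threading.Thread(target=relay_once,
                         args=(listener, ("127.0.0.1", provider_port), usage)),
    ]
    for w in workers:
        w.start()
    # Stand-in for the system service, which was pointed at localhost:<port>.
    with socket.create_connection(("127.0.0.1", port)) as service:
        service.sendall(REQUEST)
        body = b""
        while chunk := service.recv(4096):
            body += chunk
    for w in workers:
        w.join()
    provider.close()
    listener.close()
    return usage, body


if __name__ == "__main__":
    usage, _ = run_demo()
    print("outgoing bytes:", usage.outgoing, "incoming bytes:", usage.incoming)
```

Keeping one `Usage` object per secure application gives the per-application totals that can then be summed separately from any personal-application usage.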
In one embodiment, the connection that is established between the secure application 95 and the remote server 205 can be a secure connection. For example, as is known in the art, the secure application 95 can be configured to establish virtual private network (VPN) connections with remote locations. Such a VPN connection is individual to the secure application 95 and is different from a system-level VPN. If desired, however, the connection between the secure application 95 and the remote server 205 is not required to be a secure connection. In addition, in another embodiment, the secure application 95 may use a system-level VPN.
The description above may apply to other protocols that facilitate the exchange of data. For example, HTTPS traffic may also be tracked in accordance with the procedures presented herein. In one embodiment, additional steps can be taken when dealing with HTTPS traffic to ensure accurate and complete accounting. For example, if a user is accessing an HTTPS link through the secure application 95, the original URL may be modified similar to the HTTP examples above, but the connection between the system service 115 and the secure application 95 may be left in the open.
Consider the following example. If an HTTPS request is generated, the secure application 95 can convert the HTTPS request to an HTTP request when the secure application 95 modifies the URL for purposes of directing the system service 115 back to the secure application 95. That is, the secure application 95 can change the connection type of the data request from a secure connection to an open connection when the data request is modified. Referring back to the URL example above, the following HTTPS URL may be received:
https://www.youtube.com/watch?v=uWHRqspFke0
The secure application 95 can determine that this is an HTTPS request and can modify the URL. An exemplary conversion is presented here:
http://localhost:4444?s=www.youtube.com&p=watch&r=v=uWHRqspFke0
As reflected in the string, the HTTPS request is converted to an HTTP request. As a result, the connection between the system service 115 and the secure application 95 can be out in the open. As will be explained below, this feature can enable the secure application 95 to handle re-directs from the remote server 205.
As can also be seen in the string, the “s=” parameter can provide an indication that the original URL was an HTTPS request. Accordingly, when the secure application 95 establishes the connection between it and the remote server 205, an HTTPS connection can be created. In other words, the system service 115 may not be responsible for establishing the HTTPS connection, and the secure application 95 may be in control of any security-related handshaking and getting the encryption keys in place. The session between the secure application 95 and the remote server 205 can be a transport layer security (TLS) connection, which can terminate at the secure application 95.
As explained earlier, the secure application 95 may be configured to arrange VPN connections in an individual manner. Such an application-level VPN can support any type of traffic that is exchanged between the secure application 95 and the remote server 205, including both HTTP and HTTPS streams. In other words, the ability of the secure application 95 to provide an application-level VPN does not impede the ability of the secure application 95 to modify data access requests and then convert them back to their original form, as described above. Further, these techniques can be practiced if the secure application 95 is using a system-level VPN or is not relying on a VPN connection at all.
As is known in the art, some initial data access requests are answered with a re-direct, which directs the requesting source to another destination to retrieve the desired content. For example, in the case of an HTTP request, the requesting device may receive an HTTP re-direct from the server, which causes the device to generate another HTTP request based on the re-direct destination. In addition, in some cases, a URL playlist may be sent from the server, which may include a plurality of URLs. This particular feature may support HTTP live-streaming, a protocol that enables a client to select from a number of different alternate streams containing the same material encoded at a variety of data rates, which can allow the streaming session to adapt to the available data rate.
In one arrangement, the secure application 95 may be configured to account for these re-directs. For example, if the initial data request is an HTTP request and the remote server 205 returns an HTTP re-direct, the secure application 95 may transform that HTTP re-direct in accordance with the modification process described above. By doing so, the secure application 95 can ensure that the system service 115 establishes the new re-direct connection with the secure application 95. As such, when the secure application 95 detects a re-direct, the secure application 95 can request another socket and port from the operating system to account for the new destination that originates from the re-direct. The secure application 95 can then open a connection between itself and the new (and appropriate) remote server 205. This process can be expanded to account for re-direct playlists, such that socket/port pairs are generated when needed for the URLs that make up the playlists.
As can be gleaned from this example, the secure application 95 may be required to detect the re-directs in the incoming streams. If the original data access request is not based on a secure protocol, like HTTPS, then the secure application 95 is easily able to detect the re-directs. If the original request is based on a secure protocol, however, complications may arise because the traffic being streamed to the system service may be encrypted. As noted above, when dealing with a secure protocol, the termination point for the secure connection can be placed at the secure application 95, not the system service 115. As a result, the secure application 95 can decrypt the incoming traffic and can detect the re-directs, similar to how it would for an unsecure protocol. Thus, as an example, re-directs can be handled for both HTTP and HTTPS.
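The URL modification described above for HTTP (“t=”) and HTTPS (“s=”) requests, its reversal at the secure application, and the transformation of a re-direct can be illustrated together. This is an added example, not code from the patent: the function names, the `allocate_port` callback and the sample re-direct are assumptions, and percent-encoding the host and path while keeping “r=” last is a choice made here so that the modified URL decodes unambiguously.

```python
from urllib.parse import quote, unquote, urljoin, urlsplit


def to_local_url(original_url, port):
    """Rewrite an http(s) URL into the local-host form with t=/s=, p= and r=."""
    parts = urlsplit(original_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("only absolute http/https URLs are rewritten")
    key = "s" if parts.scheme == "https" else "t"   # s= marks an HTTPS origin
    # Assumption: host and path are percent-encoded so "&" or "=" inside them
    # cannot be mistaken for a delimiter of the rewritten URL.
    host = quote(parts.netloc, safe=":@[]")
    path = quote(parts.path[1:], safe="")
    local = f"http://localhost:{port}?{key}={host}&p={path}"
    # r= goes last and carries the original query verbatim, so a query that
    # itself contains "t=", "p=" or "&r=" still round-trips.
    return local + (f"&r={parts.query}" if parts.query else "")


def from_local_url(local_url, issued_ports):
    """Recover the original URL; accept only ports this application issued."""
    parts = urlsplit(local_url)
    if (parts.scheme != "http" or parts.hostname != "localhost"
            or parts.port not in issued_ports):
        raise ValueError("not a local-host URL issued by this application")
    head, has_query, original_query = parts.query.partition("&r=")
    target, has_path, path = head.partition("&p=")
    key, eq, host = target.partition("=")
    if key not in ("t", "s") or not eq or not host or not has_path:
        raise ValueError("malformed local-host URL")
    scheme = "https" if key == "s" else "http"
    url = f"{scheme}://{unquote(host)}/{unquote(path)}"
    return url + (f"?{original_query}" if has_query else "")


def rewrite_redirect(response_head, request_url, allocate_port):
    """Point the Location header of a 3xx response back at the application.

    allocate_port is a hypothetical callback that returns a fresh loopback
    port for the new destination, as the text describes for re-directs.
    """
    lines = response_head.split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[1].startswith("3"):
        return response_head                      # not a re-direct
    for i, line in enumerate(lines[1:], start=1):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            # Resolve relative re-directs against the URL that was requested.
            target = urljoin(request_url, value.strip())
            lines[i] = f"Location: {to_local_url(target, allocate_port())}"
    return "\r\n".join(lines)


if __name__ == "__main__":
    original = "https://www.youtube.com/watch?v=uWHRqspFke0"
    local = to_local_url(original, 4444)
    print(local)
    print(from_local_url(local, {4444}))
    # Constructed sample re-direct (not from the original page).
    head = ("HTTP/1.1 302 Found\r\n"
            "Location: https://media.example.net/stream/v1?id=42&fmt=hd\r\n"
            "Content-Length: 0\r\n\r\n")
    print(rewrite_redirect(head, original, lambda: 4445))
```

Checking the port against the set the application issued matters because a loopback listener accepts connections from any local process, not only the system service.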
In some cases, other components may assist in the calculation of data for purposes of usage accounting. For example, some system services 115 may offer notifications based on certain events that may be related to data usage. In one particular example, the secure applications 95 can register for certain callbacks from the system services 115 that are equipped to provide such notifications. As an example, if a data session is initiated through a secure application 95, the system service 115 can provide one or more notifications that inform the secure application 95 of the start of the session and its eventual ending. Statistics related to the amount of data that was consumed during the session can be incorporated into the notifications, which the secure application 95 can use to track its data usage. The overall total usage related to all or at least some of the secure applications 95 can be determined, which can allow the segregation of data consumption between secure and personal profiles, as described earlier. In this case, however, the modification of the data access requests is not required, and the system service may fetch data in its conventional manner. When available with the system services 115, this feature may be useful for data accounting, particularly when application-level VPNs are not incorporated into the secure applications 95.
The description herein has been presented primarily in terms of a secure application 95 handling the modification of data requests and the data usage tracking. The description, however, is not so limited. In particular, these features can be implemented into an unsecure application such that data usage can be tracked for these types of applications on an individual basis. Similarly, the system service that is involved in this process is not limited to a media player. In fact, any system service that is involved in the exchange of data with a remote location may be applicable to the description provided herein. For example, other system services that apply here may include a texting application, a dialer or any other application that facilitates or otherwise supports voice communications, a video or camera application, or a map application or other application that supports mapping features. In fact, the description herein may apply to any type of application, whether secure or unsecure, that may involve the consumption of content or the use of services in which it may be necessary to distinguish between personal use of such content and services and secure or workspace or enterprise use of the content and services.
While various embodiments have been described above, it should be understood that they have been presented by way of example only, and not limitation. It will be understood by those skilled in the relevant art(s) that various changes in form and details may be made therein without departing from the spirit and scope of the subject matter as defined in the appended claims. Accordingly, the breadth and scope of the present subject matter should not be limited by any of the above-described exemplary embodiments, but should be defined only in accordance with the following claims and their equivalents.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved.
This patent application is a continuation of U.S. patent application Ser. No. 14/478,066, filed on Sep. 5, 2014, which is incorporated herein by reference in its entirety.
Relation | Number | Date | Country |
---|---|---|---|
Parent | 14478066 | Sep 2014 | US |
Child | 14573601 | | US |