There is a staggering growth of endpoint mobile devices in enterprises. With this influx, Information Technology (IT) administrators can no longer treat these mobile devices as simply outside their scope of responsibility. Correspondingly, there has been unprecedented growth in the cloud services that an enterprise makes available to its employees. Traditionally, enterprises have deployed one secure application per service per platform, but this approach has failed to scale with the growth of mobility in IT. Myriad cloud-based services are being accessed from unmanaged endpoint mobile devices across diverse operating systems, uncontrolled network topologies and poorly understood mobile geographies. Typically, enterprises have deployed applications for a specific service, applications to access corporate resources that themselves vary with network conditions, and applications to secure the endpoints themselves.
Conventionally, for each application, the enterprise user must perform numerous steps. For example, the end user must contact an enterprise administrator (i.e., in person or through a web portal) to configure the mobile device to use the endpoint application for the corresponding service. The end user must enroll in each application to access a service, and the enterprise administrator has to undertake the complex tasks of tracking, deploying and managing individual apps on each endpoint mobile device. Accordingly, it would be advantageous to eliminate the multiple applications for various enterprise functions and instead enable a user to connect to multiple cloud services.
Normally, to securely access multiple network resources concurrently, the end user has to run multiple applications, such as a corporate VPN for accessing the enterprise's internal resources (intranet) and a private VPN or a network filtering application for accessing internet resources. This is not only confusing for the end user but also creates compatibility issues between applications that compete for network access at different layers of the networking stack. For instance, a Virtual Private Network (VPN) application used to securely connect to an enterprise network is disrupted by a web security firewall application running on the same device that monitors and forbids any network interface change. The situation is further exacerbated because the user must reconfigure each application as network conditions change, such as when moving from one subnet to another, and nothing indicates to the user that such a change is required. All such service transitions must be performed manually by the user with every network change. This is analogous to a user having to statically configure the Internet Protocol (IP) address settings on a network interface for every network change, a problem overcome by the Dynamic Host Configuration Protocol (DHCP), which discovers the interface's configuration, such as IP address, subnet mask, default gateway and Domain Name System (DNS) servers. With the advent of mobility and the explosion in the number of cloud services and mobile applications, there is a similar need for unified service discovery and secure availability.
Additionally, most mobile applications ("apps") are designed to communicate with dedicated servers and are therefore agnostic of the network path and of the network devices along it. These apps inevitably fail in stringent enterprise environments that are heavily fortified with firewalls, packet filters, proxies and network access controls. Such security measures impose constraints on network traffic that often disrupt an app's communication channel, and the situation is further exacerbated by the fact that there is no indication to the user that the app's network connectivity has been denied for enterprise policy reasons.
For example, a mobile application client communicating with a server over an arbitrary port is blocked by the enterprise firewall without any indication to the user that the app has been blocked or what remediation steps the user might take. In another example, an app's network connectivity is hampered by a captive portal that requires user intervention to accept terms and conditions. Mobile apps thus fail at processing network events generated at various nodes in the network topology, especially those that require input from the user. Such application-level inability to comply with and adapt to the enterprise network architecture results not only in employee frustration but also in a severe loss of productivity.
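The two failure modes just described (a silently blocking firewall and an intercepting captive portal) can be told apart on the client by probing an endpoint whose normal answer is known. The following is an added example written for this page and is not code from the original text or a description of the invention: it probes a connectivity-check URL that is expected to answer HTTP 204 with an empty body (the convention Android's and Chrome's connectivity checks rely on) and classifies the outcome so that the user can be shown why the connection failed. The probe host, the ProbeResult structure and the hint strings are assumptions made for the example.

```python
"""Classify why a mobile app's HTTP probe did not reach its server.

Added example, not code from the original text.  Assumption: the probe
endpoint (hypothetical host) normally answers HTTP 204 with an empty body,
as Android's and Chrome's connectivity checks do, so any other response
means something on the path rejected or intercepted the request.
"""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PROBE_URL = "http://connectivity.example.net/generate_204"  # hypothetical endpoint
EXPECTED_STATUS = 204


@dataclass
class ProbeResult:
    """Outcome of one probe: either a transport-level error or an HTTP response."""
    error: Optional[str] = None            # "refused", "reset", "timeout", "dns"
    status: Optional[int] = None
    headers: Dict[str, str] = field(default_factory=dict)  # lower-cased header names
    body: bytes = b""


def classify(result: ProbeResult) -> Tuple[str, str]:
    """Map a ProbeResult onto (verdict, hint to show the user).

    Verdicts: "open", "blocked", "captive_portal", "unknown".
    """
    if result.error in ("refused", "reset"):
        return ("blocked", "Connection rejected: a firewall or packet filter is likely blocking this port.")
    if result.error == "timeout":
        return ("blocked", "No reply: traffic is probably being dropped silently on the path.")
    if result.error == "dns":
        return ("blocked", "Name resolution failed: DNS filtering or a walled-garden network.")
    if result.status == EXPECTED_STATUS and not result.body:
        return ("open", "Internet reachable.")
    location = result.headers.get("location", "")
    if result.status is not None and 300 <= result.status < 400 and location:
        # A redirect from a no-content probe is the classic captive-portal signature.
        return ("captive_portal", f"Redirected to {location}: open it in a browser to accept the network's terms.")
    if result.status == 200 and b"<html" in result.body.lower():
        # Portals that rewrite the page in place answer 200 with HTML instead of an empty 204.
        return ("captive_portal", "Probe answered with an HTML page instead of 204: a captive portal is intercepting HTTP.")
    if result.status in (403, 407):
        return ("blocked", "A proxy or policy denied the request: ask IT to allow this service.")
    return ("unknown", f"Unexpected response {result.status}: escalate to IT.")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 3xx from the probe is itself the signal we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str = PROBE_URL, timeout: float = 5.0) -> ProbeResult:
    """Issue the probe and fold transport failures into ProbeResult.error."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(status=resp.status,
                               headers={k.lower(): v for k, v in resp.headers.items()},
                               body=resp.read())
    except urllib.error.HTTPError as e:   # 3xx/4xx/5xx land here because redirects are not followed
        return ProbeResult(status=e.code,
                           headers={k.lower(): v for k, v in e.headers.items()},
                           body=e.read())
    except urllib.error.URLError as e:    # connect-phase failures are wrapped in URLError
        reason = e.reason
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return ProbeResult(error="timeout")
        if isinstance(reason, ConnectionRefusedError):
            return ProbeResult(error="refused")
        if isinstance(reason, ConnectionResetError):
            return ProbeResult(error="reset")
        if isinstance(reason, socket.gaierror):
            return ProbeResult(error="dns")
        return ProbeResult(error=str(reason))
    except (socket.timeout, TimeoutError):   # read timeout after the connection was established
        return ProbeResult(error="timeout")


if __name__ == "__main__":
    verdict, hint = classify(probe())
    print(verdict, "-", hint)
```

The classification runs entirely on the client at the moment the request fails, so the hint can be shown immediately rather than after an out-of-band notification arrives. Redirects are deliberately not followed because a 3xx answer to a no-content probe is the evidence of interception; a client that followed it would see a 200 login page and misreport the portal as ordinary connectivity.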
One approach addresses this problem through an out-of-band notification channel to the client application using a push notification cloud, but this is limited in scope. Although it does notify the user that something in the application went wrong, the latency of the operation often destroys the user's context, making the system less meaningful and less engaging: the user never learns immediately that network access was blocked but must wait indefinitely for an out-of-band notification to arrive to gain some perspective. Notifications that require a user action, such as "Proceed with Caution", cannot be supported by this system, further reducing its usefulness. Additionally, the approach is tightly coupled to the operating system's ability to provide and support push notifications, making it vulnerable to platform-level idiosyncrasies.