1. Field of the Invention
This invention is directed to a method and device to control a user session as it connects to a remote desktop or application, using a device state server to facilitate the exchange of device state between the connecting device and the remote desktop or application server. Further, the invention continues to monitor the state of the device for as long as it is connected to the remote desktop or application.
2. Description of the Related Art
The following general terms are used throughout the application documents:
Device—A laptop, physical desktop, thin client, tablet or mobile phone used by a user such as an employee, contractor or supplier to connect to a remote desktop or remote application.
Thin Client—A corporate owned physical desktop dedicated to accessing remote desktops or remote applications.
Connected Device—Same as device, although with emphasis on the fact that the device is connected to the remote desktop or application.
Connecting Device—Same as device, although while the device is actively establishing a connection with the remote desktop or application.
Device State—The state of the device, including the state of the physical device, the operating system that runs on it, and the logged-in user session. The state can be defined by one or more of the following parameters: Anti-Virus enabled, Firewall enabled, Wi-Fi connectivity/security, Installed Applications, Running Applications, User Security, Group Membership, User Privileges, Geographical Location, Geographical Elevation, and others.
Remote Desktop—A Windows (or other) desktop, running on a server within a corporate data center or on the internet (cloud), allowing the user to launch one or more applications which run within a remote user session and are delivered via a remoting protocol to a device.
Remote Application—A single Windows (or other) application, offering a user interface that runs in a remote session and is delivered via a remoting protocol to a device. In comparison to the remote desktop, only the relevant application data is transmitted and not the complete desktop, so that the application, although running remotely, is integrated into the local desktop.
Access Token—An access token is an Operating System concept which describes the security context of an application and determines the access that the operating system grants to the process. The access token consists of a set of security groups, privileges and claims which the operating system uses to control access to securable objects, such as files, folders and the Windows Registry. This Access Token is also used by the invention to control access.
Remote Desktop or Application Server—A server, either physical or virtual, that is configured to allow remote access to either the desktop or one or more applications.
Remoting Protocol—A network protocol used to capture graphics, audio, clipboard or storage from a remote session and deliver it to a device where it can be reconstructed to give the illusion that the remote desktop or application is running on the local device.
Remoting Protocol Service—An application launched by the Operating System which implements the server side of the Remoting Protocol.
Gateway Server—A server which facilitates the connection between the Connecting Device and the Remote Desktop or Application Server. The gateway server may allow or deny the connection based upon its configuration. It may also connect the network of the Connecting Device to the Remote Desktop or Application Server using technologies such as a Virtual Private Network (VPN).
Virtual Channel—Provided by the remoting protocol, the virtual channel allows third parties (or the remoting protocol vendor) to implement communication between software running on the remoting client and software running on the remote desktop server.
Remoting Client—An application that runs on a device, implementing the client end of the remoting protocol and presenting to the user either a remote desktop or a remote application.
User Session—An abstract concept of an operating system representing an authenticated and logged-in user, their desktop, and the applications that they are running, either on a virtual desktop or on a virtual machine providing a virtual desktop.
Remote User Session—A user session running on a remote computer and delivered over the internet or intranet using a remoting protocol. In contrast, a local session is one where the user is logged in with the keyboard, mouse and monitor physically connected to the remote desktop or application server.
Windows Registry—A hierarchical database of settings for the Microsoft Windows Operating System and Microsoft Windows applications.
Environment Variables—A set of name/value pairs that can affect the way applications run. Environment Variables can be global, or specific to a user or user session.
Administrative Scripts—Written in one of many high-level programming languages, Administrative Scripts are written by IT departments to manipulate the behavior of the Operating System to improve the user experience or to enforce corporate policy.
Third Party Tools—Much like Administrative Scripts, a number of third party tools exist, written by the OS vendor or independent software vendors, allowing IT departments to manipulate the behavior of the Operating System to improve the user experience or to enforce corporate policy.
Operating System—Software that runs on a computer to manage computer hardware and software, and provide a common set of services to applications.
Internet—A global system of interconnected networks connecting billions of devices around the world.
Intranet—A private network accessible only to the employees of an organization.
Jailbroken—A jailbroken device is one that has been deliberately compromised to remove software restrictions enforced by the manufacturer, allowing applications to be run that are not available to a non-jailbroken device.
Cloud—Also known as Cloud Computing or on-demand computing, a model for enabling on-demand access to a shared pool of configurable computing resources, effectively providing a data center within the internet.
Application Sandbox—A security feature of the Operating System, an Application Sandbox allows third party applications to run within a secure environment with a tightly controlled set of resources, preventing them from influencing the Operating System or other applications running on the device.
Push Notification—A service offered by Operating System vendors to communicate with an application on a device, where that application typically runs within an application sandbox. A push notification token identifies the application and the device and is sent to the push notification service along with some notification content. When received by the device, the application, which may be in a frozen state running in the background, is awoken to handle the contents of the notification.
The increase in capability of portable devices, combined with the increased availability of high speed internet, has created an environment where employees now expect to be able to work from anywhere using a variety of devices. Those devices can be owned by the business, the employee or someone external. Consequently these devices are managed and maintained not exclusively by the company's own IT department but also by the employee or by the external user. Devices with different owners will have different statuses, e.g. different security states (Anti-virus, Firewall etc.). All these devices will be used as connecting devices to connect to a corporate remote desktop or application hosted in the data center. To provide a compliant and secure corporate workspace, the IT department needs to consider the current status of the device connected to the corporate workspace.
Microsoft Remote Desktop Services is a widely used technology that allows users to access a remote desktop or application from either a session-based or a virtual desktop infrastructure-based server. In the following, the term session is used for both session-based and virtual desktop infrastructure-based servers. The server may be running in a data center within a corporate network, or on the internet. Users access the remote desktop or application using a Remote Desktop Client available on all mainstream devices, including desktop platforms such as Windows and Mac OSX, and mobile platforms such as Windows Phone, iOS and Android. The Remote Desktop Client uses the Remote Desktop Protocol (RDP) to deliver a high-fidelity remoting experience, transporting high quality graphics, audio, clipboard, storage and printers between the data center and the Remote Desktop Client. This ensures that as long as the user has connectivity to the data center, they can access their desktop or application from any device, wherever they are physically located.
Citrix XenApp and XenDesktop is another widely adopted technology that aims to deliver both desktops and applications from the data center to the user. Citrix provides the Citrix Receiver product, which delivers the remote desktop or application to a variety of devices, including desktop platforms such as Windows, Mac OSX, Linux and Chrome OS, and mobile platforms such as Windows Phone, iOS, Android and Blackberry. Citrix Receiver uses the Citrix Independent Computing Architecture (ICA) remoting protocol to deliver a high-fidelity remoting experience to the user.
VMware Horizon is another widely adopted technology that aims to deliver both desktops and applications from the data center to the user. VMware provides a Horizon Client product which delivers the remote desktop or application to a variety of devices, including desktop platforms such as Windows, Mac OSX, Linux and Chrome OS, and mobile platforms such as Windows Phone, iOS, Android and Blackberry. VMware uses the PCoIP remoting protocol to deliver a high-fidelity remoting experience to the user.
In addition there are a number of other vendors offering solutions that deliver a desktop or an application from the data center to the user; the majority of businesses, however, use Microsoft, Citrix or VMware.
Desktop as a Service (DaaS) is an emerging technology, where both applications and desktops are delivered from the cloud. This places additional pressure on IT to ensure that connected devices remain compliant with business policy.
Both Microsoft RDP and Citrix ICA offer Virtual Channels on some platforms, allowing a developer to extend the remoting protocol with additional information. Microsoft RDP offers Virtual Channels for the Windows platform. Citrix ICA offers Virtual Channels for the Windows, Linux and Mac OSX platforms.
Patent [ref: Application_15516JSMPTEP] uses Virtual Channels to communicate the state of the connected device to the remote desktop or application server. However, Virtual Channels are not available on all platforms. This invention provides a solution for the case where Virtual Channels are not available.
There is an industry trend for applications to run in an application sandbox, with little or no capability to extend the application with plugins, such as those required to extend the remoting client and/or the remoting protocol with Virtual Channels. Sandboxed applications are the only option available on platforms such as Apple's iOS and Google's Android. Additionally, both Microsoft Windows and Apple's Mac OSX have introduced support for the newer sandboxed applications, and remoting client applications are available for both Microsoft Windows and Apple's Mac OSX which do not offer extensibility with Virtual Channels. The lack of an extensible Virtual Channel prevents a remote desktop or application server from establishing a direct communication path back to the connected device.
Mobile platforms such as Apple's iOS and Google's Android also impose additional constraints to ensure consistent battery life. Without the possibility of extending the foreground application, a background application may provide the solution; however, the Operating System imposes restrictions on background applications to minimize their impact on battery life. These sandboxed application platforms typically offer a push notification service, allowing a background application on a device to be awoken to handle the notification.
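The arrangement outlined in the field of the invention, and motivated by the two preceding paragraphs (no Virtual Channel back to the device, so the device reports its state out of band and the remote desktop server asks a device state server whether the session may proceed, at connect time and repeatedly while the session lasts), can be sketched as follows. This is an added illustration and not code from the patent application: the class and function names, the policy rules, the 60 second staleness window and the sample device states are all assumptions made for the example.

```python
"""Device-state exchange without a virtual channel.

Illustrative sketch (not the patent's code): a DeviceStateServer receives
device state out of band from the connecting device and answers the remote
desktop server's allow/deny question at connect time and for as long as the
session lasts. Class names, policy rules, the staleness window and the
sample device states are assumptions for this example.
"""
from dataclasses import dataclass
import time


@dataclass
class DeviceState:
    """Subset of the device-state parameters listed in the definitions."""
    device_id: str
    antivirus_enabled: bool
    firewall_enabled: bool
    jailbroken: bool
    wifi_security: str   # e.g. "WPA2", "WPA3", "WEP", "open"
    country: str         # ISO country code of the geographical location
    reported_at: float   # epoch seconds when the device sampled its state


# Assumed corporate policy: every predicate must hold for the device to be compliant.
POLICY = [
    ("antivirus", lambda s: s.antivirus_enabled),
    ("firewall", lambda s: s.firewall_enabled),
    ("not-jailbroken", lambda s: not s.jailbroken),
    ("wifi-encrypted", lambda s: s.wifi_security.upper() in ("WPA2", "WPA3")),
    ("allowed-country", lambda s: s.country in ("DE", "US")),
]


def evaluate(state):
    """Return the names of the policy rules the device state violates."""
    return [name for name, check in POLICY if not check(state)]


class DeviceStateServer:
    def __init__(self, max_age_s=60.0, clock=time.time):
        self.max_age_s = max_age_s   # state older than this is treated as unknown
        self.clock = clock           # injectable so the demo can fake time
        self._states = {}            # device_id -> latest DeviceState
        self._sessions = {}          # session_id -> device_id

    def report(self, state):
        """Called by the device, e.g. by a background app woken by a push notification."""
        self._states[state.device_id] = state

    def bind_session(self, session_id, device_id):
        """Called by the gateway when it brokers a session for a device."""
        self._sessions[session_id] = device_id

    def decide(self, session_id):
        """Called by the remote desktop server at connect time and periodically after.

        Returns ("allow", []) or ("deny", reasons). Unknown or stale state fails closed.
        """
        device_id = self._sessions.get(session_id)
        state = self._states.get(device_id)
        if state is None:
            return ("deny", ["no-state"])
        if self.clock() - state.reported_at > self.max_age_s:
            return ("deny", ["stale-state"])
        failures = evaluate(state)
        return ("allow", []) if not failures else ("deny", failures)


def demo():
    """Walk one session through connect, a policy change, and a silent device."""
    now = [1000.0]                                   # constructed fake clock
    srv = DeviceStateServer(max_age_s=60, clock=lambda: now[0])
    srv.bind_session("rdp-session-7", "laptop-42")

    # 1. Device reports a compliant state; the session is allowed.
    srv.report(DeviceState("laptop-42", True, True, False, "WPA2", "DE", now[0]))
    at_connect = srv.decide("rdp-session-7")

    # 2. Thirty seconds later the firewall is switched off; the next check denies.
    now[0] += 30
    srv.report(DeviceState("laptop-42", True, False, False, "WPA2", "DE", now[0]))
    after_change = srv.decide("rdp-session-7")

    # 3. The device goes quiet; once its last report is older than max_age_s
    #    the server can no longer vouch for it and denies again.
    now[0] += 120
    after_silence = srv.decide("rdp-session-7")
    return at_connect, after_change, after_silence


if __name__ == "__main__":
    for label, result in zip(("connect", "change", "silence"), demo()):
        print(f"{label}: {result}")
```

The two design points worth keeping from this sketch are that the decision fails closed (no report, or a report older than the staleness window, is treated as non-compliant rather than as "still fine"), and that the remote desktop server polls `decide` for the life of the session rather than only at connect, which is what turns a one-off admission check into the continuous monitoring the field of the invention describes.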