1. Field of the Invention
The invention relates to a system for device management. In particular, the invention relates a framework whereby mobile terminals are configured and managed by a central server.
2. Description of the Related Art
Device management (DM) in mobile telecommunications systems allows the mobile network operator to manage and update various aspects of individual mobile terminals, such as mobile phone handsets. For example, configuration settings can be managed and the software and/or firmware can be updated “over-the-air” (OTA).
DM has been implemented in a number of ways. One example of a DM scheme is the scheme developed by the industry standards body OMA (Open Mobile Alliance). The OMA DM specifications introduce the notion of management objects (MOs). MOs are entities that can be manipulated by, or remotely triggered by, management actions. In this scheme, the MOs are logically grouped in a hierarchical structure referred to as a “management tree”.
Each DM-capable mobile terminal is provided with a DM client application: a piece of software that interacts with a management server (located in the mobile telecommunications network) and accepts MOs from the management server. The MOs are used to update the management tree, and in turn the management functions are implemented. The MOs will usually contain configuration settings and/or data for applications and services on the terminal, however the DM specifications do not mandate what data can or cannot be carried in an MO, or what effect that data will have on the terminal. Specifications of permitted data are made as required by any given implementation.
To avoid security issues, a DM client may identify and authenticate a DM server before accepting MOs from the server, and similarly the DM server may identify and authenticate the DM client. The DM client may therefore possess certain credentials and settings to instruct it how to contact the correct DM server and how to correctly handle the mutual authentication required.
Conventionally, a DM agent on a terminal is capable of managing a single main execution environment on a terminal, such as an environment in which applications or other software may be executed, such as the main OS and the applications running above it. In newer terminals, however, it is contemplated that more than one execution environment (EE) may be provided on a terminal. These newer terminals are thereby capable of running applications in a first EE that is effectively separated from a second EE, and also separated from further EEs. This separability is convenient for reasons of security, reliability and possibly efficiency. An example of such a terminal would be a terminal running a rich OS, such as Symbian, (a first EE) and a separate secure EE, where trusted applications or tasks may run in an isolated and trusted environment (a second EE).
Multiple OSs may also coexist on the same platform when the terminal is arranged with a “hypervisor” (or virtualization software) and/or dual processor architecture.
As will readily be appreciated from the foregoing, managing different execution environments on a single device represents a considerable additional burden on the processing capacity of that device. While a DM agent may perform an identical management operation in each EE or OS, the separation of the EEs may necessitate a new hierarchical structure of MOs (management tree) as well as a duplication of DM code, configuration and server authentication data for each EE.
Even where technical restrictions such as isolation do not necessitate the above duplications, there may be circumstances in which the assets in different terminal areas or environments must be managed by different parties, and this may require that two environments need to be managed by different DM servers. Whenever more than one DM server is required to manage different terminal environments and/or assets, multiple management trees and sets of DM configuration and authentication data may be required.