The present invention is related to management software and more specifically to management software for remote clients.
Management software allows an administrator to control, maintain and update files stored on client computer systems in a conventional client-server system. Conventional management software resides on both a server computer system, called a server, and on a client computer system, called a client. Management software in the server can determine which files should be installed on a client. When the client and server are in communication with one another, the server management software can provide any necessary files to the client management software, and direct the client management software to install the files received or use the files received to update files already stored on the client computer system. Additionally, the server management software can direct the client management software to delete any files that should no longer reside on the client.
One way of determining which files should be installed on the client computer system is to have the client management software provide the server management software with some form of identification of the user of the client computer system. For example, the client management software can supply to the server management software a name or a type of a user of the client computer system. The server management software uses the name or type of the user to determine which files that user or type of user should have and then sends the appropriate files or instructions or both to the client management software.
For example, all supervisors of a company may receive updated salary information every Monday morning. The client management software in a particular client computer system used by a supervisor can be preprogrammed with the supervisor's name or title and the client management software can provide this information to the server management software. The server management software can provide updated salary information to the client management software based on the information it receives from the client management software. In contrast, client management software on a different computer identifying the user as an employee would not receive this updated salary information because the server management software will only send this information to supervisors.
If the client computer system is connected to the server computer system through a conventional LAN connection, management software can perform its operation relatively transparently to the user. For example, a client computer system can be updated by the management software in the background while the user is performing other work. Alternatively, the management software can update the client computer at a time when the user of the computer is not expected to be using the computer, such as after normal business hours. This may be implemented via wake-up timers, wake-on-LAN interfaces and the like so that the user need not perform any action to receive updated files.
Further adding to the transparency of operation of management software for LAN connected client computer systems is the fact that the identity of the user can be automatically supplied by the client computer system. The user does not have to authenticate himself to the management software each time it runs. Although the lack of authentication could allow security breaches to occur, the physical security of the building may be considered sufficient security to make this a suitable option.
If the user uses a computer that does not have a LAN or other similar persistent connection to the server, updating files using management software can be more difficult. For example, if a user occasionally connects (e.g. via a dial-in connection, such as through a Virtual Private Network, or VPN) to the remote network that contains the server, the files must be updated by the management software in the client and server while the user is connected to the remote network. Because updating the user's files can be a time- and bandwidth-consuming process, and because the user may only connect to the remote network when the user wants to perform other work, the user may not want to allow the management software to update his files when he logs onto the network.
For example, if the user is in a hurry, he may refuse to run, or abort the operation of, the management software when he connects to the remote network. This makes it difficult for a system administrator to control the files on a user's computer system when the user does not have a LAN or other persistent connection to the network. If the user does not allow the management software to operate, the user may not have files he needs or may be working with out of date files.
There is an additional inconvenience when using management software from a computer without a LAN or other persistent connection into the network containing the server. Because such a computer lacks the security associated with the LAN or other persistent connection, the user must authenticate himself to the management software to prevent unauthorized users from dialing into the company's network and then receiving sensitive files. Authenticating a user to management software can seem especially inconvenient. This is because users who dial into the company's network often must first authenticate themselves to the software that will connect them to the remote network, and then reauthenticate themselves to the management software in what seems like a redundant operation.
There is another problem with dial-in users. Because dial-in users dial into the company's network, they may be capable of dialing into other networks, such as those operated by third parties. In some cases, communication with third parties is authorized and safe, but in other cases it can be dangerous.
Authorized communication with third party networks can allow the use of third parties to supply information or services to their users. The remote user must connect to the third party network to receive such information or services. However, allowing the user to connect to any third party can be dangerous. If a user were to connect to a network of an untrusted third party, that third party could obtain access to the storage system of the user's client computer. Such access might allow the third party to download viruses or other files, upload files that are confidential to the company, or overwrite files, either on purpose or by accident, that should not be overwritten.
To control the networks that a dial-in or other remote user can access, a "pass through" arrangement may be employed. This pass through arrangement uses an existing connection that is maintained between the third party network and the corporate network to allow users of the corporate network to access the third party. To prevent dial-in users from accessing unauthorized third party networks while allowing access to authorized third party networks, software in the dial-in user's client computer system is configured to allow dial-in users to dial into the corporate network, but not other networks. These users use the connection between the corporate network and any third party network to communicate with any third party networks.
This "pass through" arrangement allows a system administrator of the company to limit the third party networks to which such dial-in users connect. Users may only connect to third parties that are trusted by the system administrator and therefore have some form of connection with the company network.
Although the arrangement allows the system administrator to remain in control of the third parties to which the user is allowed to connect, it generates traffic and uses resources on the company's network solely for the purpose of maintaining control over the remote user.
What is needed are a method and apparatus that can enforce the operation of management software when a user logs into a remote network, does not require the user to reauthenticate himself to the management software, and can allow system administration control over a user or software using a third party network without requiring the user to pass through a company network.
A method and apparatus enforces operation of management software after a user logs into a remote network and before the user is allowed to perform other functions on the remote network. Information received from the user to authenticate the user to the remote network may also be used to authenticate the user to the management software, eliminating the need for the user to reauthenticate himself to the management software after authenticating himself to the remote network. A list of trusted third party networks is maintained by the client computer system, and the method and apparatus only allows the user to connect to third party networks on the trusted list, eliminating the need for remote users to pass through the corporate network. The trusted list may be received by the client management software. Access to the user's system may be controlled to restrict the action of third parties communicating with the user's system.
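As an added illustration, not the patent's own implementation, the following Python sketches the client-side sequence the summary describes: a single login credential that is also handed to the management software, a mandatory management update before any other network activity, and a client-held trusted list that gates third-party connections. The class and method names, the CIDR form of the trusted list and the sample addresses are assumptions made here.

```python
# Illustrative client-side policy (not from the patent). It enforces the order
# login -> management update -> other network use, reuses the login credential for
# the management step, and allows third-party connections only to listed networks.
# Names, the CIDR list format and all sample values are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional


class PolicyError(Exception):
    """Raised when a step is attempted out of order or the session is not authenticated."""


@dataclass
class RemoteClientPolicy:
    trusted_networks: List[str]            # e.g. ["192.0.2.0/24"], constructed sample
    authenticated_user: Optional[str] = None
    management_done: bool = False
    audit_log: List[str] = field(default_factory=list)

    def login(self, user: str, credential: str,
              verify_remote_login: Callable[[str, str], bool]) -> None:
        """Authenticate once to the remote network. The verified identity is kept so the
        management software can reuse it instead of prompting the user again."""
        if not verify_remote_login(user, credential):
            raise PolicyError("remote network rejected the credential")
        self.authenticated_user = user
        self.management_done = False          # every new session must re-run management
        self.audit_log.append(f"login {user}")

    def run_management(self, apply_updates: Callable[[str], None]) -> None:
        """Mandatory step after login; apply_updates receives the already-verified user."""
        if self.authenticated_user is None:
            raise PolicyError("management software requires an authenticated session")
        apply_updates(self.authenticated_user)
        self.management_done = True
        self.audit_log.append("management update complete")

    def is_trusted(self, address: str) -> bool:
        """True when the address falls inside any network on the client-held trusted list."""
        ip = ipaddress.ip_address(address)
        return any(ip in ipaddress.ip_network(net) for net in self.trusted_networks)

    def connect_third_party(self, address: str) -> bool:
        """Permit a direct third-party connection only after management has run and only
        to trusted networks; the decision is logged either way."""
        if not self.management_done:
            raise PolicyError("management update has not run yet")
        allowed = self.is_trusted(address)
        self.audit_log.append(f"{'allow' if allowed else 'deny'} {address}")
        return allowed
```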