
CN109842600B - A method, terminal device and MDM device for realizing mobile office - Google Patents

A method, terminal device and MDM device for realizing mobile office

Info

Publication number
CN109842600B
CN109842600B
Authority
CN
China
Prior art keywords
mdm
terminal
module
vpn
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201711226652.7A
Other languages
Chinese (zh)
Other versions
CN109842600A (en)
Inventor
王鑫
王国栋
鲁青
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Group Shanxi Co Ltd
Original Assignee
China Mobile Hangzhou Information Technology Co Ltd
China Mobile Group Shanxi Co Ltd
China Mobile Communications Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Mobile Hangzhou Information Technology Co Ltd, China Mobile Group Shanxi Co Ltd and China Mobile Communications Corp
Priority to CN201711226652.7A
Publication of CN109842600A
Application granted
Publication of CN109842600B
Legal status: Active (current)
Anticipated expiration

Landscapes

  • Mobile Radio Communication Systems (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Embodiments of the present invention provide a method, a terminal device and an MDM device for realizing mobile office, so as to solve the technical problem of low security when realizing mobile office in the prior art. When login information of a terminal user performing a login operation on the MDM module is detected, the login information and the hardware identification information of the terminal device are sent to the MDM device, the login information being determined from the user identity information of the terminal user; a verification result is received from the MDM device after it verifies the identity of the terminal user based on the login information and the hardware identification information; and if the verification result indicates that the identity verification of the terminal user passes, the login is completed and the VPN unit is started based on the SIM module to realize mobile office.

Description

Method for realizing mobile office, terminal equipment and MDM equipment
Technical Field
The invention relates to the technical field of computers, in particular to a method for realizing mobile office, terminal equipment and MDM equipment.
Background
With the continuous development of science and technology, people can work more conveniently. By using mobile informatization software on a mobile phone, an enterprise software application system that interconnects the mobile phone and the computer can be established, so that office workers can handle any business-related matter at any time and in any place, and can carry out portable company management and communication at any time, thereby realizing mobile office.
In the prior art, a Virtual Private Network (VPN) client and an Office Automation (OA) client are usually installed on the mobile terminal. When the enterprise OA client needs to be logged in to, the VPN client must be opened first and logged in to with a user name and password; after the verification passes, the VPN server can be connected successfully. The enterprise OA client is then opened and logged in to with a user name and password, and the content of the OA client is accessed to realize the mobile office function.
However, the above solutions in the prior art have the following disadvantages:
Firstly, with the mobile development of electronic office, government system data are presented on mobile intelligent terminals. Compared with the security protection level of a data center, the general security protection level of a mobile terminal is lower. A mobile intelligent terminal is easy to carry and easy to lose, so sensitive information can be leaked, which poses a great threat to data security. In addition, mobile terminals are susceptible to unauthorized use by others, creating the risk of copying, downloading or printing internal sensitive data. Furthermore, apart from the units that distribute dedicated equipment, users of some access units use their own free devices to access the external network; because office and personal applications are mixed, the reliability of the system is greatly reduced and security risks are introduced, leading to data loss or device malfunction. When a user accesses an external network service system by remote access, important data is easily leaked, whether deliberately or unintentionally, and a great hidden information-security danger exists.
Secondly, an external-network access user accesses the service system of the government affairs external network from the Internet environment through Wireless Fidelity (WiFi), 3G/4G and Access Point Name (APN) networks. The transmission channel is a public network with low security, and data can be intercepted, attacked and tampered with, creating a security risk in the access channel. The device and the application serve as the carrier on which the service is presented; if they carry viruses, trojans or the like, these can be transmitted automatically to the external network during access, greatly threatening the security of the external network and also risking data leakage.
Thirdly, most existing mobile office clients open the VPN connection in user-name-and-password mode through a separately installed VPN client; once the user name and password are leaked or stolen, malicious access by an unauthorized user becomes possible. Moreover, with the user name and password the user can perform remote VPN access from any terminal on which a VPN client is installed, which poses a great potential safety hazard to the whole mobile office system.
In summary, the prior art has the technical problem of low security when mobile office work is realized.
Disclosure of Invention
The embodiment of the invention provides a method for realizing mobile office, terminal equipment and MDM equipment, which are used for solving the technical problem of low safety in the process of realizing mobile office in the prior art.
First aspect
The embodiment of the invention provides a method for realizing mobile office, which is applied to a terminal device, wherein the terminal device comprises a mobile terminal management (MDM) module and a subscriber identity (SIM) module, the MDM module integrates a virtual private network (VPN) unit, and the terminal device is in communication connection with the MDM device through the MDM module; the method comprises the following steps:
when login information of a terminal user for performing login operation on the MDM module is detected, the login information and hardware identification information of the terminal device are sent to the MDM device, and the login information is determined by user identity information of the terminal user;
receiving a verification result of the MDM equipment after the MDM equipment carries out identity verification on the terminal user based on the login information and the hardware identification information;
and if the verification result shows that the identity verification of the terminal user passes, finishing login and starting the VPN unit based on the SIM module so as to realize mobile office.
In one possible implementation manner, before sending the login information and the hardware identification information of the terminal device to the MDM device, the method further includes:
acquiring a digital certificate applied for by the terminal user, wherein the digital certificate is used for establishing a VPN channel between the VPN unit and a VPN platform;
and writing the digital certificate into the SIM module.
In one possible implementation, the starting the VPN unit based on the SIM module includes:
acquiring a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module based on the data packet and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving a response result of the VPN platform for verifying the authentication data;
and starting the VPN unit based on the response result.
In one possible implementation, after completing login and starting the VPN unit to implement mobile office, the method further includes:
determining an operation log of the MDM module, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and sending the operation log to the MDM equipment based on a preset period.
Second aspect of the invention
The embodiment of the invention provides another method for realizing mobile office, which is applied to an MDM device, wherein the MDM device is in communication connection with a terminal device, and the method comprises the following steps:
receiving login information sent by the terminal equipment and hardware identification information of the terminal equipment, wherein the login information is determined by user identity information of a terminal user;
verifying the login information and the hardware identification information based on a preset corresponding relationship, determining the identity of the terminal user, and obtaining a verification result, wherein the preset corresponding relationship is used for indicating the one-to-one corresponding relationship between the login information and the hardware identification information;
and sending the verification result to the terminal equipment so that the terminal equipment completes login and starts VPN to realize mobile office based on the verification result.
In a possible implementation manner, before checking the login information and the hardware identification information based on a preset correspondence and determining the identity of the terminal user, the method further includes:
acquiring user identity information input by the terminal user;
and generating and storing the login information based on the user identity information, and binding the login information with hardware identification information of the terminal equipment of the terminal user to determine the preset corresponding relationship.
In a possible implementation manner, the verifying the login information and the hardware identification information based on a preset correspondence, determining the identity of the terminal user, and obtaining a verification result includes:
and determining whether the login information is matched with the hardware identification information or not based on a preset corresponding relation, and obtaining a verification result, wherein the verification result is used for indicating that the identity verification of the terminal user passes or fails.
In a possible implementation manner, if the number of identity verification failures exceeds a preset number of verification attempts, the method further includes:
sending a locking instruction to the terminal device, so that the terminal device executes the locking instruction after receiving it and locks itself.
In a possible implementation manner, after sending the verification result to the terminal device, the method further includes:
acquiring and storing an operation log sent by the terminal device, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and when a query operation indicating a query for a target business record is detected, determining the business operation record corresponding to the query operation from the operation log and returning it.
Third aspect of the invention
The embodiment of the invention provides a terminal device, which is in communication connection with an MDM device, and comprises:
the MDM module is integrated with a Virtual Private Network (VPN) unit and used for sending login information and hardware identification information of the terminal equipment to the MDM equipment when login information of a terminal user for performing login operation on the MDM module is detected, wherein the login information is determined by user identity information of the terminal user;
the receiving module is used for receiving a verification result of the MDM equipment after the MDM equipment carries out identity verification on the terminal user based on the login information and the hardware identification information;
and the processing module is used for finishing login and starting the VPN unit based on the SIM module to realize mobile office if the verification result shows that the identity verification of the terminal user passes.
In one possible implementation, the MDM module is further configured to:
before the login information and the hardware identification information of the terminal device are sent to the MDM device, obtaining a digital certificate applied for by the terminal user, wherein the digital certificate is used for establishing a VPN channel between the VPN unit and a VPN platform;
and writing the digital certificate into the SIM module.
In one possible implementation, the processing module is configured to:
acquiring a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module based on the data packet and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving a response result of the VPN platform for verifying the authentication data;
and starting the VPN unit based on the response result.
In one possible implementation, the processing module is further configured to:
after logging in and starting a VPN unit to realize mobile office, determining an operation log of the MDM module, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and sending the operation log to the MDM equipment based on a preset period.
Fourth aspect of the invention
The embodiment of the invention provides an MDM device, which is in communication connection with a terminal device, and comprises:
the receiving module is used for receiving login information sent by the terminal equipment and hardware identification information of the terminal equipment, wherein the login information is determined by user identity information of a terminal user;
the processing module is used for verifying the login information and the hardware identification information based on a preset corresponding relationship, determining the identity of the terminal user and obtaining a verification result, wherein the preset corresponding relationship is used for indicating the one-to-one corresponding relationship between the login information and the hardware identification information;
and the sending module is used for sending the verification result to the terminal equipment so that the terminal equipment completes login based on the verification result and starts VPN to realize mobile office.
In one possible implementation, the processing module is further configured to:
the login information and the hardware identification information are verified based on a preset corresponding relation, and before the terminal user identity is determined, user identity information input by the terminal user is obtained;
and generating and storing the login information based on the user identity information, and binding the login information with hardware identification information of the terminal equipment of the terminal user to determine the preset corresponding relationship.
In one possible implementation, the processing module is further configured to:
and determining whether the login information is matched with the hardware identification information or not based on a preset corresponding relation, and obtaining a verification result, wherein the verification result is used for indicating that the identity verification of the terminal user passes or fails.
In one possible implementation manner, the sending module is further configured to:
if the number of identity verification failures exceeds a preset number of verification attempts, sending a locking instruction to the terminal device, so that the terminal device executes the locking instruction after receiving it and locks itself.
In one possible implementation manner, the receiving module is further configured to:
after the verification result is sent to the terminal device, acquiring and storing an operation log sent by the terminal device, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and when a query operation indicating a query for a target business record is detected, determining the business operation record corresponding to the query operation from the operation log and returning it.
Fifth aspect of the invention
An embodiment of the present invention provides a computer apparatus, where the computer apparatus includes:
at least one processor, and
a memory communicatively coupled to the at least one processor, a communication interface;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor performs the method of the first aspect or the second aspect using the communication interface by executing the instructions stored by the memory.
Sixth aspect
An embodiment of the present invention provides a computer-readable storage medium storing computer instructions, which, when executed on a computer, cause the computer to perform the method according to the first aspect or the second aspect.
One or more of the above technical solutions have at least the following technical effects or advantages:
Firstly, the method for realizing mobile office is applied to a terminal device and comprises: when login information of a terminal user logging in to the MDM module is detected, sending the login information and the hardware identification information of the terminal device to the MDM device; receiving the verification result after the MDM device verifies the identity of the terminal user based on the login information and the hardware identification information; and, if the verification result shows that the identity of the terminal user passes verification, completing login and starting the VPN unit based on the SIM module to realize mobile office. This solves the technical problem of low security when mobile office is realized in the prior art and improves the security of a terminal device performing mobile office.
Secondly, in the embodiment of the invention, when the MDM device receives the login information and the hardware identification information sent by the terminal device, it verifies them based on the preset correspondence so as to determine the identity of the terminal user and obtain a verification result, and then sends the verification result to the terminal device, so that the terminal device completes login based on the verification result and starts the VPN to realize mobile office; the login security of the terminal device is thereby improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments of the present invention will be briefly described below, and it is obvious that the drawings described below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a general technical framework diagram of a design in an embodiment of the present invention;
FIG. 2 is a schematic flow chart of a method for implementing mobile office in an embodiment of the present invention;
FIG. 3 is a schematic flow chart of starting a VPN unit based on a SIM module according to an embodiment of the present invention;
FIG. 4 is a schematic flow chart illustrating another method for implementing mobile office according to an embodiment of the present invention;
FIG. 5 is a block diagram of a terminal device according to an embodiment of the present invention;
FIG. 6 is a schematic block diagram of an MDM device in an embodiment of the invention;
FIG. 7 is a block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention.
In the embodiment of the invention, the OA office application can be pushed and installed by issuing it from a security management platform through a Mobile terminal Management (MDM) module that integrates the VPN unit, thereby providing a secure and reliable mobile office platform.
In the following, some terms in the embodiments of the present invention will be described first for those skilled in the art to understand.
Mobile office: an electronic mobile office system that uses a terminal device to access the office system over a wireless network for online work at any time and in any place.
The MDM device: provides management of the whole life cycle of the terminal device, from registration, activation and use to retirement, including configuration management, security management and asset management of the terminal device.
VPN: virtual private networks may establish a private communication link between two or more intranets located at different locations via a specially encrypted communication protocol. The VPN in the embodiment of the present invention may be a Secure Sockets Layer (SSL) VPN, or the like.
Next, a brief description will be given of the overall technical framework of the design in the embodiment of the present invention.
Fig. 1 is a general technical framework diagram of a design scheme in an embodiment of the present invention. In fig. 1, the terminal device may be in communication connection with a government affairs network through a VPN channel, where the terminal device may include an MDM module and a SIM module, and the MDM module may integrate a VPN unit, a Mobile Application Management (MAM) unit and a Mobile Content Management (MCM) unit, which may implement identity authentication, data storage, security protection and isolation of the operating environment.
The government affair network can comprise the MDM equipment, the MDM equipment can integrate the functions of the MAM platform and the MCM platform, and the functions of accessing an authentication gateway, pre-positioning applications and the like can be realized.
The terminal equipment can be mobile phones, notebook computers, tablets and other equipment; the communication network of the VPN channel may be a cellular network, the internet or a private network, a local area network, WIFI, and Wireless local area network Authentication and Privacy Infrastructure (WAPI), etc.; modules such as a firewall, an access authentication module, an application front-end module and the like, a mobile application system, a government office system and the like can be arranged under the government affair network.
Based on the above general framework, embodiments of the present invention provide a method for implementing mobile office, where when login information of a terminal user performing login operation on an MDM module is detected, the login information and hardware identification information of the terminal device are sent to the MDM device, then a verification result obtained after the MDM device performs identity verification on the terminal user based on the login information and the hardware identification information is received, and if the verification result indicates that the identity verification of the terminal user passes, login is completed and a VPN unit is started based on an SIM module to implement mobile office, thereby solving the technical problem of low security when mobile office is implemented in the prior art, and improving security when the terminal device performs mobile office.
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
Example one
Referring to fig. 2, an embodiment of the present invention provides a method for implementing mobile office, which may be applied to a terminal device, where an implementation process of the method may be described as follows:
s201: when login information of a terminal user for performing login operation on an MDM module is detected, the login information and hardware identification information of the terminal device are sent to the MDM device, and the login information is determined by user identity information of the terminal user;
s202: receiving a verification result obtained after the MDM equipment carries out identity verification on the terminal user based on the login information and the hardware identification information;
s203: and if the verification result shows that the identity verification of the terminal user passes, finishing login and starting the VPN unit based on the SIM module to realize mobile office.
In the embodiment of the invention, the terminal device can acquire the digital certificate applied for by the terminal user and store it in a designated directory of the terminal device, which the terminal user can customize. Then the terminal device can write the digital certificate into its SIM module through the certificate write function of the MDM module.
Specifically, a digital certificate technology based on SIM shield storage is adopted. The SIM shield application is loaded on the SIM/USIM (hereinafter referred to as SIM) module; it provides secure storage and computing capability to the outside, can store the user's private key and user certificate information, and can perform operations such as public/private key generation, RSA encryption and decryption, signing and signature verification, and hashing. Government users first need to download the certificate to local storage; when the government affairs terminal is started, the SIM shield application can be invoked to write the certificate into the local SIM module, realizing secure storage of the certificate.
Due to the adoption of the MDM module, the terminal equipment has the management function of the mobile terminal equipment, and the terminal equipment can be remotely controlled at the MDM equipment side, so that the functions of positioning the terminal equipment, applying, sending messages and files, erasing remote data, binding the equipment and a user and the like are realized.
The terminal user can open an account on the MDM equipment side and input user identity information, such as an identification number, a telephone number, personal related data and the like. The MDM device may create login information, such as a user name and a password, which may be used for logging in the MDM module at the terminal device side according to the user identity information. Then, the MDM device may issue the login information to the terminal device in a short message, email, or the like.
Further, S201 may be entered: when the terminal device detects login information of a terminal user performing a login operation on the MDM module, it may send the login information and the hardware identification information of the terminal device to the MDM device, where the hardware identification information may include an International Mobile Equipment Identity (IMEI) code, an International Mobile Subscriber Identity (IMSI) code and the like.
IMEI: an "electronic serial number" consisting of 15 digits corresponds one-to-one to each terminal device, and the code is unique worldwide. Each terminal device will be given a globally unique set of numbers after assembly is complete, which will be recorded by the manufacturer from production to delivery.
IMSI: the identification for distinguishing the terminal user, stored in the SIM module, can be used to distinguish the valid information of the terminal user.
After the login information and the hardware identification information are sent to the MDM device, the process enters S202: the terminal device receives the verification result sent by the MDM device after it verifies the terminal user based on the login information and the hardware identification information. That is, the MDM device can verify the legality of the terminal user according to the login information and the hardware identification information reported by the terminal device, and can bind the hardware identification information of the terminal device to the terminal user.
In S203, if the verification result received by the terminal device indicates that the identity verification of the terminal user passes, the MDM module may be logged in, and the VPN unit is started based on the SIM module, so as to implement mobile office.
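The following is an added example (not code from the patent or its assignees) modelling the MDM-device side of the flow described in the second aspect and in S201 to S203: account creation from user identity information, the one-to-one binding of the issued login information to the terminal's hardware identification information, verification of a reported login, and the locking instruction sent once the failure count exceeds the preset number of attempts. The threshold value, the salted-hash password storage, the IMEI/IMSI sample values and all function names are assumptions made for the example.

```python
"""MDM-device model: login information bound one-to-one to terminal hardware.

Illustrative code written for this page, not the patent's implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Assumption: the "preset verification times" after which a lock is sent.
PRESET_VERIFICATION_TIMES = 3


def _hash_password(password: str, salt: bytes) -> bytes:
    # Only a salted PBKDF2 hash is stored, so a copy of the MDM database does
    # not expose the passwords that were issued to terminal users.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    imei: str            # bound hardware identification information
    imsi: str
    failures: int = 0
    locked: bool = False


class MdmDevice:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}
        self._bound_hardware: Set[Tuple[str, str]] = set()

    def open_account(self, username: str, imei: str, imsi: str) -> str:
        """Create login information for a user and bind it to one terminal.

        Returns the generated password; the MDM device would deliver it out of
        band (short message or e-mail, as the description says)."""
        if username in self._accounts:
            raise ValueError("login information already exists for this user")
        if (imei, imsi) in self._bound_hardware:
            # The preset correspondence is one-to-one: a terminal cannot be
            # bound to a second set of login information.
            raise ValueError("terminal hardware already bound to another user")
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(
            username, salt, _hash_password(password, salt), imei, imsi)
        self._bound_hardware.add((imei, imsi))
        return password

    def verify(self, username: str, password: str, imei: str, imsi: str) -> dict:
        """Check reported login information against the bound hardware.

        The result only states pass or fail; it deliberately does not reveal
        which of the two checks (password or hardware binding) failed."""
        acct = self._accounts.get(username)
        if acct is None:
            return {"passed": False}
        if acct.locked:
            return {"passed": False, "instruction": "LOCK"}
        pw_ok = hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash)
        hw_ok = (imei, imsi) == (acct.imei, acct.imsi)
        if pw_ok and hw_ok:
            acct.failures = 0
            return {"passed": True}
        acct.failures += 1
        result = {"passed": False}
        if acct.failures > PRESET_VERIFICATION_TIMES:
            acct.locked = True
            result["instruction"] = "LOCK"   # terminal executes this and locks itself
        return result


if __name__ == "__main__":
    # Constructed sample values, not real identifiers.
    mdm = MdmDevice()
    pwd = mdm.open_account("user001", "IMEI-000000000000001", "IMSI-460000000000001")
    print(mdm.verify("user001", pwd, "IMEI-000000000000001", "IMSI-460000000000001"))
    # Correct credentials reported from a different terminal are refused.
    print(mdm.verify("user001", pwd, "IMEI-999999999999999", "IMSI-460000000000001"))
```

The second call in the usage block is the point of the hardware binding: a leaked user name and password alone no longer suffice, because the MDM device compares them against the IMEI/IMSI recorded when the account was opened.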
In one possible implementation, referring to fig. 3, the process of starting the VPN unit based on the SIM module may be described as follows:
S301: acquiring a data packet from the VPN platform through the VPN unit, where the data packet may include interactive data requesting connection authentication; then the process proceeds to S302;
S302: determining authentication data from the SIM module based on the data packet, and sending the authentication data to the VPN platform, where the authentication data includes a digital certificate;
S303: receiving a response result of the VPN platform verifying the authentication data;
S304: establishing a VPN channel based on the response result to start the VPN unit.
In the embodiment of the invention, the MDM module integrates the VPN unit, stores the digital certificate in the SIM module, and establishes a secure connection with the remote server by certificate authentication, which provides financial-grade authentication security at a level far higher than traditional identity authentication based on a user name and password. The SIM-based scheme for starting the VPN unit also simplifies the operations a terminal user must perform to establish the VPN, improving both the usability and the security of the VPN.
In a possible implementation manner, after logging in and starting the VPN unit to implement mobile office, the terminal device may determine an operation log of the MDM module, where the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of a factory identifier of the terminal device, the user name of the terminal user, and the operation time;
and send the operation log to the MDM device on a preset period.
All business operation records on the terminal device side can thus be recorded completely and sent periodically to the MDM device for storage, and enterprise administrators can track the access behaviour of the terminal device side at any time from the operation logs in order to prevent risks.
In summary, one or more technical solutions of the embodiments of the present invention have at least the following technical effects or advantages:
First, the method for implementing mobile office is applied to a terminal device and includes: when login information of a terminal user logging in to the MDM module is detected, sending the login information and the hardware identification information of the terminal device to the MDM device; receiving the verification result after the MDM device verifies the identity of the terminal user based on the login information and the hardware identification information; and, if the verification result shows that the identity verification of the terminal user has passed, completing login and starting the VPN unit based on the SIM module to implement mobile office. This solves the technical problem of low security when implementing mobile office in the prior art and improves the security of the terminal device when performing mobile office.
Second, because the terminal device includes the MDM module, it has mobile terminal device management functions and can be controlled remotely from the MDM device side, so that functions such as locating the terminal device, pushing applications, sending messages and files, remotely erasing data, and binding the device to a user are realized.
Third, the secure access of the VPN is carried out over a VPN channel constructed from the digital certificate stored in the SIM module, which ensures the transmission security of the terminal device when it accesses the government affairs network from the public wireless network.
Fourth, when the terminal device side detects the login information of the terminal user, the login information and the hardware identification information of the terminal device are sent to the MDM device for user identity authentication, and login is allowed only after verification passes. In other words, only the designated terminal user is allowed to log in to the MDM module on the currently activated terminal device, so remote login or simultaneous login from multiple terminal devices is prohibited and login security is improved.
Example two
Referring to fig. 4, another method for implementing mobile office according to an embodiment of the present invention may be applied to an MDM device, where the MDM device and a terminal device may be communicatively connected. Because the terminal device is connected to the MDM device through its MDM module, the MDM device can remotely control the terminal device, for example to lock, unlock, locate or ring it, erase its data, restore factory settings, or remove the binding of the terminal device to its SIM module.
The implementation process of the method may be described as follows:
S401: receiving login information sent by the terminal device and hardware identification information of the terminal device, where the login information is determined by the user identity information of the terminal user;
S402: verifying the login information and the hardware identification information based on a preset correspondence, determining the identity of the terminal user, and obtaining a verification result, where the preset correspondence indicates the one-to-one correspondence between login information and hardware identification information;
S403: sending the verification result to the terminal device, so that the terminal device completes login based on the verification result and starts the VPN to implement mobile office.
The MDM device can obtain the user identity information entered when a terminal user opens an account, such as an ID number, a telephone number, and related personal data. From the user identity information the MDM device may create login information, such as a user name and a password, which can be used to log in to the MDM module on the terminal device side. The MDM device may then issue the login information to the terminal device by short message, e-mail, or the like.
At the same time, the MDM device can store the login information and bind the login information of the terminal user to the hardware identification information of the terminal device, thereby determining the preset correspondence.
In S401, the MDM device may receive login information sent by the terminal device and hardware identification information of the terminal device, and then proceed to S402.
The MDM equipment can verify the login information and the hardware identification information according to a preset corresponding relation, determine the identity of the terminal user and obtain a verification result, wherein the preset corresponding relation is used for indicating the one-to-one corresponding relation between the login information and the hardware identification information.
In a possible implementation manner, the MDM device may determine whether the login information is matched with the hardware identification information according to a preset corresponding relationship, and obtain a verification result, where the verification result is used to indicate that the identity verification of the terminal user passes or fails.
Then, the process goes to S403, that is, the MDM device may feed back the verification result to the terminal device, so that the terminal device may complete login of the MDM module according to the verification result and start the VPN unit based on the SIM module to implement mobile office.
In a possible implementation manner, in order to avoid the data loss that would follow the loss of a terminal device, if the MDM device determines that the number of failed identity verifications of the terminal user exceeds a preset number of verification attempts, the MDM device may send a locking instruction to the terminal device, so that the terminal device executes the locking instruction and locks itself after receiving it.
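The MDM-side check of S401 to S403 together with the lock instruction, as an added example that is not the patent's own code: login information is bound one-to-one to the device's hardware identification at enrolment, a login from the right user on a different device fails, and a device whose failure count exceeds the preset limit is locked until the MDM device unlocks it. The class and function names, the attempt limit and all user, IMEI and IMSI values are constructed for illustration.

```python
"""Added example, not code from the patent: MDM-side identity verification
against a preset login-to-hardware binding, with lock after repeated failures."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class HardwareId:
    """Hardware identification information reported by the terminal (S401)."""
    imei: str
    imsi: str


@dataclass(frozen=True)
class Binding:
    """One entry of the preset correspondence: login info bound to one device."""
    salt: bytes
    password_hash: bytes
    hardware: HardwareId


class MdmDevice:
    """Constructed model of the MDM device's verification logic (S402/S403)."""

    def __init__(self, max_failures: int = 3) -> None:
        self.max_failures = max_failures          # preset number of verification attempts
        self.bindings: dict[str, Binding] = {}    # user name -> binding
        self.failures: dict[str, int] = {}        # IMEI -> consecutive failures
        self.locked: set[str] = set()             # IMEIs that were sent a lock instruction

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Salted PBKDF2 so the MDM device never stores the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, username: str, password: str, hardware: HardwareId) -> None:
        """Account opening: generate login info and bind it to exactly one device."""
        salt = os.urandom(16)
        self.bindings[username] = Binding(salt, self._hash(password, salt), hardware)

    def verify(self, username: str, password: str, hardware: HardwareId) -> str:
        """Return the verification result sent to the terminal:
        'pass', 'fail', or 'lock' (a locking instruction is to be sent)."""
        if hardware.imei in self.locked:
            return "lock"                          # remain locked until unlock()
        binding = self.bindings.get(username)
        # Always run the hash so unknown user names take the same time as wrong passwords.
        salt = binding.salt if binding else bytes(16)
        candidate = self._hash(password, salt)
        password_ok = binding is not None and hmac.compare_digest(candidate, binding.password_hash)
        # Both the login info AND the bound hardware id must match (one-to-one correspondence).
        if password_ok and binding.hardware == hardware:
            self.failures.pop(hardware.imei, None)
            return "pass"
        count = self.failures.get(hardware.imei, 0) + 1
        self.failures[hardware.imei] = count
        if count > self.max_failures:
            self.locked.add(hardware.imei)         # S403 carries a locking instruction
            return "lock"
        return "fail"

    def unlock(self, imei: str) -> None:
        """Remote unlock by the administrator; clears the failure counter too."""
        self.locked.discard(imei)
        self.failures.pop(imei, None)


if __name__ == "__main__":
    mdm = MdmDevice(max_failures=2)
    phone = HardwareId(imei="IMEI-CONSTRUCTED-0001", imsi="IMSI-CONSTRUCTED-0001")
    mdm.enroll("alice", "correct horse", phone)
    print(mdm.verify("alice", "correct horse", phone))   # pass
    other = HardwareId(imei="IMEI-CONSTRUCTED-0002", imsi="IMSI-CONSTRUCTED-0002")
    print(mdm.verify("alice", "correct horse", other))   # fail: right user, unbound device
```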
In a possible implementation manner, after sending the verification result to the terminal device, the method may further include: obtaining and storing an operation log sent by the terminal device, where the operation log includes a plurality of business operation records of the terminal user for the MDM module, and each business operation record includes one or any combination of a factory identifier of the terminal device, the user name of the terminal user, and the operation time;
and, when a query operation indicating a target business record to be queried is detected, determining the business operation record corresponding to the query operation from the operation log based on the query operation, and feeding it back.
In practical applications, the MDM device may obtain the operation logs sent by the terminal device at regular or irregular intervals and then store them.
When the MDM device detects a query operation, for example an enterprise administrator entering the terminal device ID or the user name of a terminal user on the MDM device, the MDM device may determine the corresponding business operation record from the stored operation log according to the query operation. The business operation record may then be displayed on a display unit of the MDM device for the user to view, or sent by short message or e-mail to the terminal device corresponding to the query operation.
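The terminal-side log buffer that is flushed on a preset period and the MDM-side store that answers queries by factory identifier or user name, as an added example that is not the patent's own code. The record fields are the ones the page names (factory identifier, user name, operation time); the additional `operation` field, the period, the clock handling and the sample records are constructed for illustration.

```python
"""Added example, not code from the patent: operation-log reporting on a
preset period and MDM-side query by factory identifier or user name."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable


@dataclass(frozen=True)
class OperationRecord:
    factory_id: str          # factory identifier of the terminal device
    username: str            # user name of the terminal user
    operation_time: datetime
    operation: str           # assumption: short description of the business operation


class TerminalLog:
    """MDM-module side: collects every business operation, reports in batches."""

    def __init__(self, period: timedelta, send: Callable[[list[OperationRecord]], None]) -> None:
        self.period = period           # the preset period
        self.send = send               # delivers a batch to the MDM device
        self.buffer: list[OperationRecord] = []
        self.last_sent: datetime | None = None

    def record(self, rec: OperationRecord, now: datetime) -> bool:
        """Append one record; return True if this call flushed the buffer."""
        self.buffer.append(rec)
        return self.flush_if_due(now)

    def flush_if_due(self, now: datetime) -> bool:
        """Send the buffered records once a full period has elapsed."""
        if self.last_sent is None:
            self.last_sent = now       # first record starts the period
        if self.buffer and now - self.last_sent >= self.period:
            self.send(list(self.buffer))
            self.buffer.clear()
            self.last_sent = now
            return True
        return False


class MdmLogStore:
    """MDM-device side: stores received logs and answers administrator queries."""

    def __init__(self) -> None:
        self.records: list[OperationRecord] = []

    def receive(self, batch: list[OperationRecord]) -> None:
        self.records.extend(batch)

    def query(self, *, factory_id: str | None = None, username: str | None = None) -> list[OperationRecord]:
        """Return records matching the given terminal device ID and/or user name."""
        return [
            r for r in self.records
            if (factory_id is None or r.factory_id == factory_id)
            and (username is None or r.username == username)
        ]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0, 0)          # constructed clock
    store = MdmLogStore()
    log = TerminalLog(timedelta(minutes=10), store.receive)
    log.record(OperationRecord("FAC-0001", "alice", t0, "login"), t0)
    log.record(OperationRecord("FAC-0001", "alice", t0 + timedelta(minutes=10), "open_doc"),
               t0 + timedelta(minutes=10))
    print(len(store.query(username="alice")))   # 2: both records flushed at t0+10min
```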
The MDM device can also push OA applications by sending the installation package to the terminal device over the established VPN channel, and can force the installation or removal of a specified OA application, which avoids the leakage risk of distributing or downloading the OA application through other channels.
In summary, one or more technical solutions of the embodiments of the present invention have at least the following technical effects or advantages:
First, in the embodiment of the present invention, when receiving login information and hardware identification information sent by a terminal device, the MDM device verifies the login information and the hardware identification information based on a preset correspondence to determine the identity of the terminal user and obtain a verification result, and then sends the verification result to the terminal device, so that the terminal device completes login based on the verification result and starts the VPN to implement mobile office, thereby improving the login security of the terminal device.
Second, in order to avoid the data loss that would follow the loss of a terminal device, if the MDM device determines that the number of failed identity verifications of the terminal user exceeds the preset number of verification attempts, it can send a locking instruction to the terminal device, so that the terminal device executes the locking instruction and locks itself after receiving it.
It should be noted that, in practical applications, the method for implementing mobile office provided in the first embodiment or the second embodiment may be separately used for implementing mobile office, or the mobile office may also be implemented by combining the technical solutions of the first embodiment and the second embodiment, and the embodiments of the present invention are not limited in particular.
Example three
Referring to fig. 5, based on the same inventive concept, an embodiment of the present invention provides a terminal device, where the terminal device is communicatively connected to an MDM device, and the terminal device includes:
the MDM module 51 is integrated with a virtual private network VPN unit, and configured to send login information and hardware identification information of the terminal device to the MDM device when login information of a terminal user performing a login operation on the MDM module 51 is detected, where the login information is determined by user identity information of the terminal user;
a receiving module 52, configured to receive a verification result obtained after the MDM device performs identity verification on the terminal user based on the login information and the hardware identification information;
and the processing module 53 is configured to complete login and start the VPN unit based on the SIM module to implement mobile office if the verification result indicates that the identity verification of the terminal user passes.
In one possible implementation, the MDM module 51 is further configured to:
before the login information and the hardware identification information of the terminal device are sent to the MDM device, obtain a digital certificate applied for by the terminal user, where the digital certificate is used to establish a VPN channel between the VPN unit and the VPN platform;
and writing the digital certificate into the SIM module.
In one possible implementation manner, the processing module 53 is configured to:
acquiring a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module based on the data packet and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving a response result of the VPN platform for verifying the authentication data;
and starting the VPN unit based on the response result.
In a possible implementation manner, the processing module 53 is further configured to:
after logging in and starting a VPN unit to realize mobile office, determining an operation log of the MDM module, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and sending the operation log to the MDM equipment based on a preset period.
Example four
Referring to fig. 6, based on the same inventive concept, an embodiment of the present invention provides an MDM device, where the MDM device is communicatively connected to a terminal device, and the MDM device includes:
a receiving module 61, configured to receive login information sent by the terminal device and hardware identification information of the terminal device, where the login information is determined by user identity information of a terminal user;
a processing module 62, configured to verify the login information and the hardware identification information based on a preset correspondence, determine the identity of the terminal user, and obtain a verification result, where the preset correspondence is used to indicate a one-to-one correspondence between the login information and the hardware identification information;
and a sending module 63, configured to send the verification result to the terminal device, so that the terminal device completes login based on the verification result and starts a VPN to implement mobile office.
In one possible implementation, the processing module 62 is further configured to:
before the login information and the hardware identification information are verified based on the preset correspondence and the identity of the terminal user is determined, obtain the user identity information entered by the terminal user;
and generate and store the login information based on the user identity information, and bind the login information to the hardware identification information of the terminal device of that terminal user to determine the preset correspondence.
In one possible implementation, the processing module 62 is further configured to:
and determining whether the login information is matched with the hardware identification information or not based on a preset corresponding relation, and obtaining a verification result, wherein the verification result is used for indicating that the identity verification of the terminal user passes or fails.
In a possible implementation manner, the sending module 63 is further configured to:
and if the failure times of the identity verification failure are greater than the preset verification times, sending a locking instruction to the terminal equipment so that the terminal equipment executes the locking instruction to lock the terminal equipment after receiving the locking instruction.
In a possible implementation manner, the receiving module 61 is further configured to:
after the verification result is sent to the terminal device, acquiring and storing an operation log sent by the terminal device, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and when the query operation for indicating query of the target business record is detected, determining the business operation record corresponding to the query operation from the operation log based on the query operation, and feeding back.
Example five
Referring to fig. 7, based on the same inventive concept, an embodiment of the present invention provides a computer apparatus, which includes at least one processor 71, and a memory 72 and a communication interface 73 communicatively connected to the at least one processor 71, where fig. 7 illustrates one processor 71 as an example.
Wherein the memory 72 stores instructions executable by the at least one processor 71, and the at least one processor 71 executes the instructions stored in the memory 72 to perform the method according to the first embodiment or the second embodiment using the communication interface 73.
Example six
Based on the same inventive concept, embodiments of the present invention provide a computer-readable storage medium storing computer instructions that, when executed on a computer, cause the computer to perform the method according to embodiment one or embodiment two.
In particular implementations, the computer-readable storage medium includes: various storage media capable of storing program codes, such as a Universal Serial Bus flash drive (USB), a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, and an optical disk.
The above-described embodiments of the apparatus are merely illustrative, wherein units/modules illustrated as separate components may or may not be physically separate, and components shown as units/modules may or may not be physical units/modules, may be located in one place, or may be distributed over a plurality of network units/modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (18)

1. A method for realizing mobile office is applied to terminal equipment, and is characterized in that the terminal equipment comprises a mobile terminal management MDM module and a user identity identification SIM module, the MDM module is integrated with a virtual private network VPN unit, and the terminal equipment is in communication connection with the MDM equipment through the MDM module, and the method comprises the following steps:
acquiring a digital certificate applied by a terminal user, wherein the digital certificate is used for establishing a VPN channel between the VPN unit and a VPN platform;
writing the digital certificate to the SIM module;
when login information of a terminal user for performing login operation on the MDM module is detected, the login information and hardware identification information of the terminal device are sent to the MDM device, and the login information is determined by user identity information of the terminal user; the MDM equipment stores a preset corresponding relation, and the preset corresponding relation is used for indicating a one-to-one corresponding relation between login information and hardware identification information;
receiving a verification result sent by the MDM equipment, wherein the verification result is a verification result obtained after the MDM equipment verifies the login information and the hardware identification information based on the preset corresponding relation and determines the identity of the terminal user;
and if the verification result shows that the identity verification of the terminal user passes, completing login and starting the VPN unit based on a response result of the digital certificate in the SIM module to realize mobile office, wherein the response result is sent after the VPN platform verifies the digital certificate.
2. The method of claim 1, wherein said initiating the VPN unit based on the result of the response of the digital certificate in the SIM module comprises:
acquiring a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module based on the data packet and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving a response result of the VPN platform for verifying the authentication data;
and starting the VPN unit based on the response result.
3. The method of claim 1 or 2, wherein after completing login and initiating a VPN unit to implement mobile office, the method further comprises:
determining an operation log of the MDM module, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and sending the operation log to the MDM equipment based on a preset period.
4. A method for realizing mobile office is applied to MDM equipment and is characterized in that the MDM equipment is in communication connection with terminal equipment, the terminal equipment comprises a mobile terminal management MDM module and a user identity identification SIM module, the MDM module is integrated with a virtual private network VPN unit, a digital certificate is stored in the SIM module of the terminal equipment, and the digital certificate is used for establishing a VPN channel between the VPN unit and a VPN platform; the method comprises the following steps:
receiving login information sent by the terminal equipment and hardware identification information of the terminal equipment, wherein the login information is determined by user identity information of a terminal user;
verifying the login information and the hardware identification information based on a preset corresponding relationship, determining the identity of the terminal user, and obtaining a verification result, wherein the preset corresponding relationship is used for indicating the one-to-one corresponding relationship between the login information and the hardware identification information;
and sending the verification result to the terminal equipment so that the terminal equipment completes login based on the verification result and starts a VPN based on a response result to realize mobile office, wherein the response result is sent after the VPN platform verifies the digital certificate.
5. The method of claim 4, wherein before checking the login information and the hardware identification information based on a predetermined correspondence to determine the end user identity, the method further comprises:
acquiring user identity information input by the terminal user;
and generating and storing the login information based on the user identity information, and binding the login information with hardware identification information of the terminal equipment of the terminal user to determine the preset corresponding relationship.
6. The method according to claim 4 or 5, wherein the verifying the login information and the hardware identification information based on the preset correspondence, determining the identity of the end user, and obtaining a verification result comprises:
and determining whether the login information is matched with the hardware identification information or not based on a preset corresponding relation, and obtaining a verification result, wherein the verification result is used for indicating that the identity verification of the terminal user passes or fails.
7. The method of claim 6, wherein if the number of failures of the identity verification failure is greater than a predetermined number of times, the method further comprises:
and sending a locking instruction to the terminal equipment so that the terminal equipment executes the locking instruction to lock the terminal equipment after receiving the locking instruction.
8. The method of claim 4 or 7, wherein after sending the verification result to the terminal device, the method further comprises:
acquiring and storing an operation log sent by the terminal device, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and when the query operation for indicating query of the target business record is detected, determining the business operation record corresponding to the query operation from the operation log based on the query operation, and feeding back.
9. A terminal device, wherein the terminal device is communicatively coupled to an MDM device, the terminal device comprising:
a subscriber identity module SIM;
the MDM module is integrated with a Virtual Private Network (VPN) unit and is used for acquiring a digital certificate applied by a terminal user, and the digital certificate is used for establishing a VPN channel between the VPN unit and a VPN platform; and writing the digital certificate to the SIM module;
the MDM module is further used for sending login information and hardware identification information of the terminal equipment to the MDM equipment when login information of a terminal user for performing login operation on the MDM module is detected, wherein the login information is determined by user identity information of the terminal user; the MDM equipment stores a preset corresponding relation, and the preset corresponding relation is used for indicating a one-to-one corresponding relation between login information and hardware identification information;
a receiving module, configured to receive a verification result sent by the MDM device, where the verification result is a verification result obtained after the MDM device verifies the login information and the hardware identification information based on the preset corresponding relationship and determines the identity of the terminal user;
and the processing module is used for finishing login and starting the VPN unit based on a response result of the digital certificate in the SIM module to realize mobile office if the verification result shows that the identity of the terminal user passes the verification, wherein the response result is sent after the VPN platform verifies the digital certificate.
10. The terminal device of claim 9, wherein the processing module is to:
acquiring a data packet from the VPN platform through the VPN unit;
determining authentication data from the SIM module based on the data packet and sending the authentication data to the VPN platform, the authentication data including the digital certificate;
receiving a response result of the VPN platform for verifying the authentication data;
and starting the VPN unit based on the response result.
11. The terminal device of claim 9 or 10, wherein the processing module is further configured to:
after logging in and starting a VPN unit to realize mobile office, determining an operation log of the MDM module, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, a user name and operation time of the terminal user;
and sending the operation log to the MDM equipment based on a preset period.
12. An MDM device is characterized in that the MDM device is in communication connection with a terminal device, the terminal device comprises a mobile terminal management MDM module and a user identity identification SIM module, the MDM module is integrated with a Virtual Private Network (VPN) unit, a digital certificate is stored in the SIM module of the terminal device, and the digital certificate is used for establishing a VPN channel between the VPN unit and a VPN platform; the MDM device includes:
the receiving module is used for receiving login information sent by the terminal equipment and hardware identification information of the terminal equipment, wherein the login information is determined by user identity information of a terminal user;
the processing module is used for verifying the login information and the hardware identification information based on a preset corresponding relationship, determining the identity of the terminal user and obtaining a verification result, wherein the preset corresponding relationship is used for indicating the one-to-one corresponding relationship between the login information and the hardware identification information;
and the sending module is used for sending the verification result to the terminal equipment so that the terminal equipment completes login based on the verification result and starts a VPN to realize mobile office based on a response result of the digital certificate in the SIM module, and the response result is sent after the VPN platform verifies the digital certificate.
13. The MDM device of claim 12, wherein the processing module is further to:
before the login information and the hardware identification information are verified based on the preset correspondence and the identity of the terminal user is determined, obtain the user identity information entered by the terminal user;
and generate and store the login information based on the user identity information, and bind the login information to the hardware identification information of the terminal device of that terminal user to determine the preset correspondence.
14. The MDM device of claim 12 or 13, wherein the processing module is further configured to:
determine, based on the preset correspondence, whether the login information matches the hardware identification information, and obtain the verification result, wherein the verification result indicates that identity verification of the terminal user has passed or failed.
15. The MDM device of claim 14, wherein the sending module is further configured to:
if the number of identity verification failures exceeds a preset number of verification attempts, send a locking instruction to the terminal device, so that the terminal device, after receiving the locking instruction, executes it to lock the terminal device.
16. The MDM device of claim 12 or 15, wherein the receiving module is further configured to:
after the verification result is sent to the terminal device, acquire and store an operation log sent by the terminal device, wherein the operation log comprises a plurality of business operation records of the terminal user for the MDM module, and each business operation record comprises one or any combination of a factory identifier of the terminal device, and a user name and an operation time of the terminal user; and
when a query operation indicating a query of a target business record is detected, determine, based on the query operation, the business operation record corresponding to the query operation from the operation log, and return it.
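As an added example (not the patent's own code) of the MDM-side logic in claims 13 to 16, the following Python model binds generated login information to a hardware identifier, verifies the pair, locks the device after a preset number of failures, and answers queries over the operation log. The class name, the threshold of three attempts and the sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

MAX_FAILURES = 3  # assumed value for the claim's "preset number of verification attempts"


@dataclass
class MdmServer:
    """Toy MDM-side state: bindings, per-device failure counters, operation log."""
    bindings: dict = field(default_factory=dict)  # login token -> hardware id (one-to-one)
    failures: dict = field(default_factory=dict)  # hardware id -> consecutive failures
    op_log: list = field(default_factory=list)    # business operation records

    @staticmethod
    def _login_token(user_identity: str, salt: str) -> str:
        # Login information is derived from the user identity; the raw identity is not stored.
        return hashlib.sha256(f"{salt}:{user_identity}".encode()).hexdigest()

    def enroll(self, user_identity: str, hardware_id: str) -> str:
        """Claim 13: generate login information and bind it to the user's device."""
        if hardware_id in self.bindings.values():
            raise ValueError("device already bound")  # keeps the correspondence one-to-one
        login = self._login_token(user_identity, secrets.token_hex(8))
        self.bindings[login] = hardware_id
        return login

    def verify(self, login: str, hardware_id: str) -> dict:
        """Claims 14-15: check the login/hardware pair; lock after repeated failures."""
        if self.failures.get(hardware_id, 0) >= MAX_FAILURES:
            return {"pass": False, "action": "lock"}  # stays locked until an admin resets it
        bound = self.bindings.get(login, "")
        if hmac.compare_digest(bound, hardware_id):   # constant-time comparison
            self.failures[hardware_id] = 0
            return {"pass": True, "action": None}
        n = self.failures[hardware_id] = self.failures.get(hardware_id, 0) + 1
        return {"pass": False, "action": "lock" if n >= MAX_FAILURES else None}

    def record(self, factory_id: str, user_name: str, op_time: str) -> None:
        """Claim 16: store one business operation record from the terminal's log."""
        self.op_log.append({"factory_id": factory_id, "user": user_name, "time": op_time})

    def query(self, **criteria) -> list:
        """Claim 16: return the records matching every given field."""
        return [r for r in self.op_log if all(r.get(k) == v for k, v in criteria.items())]
```

Because the failure counter is keyed by the hardware identifier the caller presents, a real deployment should also rate-limit per source and allow the lock to be cleared only by an administrator.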
17. A computer device, comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor, and a communication interface;
wherein the memory stores instructions executable by the at least one processor, and the at least one processor, by executing the instructions stored in the memory, performs the method of any one of claims 1-8 using the communication interface.
18. A computer-readable storage medium having stored thereon computer instructions which, when executed on a computer, cause the computer to perform the method of any one of claims 1-8.
CN201711226652.7A 2017-11-29 2017-11-29 A method, terminal device and MDM device for realizing mobile office Active CN109842600B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711226652.7A CN109842600B (en) 2017-11-29 2017-11-29 A method, terminal device and MDM device for realizing mobile office

Publications (2)

Publication Number Publication Date
CN109842600A CN109842600A (en) 2019-06-04
CN109842600B true CN109842600B (en) 2021-08-17

Family

ID=66882164

Country Status (1)

Country Link
CN (1) CN109842600B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant