US 12,238,085 B1
Using a certificate-based protocol to enforce compliance of devices with specifications
Justin Paul Yancey, Seattle, WA (US); Jack A. Drooger, Seattle, WA (US); and Sanjay Dey, Issaquah, WA (US)
Assigned to Amazon Technologies, Inc., Seattle, WA (US)
Filed by Amazon Technologies, Inc., Seattle, WA (US)
Filed on Sep. 30, 2019, as Appl. No. 16/588,980.
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0823 (2013.01) [H04L 63/0272 (2013.01); H04L 63/1433 (2013.01); H04L 63/20 (2013.01)] 19 Claims
OG exemplary drawing
 
1. A system, comprising:
    one or more computing devices of a provider network to implement a device management service, wherein the device management service is configured to:
        for a remote device of a plurality of remote devices managed by the device management service, wherein the remote devices are configured to establish connections with services implemented by the provider network or other networks by providing respective client certificates according to a certificate-based protocol:
            receive, by the device management service of the provider network from the remote device, an indication that a configuration of the remote device is no longer compliant with specifications for the remote device,
                wherein the indication received by the provider network that the configuration of the remote device is no longer compliant with the specifications is based on a previous determination made by an agent implemented by the remote device according to a schedule, using data that is also obtained according to the schedule by the agent at the remote device indicating the configuration of the remote device, that the configuration of the remote device is no longer compliant with the specifications for the remote device;
            based on the reception, by the device management service of the provider network from the remote device, of the indication that the configuration of the remote device is no longer compliant with the specifications for the remote device as previously determined by the agent implemented by the remote device, determine, by the device management service of the provider network, that the configuration of the remote device is no longer compliant with the specifications for the remote device; and
            in response to the determination, by the device management service of the provider network, that the configuration of the remote device is no longer compliant with the specifications for the remote device as previously determined by the agent of the remote device:
                send from the device management service of the provider network to a certificate-based identity provider of the provider network a notification that the remote device is not compliant with the specifications to cause the certificate-based identity provider to prevent further connections from the remote device with the services;
        wherein the remote device comprises one or more managed applications installed by the device management service and one or more other applications not installed by the device management service, and wherein the device management service is configured to:
            in response to the determination that the configuration of the remote device is no longer compliant with the specifications for the remote device:
                prevent subsequent use of the client certificate by the one or more other applications; and
                disable the one or more managed applications installed by the device management service.
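The enforcement flow claim 1 describes, modelled as a constructed Python simulation (an added example, not the patent's or Amazon's implementation): a device-side agent evaluates the configuration against specifications on a schedule, reports only on non-compliance, and the device management service then notifies the certificate-based identity provider to deny further connections, blocks other applications from using the client certificate, and disables the managed applications. All class names, the SPEC contents and the device data are assumptions.

```python
from dataclasses import dataclass
# Constructed sample specifications a managed device must satisfy.
SPEC = {"min_os_version": (12, 4), "disk_encrypted": True, "screen_lock": True}

@dataclass
class Device:
    device_id: str
    cert_id: str          # client certificate the device presents to services
    config: dict          # configuration data the agent gathers on its schedule
    managed_apps_enabled: bool = True
    cert_usable_by_other_apps: bool = True

class IdentityProvider:   # certificate-based identity provider (assumed model)
    def __init__(self):
        self.blocked = set()
    def block(self, cert_id):
        self.blocked.add(cert_id)
    def connect(self, cert_id, service):
        return ("DENIED" if cert_id in self.blocked else "OK", service)

class DeviceManagementService:   # receives the agent's indication, enforces it
    def __init__(self, idp):
        self.idp = idp
        self.noncompliant = {}
    def report(self, device, violations):
        self.noncompliant[device.device_id] = violations  # service's own determination
        self.idp.block(device.cert_id)             # notify IdP: no further connections
        device.cert_usable_by_other_apps = False   # other apps lose the client cert
        device.managed_apps_enabled = False        # managed apps are disabled

def agent_check(device):
    """Compare the device's current configuration with SPEC; return violated keys."""
    cfg = device.config
    violations = ["min_os_version"] if tuple(cfg.get("os_version", (0,))) < SPEC["min_os_version"] else []
    violations += [k for k in ("disk_encrypted", "screen_lock") if cfg.get(k) != SPEC[k]]
    return violations

def agent_tick(device, dms):
    """One scheduled agent run: gather config, evaluate, report only on non-compliance."""
    violations = agent_check(device)
    if violations:
        dms.report(device, violations)
    return violations

def connect(device, idp, service, via_managed_app):
    """Connection attempt with the device's client certificate from a managed or other app."""
    allowed = device.managed_apps_enabled if via_managed_app else device.cert_usable_by_other_apps
    if not allowed:
        return ("BLOCKED_LOCALLY", service)
    return idp.connect(device.cert_id, service)
```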