US 12,489,736 B2
Secure certificate or key distribution for synchronous mobile device management (MDM) clients
Jonathon Deriso, Suwanee, GA (US); Sagar Date, Atlanta, GA (US); Rahul Parwani, Atlanta, GA (US); Jinsong Liu, Atlanta, GA (US); Senthil Parthasarathy, Atlanta, GA (US); and Shravan Shantharam, Cumming, GA (US)
Assigned to Omnissa, LLC, Mountain View, CA (US)
Filed by Omnissa, LLC, Mountain View, CA (US)
Filed on Feb. 28, 2020, as Appl. No. 16/804,824.
Prior Publication US 2021/0273920 A1, Sep. 2, 2021
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 9/40 (2022.01); H04L 9/32 (2006.01); H04L 12/66 (2006.01); H04L 67/146 (2022.01)
CPC H04L 63/0428 (2013.01) [H04L 9/3247 (2013.01); H04L 9/3263 (2013.01); H04L 12/66 (2013.01); H04L 67/146 (2013.01)] 20 Claims
 
1. A system, comprising:
a computing device comprising a processor and a memory; and
machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least:
receive, by a management service on the computing device, an enrollment request from a client device, wherein the client device has stored therein a client device key pair comprising a client device public key and a respective client device private key, and wherein the enrollment request comprises the client device public key;
send a key request from the management service to a certificate provider to provide an encryption key to an enterprise gateway to store locally, the key request comprising a user identifier;
send a query from the management service to the enterprise gateway to determine if the enterprise gateway has a locally stored copy of the encryption key associated with the user identifier;
receive, by the management service, a reply to the query, the reply indicating that the enterprise gateway has the locally stored copy of the encryption key associated with the user identifier;
in response to receipt of the reply to the query, send a skeleton payload and the client device public key from the management service to the enterprise gateway;
receive, by the management service, an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with the encryption key inserted by the enterprise gateway into the skeleton payload, wherein the encrypted profile is encrypted by the enterprise gateway using the client device public key, wherein the management service does not have access to the client device private key to decrypt the encrypted profile; and
relay the encrypted profile from the management service to the client device, wherein the client device decrypts the encrypted profile using the client device private key to obtain access to the encryption key in the skeleton payload.
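The enrollment flow claimed above, simulated end to end in Go as an added example (this is not the patent's text and not Omnissa's code). It models the four parties as plain types and shows the property the claim turns on: the management service handles only the client device public key and the opaque encrypted profile, while the encryption key is inserted by the enterprise gateway and recovered only by the holder of the client device private key. Everything beyond the claim is an assumption: the certificate provider is reduced to a random-key function, the skeleton payload is a constructed JSON map, and the unspecified "encrypted using the client device public key" step is realised as RSA-OAEP wrapping a fresh AES-256-GCM key (a typical hybrid construction, chosen so the profile is not limited to one RSA block).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)

// EncryptedProfile is what the gateway returns and the management service relays untouched.
// The hybrid scheme (RSA-OAEP wrapping a fresh AES-256-GCM key) is an assumption of this example.
type EncryptedProfile struct {
	WrappedKey []byte // AES key encrypted with the client device public key
	Nonce      []byte
	Ciphertext []byte // AES-GCM ciphertext of the completed profile
}

// GenerateClientKeyPair stands in for the key pair the client device already holds.
func GenerateClientKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// random returns n bytes from crypto/rand (modern Go's rand.Read always fills the buffer).
func random(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EnterpriseGateway keeps encryption keys locally, indexed by user identifier.
type EnterpriseGateway struct{ keys map[string][]byte }

func NewEnterpriseGateway() *EnterpriseGateway                 { return &EnterpriseGateway{keys: map[string][]byte{}} }
func (g *EnterpriseGateway) StoreKey(userID string, key []byte) { g.keys[userID] = key }
func (g *EnterpriseGateway) HasKey(userID string) bool          { _, ok := g.keys[userID]; return ok }
func (g *EnterpriseGateway) KeyHex(userID string) string        { return hex.EncodeToString(g.keys[userID]) }

// BuildEncryptedProfile inserts the locally stored key into the skeleton payload (in place) and
// encrypts the result so that only the holder of the client device private key can read it.
func (g *EnterpriseGateway) BuildEncryptedProfile(userID string, skeleton map[string]string, clientPub *rsa.PublicKey) (*EncryptedProfile, error) {
	key, ok := g.keys[userID]
	if !ok {
		return nil, errors.New("gateway: no locally stored key for user")
	}
	skeleton["EncryptionKey"] = hex.EncodeToString(key)
	plaintext, err := json.Marshal(skeleton)
	if err != nil {
		return nil, err
	}
	aesKey := random(32)
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := random(gcm.NonceSize())
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, clientPub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &EncryptedProfile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// ManagementService orchestrates enrollment. It handles the client public key and the
// encrypted profile but never the encryption key or the client device private key.
type ManagementService struct{ gateway *EnterpriseGateway }

// Enroll runs the claimed sequence: key request to the provider (key delivered to the gateway,
// not to the service), query to the gateway, skeleton payload plus public key to the gateway, relay.
func (m *ManagementService) Enroll(userID string, clientPub *rsa.PublicKey) (*EncryptedProfile, error) {
	m.gateway.StoreKey(userID, random(32)) // stand-in for the certificate provider's key delivery
	if !m.gateway.HasKey(userID) {
		return nil, errors.New("management service: gateway reports no key for user")
	}
	skeleton := map[string]string{"PayloadType": "com.example.mdm.profile", "UserID": userID} // constructed sample
	return m.gateway.BuildEncryptedProfile(userID, skeleton, clientPub)
}

// DecryptProfile is the client device step: unwrap the AES key with the private key, then open the profile.
func DecryptProfile(priv *rsa.PrivateKey, ep *EncryptedProfile) (map[string]string, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ep.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, ep.Nonce, ep.Ciphertext, nil)
	if err != nil {
		return nil, err
	}
	var profile map[string]string
	return profile, json.Unmarshal(plaintext, &profile)
}
```

Usage: generate the client key pair, call `Enroll("alice", &priv.PublicKey)` on a `ManagementService` holding a `NewEnterpriseGateway()`, and hand the returned `EncryptedProfile` to `DecryptProfile(priv, ep)`; the recovered `EncryptionKey` field equals the gateway's `KeyHex("alice")`, while decryption with any other private key fails at the OAEP step. The `HasKey` query before the skeleton payload is sent mirrors the claim's reply check, and the gateway refuses to build a profile for a user identifier it has no key for.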