公开(公告)号：US11514157B2

公开(公告)日：2022-11-29

申请号：US16853608

申请日：2020-04-20

Applicant: Apple Inc.

Inventor： Andrew S. Terry ,  Kelly B. Yancey ,  Pierre-Olivier J. Martel ,  Richard L. Hagy ,  Timothy P. Hannon ,  Alastair K. Fettes

IPC: G06F21/53 ,  G06F21/00 ,  G06F16/18 ,  G06F21/62

Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.

公开(公告)号：US10216928B2

公开(公告)日：2019-02-26

申请号：US15663432

申请日：2017-07-28

Applicant: Apple Inc.

Inventor： Pierre-Olivier J. Martel ,  Kelly B. Yancey ,  Richard L. Hagy

IPC: G06F17/00 ,  H04L29/06 ,  G06F21/53 ,  G06F21/62

Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.

公开(公告)号：US20170053113A1

公开(公告)日：2017-02-23

申请号：US15162449

申请日：2016-05-23

Applicant: Apple Inc.

Inventor： Pierre-Olivier J. Martel ,  Kelly B. Yancey ,  Richard L. Hagy

IPC: G06F21/53 ,  G06F21/62

CPC classification number: G06F21/53 ,  G06F21/6218 ,  G06F2221/03 ,  G06F2221/034

Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.

Abstract translation: 响应于在数据处理系统的操作系统内启动应用程序的请求，从应用程序中提取一个或多个扩展授权，其中一个或多个扩展授权指定应用程序有权访问的一个或多个资源。 动态地生成与一个或多个扩展授权相对应的一个或多个安全简档扩展。 基于一个或多个安全配置文件扩展和先前已经编译的基本安全配置文件，其中基本安全配置文件指定多个基本资源的列表来创建专用于该应用的安全配置文件。 然后，应用程序将在基于为应用程序专门生成的安全配置文件配置的沙箱操作环境中启动。

公开(公告)号：US20140229958A1

公开(公告)日：2014-08-14

申请号：US14179966

申请日：2014-02-13

Applicant: Apple Inc.

Inventor： Kevin J. Van Vechten ,  Damien Pascal Sorresso ,  Richard L. Hagy ,  Ivan Krstic

IPC: G06F9/54

CPC classification number: G06F21/629 ,  G06F9/44521 ,  G06F9/468 ,  G06F9/541 ,  G06F9/542 ,  G06F21/52

Abstract: When an application is launched, a framework scanning module scans a plurality of frameworks linked against by the application to generate a list of available services. When the application makes a request of a particular service, a service verification module compares the requested service to the list of available services and if the requested service is found in the list of available services, sends a signal to the application, the signal allowing access to the requested service for the application. Otherwise, access to the requested service is denied.

Abstract translation: 当启动应用程序时，框架扫描模块扫描由应用程序链接的多个框架以生成可用服务的列表。 当应用程序请求特定服务时，服务验证模块将所请求的服务与可用服务的列表进行比较，并且如果在可用服务的列表中找到所请求的服务，则向应用发送信号，允许访问的信号 到应用程序的请求服务。 否则，拒绝对请求的服务的访问。

公开(公告)号：US20250005195A1

公开(公告)日：2025-01-02

申请号：US18731009

申请日：2024-05-31

Applicant: Apple Inc.

Inventor： Daniel P. Shepard ,  Michael P. Dal Santo ,  Ping-Ko Chiu ,  Kumar Gaurav Chhokra ,  Yannick L. Sierra ,  Andrew M. Pace ,  Richard L. Hagy ,  Lindsey McAllister ,  Dharini Sitaraman ,  Andrew N. Khoury ,  Richard Bower Warren ,  Brent M. Ledvina ,  Siva Ganesh Movva ,  Ronald Keryuan Huang ,  Robert W. Mayor ,  Stacey F. Lysik ,  Areeba Kamal ,  Ryan D. Shelby ,  Elizabeth Caroline Furches Cranfill ,  Kanika Malhotra ,  Gillian T. Verga

IPC: G06F21/62 ,  G06Q50/26 ,  H04L9/32

Abstract: Embodiments of the present disclosure are directed to, among other things, monitoring a user device to determine whether a user associated with the device is safe. In some examples, a user (which may be referred to herein as an “initiator” establishes a device monitoring session (which may be referred to herein as “session”) with a user, or a group of users, so that the user(s) are notified either when the initiator has safely ended the device monitoring session or receives access to session data that was collected during the session. In some configurations, the session can be handed off from a first user device that is currently active to a different user device. Instead of the first user device always being the device that interacts with the server, a different first user device may be selected as the active device to interact with the server.

公开(公告)号：US12158911B2

公开(公告)日：2024-12-03

申请号：US18130395

申请日：2023-04-03

Applicant: Apple Inc.

Inventor： Matthew J. Dickoff ,  Jessica Aranda ,  Patrick Coffman ,  Richard L. Hagy ,  Stephen J. Rhee ,  Nicole R. Ryan ,  Adam C. Swift ,  Gavin B. Thomson ,  Brandon J. Van Ryswyk

IPC: G06F3/0482 ,  G06F16/535 ,  G06F16/54 ,  G06F21/10

Abstract: Described herein are techniques to enable limited access to a photos library by enabling application specific virtual photo libraries. When an application requests access to the photos library, the user can select an option to enable or configure a virtual photos library, and then select specific assets (e.g., photos, videos) within the photos library to be selected for inclusion into an application specific virtual photos library.

公开(公告)号：US11620329B2

公开(公告)日：2023-04-04

申请号：US17183071

申请日：2021-02-23

Applicant: Apple Inc.

Inventor： Matthew J. Dickoff ,  Jessica Aranda ,  Patrick Coffman ,  Richard L. Hagy ,  Stephen J. Rhee ,  Nicole R. Ryan ,  Adam C. Swift ,  Gavin B. Thomson ,  Brandon J. Van Ryswyk

IPC: G06F3/0482 ,  G06F16/54 ,  G06F16/535

Abstract: Described herein are techniques to enable limited access to a photos library by enabling application specific virtual photo libraries. When an application requests access to the photos library, the user can select an option to enable or configure a virtual photos library, and then select specific assets (e.g., photos, videos) within the photos library to be selected for inclusion into an application specific virtual photos library.

公开(公告)号：US09734327B2

公开(公告)日：2017-08-15

申请号：US15162449

申请日：2016-05-23

Applicant: Apple Inc.

Inventor： Pierre-Olivier J Martel ,  Kelly B. Yancey ,  Richard L. Hagy

IPC: G06F17/00 ,  H04L29/06 ,  G06F21/53 ,  G06F21/62

CPC classification number: G06F21/53 ,  G06F21/6218 ,  G06F2221/03 ,  G06F2221/034

Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.

公开(公告)号：US20170199883A1

公开(公告)日：2017-07-13

申请号：US15273665

申请日：2016-09-22

Applicant: Apple Inc.

Inventor： Andrew S. Terry ,  Kelly B. Yancey ,  Pierre-Olivier J. Martel ,  Richard L. Hagy ,  Timothy P. Hannon ,  Alastair K. Fettes

IPC: G06F17/30

CPC classification number: G06F21/53 ,  G06F21/00

Abstract: Some embodiments provide a method for a device having multiple users. The method identifies a process installed on the device that requires an isolated storage in a file system of the device. For each of a set of the users of the electronic device, the method assigns at least one container for use by the process within a user-specific section of the file system. The containers assigned to the process in a section of the file system specific to a particular user are only accessible by the process when the particular user is logged into the device. The method assigns at least one container for use by the process within a non-user-specific section of the file system. The containers assigned to the process within the non-user-specific section of the file system are accessible by the process irrespective of which user is logged into the device.

公开(公告)号：US09361454B2

公开(公告)日：2016-06-07

申请号：US14292712

申请日：2014-05-30

Applicant: Apple Inc.

Inventor： Pierre-Olivier J. Martel ,  Kelly B. Yancey ,  Richard L. Hagy

IPC: G06F17/00 ,  H04L29/06 ,  G06F21/53

CPC classification number: G06F21/53 ,  G06F21/6218 ,  G06F2221/03 ,  G06F2221/034

Abstract: In response to a request for launching an application within an operating system of a data processing system, one or more extended entitlements are extracted from the application, where the one or more extended entitlements specify one or more resources the application is entitled to access. One or more security profile extensions corresponding to the one or more extended entitlements are dynamically generated. A security profile specifically for the application is created based on the one or more security profile extensions and a base security profile that has been previously compiled, where the base security profile specifies a list of a plurality of base resources. The application is then launched in a sandboxed operating environment that is configured based on the security profile specifically generated for the application.

Abstract translation: 响应于在数据处理系统的操作系统内启动应用程序的请求，从应用程序中提取一个或多个扩展授权，其中一个或多个扩展授权指定应用程序有权访问的一个或多个资源。 动态地生成与一个或多个扩展授权相对应的一个或多个安全简档扩展。 基于一个或多个安全配置文件扩展和先前已经编译的基本安全配置文件，其中基本安全配置文件指定多个基本资源的列表来创建专用于该应用的安全配置文件。 然后，应用程序将在基于为应用程序专门生成的安全配置文件配置的沙箱操作环境中启动。