DETAILED ACTION
Information Disclosure Statement
IDSes filed 10/09/2020 and 12/11/2020 have been considered and entered.

Response to Arguments
The arguments are moot in view of the allowance herein.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Armon Shahdadi on 3/9/2021.

The application has been amended as follows: 

1. (Currently Amended) A system for providing single sign-on using a management application, comprising:
a computing device including a plurality of managed applications installed thereon, each of the plurality of managed applications signed by one of a plurality of certificates, the computing device in communication with a device management service executing on a server remote from the computing device, the device management service managing a plurality of compliance rules for the computing device and configuring the management application with the plurality of compliance rules for enforcement by the management application; [[and]]
that executes on the computing device when launched by a user of the computing device and
a user interface that is rendered on the computing device upon the launch of the management application;
the management application configured to cause the computing device to at least:
receive, at the management application, a single sign-on request from a client application executed by the computing device;
send, from the management application to the [[a]] device management service the plurality of managed application the [[a]] user interface by the user 
in an instance where the device management service determines that the credentials are valid, receive the management credential at the management application from the device management service, wherein 
receiving the management credential is contingent on a determination by the device management service that the user is authenticated and that the management application is in an authenticated state with the device management service; and 
wherein the user may access each of the plurality of managed applications using the received management credential to be automatically authenticated with any of the plurality of managed applications without re-entering the entered credentials;
provide, by the management application, the received management credential to the client application,
establish a corresponding access-restricted storage area for each of the plurality of managed applications; and
establish a secure communications link that conveys data comprising a plurality of data portions from the device management service to the computing device, each of the data portions for storage in one of the corresponding access-restricted storage areas,
wherein the stored data portions are accessible only by a respective managed application corresponding to the corresponding access-restricted storage area storing the stored data portion and any of the other of the plurality of managed applications signed with the same one of the plurality of certificates that signed the respective managed application which corresponds to the corresponding access-restricted storage area storing the stored data portion;
wherein a first compliance rule of the plurality of compliance rules restricts the user from capturing, sharing, or otherwise removing the conveyed data from the access-restricted storage areas, and
wherein a second compliance rule of the plurality of compliance rules instructs the computing device to erase the conveyed data from the access-restricted storage areas in an instance where the client device is lost or stolen.

4. (Currently Amended) The system of claim 1, wherein the management application is further configured to cause the computing device to at least: communicate with the device management service 

11. (Currently Amended) A method for providing single sign-on using a management application, comprising: 
authenticating, by the management application executed in a computing device, with a device management service , [[;]] 
the computing device:
including a plurality of managed applications installed thereon, each of the plurality of managed applications signed by one of a plurality of certificates, 

including a plurality of compliance rules managed by the device management service,

in communication with the device management service executing on a server remote from the computing device, and

rendering a user interface upon launch of the management application;

receiving, by the management application and from the device management service, configuration to enforce the plurality of compliance rules;
	
by the management application, causing the computing device to at least:
receive, at the management application, a single sign-on request from a client application executed by the computing device;

send, from the management application to the device management service, a request for a management credential that allows the management application to provide access to the plurality of managed application, wherein the request includes credentials entered into the user interface by the user;

in an instance where the device management service determines that the credentials are valid, receive the management credential at the management application from the device management service, wherein: 
receiving the management credential is contingent on a determination by the device management service that the user is authenticated and that the management application is in an authenticated state with the device management service; and 

wherein the user may access each of the plurality of managed applications using the received management credential to be automatically authenticated with any of the plurality of managed applications without re-entering the entered credentials;

provide, by the management application, the received management credential to the client application,

establish a corresponding access-restricted storage area for each of the plurality of managed applications; and

establish a secure communications link that conveys data comprising a plurality of data portions from the device management service to the computing device, each of the data portions for storage in one of the corresponding access-restricted storage areas,

wherein the stored data portions are accessible only by a respective managed application corresponding to the corresponding access-restricted storage area storing the stored data portion and any of the other of the plurality of managed applications signed with the same one of the plurality of certificates that signed the respective managed application which corresponds to the corresponding access-restricted storage area storing the stored data portion;

wherein a first compliance rule of the plurality of compliance rules restricts the user from capturing, sharing, or otherwise removing the conveyed data from the access-restricted storage areas, and

wherein a second compliance rule of the plurality of compliance rules instructs the computing device to erase the conveyed data from the access-restricted storage areas in an instance where the client device is lost or stolen


14. (Currently Amended) The method of claim 11, further comprising: receiving an indication from the device management service 

16. (Currently Amended) A non-transitory computer-readable medium embodying a program comprising a management application executable in a client device, the program, when executed by the client device, being configured to cause the client device to at least:
Application No. 15/875,236 Docket No. W205.02.C1

authenticate with a device management service 

receive, at the management application from the device management service, configuration to enforce a plurality of compliance rules;

receive, at the management application, a single sign-on request from a client application executed by the computing device, 
the computing device:
including a plurality of managed applications installed thereon, each of the plurality of managed applications signed by one of a plurality of certificates, 

including the plurality of compliance rules managed by the device management service,

in communication with the device management service executing on a server remote from the computing device, and

rendering a user interface upon launch of the management application;

send, from the management application to the device management service, a request for a management credential that allows the management application to provide access to the plurality of managed application, wherein the request includes credentials entered into the user interface by the user; 

in an instance where the device management service determines that the credentials are valid, receive the management credential at the management application from the device management service, wherein: 
receiving the management credential is contingent on a determination by the device management service that the user is authenticated and that the management application is in an authenticated state with the device management service; and 

wherein the user may access each of the plurality of managed applications using the received management credential to be automatically authenticated with any of the plurality of managed applications without re-entering the entered credentials;
provide, by the management application, the received management credential to the client application,

establish a corresponding access-restricted storage area for each of the plurality of managed applications; and

establish a secure communications link that conveys data comprising a plurality of data portions from the device management service to the computing device, each of the data portions for storage in one of the corresponding access-restricted storage areas,

wherein the stored data portions are accessible only by a respective managed application corresponding to the corresponding access-restricted storage area storing the stored data portion and any of the other of the plurality of managed applications signed with the same one of the plurality of certificates that signed the respective managed application which corresponds to the corresponding access-restricted storage area storing the stored data portion;

wherein a first compliance rule of the plurality of compliance rules restricts the user from capturing, sharing, or otherwise removing the conveyed data from the access-restricted storage areas, and

wherein a second compliance rule of the plurality of compliance rules instructs the computing device to erase the conveyed data from the access-restricted storage areas in an instance where the client device is lost or stolen
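A minimal model of the flow recited in claims 1, 11 and 16, added here as an illustration (it is not code from the office action or from the applicant): the device management service issues the management credential only when the management application is in an authenticated state and the entered user credentials are valid, each managed application gets its own access-restricted storage area readable only by applications signed with the same certificate, and the second compliance rule erases the conveyed data. All class and method names, and the sample users and certificates, are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagedApp:
    name: str
    signing_cert: str  # identifier of the certificate that signed this app


class DeviceManagementService:
    """Remote service: validates user credentials and the management application's state."""
    def __init__(self, users):
        self.users = users                   # username -> password (constructed sample data)
        self.authenticated_mgmt_apps = set()

    def authenticate_management_app(self, mgmt_app_id):
        self.authenticated_mgmt_apps.add(mgmt_app_id)

    def issue_management_credential(self, mgmt_app_id, username, password):
        # Both conditions from the claim must hold: the management application is in an
        # authenticated state with the service AND the entered credentials are valid.
        if mgmt_app_id not in self.authenticated_mgmt_apps:
            return None
        if self.users.get(username) != password:
            return None
        return f"mgmt-cred:{username}"       # an opaque token in a real deployment


class ManagementApplication:
    def __init__(self, app_id, dms):
        self.app_id = app_id
        self.dms = dms
        self.storage = {}                    # owner app name -> (signing cert, data portion)

    def handle_sso_request(self, client_app, username, password):
        # Single sign-on request from client_app: ask the service for the management
        # credential; the returned value is what gets provided back to client_app.
        return self.dms.issue_management_credential(self.app_id, username, password)

    def store_data_portion(self, owner, data):
        # One access-restricted storage area per managed application.
        self.storage[owner.name] = (owner.signing_cert, data)

    def read_data_portion(self, requester, owner_name):
        cert, data = self.storage[owner_name]
        if requester.signing_cert != cert:   # same-certificate rule from the claim
            raise PermissionError(f"{requester.name} may not read {owner_name}'s data")
        return data

    def wipe(self):
        # Second compliance rule: erase conveyed data when the device is lost or stolen.
        self.storage.clear()
```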

Allowable Subject Matter
Claims 1, 2, 4–12, 14–17, and 19–20 are allowed.

The following is an examiner’s statement of reasons for allowance:
Bhimanaik (US 9106642) teaches:
a computing device (Fig. 2, 103), a management application (Fig. 2, 257), a user interface (239/251), and a device management service (Fig 218).

Bhimanaik further teaches a plurality of managed applications (Fig. 2, 242, 245, and 248) that allow access by an authenticated user based on a token that may be shared between applications, resulting in a single sign-on experience (see Column 7, lines 20–63 and Fig. 3A).

Borzycki et al. (US 8613070) teaches:
a plurality of managed applications (Fig. 3, 514) communicating with access to resources 504 using respective secure channels 554, and a single sign-on authentication process as described in Column 20, lines 26–50.

Borzycki further teaches memory areas (Fig. 5, 534, 538, and 542), each having different security and access levels, as further described in Column 19, line 53 through Column 20, line 50.

Borzycki further teaches management policies that govern mobile applications (see Column 18, lines 9–25), wherein the policies include:
selective wiping and deleting (see Column 20, lines 1–25), and
copy prevention (see Column 24, lines 18–21).

DeTreville (US 2006/0036851) teaches in [0013] that the authenticity of an application executing in secure memory can be verified using a certificate.

The prior art of record does not explicitly disclose, in light of the other features recited in the independent claims, the following limitations:

establish a secure communications link that conveys data comprising a plurality of data portions from the device management service to the computing device, each of the data portions for storage in one of the corresponding access-restricted storage areas

the stored data portions are accessible only by a respective managed application corresponding to the corresponding access-restricted storage area storing the stored data portion and any of the other of the plurality of managed applications signed with the same one of the plurality of certificates that signed the respective managed application which corresponds to the corresponding access-restricted storage area storing the stored data portion

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to RICHARD A MCCOY whose telephone number is (313)446-6520.  The examiner can normally be reached on M - F 10 - 6.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on 571 272 2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/RICHARD A MCCOY/Examiner, Art Unit 2431