Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
2.	EXAMINER’S NOTE: The claims have been reviewed and considered under the new guidance pursuant to the 2019 Revised Patent Subject Matter Eligibility Guidance (PEG 2019) issued January 7, 2019.
3.	This communication is in response to Applicant’s RCE amendment filed on 09 October 2020. Claims 1, 8, and 15 have been amended. Claims 1-20 remain pending.

Continued Examination Under 37 CFR 1.114
4.	A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 09 October 2020 has been entered.
 
Response to Arguments
5.	Applicant's arguments, see pages 8-11 filed 09 October 2020, with respect to the rejections of claims 1-20 in view of Angal have been fully considered, but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument. The newly added claim limitation – “obtain a request to generate a management token 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Angal (Pub No. 2014/0020070) in view of Iyer et al. (Pub No. 2016/0286394).
Referring to the rejection of claim 1, Angal discloses a system for applying a device policy onto a client device, comprising: (See Angal, para. 56)
 Please note that in this example, the service provider may utilize a policy regarding resource access control to issue the application token (e.g., AppScoped Token), to determine whether the requested scope to the requested resource is in violation of the policy, and, if determines so, decline the access or modify the scope (e.g., upgrade or downgrade).
at least one computing device comprising a processor and a memory; (See Angal, para. 126)
Please note that in this example, a computer system, item 600 comprises a processor, item 602 and a main memory, item 604.
and a management token generator executed by the at least one computing device, the management token generator causing the at least one computing device to at least; (See Angal, para. 22, 32, and 41)
Please note that in this example, the user device security manager executing at a user device may identify (or detect) a first request issued from an application to access remote resources associated with the web service and the security manager provides device identification, authentication mechanisms until it is activated on the client machine and based on identifying a valid user token associated with the SMID which is an ID associated with the company and used for verifying the apparatus in response to the identifying of the first request. 
generate a device record corresponding to the client device in a data store accessible to the management token generator; (See Angal, para. 60)
Please note that in this example, the device records corresponding to the user device are described as user artifacts (i.e. QR code, or unique identity of the user attributes) which are generated by the security management server.
embed an indication of the at least one device policy within the management token; (See Angal, para. 56 and 119)
Please note that in this example, an application token may be generated and transmitted by the security management server module to the user device and the service provider utilize a policy to determine whether the requested scope to the requested resource is in violation of the policy, and, if determines so, decline the access or modify the scope (e.g., upgrade or downgrade).
encrypt the management token; (See Angal, para. 57)
Please note that in this example, the user device security manager encrypt the application token with the nonce received from the application and forwards the encrypted application token to the application.
provide the management token for transmission to the client device; (See Angal, para. 106)
Please note that in this example, the encrypted token may be decrypted by the application, wherein the application may decrypt the encrypted token using the nonce transmitted along with the encrypted token.
obtain a response token from the client device; (See Angal, para. 38)
Please note that in this example, the security manager identifier (SMID) may be generated in the form of QR Code (Quick Response Code) and a token (e.g., AuthN Token) may be assigned to the user device security manager wherein the token comprise information that is unique to the specific instance of the user device security manager installed on the user's mobile device.
extract identifying information associated with the client device from the response token; (See para. 83)
Please note that in this example, the security manager client module (e.g., the verification module) may prevent the apparatus from prompting the user with one or more user authentication pages based on identifying a valid user token associated with the user from the SMID.
and associate the identifying information with the device record. (See Angal, para. 86)
Please note that in this example, the security manager server module may assign a persona associated with persona symbols to a user or his user device as identifying information which are user artifacts and attributes.
Angal does not explicitly disclose obtaining a request to generate a management token for the client device, the request comprising a facility identifier that identifies premises associated with an enterprise and identifying at least one device policy for enforcement on the client device based at least in part on the facility identifier. 
Iyer et al. discloses a method and system for policy-based techniques to enable mobile devices to enforce restricted area security. 
Iyer et al. discloses obtain a request to generate a management token for the client device, the request comprising a facility identifier that identifies premises associated with an enterprise. (See Iyer et al., para. 39 and 49)
Please note that in this example, a request submitted by the client to obtain entry by generating a management token disclosed as a QR code for the client’s mobile device. The QR code is provided by the enterprise which is associated with the facility for identifying the premises of the restricted area disclosed as the facility, location, environment, etc.  
(See Iyer et al., para. 48, 52, 63, 67, and 72)
Please note that in this example, identifying a device security policy for enforcement on the client’s mobile device based in part on the facility identifier for the enterprise wherein enforcing a device security policy is used for entry and exit into restricted areas.
Therefore, it would have been obvious before the effective filing date of the invention, to combine Angal’s system and method for authenticating and authorizing a user for web services using user devices modified with Iyer et al.’s method and system for policy-based techniques to enable mobile devices to enforce restricted area security. Motivation for such an implementation would enable an enterprise to use mobile device management platforms to mage mobile device users will be permitted to access and use their mobile devices within a restricted security area. (Iyer et al., para. 40)

Referring to the rejection of claims 2, 9, and 16, (Angal modified by Iyer et al.) discloses wherein the management token is encrypted with a symmetric key and the symmetric key is accessible to a management application executed by the client device. (See Angal, para. 57)
Please note that in this example, the user device security manager encrypts the application token with the nonce received from the application using symmetric encryption and forwarding the encrypted application token to the application.
(See Angal, para. 49-50)
Please note that in this example, the mobile user device can authenticate the identity of the sender of the token from the user device security manager wherein downloadable applications are each signed by a private key of the developer, and the signatures may be verified by a public key corresponding to the private key. The private keys are not compromised and the signatures cannot be spoofed.

Referring to the rejection of claims 4 and 11, (Angal modified by Iyer et al.) discloses wherein the management token generator further causes the at least one computing device to at least: 
obtain a request to release the client device from the at least one device policy; (See Angal, para. 56)
Please note that in this example, the service provider utilizes a policy regarding resource access control to issue the application token to determine whether the requested scope to the requested resource is in violation of the policy.
generate a removal token authorizing removal of the at least one device policy from the client device; (See Angal, para. 83)
Please note that in this example, the security manager client module (e.g., the verification module) may prevent the apparatus from prompting the user with one or more user authentication pages based on identifying a valid user token associated with the user from the SMID.
and provide the removal token to the client device, wherein the client device is configured to authenticate the sender of the removal token prior to removing the at least one device policy from the client device. (See Angal, para. 41)
Please note that in this example, to verify authenticity of its identification, the user device security manager running in the background of the client machine in an inactive state (to the user), may send user-related artifacts retrieved from the activation information (e.g., SMID).

Referring to the rejection of claims 5, 12, and 18, (Angal modified by Iyer et al.) discloses wherein the response token comprises at least one of a user identifier associated with the client device or a compliance status associated with the client device with respect to the at least one device policy. (See Angal, para. 38)
Please note that in this example, the security manager identifier (SMID) may be generated in the form of QR Code (Quick Response Code) and a token (e.g., AuthN Token) may be assigned to the user device security manager wherein the token comprise information that is unique to the specific instance of the user device security manager installed on the user's mobile device.

(See Angal, para. 57)
Please note that in this example, the user device security manager encrypts the application token with the nonce received from the application using symmetric encryption method and forwards the encrypted application token to the application.

Referring to the rejection of claims 7, 14, and 20, (Angal modified by Iyer et al.) discloses wherein the management token is provided to a management application installed on the client device, the management application being configured as a device administrator on the client device. (See Angal, para. 51-52)
Please note that in this example, a trust relationship is established between the device security manager and the client machine via download/installation, registration, and activation wherein the user device security manager authorize or authenticate an application to be executed on the client machine. A user may download an application and install it on the client machine and the user device security manager facilitates authentication or authorization of the application to access resources provided by the service provider.

Referring to the rejection of claim 8, (Angal modified by Iyer et al.) discloses a method for applying a device policy on a client device, comprising: (See Angal, para. 56)
 Please note that in this example, the service provider may utilize a policy regarding resource access control to issue the application token (e.g., AppScoped Token), to determine whether the requested scope to the requested resource is in violation of the policy, and, if determines so, decline the access or modify the scope (e.g., upgrade or downgrade).
generating a device record corresponding to the client device in a data store accessible to the management token generator; (See Angal, para. 60)
Please note that in this example, the device records corresponding to the user device are described as user artifacts (i.e. QR code, or unique identity of the user attributes) which are generated by the security management server.
embedding an indication of the at least one device policy within the management token; (See Angal, para. 56 and 119)
Please note that in this example, an application token may be generated and transmitted by the security management server module to the user device and the service provider utilize a policy to determine whether the requested scope to the requested resource is in violation of the policy, and, if determines so, decline the access or modify the scope (e.g., upgrade or downgrade).
encrypting the management token; (See Angal, para. 57)
Please note that in this example, the user device security manager encrypt the application token with the nonce received from the application and forwards the encrypted application token to the application.
providing the management token for transmission to the client device; (See Angal, para. 106)
Please note that in this example, the encrypted token may be decrypted by the application, wherein the application may decrypt the encrypted token using the nonce transmitted along with the encrypted token.
obtaining a response token from the client device; (See Angal, para. 38)
Please note that in this example, the security manager identifier (SMID) may be generated in the form of QR Code (Quick Response Code) and a token (e.g., AuthN Token) may be assigned to the user device security manager wherein the token comprise information that is unique to the specific instance of the user device security manager installed on the user's mobile device.
extracting identifying information associated with the client device from the response token; (See Angal, para. 83)
Please note that in this example, the security manager client module (e.g., the verification module) may prevent the apparatus from prompting the user with one or more user authentication pages based on identifying a valid user token associated with the user from the SMID.
and associating the identifying information with the device record. (See Angal, para. 86)
Please note that in this example, the security manager server module may assign a persona associated with persona symbols to a user or his user device as identifying information which are user artifacts and attributes.
Angal does not explicitly disclose obtaining a request to generate a management token for the client device, the request comprising a facility identifier that identifies 
Iyer et al. discloses a method and system for policy-based techniques to enable mobile devices to enforce restricted area security. 
Iyer et al. discloses obtaining a request to generate a management token for the client device, the request comprising a facility identifier that identifies premises associated with an enterprise. (See Iyer et al., para. 39 and 49)
Please note that in this example, a request submitted by the client to obtain entry by generating a management token disclosed as a QR code for the client’s mobile device. The QR code is provided by the enterprise which is associated with the facility for identifying the premises of the restricted area disclosed as the facility, location, environment, etc.  
Iyer et al. discloses and identifying at least one device policy for enforcement on the client device based at least in part on the facility identifier. (See Iyer et al., para. 48, 52, 63, 67, and 72)
Please note that in this example, identifying a device security policy for enforcement on the client’s mobile device based in part on the facility identifier for the enterprise wherein enforcing a device security policy is used for entry and exit into restricted areas.
The rationale for combining Angal in view of Iyer et al. is the same as claim 1.

Referring to the rejection of claim 15, Angal discloses a non-transitory computer-readable medium comprising machine-readable instructions for generating a device (See Angal, para. 56 and 124)
Please note that in this example, the service provider may utilize a policy regarding resource access control to issue the application token (e.g., AppScoped Token), to determine whether the requested scope to the requested resource is in violation of the policy, and, if determines so, decline the access or modify the scope (e.g., upgrade or downgrade).
generate a device record corresponding to the client device in a data store accessible to the management token generator; (See Angal, para. 60)
Please note that in this example, the device records corresponding to the user device are described as user artifacts (i.e. QR code, or unique identity of the user attributes) which are generated by the security management server.
embed an indication of the at least one device policy within the management token; (See Angal, para. 56 and 119)
Please note that in this example, an application token may be generated and transmitted by the security management server module to the user device and the service provider utilize a policy to determine whether the requested scope to the requested resource is in violation of the policy, and, if determines so, decline the access or modify the scope (e.g., upgrade or downgrade).
encrypt the management token; (See Angal, para. 57)
Please note that in this example, the user device security manager encrypt the application token with the nonce received from the application and forwards the encrypted application token to the application.
provide the management token for transmission to the client device; (See Angal, para. 106)
Please note that in this example, the encrypted token may be decrypted by the application, wherein the application may decrypt the encrypted token using the nonce transmitted along with the encrypted token.
obtain a response token from the client device; (See Angal, para. 38)
Please note that in this example, the security manager identifier (SMID) may be generated in the form of QR Code (Quick Response Code) and a token (e.g., AuthN Token) may be assigned to the user device security manager wherein the token comprise information that is unique to the specific instance of the user device security manager installed on the user's mobile device.
extract identifying information associated with the client device from the response token; (See Angal, para. 83)
Please note that in this example, the security manager client module (e.g., the verification module) may prevent the apparatus from prompting the user with one or more user authentication pages based on identifying a valid user token associated with the user from the SMID.
and associate the identifying information with the device record. (See Angal, para. 86)
Please note that in this example, the security manager server module may assign a persona associated with persona symbols to a user or his user device as identifying information which are user artifacts and attributes.
Angal does not explicitly disclose obtaining a request to generate a management token for the client device, the request comprising a facility identifier that identifies premises associated with an enterprise and identifying at least one device policy for enforcement on the client device based at least in part on the facility identifier. 
Iyer et al. discloses a method and system for policy-based techniques to enable mobile devices to enforce restricted area security. 
Iyer et al. discloses obtain a request to generate a management token for the client device, the request comprising a facility identifier that identifies premises associated with an enterprise. (See Iyer et al., para. 39 and 49)
Please note that in this example, a request submitted by the client to obtain entry by generating a management token disclosed as a QR code for the client’s mobile device. The QR code is provided by the enterprise which is associated with the facility for identifying the premises of the restricted area disclosed as the facility, location, environment, etc.  
Iyer et al. discloses and identify at least one device policy for enforcement on the client device based at least in part on the facility identifier. (See Iyer et al., para. 48, 52, 63, 67, and 72)
Please note that in this example, identifying a device security policy for enforcement on the client’s mobile device based in part on the facility identifier for the enterprise wherein enforcing a device security policy is used for entry and exit into restricted areas.
The rationale for combining Angal in view of Iyer et al. is the same as claim 1.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to COURTNEY D FIELDS whose telephone number is (571)272-3871.  The examiner can normally be reached on IFP M-F 8am-4:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, SHEWAYE GELAGAY can be reached on (571)272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 






/COURTNEY D FIELDS/Examiner, Art Unit 2436                                                                                                                                                                                                        April 14, 2021

/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436