DETAILED ACTION

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 11/05/2020 has been entered.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Priority
Applicant’s claim for the benefit of a prior-filed application under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. Applicant has not complied with one or more conditions for receiving the benefit of an earlier filing date under 35 U.S.C. 112(a) or pre-AIA  35 U.S.C. 112, first paragraph as follows:
The later-filed application must be an application for a patent for an invention which is also disclosed in the prior application (the parent or original nonprovisional application or provisional application). The disclosure of the invention in the parent application and in the later-filed application must be sufficient to comply with the requirements of 35 U.S.C. 112(a) or the first paragraph of pre-AIA  35 U.S.C. 112, except for the best mode requirement.  See Transco Products, Inc. v. Performance Contracting, Inc., 38 F.3d 551, 32 USPQ2d 1077 (Fed. Cir. 1994)
The disclosure of the prior-filed applications, Application No. 61/508,404, 13/217,484, and 14/686,769 fails to provide adequate support or enablement in the manner provided by 35 

The instant application, which has a filing date on or after March 16, 2013, is considered a transition application because the application claims domestic benefit of Application No. 61/508,404, 13/217,484, and 14/686,769, which have a filing date prior to March 16, 2013. Although the instant application does not contain a 37 CFR 1.55/1.78 statement indicating that this application should be examined under the AIA  (First Inventor to File), a review of the disclosures of both the instant application and the parent application, by the examiner, reveals that at least one claim presented or that has ever been presented in the instant application appears to be drawn to an invention having an effective filing date on or after March 16, 2013 as the claims fail to have support in the earlier-filed application. More specifically, claims 1-20 lack support in the earlier filed application because the earlier filed application fails to disclose the subject matter claimed in claims 1-20 and thus the effective filing date of at least one claim in the application appears to be August 29, 2015. Accordingly, this application is being examined under the AIA  (First Inventor to File) statutory framework. Therefore, all forthcoming Office actions on the merits will be labeled “AIA  (First Inventor to File) Status: Yes” (see upper right box on form PTOL-37/37D and/or PTOL- 326/326AE).

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:


Claims 1-20 rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 

Regarding claim 1, claim 1 recites upon determining that the indication is an authorized unlocking indication, transmitting client device credentials to a desktop management server, wherein the desktop management server is configured to apply an enterprise credential policy to determine, based on the transmitted client device credentials, whether the client device is authorized to access an enterprise system including the desktop; upon the client device being determined to be authorized to access the enterprise system, determining whether the client device is authorized to access the desktop for unlocking; and upon determining that the client device is authorized to access the desktop for unlocking, transmitting the authorized unlocking indication and the client device credentials to the desktop for unlocking the desktop, wherein the desktop is configured to determine whether the client device is registered to access the desktop based on the client device credentials, before unlocking the desktop.  As described in the specification:

[0029] Users may use a mobile device, which is shown and referred to as client device 104, to interact with a desktop management server 102 to access a user's remote desktop 106


[0035] Gateway authenticator 304 may use different methods of authenticating the credentials. In one example, based on the administrative policy, the user may be asked to use a two-factor authentication. For example, the user may be required to first provide a Rivest, Shamir, and Adelman (RSA) SECURID.RTM. or another token and then provides active directory credentials. In some examples, the administrative policy controls the access to the remote desktop 106 based on criteria established by an administrator. As an example, the client device 104 is prevented from authenticating the remote desktop 106 without a new token, issued daily to authorized client devices 104 by the remote desktop gateway 118

[0048] If the indication is authorized on the client device 104, then in some examples the credentials of the client device 104 are transmitted to the gateway authenticator 120. The transmitted credentials include, as an example, a token previously provided by the desktop management server 102 to indicate that the client device 104 is authorized to access the enterprise system. If the authorized indication is not detected, then access is denied at 614. In some examples an administrator is notified if access is denied

[0049] In an example where credentials are transmitted to the gateway authenticator 120, the gateway authenticator 120 verifies that the client device 104 is authorized to access the enterprise system at 606. If the client device 104 is not authorized, then access is denied at 614. In some examples, the gateway authenticator 120 compares the client device 104 and the access details with an administrative policy such as an enterprise credential policy to determine . 

[0051] The authentication mechanism on the client device receives an indication (e.g., an attempt is made to access the client device 104 through the authentication mechanism). If the indication is authorized, then the authorized indication is passed to the remote desktop 106, and in some examples the desktop management server 102. Based, in some examples, upon administrative policies, the desktop management server 102 allows or denies access to the remote desktop by the mobile device authentication system. The remote desktop 106 is then locked or unlocked based upon the authorized indication (emphasis added)

The specification does disclose transmitting client device credentials to a desktop management server, wherein the desktop management server is configured to apply an enterprise credential policy to determine, based on the transmitted client device credentials, whether the client device is authorized to access an enterprise system.  However, the specification does not describe a step of determining whether the client device is authorized to access the desktop for unlocking; and upon determining that the client device is authorized to access the desktop for unlocking, transmitting the authorized unlocking indication and the client device credentials to the desktop for unlocking the desktop, wherein the desktop is configured to determine whether the client device is registered to access the desktop based on the client device credentials, before unlocking the desktop.  As described, once the client device 104 is authorized for enterprise access by the gateway authenticator 120, the receipt of the authorized indication is transmitted to the desktop.  The remote desktop 106 is then locked or unlocked based upon the authorized indication.

Regarding claims 9 and 15, claims 9 and 15 contain substantially similar limitations to those found in claim 1.  Consequently, claims 9 and 15 are rejected for the same reasons.  Claims 2-8, 10-14, and 16-20 are also rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as being dependent on parent claims failing to comply with the written description requirement.

Regarding claim 3, claim 3 recites wherein determining whether the client device is registered to access the desktop based on the client device credentials comprises determining whether a particular address of the client device is stored on the desktop.  As described in the specification:

[0040] Registration agent 114 registers the client device 104 (e.g., mobile devices) with the remote desktop 106 for mobile device authentication. This process is described in more detail in FIG. 5. To do so, registration agent 114 may identify and store a particular address (e.g., MAC, Internet Protocol (IP), or other device identifiers) of the client device 104 to be used for authentication of the remote desktop 106 (see also registration process discussed in [0044-0046])

The specification does disclose storing a particular address; however, the client device credentials are previously recited in parent claim 1 to be sent to the desktop management server.  There is no disclosure in the specification of a client device credential comprising a particular address that is sent to the server and stored in the desktop.  As discussed in the rejection of claim 1, the specification lacks support for determining whether the client device is authorized to access the desktop for unlocking; and upon determining that the client device is authorized to access the desktop for unlocking, transmitting the authorized unlocking indication 

Regarding claim 11, claim 11 contains substantially similar limitations to those found in claim 3.  Consequently, claim 11 is rejected for the same reasons.

Regarding claim 7, claim 7 recites receiving the indication and the client device credentials on a smart watch; transmitting the indication and the client device credentials to a smart phone or a mobile tablet; and transmitting the indication and the client device credentials from the smart phone or the mobile tablet to the desktop to unlock the desktop.  As described in the specification:

[0023] One particular example uses the authentication performed on a user's smart watch (e.g., Samsung Watch, APPLE WATCH, etc.), either directly or through a paired mobile device (e.g., smart phone or mobile tablet), to unlock or lock the screen of a desktop. To do so, some examples use the smart watch communicatively paired with a mobile device (e.g., smart phone or tablet). In such examples, an indication of the user's authentication on the smart watch is transmitted from the watch to the paired mobile device (e.g., smart phone or tablet) and then from the paired mobile device to the desktop, which in turn uses the smart-watch-captured and paired-watch-relayed authentication indication to unlock or lock the desktop screen. For example, a user may use a fingerprint scanner or watch passcode to authenticate the user on an Apple Watch, and the Apple Watch may transmit that authentication to a paired IPHONE that then transmits the indication of the authentication that occurred on the watch to a desktop for unlocking or locking of the desktop's screen. Such an example uses the Apple Watch and the 

The specification does disclose receiving the indication a smart watch, transmitting the indication to a smart phone or a mobile tablet, and transmitting the indication to the desktop to unlock the desktop.  However, there is no disclosure of receiving the client device credentials on a smart watch, transmitting the client device credentials to a smart phone or a mobile tablet, and transmitting the client device credentials from the smart phone or the mobile tablet to the desktop to unlock the desktop.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 6, 8, 9, 10, 12, and 14-17 are rejected under 35 U.S.C. 103 as being unpatentable over Friedl et al. (US 20130191902 A1, published 07/25/2013), hereinafter Friedl, in view of Shanmugam et al. (US 20150257004 A1, published 09/10/2015), hereinafter Shanmugam.

Regarding claim 9, Friedl teaches the claim comprising:
A system, comprising: one or more memories storing computer-executable instructions; and one or more processors operationally coupled to the one or more memories and configured to execute the computer-executable instructions to (Friedl Figs. 1-9; [0082], methodologies in accordance with example embodiments will be better appreciated with reference to FIGS. 7-9; [0049], logic may also be fully embodied as software stored on a non-transitory, tangible medium which performs a described function when executed by a processor; [0073], computer system 500 is suitable for implementing the functionality described herein for networked devices 102, 104 and authentication server 106; [0075-0076], network mediated multi-device shared authentication is provided by computer system 500 in response to processor 504 executing one or more sequences of one or more instructions contained in main memory 506; such instructions may be read into main memory 506 from another computer-readable medium, such as storage device 510; see also claim 20): 
receive an indication, on a client device, corresponding to an authentication mechanism for authenticating a user on a client device to unlock a desktop (Friedl Figs. 1-9; [0014], authentication logic provides data to the at least one neighboring device indicating that the user associated with the user device has been authenticated, to enable access to the at least one neighboring device; [0020], at the user's work station, the user may have a desk phone, computing device and/or VDI (Virtual Desktop Interface) endpoint; the mobile communication device can initiate a network authentication for/with the end user (e.g., the person carrying the mobile communication device) and the work station devices; [0031], networked device 104 may be a desktop computer and/or a VDI computer terminal; [0033], wireless device 108, is employed to authenticate the user associated with the device with networked devices 102, 104; wireless device 108 may provide a username to networked device 102 which can respond by sending a challenge to wireless device 108; networked device 102 can request a username and password from wireless device 108; [0034], networked device 102 employs an authentication ; 
upon determining that the indication is an authorized unlocking indication, wherein the desktop management server is configured to apply an enterprise credential policy to determine, based on the transmitted client device credentials, whether the client device is authorized to access an enterprise system including the desktop (Friedl Figs. 1-9; [0027], a network service can be employed to provide increased security to a user and an enterprise (see also [0020], [0052], work stations and work areas); [0031], networked device 104 may be a desktop computer and/or a VDI computer terminal; [0095], FIG. 9 is a block diagram of a methodology 900 performed by an authentication server; [0096], at 902, a request to authenticate a user and/or a device associated with a user is received from a networked device; [0096], a response to the challenge (such as a password, key, credential or other predefined data) may be received (determining whether client is authorized to access desktop based on credentials); [0098], if, at 906, the determination is made that the user and/or device associated with the user is only accessing the network from a single location (NO), access to the network is allowed); 
upon the client device being determined to be authorized to access the enterprise system, determine whether the client device is authorized to access the desktop for unlocking; and upon determining that the client device is authorized to access the desktop for unlocking, transmit the authorized unlocking indication and the client device credentials to the desktop for unlocking the desktop (Friedl Figs. 1-9; [0030], networked devices 102, 104 authenticates with 
wherein the desktop is configured to determine whether the client device is registered to access the desktop based on the client device credentials, before unlocking the desktop (Friedl Figs. 1-9; [0047], networked device 200 is suitably adaptable for performing the functionality of networked device-1 102 and/or networked device-n 104 in FIG. 1; [0031], networked device 104 may be a desktop computer and/or a VDI computer terminal; [0034], authentication server 106 broadcasts a message to other networked devices such as networked device 104 indicating that wireless device 108 is now authenticated; this message could also include authentication information such as credentials; [0055], upon authenticating a user device, the authentication logic 204 provides data identifying the user device to neighboring devices that have an established a trust relationship with networked device 200; the data identifying the user device may be a telephone number and/or a media access control (MAC) address associated with the user device; [0056], the authentication logic 204 receives data representative of an authenticated user from and/or user device from a neighboring device having a trust relationship with networked device 200 via communication interface 202; because of the established trust relationship, the authenticated user and/or user is allowed access based on the data received from the neighboring device (before unlocking, a locked desktop network device waits to receive client credentials to determine whether the client device is registered with network to access the desktop based on receiving the client device credentials))
However, Friedl fails to expressly disclose receive an indication, on a client device, corresponding to an authentication mechanism for authenticating a user on a client device to unlock a desktop; upon determining that the indication is an authorized unlocking indication, 
receive an indication, on a client device, corresponding to an authentication mechanism for authenticating a user on a client device to unlock a desktop; upon determining that the indication is an authorized unlocking indication, transmit client device credentials of the client device to a desktop management server (Shanmugam Figs. 1-8; [0058], in response to the presentation of the fingerprint unlock screen 460, User 1 applies, at 467, a fingerprint to a fingerprint sensor (not shown) of the mobile device 13 to provide a fingerprint input to unlock the mobile device 13; the mobile device 13 OS at 470 analyzes the fingerprint input and either successfully verifies or fails to verify User 1's fingerprint input; [0062], if the mobile device 13 OS at 470 successfully verifies the User 1 fingerprint input as belonging to an authorized user, the mobile device 13 OS unlocks the device (473) in response to a verified user signal; in response to receiving the verified (i.e., authorized) user signal, the authentication routine 440 forwards authentication information (described in more detail below with respect to FIG. 5) to the authentication server 310; [0070], the authentication information includes an authentication key, and an identifier of the mobile device 13; the identifier of the mobile device 13 may be one or more of the MDN, the ICCID and the IMEID of the mobile device 13; [0075], when the authentication server 310 receives the identifiers and secure authentication key, the authentication server 310 performs the authentication process; [0120], the described examples can also be used as a remote authentication device for non-biometric enabled devices; a mobile device equipped with a fingerprint scanner (or other biometric input mechanism (e.g., retinal scanner, voice print recognizer, or the like) may be configured to allow a user attempting to access an application on a device other than the mobile device (i.e., a laptop, desktop, or kiosk) to authenticate themselves as a valid user via an example of the mobile application 130; workstation)


Regarding claim 1, claim 1 contains substantially similar limitations to those found in claim 9, the only difference being A method, comprising (Friedl Figs. 1-9; [0082], methodologies in accordance with example embodiments will be better appreciated with reference to FIGS. 7-9).  Consequently, claim 1 is rejected for the same reasons.

Regarding claim 15, claim 15 contains substantially similar limitations to those found in claim 9, the only difference being A non-transitory computer-storage memory embodied with instructions executable by one or more processors to enable remote authentication of a desktop by a client device, said instructions comprising (Friedl Figs. 1-9; [0082], methodologies in 

Regarding claim 2, Friedl in view of Shanmugam teaches all the limitations of claim 1.  Shanmugam further teaches:
wherein the client device credentials include a token previously provided by the desktop management server that is used to determine whether the client device is authorized to access the enterprise system (Shanmugam Figs. 1-8; [0032], FIG. 2 is a high-level block diagram illustrating an example of a registration process for registering a user with the mobile application biometric authentication service; [0045], the mobile device application 130 exchanges the identifier information with the authentication server at step 275; the authentication server, such as authentication server 310 of FIG. 3, performs a registration process; the authentication server 310, for example, returns an authentication key that may be used when User 1 wants to access the mobile application 130 using the biometric login; [0050], when the authentication server 310 receives the identifiers, the authentication server 310 computes an authentication 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein the client device credentials include a token previously provided by the desktop management server that is used to determine whether the client device is authorized to access the enterprise system as suggested in Shanmugam into Friedl.  Doing so would be desirable because users often need to enter complex usernames and/or passwords manually on mobile devices that often have a small screen size. In addition, password authentication also presents a security limitation as the application needs to store the password and possibly the user name somewhere on the mobile device for verification (see Shanmugam [0005]).  A need exists for a mobile application-level biometric authentication system and method that uses biometric technology offered on a mobile device in the same manner that a smartphone allows users to unlock their mobile device and establish device ownership or authorized use of the mobile device (see Shanmugam [0007]).  The disclosed mobile device application biometric authentication service offers an easy and 

Regarding claims 10 and 16, claims 10 and 16 contain substantially similar limitations to those found in claim 2.  Consequently, claims 10 and 16 are rejected for the same reasons.

Regarding claim 6, Friedl in view of Shanmugam teaches all the limitations of claim 1.  Shanmugam further teaches:
wherein the indication includes a sequence of a plurality of related events (Shanmugam Figs. 1-8; [0055], user 1 logs into the mobile device via the device login prompt 415; this login involves a device-level biometric authentication; after successfully logging into the mobile device, User 1 may be presented on a display of the mobile device 13 with a menu; in response to a selection of mobile app 130 from the displayed menu or screen, the mobile application 130 launches (420); after launch, the mobile application 130 presents a menu 435 that prompts the user to select a login option; [0057], in response to the User 1 selection of the fingerprint login option, the mobile application 130 interacts with the mobile device 13 OS via an API (as described with reference to FIG. 2, element 145) by requesting or instructing (at 455) the mobile device 13 OS to lock the mobile device (462) and generate the fingerprint unlock prompt screen (460); [0058], in response to the presentation of the fingerprint unlock screen 460, User 1 applies, at 467, a fingerprint to a fingerprint sensor (not shown) of the mobile device 13 to provide a fingerprint input to unlock the mobile device 13; the mobile device 13 OS at 470 analyzes the fingerprint input and either successfully verifies or fails to verify User 1's fingerprint input; [0062], if the mobile device 13 OS at 470 successfully verifies the User 1 fingerprint input as belonging to an authorized user, the mobile device 13 OS unlocks the device (473) in response to a verified user signal; in response to receiving the verified (i.e., authorized) user signal, the authentication routine 440 forwards authentication information (described in more 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein the indication includes a sequence of a plurality of related events as suggested in Shanmugam into Friedl.  Doing so would be desirable because users often need to enter complex usernames and/or passwords manually on mobile devices that often have a small screen size. In addition, password authentication also presents a security limitation as the application needs to store the password and possibly the user name somewhere on the mobile device for verification (see Shanmugam [0005]).  A need exists for a mobile application-level biometric authentication system and method that uses biometric technology offered on a mobile device in the same manner that a smartphone allows users to unlock their mobile device and establish device ownership or authorized use of the mobile device (see Shanmugam [0007]).  The disclosed mobile device application biometric authentication service offers an easy and secure method that not only performs authentication at the device level but also at the application level (see Shanmugam [0018]).

Regarding claim 12, claim 12 contains substantially similar limitations to those found in claim 6.  Consequently, claim 12 is rejected for the same reasons.

Regarding claim 8, Friedl in view of Shanmugam teaches all the limitations of claim 1. Shanmugam further teaches:
wherein authenticating a user on a client device includes receiving authentication data comprising one or more of voice recognition information and facial recognition information (Shanmugam Figs. 1-8; [0018], examples of a biometric are a person's fingerprint, a sample of a 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein authenticating a user on a client 

Regarding claim 14, claim 14 contains substantially similar limitations to those found in claim 8.  Consequently, claim 14 is rejected for the same reasons.

Regarding claim 17, Friedl in view of Shanmugam teaches all the limitations of claim 1, further comprising:
wherein the instructions further cause disabling of the client device from locking or unlocking the desktop on condition that the client device credentials are determined to be unauthorized (Friedl Figs. 1-9; [0027], a network service can be employed to provide increased security to a user and an enterprise (see also [0020], [0052], work stations and work areas); [0031], networked device 104 may be a desktop computer and/or a VDI computer terminal; [0095], FIG. 9 is a block diagram of a methodology 900 performed by an authentication server; [0096], at 902, a request to authenticate a user and/or a device associated with a user is 

Claims 3 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Friedl in view of Shanmugam in further view of Matsuoka (US 8,396,452 B1, published 03/12/2013).

Regarding claim 3, Friedl in view of Shanmugam teaches all the limitations of claim 1.  However Friedl in view of Shanmugam fails to expressly disclose wherein determining whether the client device is registered to access the desktop based on the client device credentials comprises determining whether a particular address of the client device is stored on the desktop.  In the same field of endeavor, Matsuoka teaches:
wherein determining whether the client device is registered to access the desktop based on the client device credentials comprises determining whether a particular address of the client device is stored on the desktop (Matsuoka Figs. 1-4; col. 3 [line 18], FIG. 1 shows an example of a mobile device 110 in close proximity to a computer 120;  the mobile device 110 may automatically log into the computer 120 on behalf of the user 130 when the mobile device 110 is brought into close proximity to the computer 120 (e.g., by sending user credentials to the computer 120 via a wireless link); the computer 120 may be a desktop computer; col. 4 [line 48], the computer 120 may store a device identifier of the mobile device 110 in memory; the device identifier may include a media access control (MAC) address; when the mobile device 110 initially communicates with the computer 120, the mobile device 110 may send its device 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein determining whether the client device is registered to access the desktop based on the client device credentials comprises determining whether a particular address of the client device is stored on the desktop as suggested in Matsuoka into Friedl in view of Shanmugam.  Doing so would be desirable because the user may find it inconvenient to have to manually log into a computer each time the user wants to use the computer and to manually log off the computer each the user leaves the computer (see Matsuoka col. 2 [line 41]).  Additionally, storing a particular address would enable the computer to automatically log the user into the computer. This is because the computer may use the device address to identify the mobile device 110 as belonging to the user (see Matsuoka col. 4 [line 48]).

Regarding claim 11, claim 11 contains substantially similar limitations to those found in claim 3.  Consequently, claim 11 is rejected for the same reasons.

Claims 4 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Friedl in view of Shanmugam in further view of Hsu et al. (US 20150326578 A1, published 11/12/2015), hereinafter Hsu.

Regarding claim 4, Friedl in view of Shanmugam teaches all the limitations of claim 1, further comprising:
wherein the enterprise credential policy includes rules (Friedl Figs. 1-9; [0027], a network service can be employed to provide increased security to a user and an enterprise (see also 
  However Friedl in view of Shanmugam fails to expressly disclose wherein the enterprise credential policy includes rules associated with one or more of an access level and an access frequency.  In the same field of endeavor, Hsu teaches:
rules associated with one or more of an access level and an access frequency (Hsu Figs. 1-7; [0026], shown in FIG. 2, the environment 200 comprises a computing device/server 201 responsible for authentication and authorization, and a computing device/server 202 responsible for providing resources; [0027], client application 203 may send an authentication request to the first device 201 responsible for authentication and authorization; [0033], the first device 201 may determine whether to allow the access of the requested resource; if a user requesting resource access is determined to have a record of violating the rules of use for the resource, a security level may be raised that may impose stricter authentication requirements for that user; [0035], different resources may have different security levels; if the security level of the requested resource is low, the user may only be required to provide a password. Alternately, if the security level of the requested resource is high, the user may be required to provide additional information; [0042], the first device 201 may generate an access token; the access token indicates the client application 203 is authorized to access the resource provided by the second device 202; [0043], the access token may be customized using an access constraint, for the requested access, to provide additional controls on the access to the resource; [0044], the 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein the enterprise credential policy includes rules associated with one or more of an access level and an access frequency as suggested in Hsu into Friedl in view of Shanmugam.  Doing so would be desirable because current third-party authentication and authorization solutions may not provide enough control granularity nor provide enough controllable aspects to reduce improper use of resources, privacy divulgence, etc. through their authentication and authorization services. Current third-party authentication and authorization solutions may be tightly coupled with the resource provider such that they cooperate and operate strictly in accordance with a predetermined protocol or rule to complete authentication of a user identity, authentication of a client application, and authentication of an access token. Such a closely coupled mechanism causes inflexibility of authentication and authorization, preventing, for example, the authentication server from performing a pertinent authentication and authorization process to a different resource and/or a different resource owner (see Hsu [0004]).  

Regarding claim 18, claim 18 contains substantially similar limitations to those found in claim 4.  Consequently, claim 18 is rejected for the same reasons.

Claims 5, 13, 19, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Friedl in view of Shanmugam in further view of Tharappel et al. (US 20150186636 A1, published 07/02/2015), hereinafter Tharappel.

Regarding claim 5, Friedl in view of Shanmugam teaches all the limitations of claim 1.  However Friedl in view of Shanmugam fails to expressly disclose wherein the authentication mechanism includes one or more of: a thermogram, hand geometry, and gait recognition.  In the same field of endeavor, Tharappel teaches:
wherein the authentication mechanism includes one or more of: a thermogram, hand geometry, and gait recognition (Tharappel Figs. 1-11; [0017], apparatuses, methods, and systems relating to extending user authentication across a trust group of smart devices; [0021], examples of smart devices can include certain desktops and laptops; [0034], a biometric sensor, such as 49 and 29, can be configured to sense a particular biometric characteristic of a user; a hand sensor can be used to sense hand measurements/geometry; [0035], in smart device 20, enrollment module 28, in conjunction with biometric sensor 29, enables a user to generate one or more biometric credentials and enroll his biometric characteristics with wearable device 40 to form a trust group; enrollment module 28 may be configured to receive and process biometric input data indicative of user biometric input that was sensed by biometric sensor 29; user biometric input is the biometric characteristic (e.g., voice, fingerprint, eye, hand, pulse, etc.) provided by the user that is sensed by biometric sensor 29; enrollment module 28 can generate a biometric credentials file that can be pushed to wearable device 40; [0038], security proxy 22 may be configured to unlock the operating system of smart device 20, as indicated by OS unlock 26, when a trusted request is received from wearable device 40; [0046], biometric sensor 49, in conjunction with biometric authentication module 42 and biometric credential files 43, enable a user to provide biometric input (e.g., voice input, fingerprint input, eye input, hand input, pulse input, etc.); if the biometric input data corresponds to the biometric credentials, then the biometric input data (and user) is successfully authenticated; see also [0098], hand geometry sensor)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein the authentication mechanism 

Regarding claims 13 and 19, claims 13 and 19 contain substantially similar limitations to those found in claim 5.  Consequently, claims 13 and 19 are rejected for the same reasons.

Regarding claim 20, Friedl in view of Shanmugam in further view of Tharappel teaches all the limitations of claim 19.  Shanmugam further teaches:
wherein authenticating a user on a client device includes receiving authentication data comprising one or more of voice recognition information and facial recognition information (Shanmugam Figs. 1-8; [0018], examples of a biometric are a person's fingerprint, a sample of a person's voice, a facial image, a retinal image, and the like; [0034], the user biometric may be one or more of a fingerprint, voice password, retinal scan, facial recognition of the user that is to be using the mobile application; [0035], for ease of explanation and illustration, only the fingerprint biometric will be discussed and illustrated in the figures, but the other biometrics (e.g., voice or face recognition) may be similarly used in the registration process and for any subsequent authentication process; [0037], the mobile application 130 may prompt the User 1 to select a specific type of preferred biometric login setting, such as a fingerprint recognition login, a facial recognition login, a voice recognition login; [0055], in response to receiving the input 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated wherein authenticating a user on a client device includes receiving authentication data comprising one or more of voice recognition information and facial recognition information as suggested in Shanmugam into Friedl.  Doing so would be desirable because users often need to enter complex usernames and/or passwords manually on mobile devices that often have a small screen size. In addition, password authentication also presents a security limitation as the application needs to store the password and possibly the user name somewhere on the mobile device for verification (see Shanmugam [0005]).  A need exists for a mobile application-level biometric authentication system and method that uses biometric technology offered on a mobile device in the same manner that a .

Claim 7 is rejected under 35 U.S.C. 103 as being unpatentable over Friedl in view of Shanmugam in further view of Tharappel et al. (US 20150186636 A1, published 07/02/2015), hereinafter Tharappel in further view of Kitane (US 2016/0224779 A1, published 08/04/2016).

Regarding claim 7, Friedl in view of Shanmugam teaches all the limitations of claim 1.  However Friedl in view of Shanmugam fails to expressly disclose receiving the indication and the client device credentials on a smart watch; transmitting the indication and the client device credentials.  In the same field of endeavor, Tharappel teaches:
receiving the indication and the client device credentials on a smart watch; transmitting the indication and the client device credentials (Tharappel Figs. 1-11; [0038], security proxy 22 may be configured to unlock the operating system of smart device 20, as indicated by OS unlock 26, when a trusted request is received from wearable device 40; [0043], a communication sent to security proxy 22 by wearable device 40 includes an authentication result indicating whether biometric input data from a user was successfully authenticated (passed) or not successfully authenticated (failed); [0039], a wearable electronic watch may have voice authentication capabilities to enable voice authentication of a user; if the watch also has a touch screen display, then after the user is authenticated, the watch may allow touch input from the user to communicate with a smart device to which it is connected; [0054], a secure wireless connection can be established by first `pairing` two electronic device and storing a link key/shared secret on both devices; [0082], flow 900 may begin at 902, where a smart device 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated receiving the indication and the client device credentials on a smart watch; transmitting the indication and the client device credentials as suggested in Tharappel into Friedl in view of Shanmugam.  Doing so would be desirable because typically, the user has to separately log-in to each of the multiple electronic devices in the ecosystem to use the devices, which can increase inconvenience for the user. Hence, there is a desire to improve the means for logging-in to multiple electronic devices in the ecosystem (see Tharappel [0002]).  An electronic device as shown and described herein, overcomes many of these problems and provides a solution for users who desire secure, convenient access to multiple smart electronic devices (see Tharappel [0025]).  Additionally, a smart watch would provide a convenient device for a user to input an indication.
However, Friedl in view of Shanmugam in further view of Tharappel fails to expressly disclose receiving the indication and the client device credentials on a watch; transmitting the indication and the client device credentials to a smart phone or a mobile tablet; and transmitting the indication and the client device credentials from the smart phone or the mobile tablet to the desktop to unlock the desktop.  In the same field of endeavor, Kitane teaches:
receiving the indication and the client device credentials on a watch; transmitting the indication and the client device credentials to a smart phone or a mobile tablet; and transmitting the indication and the client device credentials from the smart phone or the mobile tablet to the desktop to unlock the desktop (Kitane Figs. 1-4, 8-10; [0048], the smartphone is used as the portable device 101; [0065], a biometric authentication device may be configured to be a wearable biometric authentication device 106 that is in a form worn by a user, such as a watch; [0066], FIG. 3 is a conceptual diagram of the wearable biometric authentication device 106 (see watch 106, which is in communication with portable device 101, where portable device 101 further communicates with control objects devices 102-104); [0035], when a user inputs a living body into the biometric authentication device 100 in this state, the biometric authentication device 100 measures biometric information of the living body input thereto to create authentication biometric data, and performs biometric authentication; success of the authentication is transmitted to the portable device wirelessly; [0036], in a case where the biometric authentication is successful, the portable device 101 that has received the success of authentication starts emitting an unlock signal for switching a control object device from a locked state to an unlocked state; [0029], examples of a control object are login control of a PC 102; [0041], upon receiving the unlock signal, the control object device starts authentication of the portable device; when the unlock signal has been determined to be the one for the control object device, the authentication is successful, so that the control object device saves its authentication context therein (S904 to S906); in this authentication, the control object device can further communicate with the portable device 101 to request information [0052], in a case of the PC 102, the portable device 101 in the state of emitting the unlock signal approaches to the PC 102 that is in a logout state, the PC 102 and the portable device 101 are connected to each other by wireless communication, and the PC 102 is placed into a logon state at a time of completion of mutual authentication)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have incorporated receiving the indication and the client device credentials on a watch; transmitting the indication and the client device credentials to a smart .

Response to Arguments
The Examiner acknowledges the Applicant’s amendments to claims 1-20.
The amendments to correct claims 1 and 9 are approved and the previous objections to claims 1 and 9 are withdrawn.
The amendments to correct claims 3, 11, and 18 are approved and the rejections to claims 1-20 under 35 U.S.C. 112(b) are withdrawn.
Applicant’s arguments with respect to claim 1, 9, and 15 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Bye (US 8,494,576 B1) col. 1 [line 40] - col. 2 [line 39].
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN T REPSHER III whose telephone number is (571)272-7487.  The examiner can normally be reached on Monday - Friday, 8AM-5PM EST.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jennifer To can be reached on (571) 272-7212.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/JOHN T REPSHER III/            Primary Examiner, Art Unit 2143