Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

EXAMINER'S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with Al Fasulo on May 25, 2021.

The application has been amended as follows: 

1. (Currently Amended) A method comprising:
at an authorized local domain service deployed in a local network and authorized to provision endpoint devices in the local network with a cloud-based service on behalf of an organization, the cloud-based service configured with trust information indicating a trusted certificate authority to issue certificates to the endpoint devices and a trusted local domain service:
receiving, from a local domain service deployed in the local network and configured to connect with and register the endpoint devices 
in a local network account database having entries for accounts associated with identities of the endpoint devices, identifying for the organization an account associated with the identity of the endpoint device; 
in a cloud-based account database of the cloud-based service that has parallel accounts for the accounts in the local network account database, automatically creating for the organization an association between the identity of the endpoint device and a parallel account for the account for the endpoint device; and 
notifying the endpoint device via the local domain service to onboard against the cloud-based service for access to the cloud-based service; and
at the cloud-based service: 
receiving from the endpoint device, over a network connection, endpoint device information that indicates the local domain service, a certificate authority that issued a certificate to the endpoint device, and the identity of the endpoint device; and
upon determining that the endpoint device is trusted based on comparisons between the trust information and the endpoint device information, authorizing the endpoint device to access the cloud-based service, otherwise, not authorizing the endpoint device for the access.

2. (Currently Amended) The method of claim 1, wherein the account is an individual account and the parallel account is a parallel individual account.

3. (Currently Amended) The method of claim [[2]] 1, wherein the authorizing includes issuing, to the endpoint device, one or more access tokens to be used by the endpoint device to access services of the cloud-based service.

4. (Currently Amended) The method of claim [[2]] 1, wherein the determining includes:
testing whether (i) the trusted certificate authority issued the certificate to the endpoint device, (ii) the endpoint device is connected to the trusted local domain service, and (iii) the identity of the endpoint device is associated with the account; and
determining the endpoint device is trusted when tests (i), (ii), and (iii) all pass, otherwise, determining the endpoint device is not trusted. 

5. (Currently Amended) The method of claim [[2]] 1, further comprising, at the local domain service:
establishing an endpoint device-initiated Transport Layer Security (TLS) connection with the endpoint device over which the endpoint device registers with the local domain service; and
issuing to the endpoint device over the TLS connection a certificate for the local domain service, 
wherein the receiving from the endpoint device the endpoint device information includes receiving from the endpoint device the certificate for the local domain service.

6. (Currently Amended) The method of claim [[2]] 1, further comprising, at the cloud-based service:
establishing the network connection with the endpoint device as an endpoint device-initiated Transport Layer Security (TLS) connection.

7. (Previously Amended) The method of claim 1, further comprising, at the cloud-based service:
prior to automatically creating the association, receiving trust information to cause the cloud-based service to trust the authorized local domain service to perform actions, including automatically creating the association, on the cloud-based service on behalf of the organization.

8. (Previously Presented) The method of claim 1, wherein:
the receiving includes receiving the identity of the endpoint device as a media access control (MAC) address of the endpoint device; and
automatically creating includes creating the association as an association between the parallel account and the MAC address. 

9. (Previously Presented) The method of claim 1, further comprising, at the authorized local domain service:
prior to automatically creating the association, determining whether the parallel account exists in the cloud-based account database of the cloud-based service; and
if the parallel account does not exist in the cloud-based account database, creating the parallel account in the cloud-based account database, and then performing automatically creating the association.

10. (Previously Presented) The method of claim 1, wherein:
automatically creating includes creating a shared parallel account in the cloud-based account database of the cloud-based service for multiple users or multiple endpoint devices. 

11. (Currently Amended) A system comprising:
a cloud-based service configured with trust information indicating a trusted certificate authority to issue certificates to endpoint devices in a local network and a trusted local domain service for an organization;
an authorized local domain service deployed in [[a]] the local network and authorized to communicate with the cloud-based service on behalf of [[an]] the organization; and
a local domain service deployed in the local network to register the endpoint devices for communications on behalf of the organization; 
wherein the authorized local domain service is configured to: 
receive, from the local domain service, an identity of an endpoint device among the endpoint devices that is acquired by the local domain service when the endpoint device registered with the local domain service; 
in a local network account database having entries for accounts associated with identities of the endpoint devices, identify for the organization, an account associated with the identity;
in a cloud-based account database of the cloud-based service that has parallel accounts for the accounts in the local network account database, automatically create for the organization an association between the identity of the endpoint device and a parallel account for the account for the endpoint device; and
notify the endpoint device via the local domain service to onboard against the cloud-based service for access to the cloud-based service; and
wherein the cloud-based service is configured to:
receive from the endpoint device, over a network connection, endpoint device information that indicates the local domain service, a certificate authority that issued a certificate to the endpoint device, and the identity of the endpoint device; and
upon determining the endpoint device is trusted based on comparisons between the trust information and the endpoint device information, authorize the endpoint device to access the cloud-based service, otherwise, not authorize the endpoint device for the access.

12. (Currently Amended) The system of claim 11, wherein the account is an individual account and the parallel account is a parallel individual account.

13. (Currently Amended) The system of claim [[12]] 11, wherein the cloud-based service is configured to determine by:
testing whether (i) the trusted certificate authority issued the certificate to the endpoint device, (ii) the endpoint device is connected to the trusted local domain service, and (iii) the identity is associated with the account; and
determining the endpoint device is trusted when tests (i), (ii), and (iii) all pass, otherwise, determining the endpoint device is not trusted. 

14. (Currently Amended) The system of claim [[12]] 11, wherein the local domain service is configured to:
establish an endpoint device-initiated Transport Layer Security (TLS) connection with the endpoint device over which the endpoint device registers with the local domain service; and
issue to the endpoint device over the TLS connection a certificate for the local domain service, 
wherein the cloud-based service is configured to receive from the endpoint device the endpoint device information to include the certificate for the local domain service.

15. (Currently Amended) The system of claim [[12]] 11, wherein the cloud-based service is further configured to:
establish the network connection with the endpoint device as an endpoint device-initiated Transport Layer Security (TLS) connection.

16. (Previously Presented) The system of claim 11, wherein the cloud-based service is further configured to:
prior to when the authorized local domain service is configured to automatically create the association, receive trust information to cause the cloud-based service to trust the authorized local domain service to perform actions, including automatically create the association, on the cloud-based service on behalf of the organization.

17. (Previously Presented) The system of claim 11, wherein the authorized local domain service is further configured to:
prior to when the authorized local domain service is configured to automatically create the association, determine whether the parallel account exists in the cloud-based account database of the cloud-based service; and
if the parallel account does not exist in the cloud-based account database, create the parallel account in the cloud-based account database, and then automatically create the association between the parallel account and the identity.

18. (Currently Amended) Non-transitory computer readable storage media encoded with instructions that, when executed by one or more processors, cause the one or more processors to perform operations including:
at an authorized local domain service deployed in a local network and authorized to provision endpoint devices in the local network with a cloud-based service on behalf of an organization, the cloud-based service configured with trust information indicating a trusted certificate authority to issue certificates to the endpoint devices and a trusted local domain service:
receiving, from a local domain service deployed in the local network and configured to connect with and register the endpoint devices 
in a local network account database having entries for accounts associated with identities of the endpoint devices, identifying for the organization an account associated with the identity of the endpoint device; 
in a cloud-based account database of the cloud-based service that has parallel accounts for the accounts in the local network account database, automatically creating for the organization an association between the identity of the endpoint device and a parallel account for the account for the endpoint device; and 
notifying the endpoint device via the local domain service to onboard against the cloud-based service for access to the cloud-based service; and
at the cloud-based service: 
receiving from the endpoint device, over a network connection, endpoint device information that indicates the local domain service, a certificate authority that issued a certificate to the endpoint device, and the identity of the endpoint device; and
upon determining that the endpoint device is trusted based on comparisons between the trust information and the endpoint device information, authorizing the endpoint device to access the cloud-based service, otherwise, not authorizing the endpoint device for the access.

19. (Currently Amended) The non-transitory computer readable storage media of claim 18, wherein the account is an individual account and the parallel account is a parallel individual account.

20. (Currently Amended) The non-transitory computer readable storage media of claim [[19]] 18, wherein the instructions to cause the one or more processors to perform the determining include instructions to cause the one or more processors to perform:
testing whether (i) the trusted certificate authority issued the certificate to the endpoint device, (ii) the endpoint device is connected to the trusted local domain service, and (iii) the identity of the endpoint device is associated with the account; and
determining the endpoint device is trusted when tests (i), (ii), and (iii) all pass, otherwise, determining the endpoint device is not trusted. 
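The three-part trust determination recited in claims 4, 13 and 20, together with the create-parallel-account-then-associate step of claims 9 and 17, rendered as an added Python illustration. This is not code from the application or the applicant; the class names, the "parallel:" naming of cloud accounts, the token format and the sample MAC-style identities are assumptions, and the endpoint certificate, issuing certificate authority and local domain service are modelled as plain strings rather than X.509 material.

```python
"""Model of the claimed onboarding flow and cloud-side trust determination.

Added illustration, not the applicant's code.  Class names, the "parallel:"
naming scheme, the token format and the sample identities are assumptions;
certificates and the local domain service are represented as plain strings.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple
import secrets


@dataclass(frozen=True)
class TrustInfo:
    """Trust information configured on the cloud-based service."""
    trusted_ca: str             # CA trusted to issue endpoint certificates
    trusted_local_domain: str   # local domain service trusted for the organization


@dataclass(frozen=True)
class EndpointInfo:
    """Endpoint device information presented to the cloud-based service."""
    local_domain: str   # local domain service the endpoint registered with
    issuing_ca: str     # CA that issued the endpoint's certificate
    identity: str       # endpoint identity, e.g. a MAC address


class CloudAccountDatabase:
    """Parallel accounts plus identity-to-account associations."""

    def __init__(self) -> None:
        self.accounts: Set[str] = set()
        self.associations: Dict[str, str] = {}   # identity -> parallel account


class AuthorizedLocalDomainService:
    """Authorized to provision endpoints on the cloud service for the organization."""

    def __init__(self, local_accounts: Dict[str, str], cloud_db: CloudAccountDatabase) -> None:
        self.local_accounts = local_accounts   # local network account database: identity -> account
        self.cloud_db = cloud_db

    def provision(self, identity: str) -> Optional[str]:
        """Identify the local account, ensure its parallel account exists, then associate the identity."""
        account = self.local_accounts.get(identity)
        if account is None:
            return None                      # unknown identity: nothing to associate
        parallel = "parallel:" + account     # assumed naming scheme for parallel accounts
        if parallel not in self.cloud_db.accounts:
            self.cloud_db.accounts.add(parallel)   # create the parallel account before associating
        self.cloud_db.associations[identity] = parallel
        return parallel


class CloudService:
    """Cloud-based service that decides whether an onboarding endpoint is trusted."""

    def __init__(self, trust: TrustInfo, cloud_db: CloudAccountDatabase) -> None:
        self.trust = trust
        self.cloud_db = cloud_db
        self.issued_tokens: Dict[str, str] = {}   # token -> parallel account

    def run_tests(self, info: EndpointInfo) -> Tuple[bool, bool, bool]:
        """Tests (i) trusted CA, (ii) trusted local domain service, (iii) identity associated with an account."""
        ca_ok = info.issuing_ca == self.trust.trusted_ca
        domain_ok = info.local_domain == self.trust.trusted_local_domain
        associated = info.identity in self.cloud_db.associations
        return ca_ok, domain_ok, associated

    def is_trusted(self, info: EndpointInfo) -> bool:
        return all(self.run_tests(info))

    def authorize(self, info: EndpointInfo) -> Optional[str]:
        """Issue an access token only when all three tests pass; otherwise return None."""
        if not self.is_trusted(info):
            return None
        token = secrets.token_urlsafe(32)
        self.issued_tokens[token] = self.cloud_db.associations[info.identity]
        return token


# Constructed sample data for the walkthrough (not taken from the application).
TRUST = TrustInfo(trusted_ca="Example Org Device CA", trusted_local_domain="lds.corp.example")
LOCAL_ACCOUNTS = {"aa:bb:cc:00:00:01": "alice", "aa:bb:cc:00:00:02": "bob"}


def build_demo() -> Tuple[AuthorizedLocalDomainService, CloudService]:
    """Wire an authorized local domain service and a cloud service to one shared account database."""
    cloud_db = CloudAccountDatabase()
    return AuthorizedLocalDomainService(LOCAL_ACCOUNTS, cloud_db), CloudService(TRUST, cloud_db)


if __name__ == "__main__":
    lds, cloud = build_demo()
    lds.provision("aa:bb:cc:00:00:01")
    good = EndpointInfo("lds.corp.example", "Example Org Device CA", "aa:bb:cc:00:00:01")
    rogue = EndpointInfo("lds.corp.example", "Unknown CA", "aa:bb:cc:00:00:01")
    print("provisioned endpoint:", cloud.run_tests(good), "token issued:", cloud.authorize(good) is not None)
    print("untrusted CA:", cloud.run_tests(rogue), "token issued:", cloud.authorize(rogue) is not None)
```

Running the module provisions one identity and then submits two onboarding attempts: the provisioned endpoint passes all three tests and receives a token, while an otherwise identical endpoint whose certificate came from a CA not in the trust information fails test (i) and is refused. An identity that was never provisioned by the authorized local domain service fails test (iii) even when its CA and local domain service match, which is the property that ties cloud access to the local account database.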

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRANDON S HOFFMAN whose telephone number is (571)272-3863.  The examiner can normally be reached on Monday-Friday 8:30AM-5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on (571)272-6798.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/BRANDON S HOFFMAN/Primary Examiner, Art Unit 2433