DETAILED ACTION
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This Office Action is in response to the communication filed on 6/20/2019.
Claims 1-35 are pending for consideration.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 6/20/2019 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 



The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 

Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform 
Each VCRE instance configured to … execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet in claim 1.
Each VCRE instance configured to … execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet in claim 35.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may 
Claims 1-35 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-35 of U.S. Patent No. 10498764. Although the claims at issue are not identical, they are not patentably distinct from each other because both inventions are directed to a similar routing system within a mobile network that allows an individual or an organization to define routing and/or security policies for one or more mobile devices without the intervention of a mobile network operator.
Furthermore, Examiner notes that each and every limitation of the instant claims appears to be substantially anticipated by the corresponding claims of the patent application.
Therefore, Examiner respectfully submits that the instant claims and the claims of the patent application are not directed to patentably distinct inventions; thus, properly rejected on the grounds of nonstatutory double patenting, as further outlined below.

Instant Application 16447170
Patent application 10498764 
Claim 1:
A PDN Integrated Customized Network Edge Enabler and Controller (PICNEEC), executable by one or more hardware processors, for operation by a mobile at least one Virtual Customized Rules Enforcer (VCRE) instance, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices, each VCRE instance configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, the radio network being a cellular-based network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet, each VCRE instance controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider, wherein the one or more policy rules are policy rules designed to be applied to traffic between the VCRE instance and an internal network.

A PDN Integrated Customized Network Edge Enabler and Controller (PICNEEC), executable by one or more hardware processors, for operation by a mobile east one Virtual Customized Rules Enforcer (VCRE) instance, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices, each VCRE instance configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, the radio network being a cellular-based network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet, each VCRE instance controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider, wherein the one or more policy rules include a rule used to establish a virtual private network (VPN) between the VCRE instance and an external network.

A method comprising: receiving, at a PICNEEC executable by one or more hardware processors, a data packet sent between a mobile device and a packet-based network via a radio network, the radio network being a cellular-based network; determining, based on information in the data packet, a VCRE instance assigned to the mobile device, the VCRE instance controlled independent of other VCRE instances at the PICNEEC via direct accessing of the VCRE instance by a customer of a mobile network provider operating the PICNEEC; executing one or more policy rules defined in the VCRE instance on the data packet, wherein the one or more policy rules include a rule managing a routing table for routing between the VCRE instance and Internet Protocol (IP) connectivity networks and a policy rule designed to be applied to traffic between the VCRE instance and an internal network; and routing the data packet based on the routing table.

A method comprising: receiving, at a PICNEEC executable by one or more hardware processors, a data packet sent between a mobile device and a packet-based network via a radio network, the radio network being a cellular-based network; determining, based on information in the data packet, a VCRE instance assigned to the mobile device, the VCRE instance controlled independent of other VCRE instances at the PICNEEC via direct accessing of the VCRE instance by a customer of a mobile network provider operating the PICNEEC; executing one or more policy rules defined in the VCRE instance on the data packet, wherein the one or more policy rules include a rule managing a routing table for routing between the VCRE instance and Internet Protocol (IP) connectivity networks and a rule used to establish a virtual private network (VPN) between the VCRE instance and an external network; and routing the data packet based on the routing table.

A PDN Integrated Customized Network Edge Enabler and Controller (PICNEEC), executable by one or more hardware processors, for operation by a mobile network provider, comprising: at least one Virtual Customized Rules Enforcer (VCRE) instance, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices, each VCRE instance configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, the radio network being a cellular-based network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet, each VCRE instance controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider, wherein the one or more policy rules are policy rules designed to be applied to traffic between the VCRE instance and an internal network; wherein the PICNEEC is simultaneously connected to a 3G/4G network and a Low Power Wide Area Network (LPWAN).

A PDN Integrated Customized Network Edge Enabler and Controller (PICNEEC), executable by one or more hardware processors, for operation by a mobile network provider, comprising: at least one Virtual Customized Rules Enforcer (VCRE) instance, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices, each VCRE instance configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, the radio network being a cellular-based network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet, each VCRE instance controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider, wherein the one or more policy rules include a rule used to establish a virtual private network (VPN) between the VCRE instance and an external network; wherein the PICNEEC is simultaneously connected to a 3G/4G network and a Low Power Wide Area Network (LPWAN).


The dependent claims of the instant application recite language similar to the dependent claims of the patent application and are covered by the patent application.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –




Claims 1 and 29 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Varadhan et al. (US 8316435) (hereinafter Varadhan).
Regarding claim 1, Varadhan teaches a PDN Integrated Customized Network Edge Enabler and Controller (PICNEEC), executable by one or more hardware processors, for operation by a mobile network provider, comprising: a memory (Varadhan: column 13 lines 14-25, “program code having executable instructions fetched from a computer-readable storage medium (not shown). Examples of such media include random access memory (RAM), read-only memory (ROM), non-volatile random access memory (NVRAM), electrically erasable programmable read-only memory (EEPROM), flash memory, and the like”); and at least one Virtual Customized Rules Enforcer (VCRE) instance, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices, each VCRE instance configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, the radio network being a cellular-based network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet (Varadhan: see figure 9 
; and column 16 lines 10-20, “firewall 208 has been logically partitioned into multiple virtual security systems 240A-240X to provide multi-tenant security services. That is, virtual security systems 240 represent logically partitioned firewall instances providing separate security services, including MPLS-aware zone-based firewall services, that are applied by firewall 208. Router 200 presents virtual security systems 240 as logically independent firewalls that can be independently configured even though the virtual security systems may share computing resources of service cards 224.”), each VCRE instance controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider (Varadhan: see figure 11 
; and column 16 lines 34-45, “Each of virtual security systems 240 is presented to the corresponding VSYS administrator 209 as a unique security domain, and the VSYS administrator 209 for each virtual system 240 can individualize their security domain by defining specific zones and policies to be applied to traffic associated with that virtual system 240. Each virtual security system 240 can be configured to have its own totally separated set of security zones, policy rule set and management domain”), wherein the one or more policy rules are policy rules designed to be applied to traffic between the VCRE instance and an internal network (Varadhan: column 17 lines 20-67, “the administrator may define zones and policies using the keywords "zone" and "policy," as described above, for the particular virtual system 240” … “For the zone "untrust," the administrator has indicated that the zone includes VPN traffic carried by two customer VPNs, VPN-A and VPN-B. For the zone "trust," the administrator has indicated that the zone includes a collection of two interfaces for forwarding traffic to client sites A and B. Further, the administrator has defined a policy for application to traffic received from an interface within the zone untrust and directed to an interface within the zone trust (e.g., 
Regarding claim 29, claim 29 discloses a method claim that is substantially equivalent to the PICNEEC of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 29 and rejected for the same reasons.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2-9 and 21-34 are rejected under 35 U.S.C. 103 as being unpatentable over Varadhan in view of DAHOB et al. (US 20120166618) (hereinafter DAHOB).
Regarding claims 2 and 30, Varadhan does not explicitly teach the following limitation which is disclosed by DAHOD, wherein the data packet is routed between a Serving General Packet Radio Service (GPRS) Support Node/Serving (SGSN) and a Gateway GPRS Support Node (GGSN) internal to the PICNEEC (DAHOD: paragraphs 0047, 0058 and 0114, “(SGSN) can be implemented on a gateway 142 with a mobility management entity (MME). The GERAN 138 can communicate through the SGSN functionality on gateway 142 to serving gateway ( SGW) 144 or gateway GPRS support node ( GGSN)/PGW 146”).  Varadhan and DAHOB are analogous art because they are from the same field of endeavor, secure communications.  Before the effective filing date of the claimed invention, it would have DAHOB : see Abstract).
Regarding claims 3 and 31, Varadhan as modified teaches wherein the data packet is routed between a Serving Gateway (SGW) and a Packet Data Network Gateway (PGW) internal to the PICNEEC (DAHOD: see figure 1; and paragraphs 0039 and 0042, “The SGW sits in the user plane where it forwards and routes packets to and from the eNodeB and PGW”). The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claims 4 and 32, Varadhan as modified teaches wherein the data packet is routed between a Serving General Packet Radio Service (GPRS) Support Node/Serving (SGSN) and a Gateway GPRS Support Node (GGSN) external to the PICNEEC, the external GGSN handling data for an Internet Protocol (IP) connectivity access network through the PICNEEC (DAHOD: paragraphs 0043, “The PGW provides connectivity to the UE to external packet data networks by being the point of exit and entry of traffic for the UE. A UE may have simultaneous connectivity with more than one PGW for accessing multiple packet data networks”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claims 5 and 33, Varadhan as modified teaches wherein the data packet is routed between a Serving Gateway (SGW) and a PGW external to the PICNEEC, the external PGW handling data for an IP connectivity access network through the PICNEEC (DAHOD: paragraphs 0043, 0058 and 0073, “The PGW provides connectivity to the UE to external packet data networks by being the point of exit and entry of traffic for the UE”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claims 6 and 34, Varadhan as modified teaches wherein the data packet is routed through a mobile network serving packet gateway that handles the data packet through the PICNEEC (DAHOD: paragraphs 0043, 0058 and 0073, “The PGW provides connectivity to the UE to external packet data networks by being the point of exit and entry of traffic for the UE”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 7, Varadhan as modified teaches wherein at least one VCRE instance defines customized access point names (APNs) (DAHOD: paragraphs 0052, 0059, and 0061, “establish a plurality of PDN connections to the AIR-controller 150, in which each PDN connection will have a distinct IP address. The access point name (APN) for the first PDN connection can be a first IP address IP1, and the APN for the second PDN connection can be a second IP address IP2. Once the PDN connections are established, in step 2, the AIR-controller 150 can communicate with policy servers”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 8, Varadhan as modified teaches wherein at least one VCRE instance is an independent virtual network function (DAHOD: paragraphs 0037 and 0114, “The system can be virtualized to support multiple logical instances of services, such as technology functions (e.g., a SeGW PGW, SGW, MME, HSGW, PDSN, ASNGW, PDIF, HA, or GGSN)”
Regarding claim 9, Varadhan as modified teaches wherein at least one VCRE instance is an independent physical network function (DAHOD: paragraphs 0054 and 0113, “The data traffic through the AIR-controller 150 indicates the default or normal user data traffic independent of the AIR framework.”… “The network processing unit determines packet processing requirements; receives and transmits user data frames to/from various physical interfaces; makes IP forwarding decisions”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 21, Varadhan as modified teaches wherein a customer defines a corresponding VCRE instance by defining a virtual private network (VPN) between the corresponding VCRE instance and an external network (DAHOD: paragraphs 0120 and 0124, “Virtual private network (VPN) subsystem manages the administrative and operational aspects of VPN-related entities in the network device, which include creating separate VPN contexts, starting IP services within a VPN context, managing IP pools and subscriber IP addresses, and distributing the IP flow information within a VPN context”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 22, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by defining network routing between the corresponding VCRE instance and IP connectivity networks (DAHOD: paragraphs 0068 and 0087, “the AIR-router 154 can detect this inconsistency and inform the AIR-controller 150, which can subsequently provision the AIR-client 152 to modify the policy (AIR protocol) on the AIR-client”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 23, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by defining firewall rules for packet data traffic passing through the corresponding VCRE instance (DAHOD: paragraph 0047, “routing and enhanced services, such as enhanced charging, stateful firewalls, traffic performance optimization”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 24, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by defining network address translation (NAT) rules for packet data traffic passing through the corresponding VCRE instance (DAHOD: paragraph 0051, “the AIR-router can be discovered using a DNS or AAA based discovery procedures, and the security association can be carried out using IKEv2. An AIR-router can also implement charging models, LI, and analytics, and may not require a network address translation (NAT)”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 25, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by defining domain name system (DNS) settings for packet data traffic passing through the corresponding VCRE instance (DAHOD: paragraph 0051, “the AIR-router can be discovered using a DNS or AAA based discovery procedures, and the security association can be carried out using IKEv2.”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 26, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by defining security rules for packet data traffic passing through the corresponding VCRE instance (DAHOD: paragraphs 0049-0050, “policy information for mobile devices, (2) set up and enforce the policies in mobile devices, and (3) manage the loaded policies on mobile devices… For instance, business logic can specify that a first type of data is delivered to a user equipment using a first policy (i.e., delivering voice data using 3G) and a second type of data is delivered using a second policy (i.e., delivering video data using 4G.)).  The same 
Regarding claim 27, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by assigning IP addresses to mobile devices (DAHOD: paragraphs 0050, 0052 and 0059, “an AIR-client can implement different policies for different data types. For example, an AIR-client can decide to use one IP address established in accordance with 3G to transfer voice data and another IP address established in accordance with 4G to transfer video data, thereby controlling the QoS for different data types”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.
Regarding claim 28, Varadhan as modified teaches wherein a customer defines the corresponding VCRE instance by defining Hypertext Transfer Protocol Header Enrichment (HHE) rules for traffic passing through the corresponding VCRE instance (DAHOD: paragraphs 0064-0065 and 0077-0078, “the AIR-client 152 can perform an Application X control transaction (e.g. HTTP GET operation) to an application server via the AIR-controller 150. The communication takes place over the PDN connection, PDP context or a MIP connection”).  The same motivation to modify Varadhan in view of DAHOB, as applied in claims 2 and 30 above, applies here.

Claims 10-20 are rejected under 35 U.S.C. 103 as being unpatentable over Varadhan in view of Qureshi et al. (US 20140007222) (hereinafter Qureshi).
Regarding claim 10, Varadhan does not teach the following limitation which is taught by Qureshi, wherein at least one VCRE instance is a subset of rules in a larger network function, wherein the customer can only access the specific subset of rules (Qureshi: paragraphs 0057 and 0075, “employees to use a custom-developed enterprise application for accessing cloud-based storage, the enterprise can modify (or have modified) a popular, commercially-available mobile application with which users are already familiar. Further, different versions of a given application (with different authentication methods, encryption levels, etc.) can be created for different types of employees”).  Varadhan and Qureshi are analogous art because they are from the same field of endeavor, access restriction.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Varadhan and Qureshi before him or her, to modify the system of Varadhan to include the subset of rules of Qureshi.  The suggestion/motivation for doing so would have been to protect enterprise resources, including confidential and/or sensitive information (Qureshi: paragraph 0006).
Regarding claim 11, Varadhan as modified teaches the following limitation which is disclosed by Qureshi, wherein at least one VCRE instance is created by a customer using a VCRE rules function (RCF) console (Qureshi: paragraph 0175, “A tunneling mediator or related system can include an interface, such as a web console, for viewing, creating, and editing tunnel definitions. The interface can also allow an administrator or other person to view data associated with mobile devices”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 12, Varadhan as modified teaches wherein the RCF console is a Secure Shell (SSH) access (Qureshi: paragraph 0055, “This may be accomplished in part through mobile device software that creates a secure environment or shell in which the enterprise mobile applications can run and store data. This secure environment or shell may, for example, prevent the personal applications installed on a mobile device from accessing the documents and other data stored on the mobile device by the enterprise applications”
Regarding claim 13, Varadhan as modified teaches wherein at least one VCRE instance is created by a customer using a VCRE rules function (RCF) application (Qureshi: paragraph 0175, “A tunneling mediator or related system can include an interface, such as a web console, for viewing, creating, and editing tunnel definitions.”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 14, Varadhan as modified teaches wherein the RCF application is an application program interface (API) (Qureshi: paragraph 0084, “The enterprise agent 320 collects information about the mobile device's configuration using standard operating system APIs and mechanisms, and/or using its own APIs and mechanisms”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 15, Varadhan as modified teaches wherein the RCF application is a website (Qureshi: paragraph 0194, “Using an application tunnel to perform content filtering can be implemented with features related to modifying a pre-existing mobile application, and/or through the use of a secure web browser as described below”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 16, Varadhan as modified teaches wherein the RCF application is a dedicated computer program (Qureshi: paragraph 0195, “The enterprise agent 320 communicates via a wireless network (WIFI, cellular, etc.) with the mobile device management system 126, which may, for example, be implemented on a dedicated server within the enterprise system 110. The mobile device management system 126 illustrated in FIG. 25 includes a web admin console 126a that enables administrators, via a web-based interface, to configure and deploy application tunnels between mobile devices 120 and application servers”).
Regarding claim 17, Varadhan as modified teaches wherein the RCF console manages at least one VCRE instance directly (Qureshi: paragraph 0175, “The interface can also allow an administrator or other person to view data associated with mobile devices adapted to connect via application tunnels”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 18, Varadhan as modified teaches wherein the RCF application manages at least VCRE instance directly (Qureshi: paragraph 0175, “The interface can also allow an administrator or other person to view data associated with mobile devices adapted to connect via application tunnels”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 19, Varadhan as modified teaches wherein the RCF console connects to a central RCF that manages at least one of the VCRE instances (Qureshi: paragraph 0175, “The interface can also allow an administrator or other person to view data associated with mobile devices adapted to connect via application tunnels”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.
Regarding claim 20, Varadhan as modified teaches wherein the RCF application connects to a central RCF that manages at least one of the VCRE instances (Qureshi: paragraph 0175, “The interface can also allow an administrator or other person to view data associated with mobile devices adapted to connect via application tunnels”).  The same motivation to modify Varadhan in view of Qureshi, as applied in claim 10 above, applies here.

Claim 35 is rejected under 35 U.S.C. 103 as being unpatentable over Varadhan in view of Casanova (US 20150356498) (hereinafter Casanova).
Regarding claim 35, Varadhan teaches a PDN Integrated Customized Network Edge Enabler and Controller (PICNEEC), executable by one or more hardware processors, for operation by a mobile network provider, comprising: at least one Virtual Customized Rules Enforcer (VCRE) instance, each VCRE instance corresponding to a group of mobile devices and defining a set of policies personalized for the group of mobile devices, each VCRE instance configured to, upon receiving a data packet communicated between a packet-based network and a mobile device in the corresponding group via a radio network, the radio network being a cellular-based network, execute one or more policy rules stored in the VCRE instance to the data packet prior to forwarding the data packet (Varadhan: see figure 9
; and column 16 lines 10-20, “firewall 208 has been logically partitioned into multiple virtual security systems 240A-240X to provide multi-tenant security services. That is, virtual security systems 240 represent logically partitioned firewall instances providing separate security services, including MPLS-aware zone-based firewall services, that are applied by firewall 208. Router 200 presents virtual security systems 240 as logically independent firewalls that can be independently configured even though the virtual security systems may share computing resources of service cards 224.”), each VCRE instance controlled independently of one another via direct accessing of the VCRE instance by a different customer of the mobile network provider (Varadhan: see figure 11
; and column 16 lines 34-45, “Each of virtual security systems 240 is presented to the corresponding VSYS administrator 209 as a unique security domain, and the VSYS administrator 209 for each virtual system 240 can individualize their security domain by defining specific zones and policies to be applied to traffic associated with that virtual system 240. Each virtual security system 240 can be configured to have its own totally separated set of security zones, policy rule set and management domain”), wherein the one or more policy rules are policy rules designed to be applied to traffic between the VCR instance and an internal network (Varadhan: column 17 lines 20-67, “the administrator may define zones and policies using the keywords "zone" and "policy," as described above, for the particular virtual system 240” … “For the zone "untrust," the administrator has indicated that the zone includes VPN traffic carried by two customer VPNs, VPN-A and VPN-B. For the zone "trust," the administrator has indicated that the zone includes a collection of two interfaces for forwarding traffic to client sites A and B. Further, the administrator has defined a policy for application to traffic received from an interface within the zone untrust and directed to an interface within the zone trust (e.g., wherein the PICNEEC is simultaneously connected to a 3G/4G network and a Low Power Wide Area Network (LPWAN) (Casanova: paragraphs 0091 and 0094-0095, “a low power wide area network 248 can be used, such as is provided by SIGFOX, together with SIGFOX enabled devices”).  Varadhan and Casanova are analogous art because they are from the same field of endeavor, secure communications.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Varadhan and Casanova before him or her, to modify the system of Varadhan to include the LPWAN of Casanova.  
The suggestion/motivation for doing so would have been to support available cellular network requirements (Casanova: paragraph 0092).

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant's disclosure is listed on the enclosed PTO-892 form, e.g., Bayar et al. (US 9055557) discloses techniques for programming a set of one or more pre-defined rules within the forwarding plane of a packet gateway of a mobile service provider network and caching, within the control plane, a group identifier that identifies the set of programmed, pre-defined rules. The control plane may match quality of service (QoS) information of incoming subscriber service requests with the group identifier and respective subsets of the set of programmed, pre-defined rules to rapidly associate service requests with already-programmed PCC rules and thereafter install, to the forwarding plane, subscriber service-specific actions for the PCC rules.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.