DETAILED ACTION
This Office Action is in response to the communication filed on 08/09/2019.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Examiner's Amendment
An Examiner's amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner's amendment was given in a discussion with Levi Brown (Reg. No. 72,533) on 06/14/2021.
The application has been amended as follows:
1. (Currently Amended) A client device comprising:
a processor; and
a computer-readable hardware storage device having stored computer-executable instructions that are executable by the processor to cause the client device to enforce policy received from an external policy server by at least performing the following:
first application that is identified as being safe to access a resource maintained on a resource server and an entry specifying a second application that is identified as being unsafe and that causes the client device to configure an operating system of the client device in response to the policy to prevent the second application from accessing the resource maintained on the resource server;
determining that a first particular application, which is executing on the client device, implements the policy based, at least in part, on the first particular application being specified in the policy as being safe;
determining that a second particular application, which is also executing on the client device, does not implement the policy based, at least in part, on the second particular application being specified in the policy as being unsafe;
storing an access credential, which is required to access the resource maintained on the resource server, within a credential store maintained by [[an]]the operating system of the client device;
in response to the determining that the first particular application implements the policy and based on the policy, providing, from the credential store, a particular access credential to the first particular application, the first particular application to access the resource maintained on the resource server[[.]]; 
determining that the second particular application does not implement the policy and is not allowed to use the particular access credential; and
denying the second particular application from accessing the resource.
2. (Currently Amended) The client device of claim 1, wherein the first application is identified as being safe as a result of said first application being configured to prevent a copy operation from being performed on the client device, the copy operation comprising copying resource data to a clipboard.
3. (Currently Amended) The client device of claim 1, wherein the first application is identified as being safe as a result of said first application being configured to prevent a screenshot operation from being performed on the client device, the screenshot operation comprising a screenshot of displayed data being taken on the client device.
4. (Currently Amended) The client device of claim 1, wherein the operating system further determines that the first particular application implements the policy based on metadata associated with the resource.
first particular application implements the policy based on a classification of the resource.
6. (Currently Amended) The client device of claim 1, wherein the operating system further determines that the first particular application implements the policy based on an identified owner of the resource.
11. (Currently Amended) A client device comprising:
a processor; and
a computer-readable hardware storage device having stored computer-executable instructions that are executable by the processor to cause the client device to enforce policy received from an external policy server by at least performing the following:
receiving, from the external policy server, the policy including an entry specifying a[[n]] first application that is identified as being unsafe and that causes the client device to configure an operating system of the client device in response to the policy to prevent the first application from accessing a resource maintained on a resource server and an entry specifying a second application that is identified as being safe to access the resource maintained on the resource server;
first particular application, which is executing on the client device, does not implement the policy based, at least in part, on the first particular application being specified in the policy as being unsafe;
determining that a second particular application, which is executing on the client device, implements the policy based, at least in part, on the second particular application being specified in the policy as being safe;
storing an access credential within a credential store maintained by the operating system, the access credential being a credential required by the resource server to access resources maintained on the resource server, including said resource;
in response to the determining that the first particular application does not implement the policy and based on the policy, determining that the first particular application is not allowed to use a particular access credential from the credential store, wherein the particular access credential is configured to enable access to the resource maintained on the resource server, and wherein, as a result of the first particular application not being allowed to use the particular access credential, the first particular application is denied from accessing the resource[[.]]; and
in response to the determining that the second particular application implements the policy, providing, from the credential store, the particular access credential to the second particular application, the particular access credential being configured to enable the second particular application to access the resource maintained on the resource server.
13. (Currently Amended) The client device of claim 11, wherein determining that the first particular application does not implement the policy is based on one or more of: a classification of the resource, an owner of the resource, or metadata of the resource.
14. (Currently Amended) The client device of claim 11, wherein the operating system further determines that the first particular application does not implement the policy based on metadata associated with the resource.
15. (Currently Amended) The client device of claim 11, wherein the operating system further determines that the first particular application does not implement the policy based on a classification of the resource.
16. (Currently Amended) The client device of claim 11, wherein the operating system further determines that the first particular application does not implement the policy based on an identified owner of the resource.

determine that a second resource is not subject to the policy;
determine that the second resource still requires a second access credential to access the second resource even though the second resource is not subject to the policy; and
provide, from the credential store, the second access credential to the first particular application to enable the first particular application to access the second resource.
20. (Currently Amended) A client device comprising:
a processor; and
a computer-readable hardware storage device having stored thereon computer-executable instructions that are executable by the processor to cause the client device to enforce policy received from an external policy server by at least performing the following:
receiving, from the external policy server, the policy including (i) a first set of entries specifying a first set of applications that are identified as being safe to access a resource maintained on a resource server and (ii) a second set of entries specifying a second set of applications that are identified as being unsafe to  and that cause the client device to configure an operating system of the client device in response to the policy to prevent the second set of  applications from accessing the resource maintained on the resource server;
determining that a first application, which is executing on the client device, implements the policy based, at least in part, on the policy specifying the first application as being safe;
determining that a second application, which is also executing on the client device, does not implement the policy based, at least in part, on the policy specifying the second application as being unsafe;
storing an access credential within a credential store maintained by the operating system, the access credential being a credential required by the resource server to access resources maintained on the resource server, including said resource;
in response to the determining that the first application implements the policy, providing, from the credential store, a particular access credential to the first application for use by the first application to access the resource, the particular access credential being configured to enable access to the resource maintained on the resource server; and
in response to the determining that the second application does not implement the policy, denying use of the particular access credential by the second application[[.]], wherein as a result of the second application being denied use of the particular access credential, the second particular application is denied from accessing the resource.
Allowable Subject Matter
Claims 1-20 are allowed.
Prior art found:
US 2007/0289001 discloses a method, apparatus and computer program product for controlling access to host access credentials that a client application requires to access a host computer system. The host access credentials are stored in a restricted access directory. The method comprises authenticating directory access credentials received from a client application. The authenticated client application then requests the host access credentials, a determination is made as to whether the authenticated client process is authorized to access the requested host access credentials, and, if it is authorized, the credentials are provided to the client application.
US 2006/0191017 discloses an information distribution unit that transmits a policy ID for specifying an access policy to be applied to a terminal device. An 
US 2013/0054803 discloses a method comprising receiving, by an operating system of the first computing device and from a client application executing on the first computing device, a first request for accessing a set of data associated with a user of the first computing device, wherein the set of data is managed by a second computing device; sending, by the operating system and to the second computing device, a second request for accessing the set of data; receiving, by the operating system and from the second computing device, a response to the second request; and if the response to the second request grants the client application access to the set of data, then forwarding, by the operating system and to the client application, an access token to be used by the client application for accessing the set of data with the second computing device.

The following is an examiner's statement of reasons for allowance:
Regarding independent claim 1: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 1: "receiving, from the external policy server, the policy including an entry specifying a first application that is identified as being safe to access a resource maintained on a resource server and an entry specifying a second application that is identified as being unsafe and that causes the client device to configure an operating system of the client device in response to the policy to prevent the second application from accessing the resource maintained on the resource server…in response to the determining that the first particular application implements the policy and based on the policy, providing, from the 
Regarding independent claim 11: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 11: "receiving, from the external policy server, the policy including an entry specifying a first application that is identified as being unsafe and that causes the client device to configure an operating system of the client device in response to the policy to prevent the first application from accessing a resource maintained on a resource server and an entry specifying a second application that is identified as being safe to access the resource maintained on the resource server…in response to the determining that the first particular application does not implement the policy and based on the policy, determining that the first particular application is not allowed to use a particular access credential from the credential store, wherein the particular access 
Regarding independent claim 20: None of the prior art of record discloses, individually or in a reasonable combination, the following combination of limitations as recited in claim 20: "receiving, from the external policy server, the policy including (i) a first set of entries specifying a first set of applications that are identified as being safe to access a resource maintained on a resource server and (ii) a second set of entries specifying a second set of applications that are identified as being unsafe to access the resource and that cause the client device to configure an operating system of the client device in response to the policy to prevent the second set of  applications from accessing the resource maintained 
Regarding dependent claims: Dependent claims are allowed as they depend from allowable independent claims.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance."
Conclusion

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, GELAGAY SHEWAYE, can be reached on (571)272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service 

/AMIE C. LIN/Primary Examiner, Art Unit 2436