DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
2. 	Applicant’s arguments with respect to claims 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 103
3. In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

4. Claims 1-2, 7, 9 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1) in view of Boysen (AU 2015202661 A1) and further in view of Kinagi (US 2018/0006821 A1).

5. Regarding Claim 1, Shaw discloses, a method to enable a managed client device operating off of an enterprise network to obtain access to an enterprise resource, comprising: configuring, by a service provider, a recursive Domain Name System (DNS) service on behalf of the enterprise(Shaw, Col. 4, lines 40-50, , the content delivery service comprises a preferably global content delivery network (CDN) 100 of content delivery server regions 102 a-n, a domain name service (DNS) system 104, and a content modification or “initiator” tool 106 that allows content to be tagged for inclusion on the network. DNS system 104 receives network mapping data from a map maker 107, which receives inputs from monitoring agents 109 distributed throughout the Internet. Agents typically perform various tests and monitor traffic conditions to identify Internet congestion problems), the recursive DNS service including a resolver associated with the enterprise (Shaw, Col. 5, lines 39-46, When an Internet user visits a CDN customer's site (e.g., origin server 115) and selects on a link to view or hear streaming media, the user's system resolves the domain in the ARL to an IP address. In particular, because the content has been tagged for delivery by the CDN, the URL modification, transparent to the user, cues the Internet's standard Domain Name Service (DNS) to query a CDN name server (or hierarchy of name servers) 104 to identify the appropriate media server from which to obtain the stream.); receiving at the resolver a DNS query from the managed client device (Shaw, Col.3 lines 50-52, In a preferred embodiment, the query is a DNS SRV lookup and includes an identification of the client player.), the DNS query having been configured to act as a local proxy for off enterprise network DNS requests (Shaw, Col.3 lines 48-54, A client machine includes a media player provisioned to perform a query to a CDNSP name server having a network map of Internet traffic conditions. In a preferred embodiment, the query is a DNS SRV lookup and includes an identification of the client player. The query is made asking for a particular service (e.g., RTSP) via a particular protocol (TCP) in a particular CDNSP domain.), upon a determination that the authorization token is allowed, returning a response to the DNS query, wherein the response to the DNS query is based on applying the policy to the DNS query (Shaw, Col. 7 lines 32-46, DNS SRV query is made asking for a particular service (in this case, RTSP) via a particular protocol (TCP) in a particular domain. The name server responds to the query with a set of tokens 315 a-n. Each token 315 provides a distinct answer to the query and defines a machine or, in the preferred embodiment, a group of machines, from which the client should seek to obtain the stream (identified by the URL).):
Shaw does not explicitly disclose the following limitations that Boysen teaches:
the DNS query having been extended to encode an authorization token, the authorization token including a unique device identifier associated with the managed client device by the service provider (Boysen, ¶[0079], the Issuer Server 140 queries backend systems with the user's User-ID for a set of token identifiers that is associated with and identifies 25 the authenticator(s) (e.g. Token Manager 100, hardware token 110) that have been assigned to the user. The backend systems know the relationship between each user's User-ID and the token identifier of each of the user's authenticator(s) since the authenticators were either issued to the user by the Issuer associated with the Issuer Server 140, or were issued to the user.), the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token (Boysen, ¶[0045],the Activation Server 150 may also generate a pseudo-random code, such as a Server One-Time-Password (SOTP) using the One-Time-Password application 533, and sign the server pseudo-random code using the Activation Server's 20 private encryption key ASPrivK. ¶[0046] The Activation Server 150 may then generate an encrypted activation message by encrypting the signed session token (and the signed server pseudo-random code, if generated) with the Distribution Public Certificate DPubC);
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Shaw with the teaching in Boysen to include the idea to extend the DNS query to encode the authorization token with client devices.  
Shaw in view of Boysen do not explicitly disclose the following limitations that Kinagi teaches:
determining at the resolver, but without access to a unique device identifier encoded in the authorization token (Kinagi, [0071], At step S1, after the goods or services are selected, the access device 125 (e.g, a merchant terminal such as a POS terminal) may generate and display a unique QR code on a display. [0018], The POS terminal may then generate and send an authorization request message that includes at least some of the information encoded), 
Shaw in view of Boysen do not explicitly disclose the following limitations that Kinagi teaches:
whether the authorization token is allowed for the enterprise, wherein a determination is based at least in part on a policy for the enterprise (Kinagi, [0031], in some embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token. [0074], the system may determine whether the transaction amount in the QR code is more than the threshold transaction amount set by the authorizing entity (e.g., an issuer) operating the authorizing computer 160 and/or the user 110)); 
Shaw in view of Boysen do not explicitly disclose the following limitations that Kinagi teaches:
and forwarding the authorization token to a log service, the log service having access to a decryption key, the decryption key being available to recover the unique device identifier (Kinangi, [0045],a transaction processing computer may generate or forward the authorization response message to the merchant. [0083], The transaction processing computer 150 may then decrypt the cryptogram and may also determine the real account identifier from token.).
	It would have been obvious to a person or ordinary skill in the art before the effective filing date of the invention to modify the invention of Shaw in view of Boysen and Kinagi to include the idea to access the identifier in the authorization token and to forward the authorization token to the log service to a decryption key. 

6. Regarding Claim 2, Shaw, Boysen and Kinagi and further in view of Kinagi discloses, 
Shaw does not explicitly disclose the following limitations that Boysen teaches:
the method as described in claim 1 wherein the DNS query also includes a customer identifier (Boysen, ¶[0080], the Issuer Server 140 queries backend systems with the user's User-ID for a set of token identifiers).
	It would have been obvious to a person of ordinary skill in the art before the effective filing date of the invention to modify the invention of Shaw with the teachings in Boysen to include the idea of the DNS query and customer identifier.

7. Regarding Claim 7, Shaw in view of Boysen and further in view of Wang discloses, the method as described in claim 6 wherein the request for the test domain also includes the authorization token (Shaw, Col 7, lines 39-42, In this embodiment, a DNS SRV query is made asking for a particular service (in this case, RTSP) via a particular protocol (TCP) in a particular domain. The name server responds to the query with a set of tokens 315 a-n.).  

8. Regarding Claim 9, Shaw, Boysen and Kinagi disclose, 
Shaw does not explicitly disclose the following limitations that Boysen teaches:
the method as described in claim 1 wherein the authorization token is updated after a given time period (Boysen, ¶[0051],the session token that was received from the Activation Server 150, a ValidFrom time/date and a ValidTo time/date, and the distinguished name (DN) of the Distribution Public Certificate DPubC. The ValidFrom and ValidTo time/date provides the Session Certificate SCert with a lifespan that is no longer than the lifespan of the Distribution Public Certificate DPubC of the Token Manager 100). 
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw to incorporate the teachings of Boysen to authorize the token after a time period. 

9. Regarding Claim 10, Shaw, Boysen, and Kinagi disclose, the method as described in claim 1 wherein the resolver executes in association with a content delivery network (CDN) (Shaw, Col. 5, lines 13-19, High-performance content delivery is provided by directing requests for web objects (e.g., graphics, images, streaming media, HTML and the like) to the content delivery service network. In one known technique, known as Akamai FreeFlow Streaming content delivery, content is first tagged for delivery by the tool 106, which, for example, may be executed by a content provider.)

10. Regarding Claim 12, Shaw, Boysen and Kinagi disclose, the method as described in claim 11 further including using the recovered unique device identifier for one of: reporting, and analytics (Shaw, Col. 5, lines 3-11, The content provider may also have access to a monitoring suite 114 that includes tools for both real-time and historic analysis of customer data. One tool is a traffic analyzer that provides multiple monitoring views that enable quick access to network and customer-specific traffic information. A reporter allows for viewing of historical data.).  

11. 	Claims 3 is rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1), Boysen (AU 2015202661 A1) and Kinagi (US 2018/0006821 A1) in view of Mahaffey (US 2014/0189808 A1).

12. Regarding Claim 3, Shaw, Boysen, Kinagi and Mahaffey disclose, 
Shaw, Boysen, and Kinagi does not explicitly disclose the following limitations that Mahaffey teaches:
the method as described in claim 1 wherein the unique device identifier is encrypted and signed by the service provider (Mahaffey, ¶[0077], The authorizing client may request information from the proximity security device or request that the proximity security device perform a digital signature or other cryptographic operation.).
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw in view of Boysen to incorporate the teachings of Mahaffey to include the unique device is encrypted and signed by service provider.  

13. 	Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1), Boysen (AU 2015202661 A1), Kinagi (US 2018/0006821 A1) and Mahaffey (US 2014/0189808 A1), in view of Seleznev (US 2013/0167253 A1).

14.	 Regarding Claim 4, Shaw, Boysen, Kinagi, and Mahaffey Seleznev discloses, 
Shaw, Boysen, Kinagi, and Mahaffey do not explicitly disclose the following limitations that Seleznev teaches:
the method as described in claim 3 further including generating and providing the authorization token to the managed client device during a registration of the managed client device (Seleznev, [0011], In accordance with further another aspect of the present invention, a method for providing a Digital Rights Management (DRM) service in a network is provided. The method includes receiving, from a user device having an authorization token for device registration related to DRM, a request message for device registration, the request message including the authorization token; and recording, based on the received authorization token, registration information including information about a DRM solution that the user device intends to use.).
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen, Kinagi and Maffahey to incorporate the teachings of Seleznev to include the authorization token to manage the client device throughout the registration procedure. 

15. 	Claim 5 and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1) in view of Boysen (AU 2015202661 A1) and further in view of Kinagi (US 2018/0006821 A1) Dulce (US 20160381023 A1).

16.	 Regarding Claim 5, Shaw, Boysen, Kinagi and Dulce disclose, 
Shaw, Boysen, and Kinagi do not explicitly disclose the following limitations that Dulce teaches:
the method as described in claim 1 wherein the DNS query including the authorization token is received following the managed client device having determined that it is operating off of the enterprise network (Dulce, [0064], an apparent enterprise resource, and thus, the request 152 could comprise a Domain Name System (DNS) query. Claim 10, the managed client end station is within an enterprise network when the token is caused to be placed with the existing user data on the managed client end station).  
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen, and Kinagi to incorporate the teachings of Dulce to include the DNS query where the authorization token is received. 

17.	 Regarding Claim 11, Shaw, Boysen, Kinagi and 
Dulce disclose, 
Shaw, Boysen, Kinagi do not explicitly disclose the following limitations that Dulce teaches:
the method as described in claim 1 wherein the managed client device is one of: a laptop, a mobile phone, a tablet, and a network-accessible device (Dulce, [0036],  managed client end station 120 and an unmanaged client end station 122 of an authorized user 116. Each of these client end stations can be a computing device operable to execute one or more applications 126 or 126′. There are a wide variety of types of client end stations, including but not limited to workstations/PCs, laptops, netbooks, mobile phones, smartphones, multimedia phones, smart watches, Voice Over Internet Protocol (VOIP) phones, user equipment (UE), terminals, portable media players, Global Positioning System (GPS) units, gaming systems, wearable computing devices, set-top boxes, etc.).  
		It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen, Dulce to incorporate the teachings of Dulce where the managed client is an accessible device to the network. 


18. 	Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1), Boysen (AU 2015202661 A1), Kinagi (US 2018/0006821 A1) and Dulce (US 20160381023 A1)
in view of Timariu (US 9414225 B2).

19.	 Regarding Claim 6, Shaw, Boysen, Kinagi, Dulce and Timariu disclose,
Shaw in view of Boysen do not explicitly disclose the following limitations that Timariu teaches:
the method as described in claim 5 wherein a determination that the managed client device is operating off of the enterprise network includes receiving at the resolver a request for a test domain, and providing a response to the request for the test domain (Timariu, Col. 12, lines 16-22, the STUN algorithm includes a sequence of network tests that can be employed to identify NAT types based on the outcome of one or more network operations as illustrated in FIG. 5. For example, using the STUN algorithm, a network client (e.g., mobile device 420 and/or one or more mobile devices attempting to connect to the mobile device 420) can perform a sequence of network operations—such as, for example, request an echo from a same IP address and/or same port and determine if it was received,).  
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen, Kinagi and Dulce to incorporate the teachings of Timariu to include the managed client device within the operating network and to receive the resolver request for a test domain. 

20. 	Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1), Boysen (AU 2015202661 A1) and Kinagi (US 2018/0006821 A1) in view of Pouzzner (WO 2001/090955 A2).

22. Regarding Claim 8, Shaw, Boysen, Kinagi and Pouzzner discloses, 
Shaw, Boysen, Kinagi do not explicitly disclose the following limitations that Pouzzner teaches:
the method as described in claim 1 wherein the DNS query is extended to include the authorization token using an edns(0) extension (Pouzzner, Pg. 37 lines 15-17, an extension of the DNS into a multilingual- and symbols-based system with adjustments made on both the client side and the server side. Pg. 35 lines 29-31, an extension mechanism based on EDNS which enables the use of IDN without causing harm to the current DNS. Pg. 80 lines 13-14, authentication and authorization systems, and other devices that work with host names within the bounds of the DNS).  
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen and Kinagi to incorporate the teachings of Pouzzner to extend the authorization token using extension’s to the DNS query. 


21. 	Claims 13-15 and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1), Boysen (AU 2015202661 A1) and Timariu (US 9414225 B2) in view of Mahaffey (US 2014/00189808 A1).

22. Regarding Claim 13, Shaw discloses, a mobile device managed by an enterprise and comprising: a hardware processor, and computer program code in a non-transitory computer-readable medium, the computer program 
Shaw in view of Boysen do not explicitly disclose the following limitations that Timariu teaches:
Timariu, Col. 15 lines 15, Mobile device 720.1 also includes Domain Name System (DNS) proxy);

Shaw in view of Boysen do not explicitly disclose the following limitations that Timariu teaches:
  code that determines whether the mobile device is executing off an enterprise network (Timariu, Col. 9 lines 15-18, the processor circuitry 340 can be configured to execute one or more operations of one or more of the components of the mobile device 420—such as the web browser 425, IMS client 430, WWPF 435, RTC media function 445, TURN proxy);

Shaw in view of Boysen do not explicitly disclose the following limitations that Timariu teaches: 
the authentication token including a unique device identifier associated with the mobile device (Timariu, Col. 10, lines 57-58, the authentication and/or authorization of the web browser 425 of the mobile device ), 
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw in view of Boysen to incorporate the teachings of Timariu to code the configured hardware process in a mobile device. One of ordinary skill in the art would have been to make this modification in order to instantiate a DNS proxy and to encrypt the device.

Shaw, Boysen and Timariu do not explicitly disclose the following limitations that Mahaffey teaches:
the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token (Mahaffey, [0067], The trusted data may be intended to be consumed by the user or a client, or both (e.g., a picture may be consumed by a user, but a cryptographic signature may be only consumed by a client and both may be present in a given authorization requet); 
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw in view of Boysen to incorporate the teachings of Mahaffey to code the configured hardware process in a mobile device. One of ordinary skill in the art would have been to make this modification in order to encrypt the digital signature with the use of the authorization token to enhance security.

and code responsive to a determination that the mobile device is executing off the enterprise network to issue a DNS query from the DNS proxy to a resolver (Shaw, Col.10 lines 14-24, a set of servers provides a best quality of service for the stream. This is step 404. That server is then used to retrieve the stream, which is step 406. At step 408, a test is performed to determine whether the client player is still receiving the stream. If not, the routine ends. If, however, the client player is still receiving the stream, the routine continues at step 410 with the client player code repeating the DNS SRV query during playback to determine whether there is a better source for the stream. The “period” over which the query is repeated is variable and is dependent on the bandwidth available between the client and the network), the resolver operating as a recursive Domain Name System (DNS) service on behalf of the enterprise, the DNS query having been extended to encode an authorization token (Shaw, Col.4 lines 42-55, content delivery server regions 102 a-n, a domain name service (DNS) system 104, and a content modification or “initiator” tool 106 that allows content to be tagged for inclusion on the network. DNS system 104 receives network mapping data from a map maker 107, which receives inputs from monitoring agents 109 distributed throughout the Internet. Agents typically perform various tests and monitor traffic conditions to identify Internet congestion problems. The map maker 107 takes the data generated from the agents and generates one or more maps detailing Internet traffic conditions. Generally, the content delivery service allows the network of content delivery server regions 102 a-n to serve a large number of clients efficiently.), the response having been generated at the resolver upon a determination at the resolver that the authorization code is allowed for the enterprise (Shaw, Col.2 lines 55-59, The request-routing mechanism allocates servers in the content delivery infrastructure to requesting clients in a way that, for web content delivery, minimizes a given client's response. Claim 7, the code executable by the processor determines that the given server has a response time),  
Shaw does not explicitly disclose the following limitations that Boysen teaches:
and code receiving a response to the DNS query (Boysen, ¶[00146], Therefore, the Issuer Server 140 attempts to correlate the transaction pointer with a transaction code by querying its 10 database with the transaction pointer for a credential that is currently associated with a corresponding transaction code), the determination having been carried out by the resolver without access to a unique device identifier encoded in the authentication token (Boysen, ¶[0079],  the Issuer Server 140 queries backend systems with the user's User-ID for a set of token identifiers that is associated with and identifies 25 the authenticator(s) (e.g. Token Manager 100, hardware token 110) that have been assigned to the user. The backend systems know the relationship between each user's User-ID and the token identifier of each of the user's authenticator(s) since the authenticators were either issued to the user by the Issuer associated with the Issuer Server 140,), together with application by the resolver of a policy associated with the enterprise(Boysen, ¶[0079],  the Issuer Server 140 queries backend systems with the user's User-ID for a set of token identifiers that is associated with and identifies 25 the authenticator(s) (e.g. Token Manager 100, hardware token 110) that have been assigned to the user. The backend systems know the relationship between each user's User-ID and the token identifier of each of the user's authenticator(s) since the authenticators were either issued to the user by the Issuer associated with the Issuer Server 140,).  
	It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw to incorporate the teachings of Boysen to receive a code to the response. One of ordinary skill in the art would have been able to include the resolver without having access to the device that is encoded. 

23. Regarding Claim 14, Shaw, Boysen, Timariu and Mahaffey disclose, 
Shaw, Boysen, Timariu does not explicitly disclose the following limitations that Mahaffey teaches:
the mobile device as described in claim 13 wherein the code configured to determine whether the mobile device is executing off the enterprise network issues to the resolver a DNS query to a test domain, the DNS query to the test domain including the authorization token (Mahaffey, Abstract, a system and method for authenticating a user of a client computer making a request to a server computer providing access to a network resource through an authentication platform that issues a challenge in response to the request requiring authentication of the user identity through a reply from the client computer, determining one or more items of context information related to at least one of the user, the request). 
	
24. Regarding Claim 15, Shaw, Boysen, Timariu and Mahaffey disclose, 
Shaw does not explicitly disclose the following limitations that Boysen teaches:
the mobile device as described in claim 13 wherein the DNS query to the resolver also includes a customer identifier associated with the enterprise (Boysen, ¶[0080], the Issuer Server 140 queries backend systems with the user's User-ID for a set of token identifiers).
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw to incorporate the teachings of Boysen to include the resolver and a customer identifier within the enterprise of the DNS query. 

25. Regarding Claim 17, Shaw in view of Boysen and further in view of Wang discloses , 
Shaw in view of Boysen do not explicitly disclose the following limitations that Wang teaches:
the mobile device as described in claim 13 further including code configured to register the mobile device for off-net access to the resolver, wherein the unique device identifier is generated in response to registration of the mobile device (Mahaffey, ¶[0138], In general, a server may set a cookie associated with a particular domain whenever an HTTP request is sent by a user's browser to that domain, even if the user is visiting a page not on that domain.[0185],  In each of these systems, some or all of the executables and/or data reside at the server, and not on the mobile device).  
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw in view of Boysen to incorporate the teachings of Mahaffey to include registering the mobile device with an off-net access to generate the device.

32. Regarding Claim 18, Shaw, Boysen, Timariu, and Mahaffey disclose, 
Shaw does not explicitly disclose the following limitations that Boysen teaches:
the mobile device as described in claim 13 further including code configured to request an updated authorization token after a given time period (Boysen, ¶[0051],the session token that was received from the Activation Server 150, a ValidFrom time/date and a ValidTo time/date, and the distinguished name (DN) of the Distribution Public Certificate DPubC. The ValidFrom and ValidTo time/date provides the Session Certificate SCert with a lifespan that is no longer than the lifespan of the Distribution Public Certificate DPubC of the Token Manager 100). 
	It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw to incorporate the teachings of Boysen to authorize the token after a time period. 

26. 	Claims 16 are rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1), Boysen (AU 2015202661 A1), Timariu (US 9414225 B2) and Mahaffey (US 2014/00189808 A1) in view of Pouzzner (WO 2001/090955 A2).

30. Regarding Claim 16, Shaw, Boysen, Timariu, Mahaffey and Pouzzner, 
Shaw, Boysen, Timariu and Mahaffey does not explicitly disclose the following limitations that Pouzzner teaches:
the mobile device as described in claim 13 wherein the DNS query to the resolver is extended to include the authorization token using an edns(0) extension (Pouzzner, Pg. 37 lines 15-17, an extension of the DNS into a multilingual- and symbols-based system with adjustments made on both the client side and the server side. Pg. 35 lines 29-31, an extension mechanism based on EDNS which enables the use of IDN without causing harm to the current DNS. Pg. 80 lines 13-14, authentication and authorization systems, and other devices that work with host names within the bounds of the DNS).  

27. 	Claim 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Shaw (US 7,299,291 B1, Boysen (AU 2015202661 A1),Timariu (US 9414225 B2) and Mahaffey (US 2014/0189808 A1) in view of Kinagi (US 2018/0006821 A1).

28. Regarding Claim 19, Shaw, Boysen, Timariu, Mahaffey and Kinagi,  disclose, a system, comprising one or more computing machines that include computer hardware comprising: a log service executing on a computing machine; a recursive resolver executing on a computer machine and providing a recursive Domain Name System (DNS) service on behalf of an enterprise (Shaw, Col.4 lines 38-45, The invention may likewise be implemented with other known or later-designed or built content delivery services or systems. In the illustrative embodiment, the content delivery service comprises a preferably global con tent delivery network (CDN) 100 of content delivery server regions 102a-n, a domain name service (DNS) system 104, and a content modification or “initiator” tool 106 that allows content to be tagged for inclusion on the network.); code responsive to a determination that the mobile device is executing off-net to issue a DNS query from the DNS proxy to the recursive resolver(Shaw, Col.10 lines 14-24, a set of servers provides a best quality of service for the stream. This is step 404. That server is then used to retrieve the stream, which is step 406. At step 408, a test is performed to determine whether the client player is still receiving the stream. If not, the routine ends. If, however, the client player is still receiving the stream, the routine continues at step 410 with the client player code repeating the DNS SRV query during playback to determine whether there is a better source for the stream. The “period” over which the query is repeated is variable and is dependent on the bandwidth available between the client and the network), the DNS query having been extended to encode an authorization token (Shaw, Col.4 lines 42-55, content delivery server regions 102 a-n, a domain name service (DNS) system 104, and a content modification or “initiator” tool 106 that allows content to be tagged for inclusion on the network. DNS system 104 receives network mapping data from a map maker 107, which receives inputs from monitoring agents 109 distributed throughout the Internet. Agents typically perform various tests and monitor traffic conditions to identify Internet congestion problems. The map maker 107 takes the data generated from the agents and generates one or more maps detailing Internet traffic conditions. Generally, the content delivery service allows the network of content delivery server regions 102 a-n to serve a large number of clients efficiently.), to return to the mobile device client application a response to the DNS query, wherein the response to the DNS query is based on applying the policy to the DNS query (Shaw, Col.3 lines 50-58, In a preferred embodiment, the query is a DNS SRV lookup and includes an identification of the client player. The query is made asking for a particular service (e.g., RTSP) via a particular protocol (TCP) in a particular CDNSP domain. In response, the name server returns a set of one or more tokens, with each token defining a machine or, in the preferred embodiment, a group of machines, from which the player should seek to obtain given content (e.g., a stream)),
Shaw, Boysen, Mahaffey does not explicitly disclose the following limitations that Timariu teaches:
 a mobile device client application that instantiates a DNS proxy on a mobile device (Timariu, Col. 15 lines 15, Mobile device 720.1 also includes Domain Name System (DNS) proxy), 
Shaw, Boysen, Mahaffey does not explicitly disclose the following limitations that Timariu teaches:
the authentication token including a unique device identifier associated with the mobile device (Timariu, Col. 10, lines 57-58, the authentication and/or authorization of the web browser 425 of the mobile device ), 
	It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen, Kinagi to incorporate the teachings of Timariu to code the configured hardware process in a mobile device. One of ordinary skill in the art would have been to make this modification in order to instantiate a DNS proxy and to encrypt the device.

Shaw, Boysen, Kinagi and Timariu does not explicitly disclose the following limitations that Mahaffey teaches:
the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token((Mahaffey, [0067], The trusted data may be intended to be consumed by the user or a client, or both (e.g., a picture may be consumed by a user, but a cryptographic signature may be only consumed by a client and both may be present in a given authorization request); 
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw, Boysen, Kinagi, and Timariu to incorporate the teachings of Mahaffey to code the configured hardware process in a mobile device. One of ordinary skill in the art would have been to make this modification in order to encrypt the digital signature with the use of the authorization token to enhance security.
Shaw, Boysen, Timariu and Mahaffey does not expliclty disclose the following limitations that Kinagi teaches:
 determines whether the authorization token is allowed for the enterprise, wherein the determination is based at least in part on a policy for the enterprise (Kinagi, [0031], in some embodiments, the token format may be configured to allow the entity receiving the token to identify it as a token and recognize the entity that issued the token. [0074], the system may determine whether the transaction amount in the QR code is more than the threshold transaction amount set by the authorizing entity (e.g., an issuer) operating the authorizing computer 160 and/or the user 110); 
Shaw, Boysen, Kinagi and Timariu does not explicitly disclose the following limitations that Mahaffey teaches:
the recursive resolver further operative upon a determination that the authorization token is allowed (Mahaffey, [0041], as a correct response to a given authorization challenge, such as a username/password, token, or similar data element or object as described in more detail in the description that follows. The term “authorization” means an indication (e.g. yes/no, true/false) of whether the action is allowed, or a token that grants access or is proof of allowance of an access, and which can be provided to any system that needs proof that a given user is authorized for a particular action, or a callback to a system indicating that the user is authorized), 
	It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify if the authorization token is allowed to enhance security.

Shaw, Boysen, TImariu and Mahaffey does not expliclty disclose the following limitations that Kinagi teaches:
the recursive resolver further operative to forward the authorization token to the log service, the log service recovering and using the unique device identifier (Kinangi, [0045],a transaction processing computer may generate or forward the authorization response message to the merchant. [0083], The transaction processing computer 150 may then decrypt the cryptogram and may also determine the real account identifier from token.),
It would have been obvious for one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw in view of Boysen to incorporate the teachings of Kinagi to authenticate the tokens using a unique device where the device has been encrypted. One of ordinary skill in the art would have been to make this modification to forward the authorization token by using a unique device identifier. 
Shaw does not expliclty disclose the following limitations that Boysen teaches:

the client application including code to determine whether the mobile device is operating off-net with respect to a protected enterprise network (Boysen, ¶[0006], The hardware cryptographic token that stores the public/private encryption keys is usually protected by a password that is input to the user's computer user. This password can be easily stolen by rogue software running on 10 the user's computer, thereby reducing the security of the private encryption keyss.), 
Shaw does not expliclty disclose the following limitations that Boysen teaches:
wherein the recursive resolver receives the DNS query and, without access to a unique device identifier encoded in the authorization token (Boysen, ¶[00186], the Issuer Server 140 validates the transaction code with the transaction pointer by (i) computing a hash of the transaction pointer, hardware token 5 number and expiry date information (as received from the Relying Party Server 135), (ii) querying its database with the hash value for the associated transaction code, Token Manager random number, and hardware token internal card counter number, (iii) computing a Dynamic Card Validation Value from the Token Manager random number, and hardware token internal card counter number retrieved by the database query, and 10 (iv) comparing the Dynamic Card Validation Value against the transaction code retrieved as part of the database query), 
It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw to incorporate the teachings of Boysen to include the client application code by determining whether the device is protected using an enterprise network and to receive the DNS query without access to the device identifier. 

29. Regarding Claim 20, Shaw, Boysen, Kinagi Timarui and Mahaffey disclose,
Shaw does not explicitly disclose the following limitations that Boysen teaches:
the system as described in claim 19 wherein the mobile device client application registers the mobile device for off-net access to the protected enterprise network, wherein the unique device identifier is generated upon registration (Boysen, ¶[0006], The hardware cryptographic token that stores the public/private encryption keys is usually protected by a password that is input to the user's computer user. ¶[0079], The Registration Process is initiated, at step S600, when a user starts a new session of the web browser 400, successfully logs in to a Issuer Server 140 (typically over a server side SSL/TLS encrypted communication channel), and requests Registration of the Token Manager 100. In response, the Issuer Server 140 queries backend systems with the user's User-ID for a set of token identifiers that is associated with and identifies 25 the authenticator(s) (e.g. Token Manager 100, hardware token 110) that have been assigned to the user)
	It would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to have modified Shaw to incorporate the teachings of Boysen to register the mobile device for off-net access to the protected network where the device generates upon registration. 

Conclusion
30. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner, Art Unit 2433

/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433