Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
The IDS of 9/17/2019 was received and considered.
Claims 1-20 are pending.

Election/Restrictions
Applicant’s remarks (7/27/2021) regarding the restriction requirement are persuasive.  

Claim Objections
Claim 4 is objected to because of the following informalities:  In claim 4, “sandboxed use account” should be replaced with “sandboxed user account”.  Appropriate correction is required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 6 and 11-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter 
Regarding claim 6, the limitation “the enterprise application client” lacks sufficient antecedent basis.
Regarding claim 11, line 2, the limitation “the first session” lacks sufficient antecedent basis.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 15-17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by US 2020/0250300 A1 to Carson.
Regarding claim 15, Carson discloses a non-transitory storage medium that stores machine executable instructions that, when executed by a machine, cause the machine to: inhibit access to a memory space associated with an application to prevent credentials injected into the application by a single sign on (SSO) tool from being revealed (process attempts to access memory address and the attempt is intercepted, ¶100), wherein inhibiting access to the memory space comprises: registering a 
Regarding claim 16, Carson discloses wherein the instructions, when executed by the machine, cause the machine to use the kernel driver to prevent at least one of a memory dump of the application or debugging of the application (suspending thread, ¶130).
Regarding claim 17, Carson discloses wherein the instructions, when executed by the machine, cause the machine to use the kernel driver to perform at least one of terminating the application or a thread associated with the application, terminating an access right of the user to the application, or suspending the application or a thread associated with the application (suspending thread, ¶130).  

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 7-9 and 18-20 are rejected under 35 U.S.C. 103 as being unpatentable over US 2007/0050369 A1 to Stiegler et al. (Stiegler), US 2015/0089645 A1 to Vandergeest and US 2008/0301816 A1 to Ting et al. (Ting).
Regarding claim 1, Stiegler discloses creating, by a computer, a sandboxed user account on the computer, wherein creating the sandboxed user account comprises generating credentials for the sandboxed user account (creating a restricted user account with fewer privileges, ¶26, ¶36); creating, by the computer, an operating system session (user is engaging with an operating system, ¶40) and in response to a request associated with another user account to start up an application (user launches application 102, ¶42), the computer: authorizing use of the application by the other user account based on credentials associated with the other user account (user has logged in to user login account, ¶36, ¶46); and starting up the application (launching application, ¶43), such that the application is executed in association with the sandboxed user account (launched application within restricted user account, ¶¶42-43).  Stiegler lacks executing a single sign on (SSO) tool in the operating system session in association with the sandboxed user account, wherein starting up the application comprises using the SSO tool to inject SSO credentials for the other user account based on policy authorization into the application.  However, Ting teaches that it was known to utilize an SSO tool (SSO agent) to inject credentials to enable a user to sign on to an application without manually entering credentials (¶25, ¶28).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Stiegler, as modified above, to include executing a single sign on (SSO) tool in the operating system session in association with the sandboxed user account, wherein starting up the application comprises using the SSO tool to inject SSO credentials for the other user account based on policy authorization into the application.  
One of ordinary skill in the art would have been motivated to perform such a modification to utilize known methods of SSO to enable the application executing in the restricted account access to user services, as taught by Ting.

Regarding claim 7, Stiegler lacks wherein creating the sandboxed user account occurs in response to installation of an SSO agent on the computer.  However, Ting teaches installing an SSO agent on a computer (SSO agent, Fig. 1, 132; see also ¶28) to support SSO for an application.  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Stiegler to include installing an SSO agent on the computer.  One of ordinary skill in the art would have been motivated to perform such a modification to enable SSO for an application, as discussed above and as taught by Ting.  In combination, Stiegler lacks creating the sandboxed user account (restricted account) occurs in response to installation of the SSO agent (after).  However, a skilled artisan would have found it obvious to create the sandboxed user account (restricted account in Stiegler) after installation of the SSO agent, as the restricted account is utilized when launching the application in Stiegler for monitoring the application and thus after installation of the appropriate supporting modules.  Therefore, the skilled artisan would have found it obvious to install the necessary system files prior to executing the combined system.    
Regarding claim 8, Stiegler, as modified above, teaches wherein using the SSO tool to inject the SSO credentials comprises using the SSO tool to provide the SSO credentials to a graphical user interface (GUI)-based log in prompt provided by the application (as modified above by Ting, ¶28).
Regarding claim 9, Stiegler lacks wherein the SSO tool injecting the SSO credentials comprises the SSO tool communicating with an agent of a credentials vault, wherein the agent is associated with the computer, and the credentials vault is associated with a remote computer.  However, Ting teaches an SSO tool and an agent of a credentials vault (SSO Agent, Fig. 1, 132; see ¶29) associated with the computer (client, Fig. 1, 104) communicating with a credentials vault associated with a remote computer (SSO database, Fig. 1, 124; see also ¶22).  Therefore, it would have been obvious to one 
Regarding claims 18 and 19, Stiegler discloses an apparatus comprising: a processor; and a memory to store instructions that, when executed by the processor, cause the processor to (¶57): inhibit access associated with an application (create restricted user account and launch application under restricted user account, ¶27), and wherein inhibiting access comprises in response to a request associated with a first user account to start up the application, executing the application in association with a second user account (executing under a second user account having fewer privileges, ¶36), but lacks wherein the second user account is associated with credentials to restrict access to a memory associated with the application, and wherein the first user account is associated with credentials that allow access to the memory associated with the application.  However, Vandergeest teaches an agent that can evaluate whether a process has appropriate privileges to allow attachment of a debug utility to a process and can limit such attachment to prevent exploitation of vulnerabilities (¶102).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Stiegler such that the restricted user account would restrict attachment of a debug utility and hence to modify Stiegler such that the second user account is associated with credentials to restrict access to a memory associated with the application, and wherein the first user account is associated with credentials that allow access to the memory associated with the application.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize the 
Regarding claim 20, Stiegler discloses wherein the processor and the memory are part of a computer, and the application is installed on the computer (¶57).  

Claims 3 and 5 are rejected under 35 U.S.C. 103 as being unpatentable over Stiegler and Ting, as applied to claim 1 above, in view of US 2015/0089645 A1 to Vandergeest.
Regarding claim 3, Stiegler, as modified above, lacks wherein the sandboxed user account has inhibited access to a memory space of the application.  However, Vandergeest teaches an agent that can evaluate whether a process has appropriate privileges to allow attachment of a debug utility to a process and can limit such attachment to prevent exploitation of vulnerabilities (¶102).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Stiegler such that the restricted user account would restrict attachment of a debug utility and hence to modify Stiegler such that the sandboxed user account has inhibited access to a memory space of the application.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize the restricted account to restrict known vulnerabilities, as taught by Vandergeest.

Claim 4 is rejected under 35 U.S.C. 103 as being unpatentable over Stiegler, Vandergeest and Ting, as applied to claim 1 above, in view of “Protecting the LSASS.EXE process with RunAsPPL” by Couch.  
	Regarding claim 4, Stiegler lacks wherein the sandboxed use account is prohibited from accessing a memory dump option for the application.  However, Couch teaches that it was known to protect a process in the Windows operating system using LSA protection which prevents a user account from executing a memory dump (p. 1).  Note also that Stiegler specifically discusses a restricted user account with fewer privileges than an administrator account (¶46) and teaches that one of the goals of the invention is to prevent viruses from spreading (¶38).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Stiegler, as modified above, such that the sandboxed use account is prohibited from accessing a memory dump option for the application.  One of ordinary skill in the art would have been motivated to perform such a modification to utilize a known method of restricting an application (preventing a memory dump, as per Couch) to create the restricted account of Stiegler.

Claims 11, 12 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Stiegler, Vandergeest and Ting, as applied to claim 1 above, in view of US 2020/0250300 A1 to Carson.
Regarding claim 11, Stiegler discloses associating an application with a first session (launching an application, ¶41), providing a system hook to detect start-up of the second application (launching within restricted user account, ¶42), but lacks performing an action to prevent the second application from accessing a memory space associated with the first application and lacks wherein the application allows starting of a second application such that the second application and performing the acts while the first application is being executed.  However, Carson teaches a kernel driver monitoring a launched application to ensure that the application does not access memory outside its own address range (¶100, ¶102).  Further, Carson teaches that it was known to execute multiple application processes on a computer (¶3).  Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify Stiegler, as modified above, to include performing an action to prevent the second application from accessing a memory space associated with the first application, wherein the application allows starting of a second application such that the second application and performing the acts while the first application is being executed.  One of ordinary skill in the art would have been motivated to perform such a modification to prevent malicious activity by the second application, as taught by Carson. 
	Regarding claim 12, Stiegler, as modified above, teaches wherein providing the system hook comprises registering a kernel driver with an operating system of the computer such that the kernel driver is executed in response to an attempted (driver 220 installed to intercept resource access attempts, ¶100) start-up of the second application (potential malware), and the execution of the kernel driver performs the action to prevent the second application from accessing the memory space of the 
	Regarding claim 14, Stiegler, as modified above, teaches performing one or more of the following in response to the start-up of the second application: terminating the first application or a thread associated with the application, terminating an access right of a user to the application, or suspending the application or a thread associated with the application (suspending thread, Carson, ¶130).

Allowable Subject Matter
Claims 10 and 13 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MICHAEL J SIMITOSKI whose telephone number is (571)272-3841.  The examiner can normally be reached on Monday - Friday, 7:00-3:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Carl Colin can be reached on 571-272-3862.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/Michael Simitoski/
Primary Examiner, Art Unit 2493
September 28, 2021