DETAILED ACTION

Notice of Pre-AIA or AIA Status
1. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
2. Applicant's arguments with respect to claims 1-20 have been considered but are moot because of the new ground of rejection.


Claim Rejections - 35 USC § 103
3. 	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


4. 	Claims 1-5, 8-12, and 15-18 are rejected under 35 U.S.C. 103 as being unpatentable over Goverdhan (US 2017/0288883 A1) and Dudziak (US 7890084 B1) in view of Anderson (US 2017/0085372 A1).

5. Regarding Claim 1, Goverdhan discloses a system, comprising: a computing device comprising a processor and a memory (Goverdhan, Claim 1, a computing device comprising a processor and a memory); and machine-readable instructions stored in the memory that, when executed by the processor, cause the computing device to at least: receive an enrollment request from a client device (Goverdhan, ¶[0057], machine readable instructions stored in the memory of the management server 103 that, when executed by a processor of the management server 103, cause the management server; ¶[0040], during the enrollment or registration process, the management agent 166 can be installed on the client device 113); send a key request to a certificate provider, the key request comprising a user identifier (Goverdhan, ¶[0037], the CA 149 causes the certificate server 109 to send the certificate to the PKI broker 106. The CA 149 can also cause the certificate server 109 to record the device identifier 133 of the client device 113 and the certificate identifier 159);
Goverdhan does not explicitly disclose the following limitations that Dudziak teaches:
send a skeleton payload to an enterprise gateway (Dudziak, Col. 11, lines 25-27, the enterprise server 37 uses the appropriate AES key to encrypt the payload and sends the payload back to the gateway 29);
Goverdhan and Dudziak do not explicitly disclose the following limitations that Anderson teaches:
receive an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with an encryption key inserted by the enterprise gateway into the skeleton payload (Anderson, Abstract, an encryption gateway configured to receive TLS (or an equivalent security) encrypted data in a payload from a client application. ¶[0036], a payload and encrypts the extracted data with authentication (using an encryption key from a key manager). A TLS connection is set-up to a cloud or data server, and the encrypted authenticated data is inserted into a TLS cloud payload with key association information);
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to send a payload to the gateway to encrypt the payload with the encryption code that is inserted into the gateway to enhance security features.

and send the encrypted profile to the client device (Goverdhan, ¶[0023], a server can request that the CA 149 validate a certificate issued to a client device 113 to confirm the identity of the client device 113 before initiating an encrypted connection with the server).

6. Regarding Claim 2, Goverdhan, Dudziak and Anderson disclose the system of claim 1, wherein the machine-readable instructions further cause the computing device to at least insert the user identifier into the skeleton payload (Goverdhan, ¶[0017], The SCEP payload 136 can represent information that a client device 113 would need to generate a valid SCEP request for a certificate. The information included in a SCEP payload 136 can include a SCEP challenge, a SCEP end point, and a user account identifier).

7. Regarding Claim 3, Goverdhan, Dudziak and Anderson disclose the system of claim 1, wherein the machine-readable instructions further cause the computing device to at least send the user identifier to the enterprise gateway (Goverdhan, ¶[0041], As part of the creation process, the management service 119 can assign the serial number or MAC address of the client device 113 as the device identifier 133 for the device profile 129. In other instances, the management service 119 can create its own unique device identifier 133, which is stored as part of the device profile 129, and then provide the created device identifier 133).

8. Regarding Claim 4, Goverdhan, Dudziak and Anderson disclose the system of claim 1, wherein the encrypted profile further comprises a certificate included in the skeleton payload and the certificate comprises the encryption key (Goverdhan, Claim 15, comprising machine readable instructions for relaying simple certificate enrollment protocol (SCEP) payloads using derived credentials that, when executed by a processor of a computing device, cause the computing device to at least: ¶[0021], The payload overrides 146 can include, for example, values for a SCEP challenge, a SCEP endpoint, user specific data (such as subject name, subject alternate name, certificate uses, encryption key uses, and other data specific to a user), and other data fields in the SCEP payload 136).

9. Regarding Claim 5, Goverdhan, Dudziak and Anderson disclose the system of claim 4, wherein the certificate is a Secure/Multipurpose Internet Mail Extensions (S/MIME) certificate (Goverdhan, ¶[0027], the client application 163 can include a web browser, email application, virtual private network client, messaging application. The client application 163 can further be configured to use a certificate issued by the CA 149 to perform its functions. For example, a web browser or VPN client can be configured to use a certificate to authenticate the identity of the client device 113 with a web server or a VPN gateway. As another example, an email application, messaging application, network file access application, or VoIP application can be configured to use a certificate issued by the CA 149 to encrypt data, e.g., encrypt an email).

10. Regarding Claim 8, Goverdhan, Dudziak and Anderson disclose a method, comprising: receiving an enrollment request from a client device (Goverdhan, ¶[0057], machine readable instructions stored in the memory of the management server 103 that, when executed by a processor of the management server 103, cause the management server; ¶[0040], during the enrollment or registration process, the management agent 166 can be installed on the client device 113); sending a key request to a certificate provider, the key request comprising a user identifier (Goverdhan, ¶[0037], the CA 149 causes the certificate server 109 to send the certificate to the PKI broker 106. The CA 149 can also cause the certificate server 109 to record the device identifier 133 of the client device 113 and the certificate identifier 159);
Goverdhan does not explicitly disclose the following limitations that Dudziak teaches:
sending a skeleton payload to an enterprise gateway (Dudziak, Col. 11, lines 25-27, the enterprise server 37 uses the appropriate AES key to encrypt the payload and sends the payload back to the gateway 29);
Goverdhan and Dudziak do not explicitly disclose the following limitations that Anderson teaches:
receiving an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with an encryption key inserted by the enterprise gateway into the skeleton payload (Anderson, Abstract, an encryption gateway configured to receive TLS (or an equivalent security) encrypted data in a payload from a client application. ¶[0036], a payload and encrypts the extracted data with authentication (using an encryption key from a key manager). A TLS connection is set-up to a cloud or data server, and the encrypted authenticated data is inserted into a TLS cloud payload with key association information); and sending the encrypted profile to the client device (Goverdhan, ¶[0023], a server can request that the CA 149 validate a certificate issued to a client device 113 to confirm the identity of the client device 113 before initiating an encrypted connection with the server).

11. Regarding Claim 9, Goverdhan, Dudziak and Anderson disclose the method of claim 8, further comprising inserting the user identifier into the skeleton payload (Goverdhan, ¶[0017], The SCEP payload 136 can represent information that a client device 113 would need to generate a valid SCEP request for a certificate. The information included in a SCEP payload 136 can include a SCEP challenge, a SCEP end point, and a user account identifier).

12. Regarding Claim 10, Goverdhan, Dudziak and Anderson disclose the method of claim 8, further comprising sending the user identifier to the enterprise gateway (Goverdhan, ¶[0041], As part of the creation process, the management service 119 can assign the serial number or MAC address of the client device 113 as the device identifier 133 for the device profile 129. In other instances, the management service 119 can create its own unique device identifier 133, which is stored as part of the device profile 129, and then provide the created device identifier 133).

13. Regarding Claim 11, Goverdhan, Dudziak and Anderson disclose the method of claim 8, wherein the encrypted profile further comprises a certificate included in the skeleton payload and the certificate comprises the encryption key (Goverdhan, Claim 15, comprising machine readable instructions for relaying simple certificate enrollment protocol (SCEP) payloads using derived credentials that, when executed by a processor of a computing device, cause the computing device to at least: ¶[0021], The payload overrides 146 can include, for example, values for a SCEP challenge, a SCEP endpoint, user specific data (such as subject name, subject alternate name, certificate uses, encryption key uses, and other data specific to a user), and other data fields in the SCEP payload 136).

14. Regarding Claim 12, Goverdhan, Dudziak and Anderson disclose the method of claim 11, wherein the certificate is a Secure/Multipurpose Internet Mail Extensions (S/MIME) certificate (Goverdhan, ¶[0027], the client application 163 can include a web browser, email application, virtual private network client, messaging application. The client application 163 can further be configured to use a certificate issued by the CA 149 to perform its functions. For example, a web browser or VPN client can be configured to use a certificate to authenticate the identity of the client device 113 with a web server or a VPN gateway. As another example, an email application, messaging application, network file access application, or VoIP application can be configured to use a certificate issued by the CA 149 to encrypt data, e.g., encrypt an email).

15. Regarding Claim 15, Goverdhan, Dudziak and Anderson disclose a non-transitory, computer-readable medium, comprising machine-readable instructions that, when executed by a processor of a computing device, cause the computing device to at least: receive an enrollment request from a client device (Goverdhan, ¶[0057], machine readable instructions stored in the memory of the management server 103 that, when executed by a processor of the management server 103, cause the management server; ¶[0040], during the enrollment or registration process, the management agent 166 can be installed on the client device 113); send a key request to a certificate provider, the key request comprising a user identifier (Goverdhan, ¶[0037], the CA 149 causes the certificate server 109 to send the certificate to the PKI broker 106. The CA 149 can also cause the certificate server 109 to record the device identifier 133 of the client device 113 and the certificate identifier 159);
Goverdhan does not explicitly disclose the following limitations that Dudziak teaches:
send a skeleton payload to an enterprise gateway (Dudziak, Col. 11, lines 25-27, the enterprise server 37 uses the appropriate AES key to encrypt the payload and sends the payload back to the gateway 29);
Goverdhan and Dudziak do not explicitly disclose the following limitations that Anderson teaches:
receive an encrypted profile from the enterprise gateway, the encrypted profile comprising the skeleton payload with an encryption key inserted by the enterprise gateway into the skeleton payload (Anderson, Abstract, an encryption gateway configured to receive TLS (or an equivalent security) encrypted data in a payload from a client application. ¶[0036], a payload and encrypts the extracted data with authentication (using an encryption key from a key manager). A TLS connection is set-up to a cloud or data server, and the encrypted authenticated data is inserted into a TLS cloud payload with key association information); and send the encrypted profile to the client device (Goverdhan, ¶[0023], a server can request that the CA 149 validate a certificate issued to a client device 113 to confirm the identity of the client device 113 before initiating an encrypted connection with the server).
  
16. Regarding Claim 16, Goverdhan, Dudziak and Anderson disclose the non-transitory, computer-readable medium of claim 15, wherein the machine-readable instructions further cause the computing device to at least insert the user identifier into the skeleton payload (Goverdhan, ¶[0017], The SCEP payload 136 can represent information that a client device 113 would need to generate a valid SCEP request for a certificate. The information included in a SCEP payload 136 can include a SCEP challenge, a SCEP end point, and a user account identifier).

17. Regarding Claim 17, Goverdhan, Dudziak and Anderson disclose the non-transitory, computer-readable medium of claim 15, wherein the encrypted profile further comprises a certificate included in the skeleton payload and the certificate comprises the encryption key (Goverdhan, Claim 15, comprising machine readable instructions for relaying simple certificate enrollment protocol (SCEP) payloads using derived credentials that, when executed by a processor of a computing device, cause the computing device to at least: ¶[0021], The payload overrides 146 can include, for example, values for a SCEP challenge, a SCEP endpoint, user specific data (such as subject name, subject alternate name, certificate uses, encryption key uses, and other data specific to a user), and other data fields in the SCEP payload 136).

18. Regarding Claim 18, Goverdhan, Dudziak and Anderson disclose the non-transitory, computer-readable medium of claim 17, wherein the certificate is a Secure/Multipurpose Internet Mail Extensions (S/MIME) certificate (Goverdhan, ¶[0027], the client application 163 can include a web browser, email application, virtual private network client, messaging application. The client application 163 can further be configured to use a certificate issued by the CA 149 to perform its functions. For example, a web browser or VPN client can be configured to use a certificate to authenticate the identity of the client device 113 with a web server or a VPN gateway. As another example, an email application, messaging application, network file access application, or VoIP application can be configured to use a certificate issued by the CA 149 to encrypt data, e.g., encrypt an email).

19. Claims 6, 13 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Goverdhan (US 2017/0288883 A1), Dudziak (US 7890084 B1) and Anderson (US 2017/0085372 A1) in view of Tenenboym (US 2014/0149735 A1).

20. Regarding Claim 6, Goverdhan, Dudziak, Anderson and Tenenboym disclose the system of claim 1.
Goverdhan, Dudziak and Anderson do not explicitly disclose the following limitations that Tenenboym teaches:
the system of claim 1, wherein the machine-readable instructions further cause the computing device to sign the encrypted profile with a signing certificate (Tenenboym, ¶[0023], The client device 110 may transmit the encrypted hash value to the signing system 200. A signature module 250 may be used to combine the encrypted hash value, returned by transmission from the client device 110, with a set of verified certificates and a set of unauthenticated attributes to produce the digital signature).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include a signing certificate that signs the encrypted profile in the computing device, which enhances security features.

21. Regarding Claim 13, Goverdhan, Dudziak, Anderson and Tenenboym disclose the method of claim 8, further comprising signing the encrypted profile with a signing certificate (Tenenboym, ¶[0023], The client device 110 may transmit the encrypted hash value to the signing system 200. A signature module 250 may be used to combine the encrypted hash value, returned by transmission from the client device 110, with a set of verified certificates and a set of unauthenticated attributes to produce the digital signature).

22. Regarding Claim 19, Goverdhan, Dudziak, Anderson and Tenenboym disclose the non-transitory, computer-readable medium of claim 15, wherein the machine-readable instructions further cause the computing device to sign the encrypted profile with a signing certificate (Tenenboym, ¶[0023], The client device 110 may transmit the encrypted hash value to the signing system 200. A signature module 250 may be used to combine the encrypted hash value, returned by transmission from the client device 110, with a set of verified certificates and a set of unauthenticated attributes to produce the digital signature).

23. Claims 7, 14 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Goverdhan (US 2017/0288883 A1), Dudziak (US 7890084 B1) and Anderson (US 2017/0085372 A1) in view of Samdani (US 10158982 B2).

24. Regarding Claim 7, Goverdhan, Dudziak, Anderson and Samdani disclose the system of claim 1.
Goverdhan, Dudziak and Anderson do not explicitly disclose the following limitations that Samdani teaches:
the system of claim 1, wherein the enrollment request comprises the user identifier (Samdani, Col. 10, lines 47-48, The enrollment application 178 can further search the data store 173 to identify a user identifier).
It would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to include an enrollment device in the system device that contains a user identifier, to enhance security features.

25. Regarding Claim 14, Goverdhan, Dudziak, Anderson and Samdani disclose the method of claim 8, wherein the enrollment request comprises the user identifier (Samdani, Col. 10, lines 47-48, The enrollment application 178 can further search the data store 173 to identify a user identifier).

26. Regarding Claim 20, Goverdhan, Dudziak, Anderson and Samdani disclose the non-transitory, computer-readable medium of claim 15, wherein the enrollment request comprises the user identifier (Samdani, Col. 10, lines 47-48, The enrollment application 178 can further search the data store 173 to identify a user identifier).


Conclusion
27. Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939. The examiner can normally be reached on M-F, 8 AM to 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU, can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner, Art Unit 2433


/JEFFREY C PWU/Supervisory Patent Examiner, Art Unit 2433