DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
This action is in response to amendments filed on 5/6/2021.
Claims 2-21 have been examined and are rejected. 


Information Disclosure Statement
The information disclosure statements (IDS) submitted on 3/29/2021, 5/6/2021, and 8/12/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.


Claim Rejections – 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 2, 6, 12, & 17 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by Nakamoto et al. (US 2014/0304765 A1).
With regard to Claim 2, Nakamoto teaches:
A computer-implemented method comprising: 
receiving, from a client device, a connection to a server system; (a client device transmits user credentials to an authentication server [Nakamoto: 0062; 0120]);
assigning a first policy to the client device in response to the connection; (host credentials may be used for an initial network admission decision process to enable the port for network access, wherein the policy enforcement point (PEP) may restrict full network access until user authentication is successful [Nakamoto: 0063]);
authenticating a user account based on identification information of a user; (obtaining user identity information for authentication, wherein successful authentication results in the device being authorized to communicate on the IBIP network [Nakamoto: 0062; 0066; 0121]);
and assigning a second policy to the client device after authenticating the user account; (once the user is authenticated successfully, loading and enacting policies enforcing role based network access [Nakamoto: 0063; 0073-79]).

With regard to Claim 6, Nakamoto teaches:
The computer-implemented method of claim 2, wherein assigning the first policy enables the client device to access a first set of resource, and assigning the second policy enables the client device to access a second set of resource; (the policy enforcement point (PEP) may restrict full network access until user authentication is successful [Nakamoto: 0063], wherein once the user is authenticated successfully, policies enforcing role based network access are loaded and enacted [Nakamoto: 0063; 0073-79]).

With regard to Claims 12 & 17, they appear substantially similar to the limitations recited by claim 2 and consequently do not appear to teach or further define over the citations provided for said claim. Accordingly, claims 12 & 17 are rejected for the same reasons as set forth in claim 2.


Claim Rejections – 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 3, 7-11, 13-14, 16, & 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over Nakamoto et al. (US 2014/0304765 A1) in view of Krzyzanowski et al. (US 2012/0303476 A1).
With regard to Claim 3, Nakamoto teaches:

and prior to assigning the second policy, linking the user account to a second account; (escalating to a different role based on authentication and retrieving mapping associated with a privileged user [Nakamoto: 0073; 0076; 0079]).

However, Nakamoto does not explicitly teach (where underlining indicates the portion of each limitation not taught):
a first account with the client device in a first operation mode; and a second account with the client device in a second operation mode.
	
In a similar field of endeavor involving mobile policy enforcement, Krzyzanowski discloses:
a first account with the client device in a first operation mode; (a plurality of profiles where each profile may have different policy management logic associated therewith, wherein a “home” profile may have no policy management logic associated therewith [Krzyzanowski: 0299; 0305; 0337; 0047; Figs. 58-60]);
and a second account with the client device in a second operation mode; (a “work” profile may be managed, may have policy management logic associated therewith to ensure that usage of the mobile electronic device complies with enterprise policies, and have a remote management client associated therewith (i.e. client agent), wherein if it is determined that the mode is the managed mode, then a remote management client (i.e. client agent) is executed to allow a remote entity (i.e. device manager) to manage the second applications [Krzyzanowski: 0299; 0305; 0337; 0047; Figs. 58-60]).


One of ordinary skill in the art would have been motivated to combine Nakamoto with Krzyzanowski as doing so would allow the device to receive lower restriction policies when operating in a managed mode, and higher restriction policies when operating in an unmanaged mode.

With regard to Claim 7, Nakamoto-Krzyzanowski teaches:
The computer-implemented method of claim 3, wherein the first operation mode is a first managed mode managed by a device manager in accordance with the first policy, and the second operation mode is a second managed mode managed by the device manager in accordance with the second policy; (each profile may have different policy management logic associated therewith, wherein the first profile may include first profile policy management logic and second profile may include second profile policy management logic, the policy management logic may comprise logic that enforces enterprise-related policies [Krzyzanowski: 0299; Fig. 57]).

With regard to Claim 8, Nakamoto-Krzyzanowski teaches:
The computer-implemented method of claim 7, wherein: linking the user account to the first account comprises providing access to a first managed account to data stored according to a first protocol, and linking the user account to the second account comprises providing access to a second managed account to data stored according to a second protocol; (storing data associated with the first applications in an unencrypted format and storing data associated with the second applications in an encrypted format [Krzyzanowski: 0043]).

With regard to Claim 9, Nakamoto-Krzyzanowski teaches:
The computer-implemented method of claim 3, wherein the first operation mode is an unmanaged mode associated with the first policy, and the second operation mode is a managed mode associated with the second policy; (each profile may have different policy management logic associated therewith, wherein the first profile may have no policy management logic associated therewith (i.e. unmanaged), and the second profile may include second profile policy management logic, the policy management logic may comprise logic that enforces enterprise-related policies [Krzyzanowski: 0299; Fig. 57]).


With regard to Claim 10, Nakamoto teaches:
The computer-implemented method of claim 2, further comprising: provisioning a remote resource to communicate with the client device; (once the user is authenticated successfully, loading and enacting policies enforcing role based network access [Nakamoto: 0063; 0073-79]).

However, Nakamoto does not teach:
monitoring the client device to detect that the client device is capable of running in a first operation mode and a second operation mode.
	
In a similar field of endeavor involving mobile policy enforcement, Krzyzanowski discloses:
monitoring the client device to detect that the client device is capable of running in a first operation mode and a second operation mode; (determining whether the mobile device is operating in a first managed (e.g. enterprise) mode of operation or a second unmanaged (e.g. residential/personal) mode of operation by determining whether application access is being 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nakamoto in view of Krzyzanowski in order to detect that the client device is capable of running in a first operation mode and a second operation mode in the system of Nakamoto. 
One of ordinary skill in the art would have been motivated to combine Nakamoto with Krzyzanowski as doing so would allow the device to receive lower restriction policies when operating in a managed mode, and higher restriction policies when operating in an unmanaged mode.

With regard to Claim 11, Nakamoto teaches the computer-implemented method of claim 2, but does not teach:
receiving a new request to store data associated with the client device; and storing the data associated with the client device in a first operation mode according to a first protocol and with the client device in a second operation mode according to a second protocol.
	
In a similar field of endeavor involving mobile policy enforcement, Krzyzanowski discloses:
receiving a new request to store data associated with the client device; and storing the data associated with the client device in a first operation mode according to a first protocol and with the client device in a second operation mode according to a second protocol; (storing data associated with the first applications in an unencrypted format and storing data associated with the second applications in an encrypted format [Krzyzanowski: 0043]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nakamoto in view of Krzyzanowski in order to store data in a first operation mode according to a first protocol and in a second operation mode according to a second protocol in the system of Nakamoto. 
One of ordinary skill in the art would have been motivated to combine Nakamoto with Krzyzanowski as doing so would allow the device to further enhance security when operating in the managed mode by encrypting application data.

With regard to Claims 13-14, 16, & 18-19, they appear substantially similar to the limitations recited by claims 3 & 7-11 and consequently do not appear to teach or further define over the citations provided for said claims. Accordingly, claims 13-14, 16, & 18-19 are rejected for the same reasons as set forth in claims 3 & 7-11.


Claims 4 & 20 are rejected under 35 U.S.C. 103 as being unpatentable over Nakamoto et al. (US 2014/0304765 A1) in view of Kelly et al. (US 2013/0042295 A1).
With regard to Claim 4, Nakamoto teaches:
The computer-implemented method of claim 2, wherein the first policy enforces restrictions associated with an unauthenticated account; (the policy enforcement point (PEP) may restrict full network access until user authentication is successful [Nakamoto: 0063]).

However, Nakamoto does not explicitly teach (where underlining indicates the portion of each limitation not taught):
wherein the first policy enforces restrictions associated with an unmanaged account.
	

wherein the first policy enforces restrictions associated with an unmanaged account; (if the authentication information is not verifiable (i.e. the device is operating in an unmanaged mode), access is denied to the secure virtual environment [Kelly: 0049; Fig. 5]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nakamoto in view of Kelly in order to enforce restrictions associated with an unmanaged account in the system of Nakamoto. 
One of ordinary skill in the art would have been motivated to combine Nakamoto with Kelly as doing so would provide the corporate entity with necessary document security.

With regard to Claim 20, it appears substantially similar to the limitations recited by claim 4 and consequently does not appear to teach or further define over the citations provided for said claim. Accordingly, claim 20 is rejected for the same reasons as set forth in claim 4.


Claims 5, 15, & 21 are rejected under 35 U.S.C. 103 as being unpatentable over Nakamoto et al. (US 2014/0304765 A1) in view of Hannel et al. (US 2011/0231443 A1).
With regard to Claim 5, Nakamoto teaches the computer-implemented method of claim 2 including providing an API to connect to external sources such as LDAP and Active Directory servers [Nakamoto: 0073], but does not teach:
binding the user account to a directory service associated with a plurality of access rights, wherein the user account corresponds to a network account provided by the directory service.
	

binding the user account to a directory service associated with a plurality of access rights, wherein the user account corresponds to a network account provided by the directory service; (receives the custom authentication type's name, here LDAP Bind, that defines a custom authentication method which authenticates a user based on an entry for the user in a directory accessible via LDAP [Hannel: 0515; Fig. 46]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Nakamoto in view of Hannel in order to bind the user account to a directory service associated with a plurality of access rights in the system of Nakamoto.
One of ordinary skill in the art would have been motivated to combine Nakamoto with Hannel as doing so would utilize LDAP which is a well-known protocol running over TCP/IP for accessing directories of people or other entities. 

With regard to Claims 15 & 21, they appear substantially similar to the limitations recited by claim 5 and consequently do not appear to teach or further define over the citations provided for said claim. Accordingly, claims 15 & 21 are rejected for the same reasons as set forth in claim 5.


Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Bryce et al. (US 8,615,786 B1) which teaches using the information stored in Windows Active Directory to determine whether an authenticated user's Active Directory security group membership would cause different administrator, call center director, sales manager, or agent rulesets to be selected for the user [Bryce: 7:41-59].

In the case of amendments, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and support, for ascertaining the metes and bounds of the claimed invention.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUSTIN MOREAU whose telephone number is (571) 272-5179.  The examiner can normally be reached on Monday to Thursday and alternate Fridays.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached at (571) 272-7952.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.

/AUSTIN J MOREAU/Primary Examiner, Art Unit 2446