DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the application 16/918022 filed on 07/01/2020.
Claims 1-20 have been examined and are pending in this application. Receipt of the 

Information Disclosure Statement
The information disclosure statement (IDS), submitted on 07/01/2020 and 11/01/2021, is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 17-18 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Regarding claim 17; Claim 17 is found indefinite because the claim recites both system and method claims.  The claim 17 is directed to a method (i.e., including the steps of intercepting …, modifying …; and sending …); however, the claim also recite system/device embodiments (i.e., a server [] configured to generate…).  A claim is considered indefinite under 35 U.S.C. 112(b) or 35 U.S.C. § 112 (pre-AIA ), second paragraph, if it does not reasonably apprise those skilled in the art of its scope. See MPEP 2173.05(p) and IPXL Holdings, 430 F.3d at 1384; See also In re Katz Interactive Call Processing Patent Litig., 639 F.3d 1303 (Fed. Cir. 2011) and Ex Parte Lyell, 17 USPQ2d 1548 (BPAI 1990) at 1550-51.") for details.
Regarding claim 18; claim 18 is dependent on claim 17, and therefore inherit 35 U.S.C. 112(b) or 35 U.S.C. § 112 (pre-AIA ), second paragraph, issues of the independent claim.

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

The following is a quotation of pre-AIA  35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA  35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.


Claim 2 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which 
Regarding claims 3, 8-10 and 13-14; claims 3, 8-10 and 13-14 are dependent on claim 2, and therefore inherit 35 U.S.C. 112(d) or 35 U.S.C. 112 (pre-AIA ), fourth paragraph of the independent claim.


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person.


Claims 1, 4, 6-7, 11, 15-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215).

Regarding claim 1: Gunnaraju discloses a computing device, comprising:
at least one processor (Gunnaraju: fig. 5; ¶0069 a processing unit 520 (e.g., a processor));
memory storying computer-readable instructions (Gunnaraju: fig. 5; ¶0069 a system memory 525 (e.g., a computer-readable storage device)) that, when executed by the at least one processor, cause the computing device to:
intercept a request, the request being to access a remote resource (Gummaraju: ¶0040 a client agent 152 intercepts one or more network communications (e.g., outgoing requests to access or use a destination resource 124));
modify future network communications between the computing device and the remote resource to include a token or a client certificate (Gummaraju: ¶0040 a client agent 152 [] injects one or more tokens 222 into the network communications during transit. The client agent 152 may include, for example, an injection mechanism 240 that enhances the network communication using one or more tokens 222 associated with the client agent 152), wherein the token or the client certificate is an identifier that enables the future network communications to be routed to the remote resource for a given computing session without use of data from the remote resource or data indicative of a connection of the remote resource in which to receive the future network communications (Gummaraju: ¶0040 the injection mechanism 240 identifies one or more appropriate tokens 222 (e.g., identity token 224 associated with the client resource 122 and access token 226 associated with the destination resource 124) and injects the tokens 222 into the network communication; ¶0036 an access token 226 associated with a destination resource 124 may be used to direct a network communication toward the destination resource 124 and allow its sender (e.g., client resource 122, client agent 152) to access or use a protected resource on the destination resource 124); and
send the future network communications to the remote resource to enable action to be taken on behalf of the computing device in response to receipt of the future network communications (Gummaraju: ¶0027 a client resource 122 transmits a network communication (e.g., network request) to a destination resource 124 over a network 110; ¶0058 the destination component 420 may monitor the destination resource 124, intercept one or more incoming network requests (e.g., network requests transmitted to the destination resource 124), extract one or more tokens 222 from the network requests, and determine whether the tokens 222 satisfy a predetermined destination security threshold).
Gunnaraju does not explicitly disclose request from an application executable on the computing device.
However, Romano discloses request from an application executable on the computing device (Romano: ¶0039 any requests made by applications within the application browser 114).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Romano with the system/method of Gunnaraju to include request from an application executable on the computing device.
One would have been motivated to provide a mobile applications platform including a container application to facilitate secure access to enterprise data and services (Romano: ¶0004).

Regarding claim 4: Gummaraju in view of Romano discloses the computing device of claim 1.
Gummaraju further discloses wherein the token includes one or more of: a user identifier, an identifier of the computing device, time information, or endpoint information (Gummaraju: ¶0035 identity tokens 224 enable a network member 120 to be identified and authenticated; ¶0064 the tokens 122 enable the client agent 152 to locate and/or approach the destination resource 124 in accordance with one or more security policies 132 associated with the destination resource 124).

Regarding claim 6: Gummaraju in view of Romano discloses the computing device of claim 1.
Gummaraju further discloses wherein the token enables one or more of: single sign-on authentication or multi-factor authentication between the computing device and the remote resource (Gummaraju: ¶0049 multiple authentication factors may be presented to the controller 140, for example, to obtain one or more tokens 222 from the service identity platform 212).

Regarding claim 7: Gummaraju in view of Romano discloses the computing device of claim 1.
Gummaraju further discloses wherein the token enables the remote resource to identify one or more of: a physical location or other endpoint information of the computing device (Gummaraju: ¶0017 the tokens may include one or more security policies (e.g., network access rules, credentials, resource level controls) that may be used to determine whether a networked service is allowed to access).

Regarding claim 11: Gummaraju in view of Romano discloses the computing device of claim 1.
Gummaraju further discloses wherein the data comprises a cookie and wherein the connection comprises one or more of an internet protocol (IP) address for the remote resource or a secure sockets layer (SSL) session identifier for the remote resource (Gummaraju: ¶0017 the tokens may include one or more security policies; ¶0085 The control system 200 is also configurable to operate for encrypted connections that use, for example, IP Security (IPsec) or Transport Layer Security (TLS)/Secure Sockets Layer (SSL)).

Regarding claim 15: Gummaraju in view of Romano discloses the computing device of claim 1.
Romano further discloses wherein modifying the future network communications to include the client certificate comprises modifying the future network communications to include the client certificate during a handshake between the computing device and the remote resource (Romano: ¶0029 requests for a web application 154 originating from the mobile device 110 may be communicated via private network 130 and carry an application browser 114 identity certificate 212).
The motivation is the same that of claim 1 above.

Regarding claim 16: Gunnaraju discloses a method comprising:
at a computing device comprising at least one processor (Gunnaraju: fig. 5 item 520 a processing unit (e.g., a processor)), a communication interface (Gunnaraju: fig. 4; item 410 an interface component), and a memory (Gunnaraju: fig. 5 item 525 a system memory 525):
intercepting a request, the request being to access a remote resource (Gummaraju: ¶0040 a client agent 152 intercepts one or more network communications (e.g., outgoing requests to access or use a destination resource 124));
modifying future network communications between the computing device and the remote resource to include a token or a client certificate (Gummaraju: ¶0040 a client agent 152 [] injects one or more tokens 222 into the network communications during transit. The client agent 152 may include, for example, an injection mechanism 240 that enhances the network communication using one or more tokens 222 associated with the client agent 152), wherein the token or the client certificate is an identifier that enables the future network communications to be routed to the remote resource for a given computing session without use of data from the remote resource or data indicative of a connection of the remote resource in which to receive the future network communications (Gummaraju: ¶0040 the injection mechanism 240 identifies one or more appropriate tokens 222 (e.g., identity token 224 associated with the client resource 122 and access token 226 associated with the destination resource 124) and injects the tokens 222 into the network communication; ¶0036 an access token 226 associated with a destination resource 124 may be used to direct a network communication toward the destination resource 124 and allow its sender (e.g., client resource 122, client agent 152) to access or use a protected resource on the destination resource 124); and
sending the future network communications to the remote resource to enable action to be taken on behalf of the computing device in response to receipt of the future network communications (Gummaraju: ¶0027 a client resource 122 transmits a network communication (e.g., network request) to a destination resource 124 over a network 110; ¶0058 the destination component 420 may monitor the destination resource 124, intercept one or more incoming network requests (e.g., network requests transmitted to the destination resource 124), extract one or more tokens 222 from the network requests, and determine whether the tokens 222 satisfy a predetermined destination security threshold).
Gunnaraju does not explicitly disclose request from an application executable on the computing device.
However, Romano discloses request from an application executable on the computing device (Romano: ¶0039 any requests made by applications within the application browser 114).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Romano with the system/method of Gunnaraju to include request from an application executable on the computing device.
One would have been motivated to provide a mobile applications platform including a container application to facilitate secure access to enterprise data and services (Romano: ¶0004).

Regarding claim 19: Claim 19 is similar in scope to claim 4, and is therefore rejected under similar rationale.

Regarding claim 20: Gummaraju discloses a method comprising:
intercepting, by a computing device, a request, the request being to access a remote resource (Gummaraju: ¶0040 a client agent 152 intercepts one or more network communications (e.g., outgoing requests to access or use a destination resource 124));
modifying, by the computing device, the request to include credentials of a user of the computing device (Gummaraju: ¶0040 a client agent 152 [] injects one or more tokens 222 into the network communications during transit. The client agent 152 may include, for example, an injection mechanism 240 that enhances the network communication using one or more tokens 222 associated with the client agent 152), the credentials being an identifier that enables the request to be routed to the remote resource for a given computing session without use of data from the remote resource or data indicative of a connection of the resource in which to receive the request (Gummaraju: ¶0040 the injection mechanism 240 identifies one or more appropriate tokens 222 (e.g., identity token 224 associated with the client resource 122 and access token 226 associated with the destination resource 124) and injects the tokens 222 into the network communication; ¶0036 an access token 226 associated with a destination resource 124 may be used to direct a network communication toward the destination resource 124 and allow its sender (e.g., client resource 122, client agent 152) to access or use a protected resource on the destination resource 124); and
providing, by the computing device, the request to the remote resource to enable action to be taken on behalf of the computing device in response to receipt of the request Gummaraju: ¶0027 a client resource 122 transmits a network communication (e.g., network request) to a destination resource 124 over a network 110; ¶0058 the destination component 420 may monitor the destination resource 124, intercept one or more incoming network requests (e.g., network requests transmitted to the destination resource 124), extract one or more tokens 222 from the network requests, and determine whether the tokens 222 satisfy a predetermined destination security threshold).
Gunnaraju does not explicitly disclose request from an application executable on the computing device.
However, Romano discloses request from an application executable on the computing device (Romano: ¶0039 any requests made by applications within the application browser 114).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Romano with the system/method of Gunnaraju to include request from an application executable on the computing device.
One would have been motivated to provide a mobile applications platform including a container application to facilitate secure access to enterprise data and services (Romano: ¶0004).

Claims 2, 9-10 and 17 are rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215) and Patel (US 2021/0336787).

Regarding claim 2: Gummaraju in view of Romano discloses the computing device of claim 1.
Romano further discloses wherein a server, corresponding to a first enterprise organization and configured to affect behavior of the application, is configured to generate the token based on an enrollment communication between the computing device and the server (Romano: ¶0019 the proxy server 152 may be part of an enterprise information technology system 150; ¶0030 a user of the mobile device 110 may be required to register and activate the application browser 114 in order to connect to the proxy server 152 [] each instance of the application browser 114 may be given a unique identifier called an app token).
The motivation is the same that of claim 1 above.
Gummaraju in view of Romano does not explicitly disclose wherein the token comprises one of: a set of randomly generated bits mapped, in a mapping table, by the server to an identity of the computing device or a hash of the identity of the computing device.
However, Patel discloses wherein the token comprises one of: a set of randomly generated bits mapped, in a mapping table, by the server to an identity of the computing device or a hash of the identity of the computing device (Patel: ¶0036 at block 211, a hashed device ID is created in order to render the device ID anonymous).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Patel with the system/method of Gummaraju and Romano to include the token comprises a hash of the identity of the computing device.
Patel: ¶0002).

Regarding claim 9: Gummaraju in view of Romano and Patel discloses the computing device of claim 2.
Gummaraju further discloses wherein the remote resource is affiliated with a second enterprise organization, different than the first enterprise organization (Gummaraju: ¶0076 the client component 420 [] identify a communication transmitted from the first service and directed to a second service [] and/or automatically transmit the communication to the second service in accordance with one or more security policies associated with the second service).

Regarding claim 10: Gummaraju in view of Romano and Patel discloses the computing device of claim 2.
Romano further discloses request, using a local framework, in response to launching the application, and from the server, the token or the client certificate, wherein the local framework is deployed by the server and used to affect the behavior of the application (Romano: ¶0033 the application browser 114 will use the subject supplied from the passcode/word validation request along with the private key created earlier to generate a certificate signing request (CSR). The CSR is submitted to the Security Gateway along with the app token generated by the application browser 114), and
Romano: ¶0033 the application browser platform 256 then contacts the enterprise certificate authority via certificate management protocol (CMP) and signs the CSR to generate the X.509 identity certificate. The identity certificate is return to the app browser).
The motivation is the same that of claim 1 above.

Regarding claim 17: Claim 17 is similar in scope to claim 2, and is therefore rejected under similar rationale.

Claims 3 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215), Patel (US 2021/0336787) and Modi et al. (“Modi,” US 2021/0392136).

Regarding claim 3: Gummaraju in view of Romano and Patel discloses the computing device of claim 2.
Romano further discloses wherein the computing device is unable to parse the token, and the server is configured to look up the identity of the computing device in the mapping table (Romano: ¶0040 where no App Token is attached validating an App Token against the local white list).
The motivation is the same that of claim 1 above.
Gummaraju in view of Romano and Patel does not explicitly disclose the server is unable to decrypt the token.
Modi: ¶0061 if the authorization component 114 is unable to decrypt the encrypted token 208).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Modi with the system/method of Gummaraju, Romano and Patel to include the server is unable to decrypt the token.
One would have been motivated to desirably managing authorization and authentication with regard to accessing of a service and associated application component by a communication device and/or an associated user (Modi: ¶0015).

Regarding claim 18: Claim 18 is similar in scope to claim 3, and is therefore rejected under similar rationale.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215) and GANGAWANE et al. (“Gangawane,” US 2018/0077144).

Regarding claim 5: Gummaraju in view of Romano discloses the computing device of claim 1.
Gummaraju in view of Romano does not explicitly disclose wherein modifying the future network communications to include the token comprises modifying the future network communications to include the token as an additional HTTP header.
Gangawane: ¶0089 the application first requests an access token from the IDCS OAuth2 Service. After acquiring the token, the application sends the access token to the IDCS API by including it in the HTTP authorization header).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Gangawane with the system/method of Gummaraju and Romano to include modifying the future network communications to include the token as an additional HTTP header.
One would have been motivated to protecting a docketing application in an enterprise cloud by adding a header to the request and the request is then forwarded on to the origin server (Gangawane: ¶0020).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215), Patel (US 2021/0336787) and Banerjee et al.(“ Banerjee,” US 2021/0075853).

Regarding claim 8: Gummaraju in view of Romano and Patel discloses the computing device of claim 2.
Gummaraju in view of Romano and Patel does not explicitly disclose send a request to the server requesting a list of server endpoints for which communication should 
However, Banerjee discloses send a request to the server requesting a list of server endpoints for which communication should be modified (Banerjee: ¶0026 call an API that requests the network analysis platform generate the final ranked list of servers and return the final ranked list); and
- 39 -B&W Ref.: 007737.01212receive, from the server, the list of server endpoints for which communication should be modified, wherein the list of server endpoints for which communication should be modified includes the remote resource (Banerjee: ¶0026 obtain the final ranked list of servers from the network analysis platform via an API call).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Banerjee with the system/method of Gummaraju, Romano and Patel to include send/receive a request to the server requesting a list of server endpoints for which communication should be modified.
One would have been motivated to orchestrating the provisioning of instances of services across physical servers at locations that improve performance of the services (Banerjee: ¶0001).


Claim 12 is rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215) and Meyer et al. (“Meyer,” US 2020/0204381).

Regarding claim 12: Gummaraju in view of Romano discloses the computing device of claim 1.
Gummaraju in view of Romano does not explicitly disclose wherein the future network communications are directed to the remote resource via a load balancer, wherein the load balancer may route the future network communications to the remote resource based on the token.
However, Meyer discloses wherein the future network communications are directed to the remote resource via a load balancer, wherein the load balancer may route the future network communications to the remote resource based on the token (Meyer: ¶0172 the load balancers 710 [] of the CMS 700 show in FIG. 7 may send workload-based requests to compute engines to evenly distribute workload across compute engines).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Meyer with the system/method of Gummaraju and Romano to include network communications are directed to the remote resource via a load balancer.
One would have been motivated to providing system may include one or more load balancers to perform operations comprising distributing at least one request to the one or more compute engines based on a health measurement of the one or more compute engines (Meyer: ¶0010.
Claims 13 and 14 are rejected under 35 U.S.C. 103 as being unpatentable over Gummaraju et al. (“Gummaraju,” US 2018/0034858) in view of Romano et al. (“Romano,” US 2014/0007215), Patel (US 2021/0336787) and Meyer et al. (“Meyer,” US 2020/0204381).

Regarding claim 13: Gummaraju in view of Romano and Patel discloses the computing device of claim 2.
Romano further discloses wherein the client certificate includes one or more of: a user identifier or a device identifier (Romano: ¶0031 the user identification that is associated with the passcode/word will be returned to the application browser 114 to be used as the subject in the certificate signing request required for the identity certificate), 
The motivation is the same that of claim 1 above.
Gummaraju in view of Romano and Patel does not explicitly disclose wherein the client certificate is generated by the server based on an enrollment communication between the computing device and the server.
However, Meyer discloses wherein the client certificate is generated by the server based on an enrollment communication between the computing device and the server (Meyer: fig. 5; ¶0123 requests from the registration authority 420 to issue enrollment certificates to end-user devices; ¶0126 at 535, the distributor appliance 108 receives the enrollment certificate [] the distributor appliance 108 may provision the enrollment certificate to a device (e.g., device 106a)).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Meyer 
One would have been motivated to providing systems, methods and devices for securely generating and providing certain types of digital assets such as security credentials and digital certificates (Meyer: ¶0009).

Regarding claim 14: Gummaraju in view of Romano and Patel discloses the computing device of claim 2.
Gummaraju in view of Romano and Patel does not explicitly disclose the server is configured with a root certificate, the root certificate enables the server to generate the client certificate and the remote resource is configured with a public key for the root certificate that enables the remote resource to validate the client certificate.
However, Meyer discloses the server is configured with a root certificate (Meyer: ¶0058 the DAMS 110 may include the following main elements: a root certificate authority (CA)),
the root certificate enables the server to generate the client certificate (Meyer: ¶0077 the DAMS 110 may create or generate requested digital security asset (s), such as public and private key pairs as well as an enrollment certificate(s) and a pseudonym certificate(s) for the device 106a),
the remote resource is configured with a public key for the root certificate that enables the remote resource to validate the client certificate (Meyer: ¶0083 the device 106a would run special code with the system 100’s root public key in it to validate the certificate that the distributor appliance 108 sends to it).
Therefore, it would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention to combine the teachings of Meyer with the system/method of Gummaraju, Romano and Patel to include generate the client certificate with a public key for the root certificate that enables the remote resource to validate the client certificate.
One would have been motivated to providing systems, methods and devices for securely generating and providing certain types of digital assets such as security credentials and digital certificates (Meyer: ¶0009).


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to Fahimeh Mohammadi whose telephone number is (571)270-7857. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/FAHIMEH MOHAMMADI/ Examiner, Art Unit 2439                                                                                                                                                                                                        


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439