DETAILED ACTION

Currently pending claims are 1 – 20.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/07/2021 has been entered.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:

A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1 – 4, 6 – 14 and 16 – 20 are rejected under 35 U.S.C. 103 as being unpatentable over Anders et al. (U.S. Patent 10,902,072), in view of DI et al. (U.S. Patent 2009/0307746), and in view of Hamlin et al. (U.S. Patent 10,552,590).


As per claim 1, 11 & 19, Anders teaches a method for performing policy-based user device security checks, the method comprising: 
establishing a trust policy that governs interactions over a plurality of content objects in a collaboration system (Anders: Figure 2 & 4, Col. 7 Line 11 – 16 and Col. 9 Line 3 – 16 / Line 24 – 26 / Line 45 – 55: providing a cloud computing infrastructure (as a collaboration system) that supports and manages content sharing among a plurality of users over a network based on security policies / compliance requirements), wherein the trust policy manages sharing of a content object from the plurality of content objects that is uploaded by a first user from a first user device with a second user at a second user device, the trust policy defining a security condition with regard to the content object uploaded by the first user at the first user device for access by the second user at the second user device based at least in part on characteristics of the second user device (Anders: see above).  
However, Anders does not teach expressly defining a security condition with regard to the content object uploaded by the first user at the first user device for access by the second user at the second user device based at least in part on characteristics of the second user device.
DI (& Anders) teach defining a security condition with regard to the content object uploaded by the first user at the first user device for access by the second user at the second user device based at least in part on characteristics of the second user device (Anders: see above) || (DI: Para [0010] / [0064]: managing security of an access admission control on a connection between user equipments (UE(s)) (i.e. a 1st user device and a 2nd user device) based upon, at least, device characteristics of security status (e.g. anti-virus installation status) such that generating a response for preventing the UE without antivirus software from accessing the network according to the admission control w.r.t. software information of the UE based on (e.g.) a checking whether the software version or configuration of the UE meets the network security requirements or not – this is consistent with the disclosure of the instant specification (SPEC: Para [0028]: checking the user device to determine if an antivirus agent is installed)).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of generating responses to the interaction events, the responses being generated based at least in part on the security conditions because DI’s teaching can effectively and securely evaluate whether the UE meets the network security requirements or not and preventing the UE without antivirus software from accessing the network in response to the checking (see above) within the Anders’s system of supporting and managing content sharing among a plurality of users over a network based on security policies / compliance requirements (see above). 
the trust policy is directed to interactions for multiple types of devices comprising at least a first type of device and a second type of device, wherein the first type of device comprises managed devices and the second type of device comprises unmanaged devices, wherein a managed device is preauthorized to access the content object and an unmanaged device is not preauthorized to access the content object (Anders: Col. 9 Line 53 – 55 & Col. 10 Line 56 – 65: security can be provided to enable cloud consumers (users) (e.g. a 2nd user device) to access the shared content by using respective security attribute(s) such as identity information for verification so as to protect (e.g. access permission) for data / resource and etc.) || (DI: Para [0010] / [0064]: managing security of an access admission control on a connection between user equipments (i.e. a 1st user device and a 2nd user device) based upon, at least, device characteristics of security status (e.g. anti-virus installation status) such that generating a response for preventing the UE without antivirus software from accessing the network (DI: Para [0010] / [0064]) according to the admission control w.r.t. software information of the UE based on (e.g.) a checking whether the software version or configuration of the UE meets the network security requirements).
However, Anders as modified does not disclose expressly a distinction between a managed device and an unmanaged device.
Hamlin teaches a distinction between a managed device and an unmanaged device (Hamlin: Col. 19 Line 62 – 67 and Col. 15 Line 19 – 22 / Line 28 – 32: a device that does not have sufficient confidence security score is qualified as an unmanaged device which is required to provide additional identity credentials for reauthentication to access the sharing resource while another device entity that has security score characteristics greater than (exceeding) a confidence threshold constitutes a managed device that has permission granted for accessing sharing resource – i.e. determining when a device (as an unmanaged device) that does not have sufficient security confidence score exceeding a predetermined security threshold, the access permission cannot be granted and it is required to provide additional identity credentials for reauthentication to access the sharing resource).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of drawing a distinction between a managed device and an unmanaged device because Hamlin’s teaching can effectively and securely determine when a device (as an unmanaged device) that does not have sufficient security confidence score exceeding a predetermined security threshold, the access permission cannot be granted and it is required to provide additional identity credentials for reauthentication to access the sharing resource (see above) within the Anders’s system of supporting and managing content sharing among a plurality of users over a network based on security policies / compliance requirements (see above).
receiving the content object from the first user device, the content object being uploaded to the collaboration system (Anders: see above & Col. 2 Line 64 – Col. 3 Line 5: Anders first teaches a first user device can upload data content to a web server for sharing with other user devices (e.g. a second user device) in a cloud computing environment) || (DI: see above);
configuring access permissions to allow sharing of the content object with the second user (Anders: see above) || (DI: see above); 
gathering, upon receiving an interaction event raised by the second user device of the second user, a set of interaction attributes associated with the interaction event (Anders: see above) || (DI: see above): 
(a) Anders first teaches a first user device can upload data content to a web server for sharing with other user devices (e.g. a second user device) in a cloud computing environment (Anders: Col. 2 Line 64 – Col. 3 Line 5),
(b) when content is shared to a social medium platform, security can be provided to enable cloud consumers (users) (e.g. a 2nd user device) to access the shared content by using respective security attribute(s) such as identity information for verification so as to protect (e.g. access permission) for data / resource and etc. (Anders: Col. 9 Line 53 – 55 & Col. 10 Line 56 – 65) and 
(c) Examiner notes the attributes such as authentication identity as well as device characteristics of security status (e.g. anti-virus installation status) associated with users / devices that can be used to control / manage the interactions between (among) user devices such as resource sharing over the network (e.g. upload / download) constitutes one type of interaction attributes. 
(d) In view of that, DI also teaches managing security of an access admission control on a connection between user equipments (UE(s)) (i.e. a 1st user device and a 2nd user device) based upon, at least, device characteristics of security status (e.g. anti-virus installation status) such that generating a response for preventing the UE without antivirus software from accessing the network (DI: Para [0010] / [0064]) according to the admission control w.r.t. software information of the UE based on (e.g.) a checking whether the software version or configuration of the UE meets the network security requirements or not – this is consistent with the disclosure of the instant specification (SPEC: Para [0028]: checking the user device to determine if an antivirus agent is installed).
applying the trust policy to the set of interaction attributes to determine access permission to the content object by: 
granting access permission, when the second user device of the second user is a managed device, to the content object uploaded by the first user of the first user device (Anders || DI: see a same rationale above w.r.t. a managed device), and 
determining, when the second user device of the second user is an unmanaged device, whether an applicable security condition that correspond to the interaction events is met for permitting access by the second user at the second user device to the content object that was uploaded by the first user at the first user device, wherein permission for access is based at least upon the characteristics of the second user device (Anders || DI: see above || Hamlin: Col. 19 Line 62 – 67 and Col. 15 Line 19 – 22 / Line 28 – 32: a device that does not have sufficient confidence security score is qualified as an unmanaged device which is required to provide additional identity credentials for reauthentication to access the sharing resource while another device entity that has security score characteristics greater than (exceeding) a confidence threshold constitutes a managed device that has permission granted for accessing sharing resource – i.e. determining when a device (as an unmanaged device) that does not have sufficient security confidence score exceeding a predetermined security threshold, the access permission cannot be granted and it is required to provide additional identity credentials for reauthentication to access the sharing resource); and
generating responses to the interaction events, the responses being generated based at least in part on the applicable security conditions (DI: Para [0010] and Para [0064]: (a) managing security of an access admission control on a connection between user equipments (UE(s)) (i.e. a 1st user device and a 2nd user device) (DI: Para [0010]), wherein (b) generating a response for preventing the UE without antivirus software from accessing the network (DI: Para [0064]) according to the admission control w.r.t. software information of the UE based on (e.g.) a checking whether the software version or configuration of the UE meets the network security requirements or not – this is consistent with the disclosure of the instant specification (SPEC: Para [0028]: checking the user device to determine if an antivirus agent is installed)).

As per claim 2, 12 and 20, Anders as modified teaches wherein the first user device is associated with a first user in a first enterprise, and wherein the second user device is associated with a second enterprise that is different from the first enterprise (Anders: see above & Col. 7 Line 17 – 16: across several (different) organizations).  

As per claim 3 and 13, Anders as modified teaches comparing user device information to the security conditions to identify one or more unsatisfied conditions, wherein the responses are generated based at least in part on the unsatisfied conditions (Anders: see above: includes (e.g.) the respective attribute(s) such as the identity for verification, protection (e.g. access permission) for data / resource access, and etc. (Anders: Col. 9 Line 53 – 55)) || (DI: see above: preventing the UE without antivirus software from accessing the network (DI: Para [0064]) according to the admission control w.r.t. software information of the UE based on (e.g.) a checking whether the software version or configuration of the UE meets the network security requirements or not).

As per claim(s) 4, 6 – 7, 14 and 16 – 17, the claims contain(s) similar limitations to claim(s) 1 and thus is/are rejected with the same rationale.

As per claim 9 (& Claim 8) and 18, Anders as modified teaches wherein the security conditions pertain to at least one of, an installed antivirus program, a file encryption capability, a firewall capability, or an analysis within a virtual system (Anders: see above: (e.g.) an analysis within a virtual system) || (DI: Para [0010] and Para [0064]: (a) managing security of an access admission control on a connection between user equipments (UE(s)) (i.e. a 1st user device and a 2nd user device) (DI: Para [0010]), wherein (b) the admission control may be performed for the users according to the software information of the UE based on (e.g.) a checking whether the software version or configuration of the UE meets the network security requirements or not – for example, in response to the checking, preventing the UE without antivirus software from accessing the network (DI: Para [0064])).

As per claim 10, Anders as modified teaches wherein the security conditions correspond to one or more trust levels (Anders: see above & Col. 9 Line 53 – 60: (a) at least one security level and/or (b) security requirements w.r.t. Service Level Agreement (SLA) constitutes at least two or more trust levels).

Claims 5 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Anders et al. (U.S. Patent 10,902,072), in view of DI et al. (U.S. Patent 2009/0307746), in view of Hamlin et al. (U.S. Patent 10,552,590), and in view of Palomaki et al. (U.S. Patent 2014/0208425).  

As per claim 5 and 15, Palomaki (& Anders) teaches wherein an instance of a trust agent is delivered to the user device to retrieve the user device information (Palomaki: Para [0020]: implementing and delivering a security agent to operate on behalf of a user device to retrieve the user security credentials so as to extract a list of applications installed on the user device).  
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention was made to propose the modification of generating responses to the interaction events, the responses being generated based at least in part on the security conditions because Palomaki’s teaching can effectively and securely implement and deliver a security agent to operate on behalf of a user device to retrieve the user security credentials so as to extract a list of applications installed on the user device (see above) within the Anders’s system of supporting and managing content sharing among a plurality of users over a network based on security policies / compliance requirements (see above). 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to LONGBIT CHAI whose telephone number is (571)272-3788. The examiner can normally be reached Monday - Friday 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D. Feild can be reached on 571-272-2092. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



---------------------------------------------------
                  /Longbit Chai/
           Longbit Chai E.E. Ph.D.
    Primary Examiner, Art Unit 2431
                   No. #2283 – 2022
---------------------------------------------------