Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant’s arguments, see Applicant Arguments pages 6-7, with respect to the rejection(s) of the independent claim(s) 1, 13 and 19, and the rejection(s) of the dependent claim(s) under 35 U.S.C. 103 have been fully considered and are persuasive.
Terminal Disclaimer
The terminal disclaimer filed on 01/22/2022 disclaiming the terminal portion of any patent granted on this application which would extend beyond the expiration date of any patent granted on Application Number 16/369438 has been reviewed and is accepted. The terminal disclaimer has been recorded.
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Sean C. Crandall (Registration No. 57776) on 03/17/2022.
Please amend the Claims as follows:
1.	(Previously Presented) A computing apparatus, comprising:
	a hardware platform, comprising a processor and a memory; 
	a closed operating system comprising executable instructions to sandbox running applications; and
	executable instructions encoded in the memory to:

		provide an unencrypted client-only virtual private network (VPN) comprising a VPN client and a VPN server implementation on a single physical device, wherein the VPN client is configured to communicatively couple to the VPN server and to provide plain-text proxied Internet protocol (IP) communication services;
		inspect, via the security agent, a network transaction from a sandboxed application to a network service, wherein the network transaction passes through the client-only VPN; and
		take a security action based at least in part on the inspection.
2.	(Original) The computing apparatus of claim 1, wherein the VPN is a full VPN configured to intercept all IP traffic on the device.
3.	(Original) The computing apparatus of claim 1, wherein the VPN is a split VPN configured to intercept only selected IP traffic on the device.
4.	(Original) The computing apparatus of claim 1, wherein the instructions are to post the VPN on a loopback network interface.
5.	(Original) The computing apparatus of claim 1, wherein the instructions are further to provide an operating system, and wherein the VPN is to replace a built-in IP protocol stack for the operating system.
6.	(Cancelled)
7.	(Original) The computing apparatus of claim 1, wherein the instructions are further to provide a client-only DNS filtering service.
8.	(Original) The computing apparatus of claim 1, wherein the VPN provides a near-zero delay in establishing a VPN tunnel.
9.	(Original) The computing apparatus of claim 1, wherein the VPN is configured to modify an outgoing packet before sending the outgoing packet.
10.	(Original) The computing apparatus of claim 1, wherein the VPN is configured to intercept a response packet, and to modify the response packet before forwarding the response packet to an application.
11.	(Previously Presented) The computing apparatus of claim 1, wherein the instructions are further to provide a security agent, wherein the security agent is to provide network security via the VPN.


13.	(Previously Presented) One or more tangible, non-transitory computer-readable mediums having stored thereon executable instructions to provide a client-only virtual private network (VPN), the instructions to:
	provide a security agent on a single device to provide application security based on network activity, within a closed operating system, where the closed operating system restricts the security agent from inspecting sandboxed running applications directly;
	provide the client-only VPN on the device, the client-only VPN comprising a VPN client and a VPN server implementation that communicate via plain-text messaging; and
	inspect, via the security agent, a network transaction that passes through the client-only VPN for a sandboxed application of the closed operating system, wherein the VPN is to proxy communication between the sandboxed application and an external network service, wherein inspecting the network transaction comprises inspecting the network transaction for security issues.
14.	(Original) The one or more tangible, non-transitory computer-readable mediums of claim 13, wherein the VPN is a full VPN configured to intercept all IP traffic on the device.
15.	(Original) The one or more tangible, non-transitory computer-readable mediums of claim 13, wherein the VPN is a split VPN configured to intercept only selected IP traffic on the device.
16.	(Original) The one or more tangible, non-transitory computer-readable mediums of claim 13, wherein the instructions are further to provide an operating system, and wherein the VPN is to replace a built-in IP protocol stack for the operating system.
17.	(Original) The one or more tangible, non-transitory computer-readable mediums of claim 13, wherein the instructions are further to provide a security agent, wherein the security agent is to provide network security via a VPN.
18.	(Original) The one or more tangible, non-transitory computer-readable mediums of claim 17, wherein the security agent is a sandboxed application in a closed operating system.
19.	(Previously Presented) A computer implemented method of providing a client-only virtual private network (VPN), comprising:
	providing a security agent to provide application security for a closed operating system, wherein the closed operating system restricts the security agent from inspecting sandboxed running applications directly; 
, wherein the device provides both the VPN server and a VPN client; 
	inspecting, via the security agent, a network transaction for a sandboxed application, wherein the network transaction passes through the unencrypted local VPN, and based on the inspecting, determining whether a security action is needed for the sandboxed application.
20.	(Original) The method of claim 19, wherein the VPN is a full VPN configured to intercept all IP traffic on the device.
Allowable Subject Matter
Claims 1-5, and 7-20 are allowed.
The following is a statement of reasons for the indication of allowable subject matter:
In interpreting the currently amended claims, in light of the specification as well as arguments presented in the responses to the Office actions, the Examiner finds the claimed invention to be patentably distinct from the prior art of record. First, Applicant’s arguments with respect to traversing the prior art of record are persuasive. In addition, based on an updated search and further consideration, the Examiner finds that the claimed invention is patentably distinct based on the following additional rationale.
CHAMPAGNE (US Patent Publication No. 20150052599, hereinafter CHAMPAGNE) teaches a computing apparatus, comprising: a hardware platform, comprising a processor and a memory; a closed operating system comprising executable instructions to sandbox running applications; and executable instructions encoded in the memory; inspect, via the security agent, a network transaction from a sandboxed application to a network service, and take a security action based at least in part on the inspection.
 Szabo et al. (US Pre-Grant Publication No. 20170339729, hereinafter Szabo) teaches providing a client-only virtual private network (VPN) comprising a VPN client and a VPN server implementation on a 
 SHULMAN et al. (US Patent No. 20170093824, hereinafter SHULMAN) teaches to provide plain-text proxied Internet protocol (IP) communication services.
The prior art of record fails to teach or suggest, individually or in combination, each and every limitation of the claimed invention, within the context of the claimed invention as a whole, as recited in Claims 1, 13, and 19.
Although CHAMPAGNE discloses a computing apparatus, comprising: a hardware platform, comprising a processor and a memory; a closed operating system comprising executable instructions to sandbox running applications; and executable instructions encoded in the memory; inspect, via the security agent, a network transaction from a sandboxed application to a network service, and take a security action based at least in part on the inspection, CHAMPAGNE does not disclose providing a security agent to provide application security based on network activity, wherein the closed operating system restricts the security agent from inspecting sandboxed running applications directly; provide an unencrypted client-only virtual private network (VPN) comprising a VPN client and a VPN server implementation on a single physical device, wherein the VPN client is configured to communicatively couple to the VPN server and to provide plain-text proxied Internet protocol (IP) communication services; wherein the network transaction passes through the client-only VPN.  Furthermore, the Examiner notes prior art teachings, such as Szabo, which teaches providing a client-only virtual private network (VPN) comprising a VPN client and a VPN server implementation on a single physical device, wherein the VPN client is configured to communicatively couple to the VPN server; and SHULMAN, which teaches to provide plain-text proxied Internet protocol (IP) communication services. However, the Examiner notes that the prior art does not properly disclose providing a security agent to provide application security based on network activity, wherein the closed operating system restricts the 
Thus, the Examiner finds that the prior art does not provide sufficient teaching or motivation for anticipating or rendering obvious the claimed invention as a whole, without the usage of impermissible hindsight reasoning.
Claims 2-5, 7-12, 14-18, and 20 are allowable based at least on their depending from an allowable claim.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HAMID TALAMINAEI whose telephone number is (571)270-3283. The examiner can normally be reached Flexible, M-F 7:30 -5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on (571) 272-4219. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and

/HAMID TALAMINAEI/Examiner, Art Unit 2436

/FATOUMATA TRAORE/Primary Examiner, Art Unit 2436