Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION 
This is in response to the communication filed on 06/05/2020. Claims 1-21 are pending in the application.  Claims 1-21 are rejected. 
Priority
Applicant’s claim for the benefit of prior-filed continuation-in-part application No.  16/666,063 and 16/296,060 under 35 U.S.C. 119(e) or under 35 U.S.C. 120, 121, 365(c), or 386(c) is acknowledged. 
     Information Disclosure Statement
The information disclosure statements (IDS) submitted on 06/19/2020, 09/18/2020, 09/26/2020 and 01/13/2021 are in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statements are being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-6, 8-13 and 15-20 are rejected under 35 U.S.C. 103 as being obvious over US 2016/0219060 A1 (hereinafter Karunakaran et al) in view of US 2017/0289134 A1 (hereinafter Bradley et al)
Regarding claim 1, Karunakaran et al teaches a method comprising: 
receiving, via a processor from an identity broker, a request regarding access by a client device to a service provided by a service provider (note figure 1B.120: Identity Provider Proxy; para.  [0020], [0031]: Identity Provider Proxy receiving a request from client to access cloud services); 
in response to receiving the request, determining a security state of the client device representing a risk of compromise associated with the client device (note para. [0033], [0042], [0056]: determining device security posture information);
determining that the security state of the client device is a secure state representing a risk level 
in response to determining that the security state of the client device is the secure state, sending, to the identity broker an indication that the client device is in the secure state (note para. [0033], [0038], [0046], [0049]: indication like  a security token (e.g., cookie,  SAML assertion) cached and/or regenerated at the security   proxy server may be used to allow   subsequent apps to authenticate to their respective cloud-based services) indicating to the identity broker permission to authorize access to the client device to the service provider (note para.  [0042], [0049], [0056]: establishing connection/ tunnel, based on client device authentication and security posture information; the client app communicates with the cloud-based service via the identity provider Proxy)
Karunakaran et al fails to teach expressly determining that the security state of the client device is a secure state representing a risk level below a threshold risk.
However,  Bradley et al teaches determining that the security state of the client device is a secure state representing a risk level below a threshold risk (note para. [0085]: comparing risk assessment value against threshold; and para. [0086]: For example, the SP session authorization module  can include various thresholds and/or criteria for different levels of access to the SP server  and/or the client SaaS application. For example, when a risk value stored in the distributed consensus database indicates little to no risk for that user and/or client compute device, the user and/or client compute device can meet the criterion for full access (e.g., read and write access) to the SP server. For another example, when a risk value stored in the distributed consensus database for that user and/or client compute device  indicates a high risk, the SP server  can deny access even though that user and/or client compute device  is authenticated to some degree)
BRADLEY et al and Karunakaran et al are analogous art because they are from the same field of endeavor of securely managing client devices for accessing network resource server. Therefore, the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al method to further include the features of determining that the security state of the client device is a secure state representing a risk level below a threshold risk taught by BRADLEY et al in order to provide users with a secure mechanism for monitoring and provisioning network resources further based on a predetermined risk level associated with the client devices (note BRADLEY et al, para 006, 086)
Regarding claim 2, Karunakaran et al teaches the method of claim 1, further comprising the determination of the security state including transmitting a request for a first context to the client device (note para. [0023] : a SAML assertion (or other security token or information) to be used by the client   app to access the cloud-based service; and para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated; see also para. [0059]: contextual information)
Regarding claim 3, Karunakaran et al teaches the method of claim 2, further comprising receiving the first context from the client device, the first context representing information related to the security of the client device (note para. [0023], [0037]- [0038], [0047]), and determining the security state based on the first context (note para. [0033], [0042]: determining device “security posture” information; see also para. [0059]: contextual information including app, operating system related information)
Regarding claim 4, Karunakaran et al teaches the method of claim 3, further comprising the first context including information about an operating system of the client device (note para. [0023],  [0050], [0058]- [0059]: security posture of the device; various security posture/ contextual  information including token associated with client app, software running on the client device, operating system type etc.)
Regarding claim 5, Karunakaran et al teaches the method of claim 3, further comprising determining a second secure state (note para. [0058] –[0059]: Conditional access rules may be applied based on contextual information, e.g., whether device and/or user agent (e.g., requesting mobile app)   is under management; the type, provider, and version of the user agent software (e.g., browser, type of browser, etc.); IP address  (e.g., whitelisted IP address range); whether the connection is initiate via the identity provider or the service provider; the type of operating system and/or platform; etc.)), and in response to determining the second security state transmitting a second indication representing whether to permit access between the client device and the service provider (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated)
Regarding claim 6, Karunakaran et al teaches the method of claim 5, wherein the determined second secure state indicates compromise of the client device (note para. [0023], [0033], [0042]: compromised or  non-compliant state / posture)
Regarding claim 8, Karunakaran et al teaches a system (note para. [0033]: system) comprising: 
at least one processor (note para. [0018]: processor); and 
memory  (note para. [0018]: memory) storing instructions configured to instruct the at least one processor to:
 receive, from an identity broker, a request regarding access by a client device to a service provided by a service provider (note figure 1B.120: Identity Provider Proxy; para.  [0020], [0031]: Identity Provider Proxy receiving a request from client to access cloud services); 
in response to receiving the request, determine a security state of the client device representing a risk of compromise associated with the client device (note para. [0033], [0042], [0056]: determining device security posture information); 
determine that the security state of the client device is a secure state representing a risk level 
in response to determining that the security state of the client device is the secure state, send, to the identity broker an indication that the client device is in the secure state (note para. [0033], [0038], [0046], [0049]: indication like  a security token (e.g., cookie,  SAML assertion) indicating to the identity broker permission to authorize access to the client device to the service provider (note para.  [0042], [0049], [0056]: establishing connection/ tunnel, based on client device authentication and security posture information; the client app communicates with the cloud-based service via the identity provider Proxy)
Karunakaran et al fails to teach expressly determining that the security state of the client device is a secure state representing a risk level below a threshold risk.
However,  Bradley et al teaches determining that the security state of the client device is a secure state representing a risk level below a threshold risk (note para. [0085]: comparing risk assessment value against threshold; and para. [0086]: For example, the SP session authorization module  can include various thresholds and/or criteria for different levels of access to the SP server  and/or the client SaaS application. For example, when a risk value stored in the distributed consensus database indicates little to no risk for that user and/or client compute device, the user and/or client compute device can meet the criterion for full access (e.g., read and write access) to the SP server. For another example, when a risk value stored in the distributed consensus database for that user and/or client compute device  indicates a high risk, the SP server  can deny access even though that user and/or client compute device  is authenticated to some degree)
BRADLEY et al and Karunakaran et al are analogous art because they are from the same field of endeavor of managing client devices for accessing network resource server. Therefore, the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al system to further include the features of determining that the security state of the client device is a secure state representing a risk level below a threshold risk taught by BRADLEY et al in order to provide users with a secure mechanism for monitoring and provisioning network resources further based on a predetermined risk level associated with the client devices (note BRADLEY et al, para [0006], [0086])
Regarding claim 9, Karunakaran et al teaches the system of claim 8, further comprising the determination of the security state including transmitting a request for a first context to the client device (note para. [0023] : a SAML assertion (or other security token or information) to be used by the client   app to access the cloud-based service; and para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated; see also para. [0059]: contextual information)
Regarding claim 10, Karunakaran et al teaches the system of claim 9, further comprising receiving the first context from the client device, the first context representing information related to the security of the client device, and determining the security state based on the first context (note para. [0023], [0037]- [0038], [0047]), and determining the security state based on the first context (note para. [0033], [0042]: determining device “security posture” information; see also para. [0059]: contextual information including app, operating system related information)
Regarding claim 11, Karunakaran et al teaches the system of claim 10, further comprising the first context including information about an operating system of the client device (note para. [0023],  [0050], [0058]- [0059]: security posture of the device; various security posture/ contextual  information including token associated with client app, software running on the client device, operating system type etc.)
Regarding claim 12, Karunakaran et al teaches the system of claim 10, further comprising determining a second secure state (note para. [0058] –[0059]: Conditional access rules may be applied based on contextual information, e.g., whether device and/or user agent (e.g., requesting mobile app)   is under management; the type, provider, and version of the user agent software (e.g., browser, type of browser, etc.); IP address  (e.g., whitelisted IP address range); whether the connection is initiate via the identity provider or the service provider; the type of operating system and/or platform; etc.)), and in response to determining the second security state transmitting a second indication representing whether to permit access between the client device and the service provider (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated)
Regarding claim 13, Karunakaran et al teaches the system of claim 12, wherein the determined second secure state indicates compromise of the client device (note para. [0023], [0033], [0042]: compromised or  non-compliant state / posture)
Regarding claim 15, Karunakaran et al teaches a non-transitory computer-readable storage medium (note para. [0018]: storage medium) storing computer-readable instruction, which when executed, cause a computing device at least to: 
receive, from an identity broker, a request regarding access by a client device to a service provided by a service provider (note figure 1B.120: Identity Provider Proxy; para.  [0020], [0031]: Identity Provider Proxy receiving a request from client to access cloud services); 
in response to receiving the request, determine a security state of the client device representing a risk of compromise associated with the client device (note para. [0033], [0042], [0056]: determining device security posture information); 
determine that the security state of the client device is a secure state representing a risk level 
in response to determining that the security state of the client device is the secure state, send, to the identity broker an indication that the client device is in the secure state (note para. [0033], [0038], [0046], [0049]: indication like  a security token (e.g., cookie,  SAML assertion) indicating to the identity broker permission to authorize access to the client device to the service provider (note para.  [0042], [0049], [0056]: establishing connection/ tunnel, based on client device authentication and security posture information; the client app communicates with the cloud-based service via the identity provider Proxy)
Karunakaran et al fails to teach expressly determining that the security state of the client device is a secure state representing a risk level below a threshold risk.
However,  Bradley et al teaches determining that the security state of the client device is a secure state representing a risk level below a threshold risk (note para. [0085]: comparing risk assessment value against threshold; and para. [0086]: For example, the SP session authorization module  can include various thresholds and/or criteria for different levels of access to the SP server  and/or the client SaaS application. For example, when a risk value stored in the distributed consensus database indicates little to no risk for that user and/or client compute device, the user and/or client compute device can meet the criterion for full access (e.g., read and write access) to the SP server. For another example, when a risk value stored in the distributed consensus database for that user and/or client compute device  indicates a high risk, the SP server  can deny access even though that user and/or client compute device  is authenticated to some degree)
BRADLEY et al and Karunakaran et al are analogous art because they are from the same field of endeavor of managing client devices for accessing network resource server. Therefore, the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al medium to further include the features of determining that the security state of the client device is a secure state representing a risk level below a threshold risk taught by BRADLEY et al in order to provide users with a secure mechanism for monitoring and provisioning network resources further based on a predetermined risk level associated with the client devices (note BRADLEY et al, para [0006], [0086])
Regarding claim 16, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 15, further comprising the determination of the security state including transmitting a request for a first context to the client device (note para. [0023] : a SAML assertion (or other security token or information) to be used by the client   app to access the cloud-based service; and para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated; see also para. [0059]: contextual information)
Regarding claim 17, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 16, further comprising receiving the first context from the client device, the first context representing information related to the security of the client device, and determining the security state based on the first context (note para. [0023], [0037]- [0038], [0047]), and determining the security state based on the first context (note para. [0033], [0042]: determining device “security posture” information; see also para. [0059]: contextual information including app, operating system related information)
Regarding claim 18, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 17, further comprising the first context including information about an operating system of the client device (note para. [0023],  [0050], [0058]- [0059]: security posture of the device; various security posture/ contextual  information including token associated with client app, software running on the client device, operating system type etc.)
Regarding claim 19, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 17, further comprising determining a second secure state (note para. [0058] –[0059]: Conditional access rules may be applied based on contextual information, e.g., whether device and/or user agent (e.g., requesting mobile app)   is under management; the type, provider, and version of the user agent software (e.g., browser, type of browser, etc.); IP address  (e.g., whitelisted IP address range); whether the connection is initiate via the identity provider or the service provider; the type of operating system and/or platform; etc.)), and in response to determining the second security state transmitting a second indication representing whether to permit access between the client device and the service provider (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated)
Regarding claim 20, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 19, wherein the determined second secure state indicates compromise of the client device (note para. [0023], [0033], [0042]: compromised or  non-compliant state / posture)

Claims 7, 14 and 21 are rejected under 35 U.S.C. 103 as being obvious over Karunakaran et al in view of Bradley et al  further in view of US 2013/0169434 A1 (hereinafter McCown et al)
Regarding claims 7, 14 and 21, they are rejected applying as same motivation and rationale applied above rejecting claims 3, 10 and 17, furthermore, Karunakaran et al teaches the method/ system/ medium, further comprising determining that a component on the client device responsible for collecting information related to the first context is not initiated, 902), i.e., not via a tunnel or tunnel server as in the example shown in FIG. 1B. In various embodiments, the connection request   may be received from a browser, an unmanaged application, or a managed application communicating other than via a secure tunnel. If the browser or other requesting   application is determined  to be associated with a mobile device, as opposed to a desktop browser or other desktop software, then a challenge is sent to request  that a certificate be provided to authenticate the user and/or device …  If a valid certificate is present, or if the browser was determined to be a desktop  (i.e., non-mobile) browser (and/or other acceptance criteria have been determined   to have been satisfied), then the request is processed normally, such as by passing the requests (e.g., proxying the connection) through to the “real” IdP associated with the service)
Karunakaran et al fails to teach expressly sending a request to the client device to initiate the component.
However, McCown et al teaches sending a request to the client device to initiate the component (note para. [0061], [0080], [0083]: activating security function, tracking beacon  etc. upon determining unsafe device posture/ state)
McCown et al and Karunakaran et al are analogous art because they are from the same field of endeavor of managing client devices for accessing network resource server. Therefore, the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al method/ system/ medium to further include the features of sending a request to the client device to initiate the component taught by McCown et al in order to provide users with an efficient security mechanism for collecting necessary contextual/ state information associated with a client device (note McCown et al, para [0002], [0080])

               Double Patenting 
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.  See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); and In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985).

Claims 1-21 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-19 of the commonly owned patent No. 10,785,230 B1.
		In particular, claims 1, 8 and 15 of the instant application are obvious over claims 1 and 18-19 of the commonly owned patent No. 10,785,230 B1; claims 2-4, 9-11 and 16-18 of the instant application are obvious over claims 7-9 of the commonly owned patent No. 10,785,230 B1; and claims 5-7, 12-14 and 19-21 of the instant application are obvious over claims 2, 9, 12 and 16-17 of the commonly owned patent No. 10,785,230 B1.
Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/ features of claim-set of the instant application would have been obvious over the conflicting claim-set of the commonly owned patent No. 10,785,230 B1. Conflicting claim set of both the instant application and the commonly owned patent are directed to a method of managing access to a service provided by a service provider based on security state information of a client device. Differences between the conflicting claim set of the instant application and the commonly owned patent are that the features set forth in the independent claims of the commonly owned patent are alternatively recited over the one or more conflicting claims of the instant application.
However, before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the features of the conflicting claims of the commonly owned patent by re-arranging them differently in order to present the claimed invention with the alternatively, or to present them with broader scopes since a claim with broader scope would inherently encompass more features.
This is an obviousness type double patenting rejection. 

             Conclusion
A shortened statutory period for response to this action is set to expire in 3 (Three) months and 0 (Zero) days from the mailing date of this letter. Failure to respond within the period for response will result in ABANDOMENT of the application (see 35 U.S.C 133, M.P.E.P 710.02(b)). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHANTO ABEDIN whose telephone number is 571-272-3551.  The examiner can normally be reached on M-F from 8:30 AM to 6:30 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung (Jay) Kim, can be reached on 571-272-3804. The RightFax number for faxing directly to the examiner is 571-273-3551. 
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http:// www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/SHANTO ABEDIN/Primary Examiner, Art Unit 2494