Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Status of claims
This office action is in response to claims filed on 04/18/2022
Claims 1-6 and 8-20 are pending and rejected; claims 1, 14 and 19 are independent claims; claim 7 is canceled.

Response to Arguments
Applicant’s arguments with respect to claim(s) 1, 14 and 19 filed on 04/18/2022 have been fully considered but are moot because of the new ground of rejection.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-6 and 8-20 are rejected under 35 U.S.C. 103 as being unpatentable over Roach et al. US Pub. No.: 2013/0254831 A1 (hereinafter Roach) in view of Nicodemus et al. US Pub. No.: 2007/0143851 A1 (hereinafter Nicodemus).

Roach teaches:
As to claim 1, a method, comprising: receiving, by a processor, context data associated with a context for a computing device (see Roach Abstract, determining context information associated with a device); 
identifying, based on the context data, a first policy that is applicable for the context of the computing device (cee Roach ¶35, a change in a security policy of a device based on contextual information associated with the device);
identifying a behavior associated with a first software upon receiving a request from the computing device for an access permission for the first software under the same context data (cee Roach ¶56, secure switching is caused by an application of any mobile security policy of any secure network 111 that the UE 101 has permission to access….);
comparing the policy characteristics of the first policy to the behavior, and determining that the access permission for the first software does not comply with the first policy based on the comparison (see Roach ¶56, secure switching of security policies may be facilitated by the secure network 111 pushing its own security policy onto the UE 101 so that any connectivity to the secure network 111 is based on the security policies of the secure network 111, and security policy of the UE 101 as well as any applications 113 onboard the UE 101 may be caused to adapt to the security policies of the secure network 111); and 
based on determining that the access permission for the first software does not comply with the first policy (see Roach ¶67, the security policy management platform 103 may react similarly to that discussed above and cause access to any secure applications 121 or secure data to be revoked based on any change in context such as a perceived threat, change in location, end of mission, suspicious activity, etc.). 
Roach does not explicitly teach but the related art Nicodemus teaches:
the first policy having policy characteristics regarding access permissions for software installed on computing devices the access permission associated with a behavior of the first software, the behavior monitored on a plurality of computing devices executing the firs software under the same context data (see Nicodemus ¶362, policies established to control access to host system 102 and/or access to local host resources 102G as described above, can specify a number of behavioral options for endpoint system, ¶¶884-887, policy-based, situation-specific or context-sensitive adjustments are possible based on endpoint state information and such adjustment capabilities are supported by the policy management system ), and sending a communication to the computing device, the communication including denying the access permission for the first software (see Nicodemus ¶758, Provide a context-sensitive user notification;¶1106, send an alert to a mail server to notify IT admin describing the issue and providing 2 links, one for approve, one for deny).
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Roach to include policy having policy characteristics regarding access permissions for software and sending a communication to the computing device, the communication including denying the access permission for the first software. The motivation for doing so would have been, to mitigate they lack the ability to form context-based access control decisions using as decision inputs state information provided by point solutions that are not context aware (see Nicodemus ¶10).

As to claim 2, the combination of Roach and Nicodemus teaches the method of claim 1, further comprising: receiving additional context data associated with the context for the computing device (see Roach ¶64, security policy of the secure application 121 based on the determined context); and 
in response to determining that the context has changed, restoring the access permission for the first software (see Roach ¶81, upon change of an existing one or more policies, contexts may be provisioned on-demand to maintain the user's access to one or more resources). 

As to claim 3, the combination of Roach and Nicodemus teaches the method of claim 1, wherein the context data comprises data regarding a connection by the computing device to a network (see Roach ¶19, "context parameters" including, but not limited to…, current configuration of the devices such as device settings, preferences, and/or network connectivity). 

As to claim 4, the combination of Roach and Nicodemus teaches the method of claim 1, wherein the context data comprises data regarding a geographic location of the computing device (see Roach ¶55, the security policy management platform 103 not only switches a security policy enabling network access of the UE 101 to the secure network 111, based on context (user, location, time, mission, activity, network, data, and threat),). 

As to claim 5, the combination of Roach and Nicodemus teaches the method of claim 1, wherein revoking the access permission for the first software is implemented automatically by a policy manager (see Roach ¶46, accessibility to the mission applications and/or data, and/or the remote cloud, for example, may be revoked because of a change in context). 

As to claim 6, the combination of Roach and Nicodemus teaches the method of claim 1, further comprising sending a report to an administrator server that manages policy for a plurality of computing devices including the computing device, the report indicating that the access permission for the first software has been revoked (see Roach ¶66, If any change in security policy occurs that causes connectivity to the secure network 111 to be revoked, the security policy management platform 103 determines the cause of the change in security policy and may cause an alert to be displayed by the UE). 

As to claim 7, (canceled). 

As to claim 8, the combination of Roach and Nicodemus teaches the method of claim 1, wherein the computing device has made a delegation regarding permissions, and wherein revoking the access permission for the first software is implemented in conformance with the delegation (see Roach ¶67, access to any secure applications 121 or secure data to be revoked based on any change in context such as a perceived)

As to claim 9, the combination of Roach and Nicodemus teaches the method of claim 8, further comprising: receiving, in order to manage permissions of the computing device in conformance with the delegation, a selection of persons or computing devices (see Roach ¶45, mission based security policy may be implemented if contextual parameters match the mission parameters such as time and/or location, for example); and 
receiving first data associated with the person or the computing devices (see Roach ¶45, mission based security policy may be implemented if contextual parameters match the mission parameters such as time and/or location, for example). 

As to claim 10, the combination of Roach and Nicodemus teaches the method of claim 9, wherein the first data comprises: permission configurations made by the selected persons; or permission configurations of the selected computing devices (see Roach ¶92, if the user context changes again, or the security policy management platform 103 perceives a threat, the UE 101's security policy may again change such that permission to access the secure network).

As to claim 11, the combination of Roach and Nicodemus teaches the method of claim 1, wherein a security component resides on the computing device, the security component has been authorized by a user or administrator of the computing device to change permissions, and revoking the access permission for the first software is automatically implemented by the security component (see Roach ¶67, the security policy management platform 103 may react similarly to that discussed above and cause access to any secure applications 121 or secure data to be revoked based on any change in context such as a perceived threat, change in location, end of mission, suspicious activity, etc.,). 

As to claim 12, the combination of Roach and Nicodemus teaches the method of claim 1, further comprising: evaluating, by the processor, the first software (see Roach ¶79, based on an assessment that the UE 101 should implement a particular security policy); and 
determining that the first software is associated with a security threat; wherein revoking the access permission for the first software is based at least in part on determining that the first software is associated with the security threat (see Roach ¶¶67, 84, access to any secure applications 121 or secure data to be revoked based on any change in context such as a perceived threat). 

As to claim 13, the combination of Roach and Nicodemus teaches the method of claim 12, wherein: evaluating the first software is performed in response to determining that the access permission for the first software does not comply with the first policy (see Roach ¶¶67, 79, determine what security policies the UE 101 should implement in view of the context information); 
evaluating the first software comprises evaluating a behavior of the first software to determine that the behavior is associated with the security threat (see Roach ¶¶67, 80, the more secure the network because it will detect changes in context, user credentials, security settings, threat levels, mission parameters); and revoking the access permission for the first software disables the behavior by the first software on the computing device (see Roach ¶67, 82, the security policy implementation module 205 may cause the security policy enabling connectivity to the secure network 111 to change so that the connectivity to the secure network 111 is revoked, whether temporarily or permanently depending on a determined cause of the change). 

Roach teaches:
As to claim 14, a system, comprising: 
at least one processor (see Roach Fig. 2, processor); and 
memory storing instructions configured to instruct the at least one processor to: determine a behavior associated with software, the behavior monitored on the ones of the computing devices executing the software under the same context data (cee Roach ¶56, secure switching is caused by an application of any mobile security policy of any secure network 111 that the UE 101 has permission to access….);
determine that the user device has requested a user grant a permission for the software, wherein the permission corresponds to the behavior (see Roach ¶42, CAMSPA implies that if a mobile device and user have been granted access to a network, and the behavior, configuration, operational context or security context of the device and/or user of the device changes); and 
comparing the policy characteristics of the first policy to the behavior in response to determining that the user device has requested the user grant the permission, send a communication to the user device (see Roach ¶42, CAMSPA implies that if a mobile device and user have been granted access to a network, and the behavior, configuration, operational context or security context of the device and/or user of the device changes), 
Roach does not explicitly teach but the related art Nicodemus teaches:
identify, based on context data, a first policy that is applicable for a context of a user device, the first policy having policy characteristics regarding access permissions for software installed on a plurality of computing devices (see Nicodemus ¶362, policies established to control access to host system 102 and/or access to local host resources 102G as described above, can specify a number of behavioral options for endpoint system, ¶¶884-887, policy-based, situation-specific or context-sensitive adjustments are possible based on endpoint state information and such adjustment capabilities are supported by the policy management system ), and sending a communication to the computing device when the comparison determines that the access permission for the first software does not comply with the first policy, the communication including  denying the access permission for the first software (see Nicodemus ¶758, Provide a context-sensitive user notification;¶1106, send an alert to a mail server to notify IT admin describing the issue and providing 2 links, one for approve, one for deny).
It would have been obvious to one of ordinary skill in the art at the time of the invention to modify Roach to include policy having policy characteristics regarding access permissions for software and sending a communication to the computing device, the communication including denying the access permission for the first software. The motivation for doing so would have been, to mitigate they lack the ability to form context-based access control decisions using as decision inputs state information provided by point solutions that are not context aware (see Nicodemus ¶10).

As to claim 15, the combination of Roach and Nicodemus teaches the system of claim 14, wherein the instructions are further configured to instruct the at least one processor to: determine a change of context for the user device (see Roach ¶68, based on any change in context such as a perceived threat, change in location, end of mission); and 
in response to determining the change of context, revoke the permission for the software on the user device (see Roach ¶67, cause access to any secure applications 121 or secure data to be revoked based on any change in context). 

As to claim 16, the combination of Roach and Nicodemus teaches the system of claim 15, wherein the communication includes the data from the administrator device, and the instructions are further configured to instruct the at least one processor to: determine permissions settings for the user device (see Roach ¶61, the security policy management platform 103 may act as a container for various security policy setting); and 
in response to determining the change of context, send a report of the permissions settings to the administrator device (see Roach ¶65, any determined change in the user identified to the device, or sensed by the device, may cause the UE 101 to have its connectivity to the secure network 111 revoked by having its current security policy enabling secure network 111 connectivity); 
wherein the data from the administrator device is generated by the administrator device in response to receiving the permissions settings, and wherein sending the communication to the user device causes the user device to deny or revoke the permission for the software(see Roach ¶65, any determined change in the user identified to the device, or sensed by the device, may cause the UE 101 to have its connectivity to the secure network 111 revoked by having its current security policy enabling secure network 111 connectivity). 

As to claim 17, the combination of Roach and Nicodemus teaches the system of claim 14, wherein the communication includes the data associated with the decision delegation, and the instructions are further configured to instruct the at least one processor to: receive, from the user device and for managing permissions of the user device in conformance with the decision delegation, a selection of persons or computing devices (see Roach ¶67, security policy management platform 103 will determine the cause of the change in security policy that resulted in a revocation of access and determine whether the change in security policy revoking access to the secure application 121); and 
receive data regarding decisions for the permission made by the selected persons or computing devices; wherein sending the communication causes the user device to deny or revoke the permission (see Roach ¶67, security policy management platform 103 will determine the cause of the change in security policy that resulted in a revocation of access and determine whether the change in security policy revoking access to the secure application 121). 

As to claim 18, the combination of Roach and Nicodemus teaches the system of claim 14, wherein sending the communication to the user device causes the user device to perform at least one of: providing a warning to the user regarding the permission (see Roach ¶88, a warning message may be presented to the UE 101 and the UE 101 may be blocked from the network); 
preventing the software from launching; removing the software from the user device (see Roach ¶47, policies should be disabled outside the area to prevent data leakage or unauthorized data access); 
preventing network traffic from the software while the permission is not in compliance with a policy enforced by the administrator device; or denying access to a network (see Roach ¶34, when a user enters a secure facility, he or she may be required to disable certain features on the device in order to comply with policies associated with the secure facility). 
	As to independent claim 19, this claim directed to a non-transitory computer-readable storage medium storing computer-readable instruction executing the method of claim 1; therefore, it is rejected along similar rationale.
As to dependent claims 20, these claims contain substantially similar subject matter as claim 18; therefore, they are rejected along the same rationale.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Pwu can be reached on 5712726798. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/NEGA WOLDEMARIAM/             Examiner, Art Unit 2433                   

/JEFFREY C PWU/             Supervisory Patent Examiner, Art Unit 2433