DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 2, 4, 9, and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Dependent claims 2, 4, 9, and 11 recite: “the management server”. However, their respective parent claims only recite a “management system”. It is unclear if the claims were intended to be directed to the management system or an undefined management server in the system.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-2, 6-9, 13-16, and 20 are rejected under 35 U.S.C. 102(a)(1) and/or (a)(2) as being anticipated by US 2020/0177589 to Mangalvedkar et al. (hereinafter, “Mangalvedkar”).
As per claim 1: Mangalvedkar discloses: A method for onboarding a device into a management system (Internet-of-Things (IoT) provisioning solutions are presented [Mangalvedkar, ¶0020]; such as the registration of an IoT device 101 to a computer network 160/IoT platforms 153 [Mangalvedkar, ¶0099; Fig. 2]), comprising: loading a management agent onto the device (a URL embedded in the IoT device 101 is initially provided by the manufacturer and/or made available to the IoT device 101 by the IoT platform 153 [Mangalvedkar, ¶0099; Fig. 5]); receiving inventory information for the device (receiving metadata from the IoT device, wherein the metadata include the IP address, MAC address, and other attributes of the IoT device 101 [Mangalvedkar, ¶0100]); receiving a request to whitelist the device (receiving a registration request with metadata from the IoT device 101 [Mangalvedkar, ¶0100]); authorizing the device to be added to the whitelist (the metadata is used for querying the rules registry 119 to obtain one or more rules that are applicable to the IoT device 101 seeking registration [Mangalvedkar, ¶0107-0108]; the rules include an approved and a banned list; if the device does not exist in any of the lists, it can be added in the appropriate list in accordance with the rules [Mangalvedkar, ¶0073]); in an instance in which the device has been added to the whitelist, onboarding the device into the management system (successfully provision and register the IoT device to the IoT platform 153, [Mangalvedkar, ¶0111]).

As per claim 2: Mangalvedkar discloses all limitations of claim 1. Furthermore, Mangalvedkar discloses: further comprising, before authorizing the device to be added to the whitelist: receiving an onboarding request at the management server from the device (receiving a request from the IoT device 153 in a first-time connection [Mangalvedkar, ¶0099]); and denying the onboarding request in an instance where the device is not in the whitelist (a banned list that denies registration of pre-defined IoT devices [Mangalvedkar, ¶0109]).

As per claim 6: Mangalvedkar discloses all limitations of claim 1. Furthermore, Mangalvedkar discloses: wherein the inventory information comprises a hardware token created using hardware information for the device (metadata is implemented in a readable format, markup language or schema [Mangalvedkar, ¶0067]; wherein the metadata includes identifiers of the device’s manufacturer/company, device ID, serial number model ID, MAC address, or any other parameters, attributes, and properties [Mangalvedkar, ¶0067-0072]).

As per claim 7: Mangalvedkar discloses all limitations of claim 1. Furthermore, Mangalvedkar discloses: further comprising pre-registering the device using initial purchase information for the device (a preregistration_ID identifies an unregistered IoT device named by the manufacturer and is maintained in a list of approved/banned preregistration_IDs [Mangalvedkar, ¶0072]).

As per claim 8: Claim 8 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 8 is directed to a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 9.

As per claim 9: Claim 9 incorporates all limitations of claim 8 and is a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 8 are equally applicable to claim 9 and rejected for the same reasons.

As per claim 13: Claim 13 incorporates all limitations of claim 8 and is a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 6. Therefore, the arguments set forth above with respect to claims 6 and 8 are equally applicable to claim 13 and rejected for the same reasons.

As per claim 14: Claim 14 incorporates all limitations of claim 8 and is a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 7. Therefore, the arguments set forth above with respect to claims 7 and 8 are equally applicable to claim 14 and rejected for the same reasons.

As per claim 15: Claim 15 is different in overall scope from claim 1 but recites substantially similar subject matter as claim 1. Claim 15 is directed a system comprising a management server that performs functions corresponding to the method of claim 1. Thus, the response provided above for claim 1 is equally applicable to claim 15.

As per claim 16: Claim 16 incorporates all limitations of claim 15 and a system comprising a management server that performs functions corresponding to the method of claim 2. Therefore, the arguments set forth above with respect to claims 2 and 15 are equally applicable to claim 16 and rejected for the same reasons.

As per claim 20: Claim 20 incorporates all limitations of claim 15 and a system comprising a management server that performs functions corresponding to the method of claim 6. Therefore, the arguments set forth above with respect to claims 6 and 15 are equally applicable to claim 20 and rejected for the same reasons.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3-5, 10-12, and 17-19 are rejected under 35 U.S.C. 103 as being unpatentable over Mangalvedkar in view of US 2020/0358760 to Krishan (hereinafter, “Krishan”).
As per claim 3: Mangalvedkar discloses all limitations of claim 1. Mangalvedkar does not disclose the feature of claim 3. However, Mangalvedkar suggests using credentials, including user names/passwords, of the IoT devices pre-loaded by the manufacturer, distributor or administrator of the IoT device (e.g. “installing technician[s]”). Krishan also similarly directed to user authentication and discloses: wherein authorizing the device comprises: sending an out-of-band message comprising a code to an installing technician; receiving a response from the technician containing the code (an authentication system 400 confirms that a user is in possession of a mobile device by sending a SMS verification message (an “out-of-band message”) containing a verification code from a server to the mobile device, wherein the user employs a mobile application to transmit the verification code to the server [Krishan, ¶0080]).
Thus, it would have been obvious to a person having ordinary skill in the art before the claimed invention was effectively filed to implement an additional layer of authentication for the administrator in Mangalvedkar for initially provisioning a new IoT device (e.g. setting up the device by an “installing technician”). Krishan would have enabled a second factor authentication method in Mangalvedkar, in which possession of an authorized physical device would have provided an additional means of verifying a person.

As per claim 4: Mangalvedkar in view of Krishan disclose all limitations of claim 3. The motivation for incorporating Krishan with Mangalvedkar in claim 3 is also applicable to claim 4. Therefore, Mangalvedkar in view of Krishan disclose: wherein the response from the technician is provided through an application executing on a user device of the technician and in communication with the management server (a mobile application transmits the verification code from the SMS verification message to the server to confirm correctness of the code [Krishan, ¶0080]).

As per claim 5: Mangalvedkar in view of Krishan disclose all limitations of claim 3. The motivation for incorporating Krishan with Mangalvedkar in claim 3 is also applicable to claim 5. Therefore, Mangalvedkar in view of Krishan disclose: wherein the out-of-band message is at least one of a short message service (SMS) message or an email (a SMS verification message [Krishan, ¶0080]).

As per claim 10: Claim 10 incorporates all limitations of claim 8 and is a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 3. Therefore, the arguments set forth above with respect to claims 3 and 8 are equally applicable to claim 10 and rejected for the same reasons.

As per claim 11: Claim 11 incorporates all limitations of claim 10 and is a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 10 are equally applicable to claim 11 and rejected for the same reasons.

As per claim 12: Claim 12 incorporates all limitations of claim 10 and is a non-transitory, computer-readable medium containing instructions corresponding to the method of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 10 are equally applicable to claim 12 and rejected for the same reasons.

As per claim 17: Claim 17 incorporates all limitations of claim 15 and a system comprising a management server that performs functions corresponding to the method of claim 3. Therefore, the arguments set forth above with respect to claims 3 and 15 are equally applicable to claim 17 and rejected for the same reasons.

As per claim 18: Claim 18 incorporates all limitations of claim 17 and a system comprising a management server that performs functions corresponding to the method of claim 4. Therefore, the arguments set forth above with respect to claims 4 and 17 are equally applicable to claim 18 and rejected for the same reasons.

As per claim 19: Claim 19 incorporates all limitations of claim 17 and a system comprising a management server that performs functions corresponding to the method of claim 5. Therefore, the arguments set forth above with respect to claims 5 and 17 are equally applicable to claim 19 and rejected for the same reasons.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 2021/0176638: Discloses a 3-way protocol to coordinate device onboarding of Internet-of-Things (IoT) users with principles of least privilege.
US 2021/0021589: Discloses binding an IoT device with an identity of a user. The process involves transmitting a one-time password (OTP) to the user’s mobile device and entering the OTP onto an application operating in the mobile device.
US 10,560,448: Discloses onboarding an out-of-the-box device using previously installed certificates in said device.
US 2015/0121470: Discloses setting up or onboarding an IoT device with limited or no interfacing capability to connect to a network through another IoT device that is already connected.
US 2010/0125635: Discloses voice calls, emails, or SMS to mobile devices as well-known out-of-band authentication methods for second factor authentication.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ROBERT B LEUNG whose telephone number is (571)270-1453. The examiner can normally be reached Mon - Thurs: 10am-7pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, JUNG KIM can be reached on 571-272-3804. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/ROBERT B LEUNG/Primary Examiner, Art Unit 2494                                                                                                                                                                                                        6-30-2022