Authorization for Internet Communications
The examiner encourages Applicant to submit an authorization to communicate with the examiner via the Internet by making the following statement (from MPEP 502.03):
“Recognizing that Internet communications are not secure, I hereby authorize the USPTO to communicate with the undersigned and practitioners in accordance with 37 CFR 1.33 and 37 CFR 1.34 concerning any subject matter of this application by video conferencing, instant messaging, or electronic mail. I understand that a copy of these communications will be made of record in the application file.”

Please note that the above statement can only be submitted via Central Fax, Regular postal mail, or EFS Web (PTO/SB/439).
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Examiner Notes
Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well.  It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim(s) 1 and 7 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Novak et al. (U.S. PG PUB 2017/0228182).

Regarding claim 1, Novak teaches a method, comprising: 
providing, by a device and during creation of a first container of a containerized environment, information to the first container (see ¶ [0051] “Once a container 202 is created, such as through a container image as described above, the container 202 may provide a runtime environment for an application within the container 202. The application may wish to access the credential locked resource 204 and may require an initial credential. In an example, once an initial credential, the container can use the credential, either directly or by proxy, to authenticate to the target resource.” See ¶[0053] “If the hosting environment 206 determines that the container has authorization based on a policy, the hosting environment may request 214 a credential from the credential management service 208. The credential may be a credential cookie indicating a location by which a hosting system or a container may access a full credential. As used herein, access can include direct access, e.g. getting a value, and oracle access, e.g. making use of a credential without ever discovering its plaintext value. The credential management service 208 can return 214 the credential to the hosting environment 206. When the hosting environment 206 receives the credential, the hosting environment 206 may pass the initial credential to the container 202. The credential may also be withheld from the container 202 and instead only a credential cookie may be passed to the container 202. In either case, credential or cookie, both types can expire based on an expiry time set by the credential management service 208.”);
wherein the information identifies a lock that is to be utilized for an embedded device of the containerized environment (see ¶ [0062] “In an example, the access to be provided to the container is a credential cookie, an encrypted credential for storage in the container corresponding to a credential identifier supplied from the host environment, or a credential cookie to expire after an expiry time.” See ¶ [0076] “A container may ultimately use several types of credentials to operate. Credential types can include a machine account password used by services running as a “network service” or also used for NTLM pass-through authentication to a domain controller. In an example, a server process, NetLogon, may provide OS instances with domain join functionality, such as, but not limited to, rolling over of a machine account ($Machine.Acc) 636 and group managed service account (gMSA) passwords 640. A credential type may be a local service account password 638. A credential type may be credential manager credentials used by any application that authenticates using stored credentials 642. A credential type may be a SysKey used as a root secret for other similar secrets 644. A credential type may be a certificate private key.” See ¶[0084] “The host environment may provide a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy. Example 1 may also include a host environment that includes a credential cache to store credentials; and a credential fetcher to check the credential cache for the credential to access the credential locked resource based on a detected request for access to the credential locked resource.”);
receiving, by the device and based on the information, a lock request associated with using the embedded device (see ¶[0046] “In some embodiments, the access provider module 144 can provide an initial access for a credential locked resource to the container if the container is approved to receive the container specific access to a credential based on a policy. In an example, the policy is to provide a specific container access to a credential based on a security level the container.”), 
wherein the lock request is associated with a first instance of a first application being executed in the first container (see ¶ [0004] “The host environment may detect a request for the credential to the credential locked resource from the container.”); 
performing, by the device, a lock operation associated with the embedded device to: permit the first instance of the first application to use the embedded device (see ¶ [0006] “In an example, the method can also include providing a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy.”), and 
prevent a second instance of a second application from using the embedded device (see ¶[0021] “A refusal by the hosting environment may be based on the lack of permission for a container or application executing in the container to access the credential locked resource. A refusal by the hosting environment may also be based on the hosting environment's inability to access the credential for some other reason.”), 
wherein the second instance of the second application is executing in a second container of the containerized environment (see ¶[0002] “The software containers can include any suitable operating system and any number of applications.” and ¶[0063] “A subset of services, applications, and similar resources may correspond to a container instance. These services, applications, and resources may be restricted unless a credential is provided. In an example, an application or even an entire container may be restricted such that these resources may be inaccessible to the container or application within the container unless credential is provided. While a resource or data set may be available to parts of a system, the selective provision of credentials can regulate which containers and which applications in containers may access these resources.”); 
monitoring, by the device, use of the embedded device during a device access operation of the first instance of the first application to detect an unlock event associated with unlocking the embedded device; and (see ¶ [0045] “In some embodiments, the request detector module 142 can detect, with a host environment communicatively coupled to a container, an initial request for access to a credential locked resource from the container. In an example, the host environment can include a credential cache to store credentials and a credential fetcher to check the credential cache for a credential to access the credential locked resource based on a detected request for access to the credential locked resource. In an example, the credential fetcher may request an initial credential from a credential management service if the credential is not present in the credential cache.” Note: if the credential is not present then it is locked, requesting a credential is the unlock event); 
performing, by the device, an unlock operation based on detecting the unlock event to permit the second instance of the second application to use the embedded device (see ¶ [0004] “The host environment may provide a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy.”).

Regarding claim 7, Novak teaches 
wherein monitoring the use of the embedded device comprises: maintaining a session identifier of the first instance of the first application in a device management data structure (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource. For example, if the container requests access to a resource in order to send and receive data to and from the resource and if the container requests the host provide this initial access, the host may send an initial credential or act as a proxy to the resource”) and a timeout timer (see ¶[0053] “In either case, credential or cookie, both types can expire based on an expiry time set by the credential management service 208.”);
denying, during a time period defined by the timeout timer (see ¶[0062] “In an example, the access to be provided to the container is a credential cookie, an encrypted credential for storage in the container corresponding to a credential identifier supplied from the host environment, or a credential cookie to expire after an expiry time.”),
received lock management requests associated with the embedded device (see ¶[0063] “A subset of services, applications, and similar resources may correspond to a container instance. These services, applications, and resources may be restricted unless a credential is provided. In an example, an application or even an entire container may be restricted such that these resources may be inaccessible to the container or application within the container unless credential is provided”); and 
detecting the unlock event based on the time period expiring without the received lock management requests (see ¶[0086] “Example 3 and other examples disclosed may also include a policy that may provide the credential to expire after an expiry time.”) including an unlock request associated with the session identifier (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource.”).


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 2, 8-9, and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Novak et al. (U.S. PG PUB 2017/0228182) in view of Ahmed (U.S. PG PUB 2012/0047425).

Regarding claim 2, Novak does not expressly disclose, however, Ahmed teaches wherein the lock request (see ¶ [0128] “the virtual container may support the ability to lock or unlock the container or only lock access to particular applications or data”) is received via a software development kit that is associated with the embedded device and configured to permit the first instance of the first application to communicate with the embedded device during the device access operation (see ¶[0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 8, Novak teaches a device, comprising: 
one or more memories (see Fig. 1, 106 system memory); and 
one or more processors (see Fig. 1, 104 processing unit) to: 
provide, during creation of a first container of a containerized environment, information to the first container (see ¶ [0051] “Once a container 202 is created, such as through a container image as described above, the container 202 may provide a runtime environment for an application within the container 202. The application may wish to access the credential locked resource 204 and may require an initial credential. In an example, once an initial credential, the container can use the credential, either directly or by proxy, to authenticate to the target resource.” See ¶[0053] “If the hosting environment 206 determines that the container has authorization based on a policy, the hosting environment may request 214 a credential from the credential management service 208. The credential may be a credential cookie indicating a location by which a hosting system or a container may access a full credential. As used herein, access can include direct access, e.g. getting a value, and oracle access, e.g. making use of a credential without ever discovering its plaintext value. The credential management service 208 can return 214 the credential to the hosting environment 206. When the hosting environment 206 receives the credential, the hosting environment 206 may pass the initial credential to the container 202. The credential may also be withheld from the container 202 and instead only a credential cookie may be passed to the container 202. In either case, credential or cookie, both types can expire based on an expiry time set by the credential management service 208.”), 
wherein the information identifies a lock that is to be utilized for an embedded device of the containerized environment (see ¶ [0062] “In an example, the access to be provided to the container is a credential cookie, an encrypted credential for storage in the container corresponding to a credential identifier supplied from the host environment, or a credential cookie to expire after an expiry time.”, See ¶ [0076] “A container may ultimately use several types of credentials to operate. Credential types can include a machine account password used by services running as a “network service” or also used for NTLM pass-through authentication to a domain controller. In an example, a server process, NetLogon, may provide OS instances with domain join functionality, such as, but not limited to, rolling over of a machine account ($Machine.Acc) 636 and group managed service account (gMSA) passwords 640. A credential type may be a local service account password 638. A credential type may be credential manager credentials used by any application that authenticates using stored credentials 642. A credential type may be a SysKey used as a root secret for other similar secrets 644. A credential type may be a certificate private key.” See ¶[0084] “The host environment may provide a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy. Example 1 may also include a host environment that includes a credential cache to store credentials; and a credential fetcher to check the credential cache for the credential to access the credential locked resource based on a detected request for access to the credential locked resource.”);
receive, from the first container and based on the information, a lock request associated with using the embedded device (see ¶[0046] “In some embodiments, the access provider module 144 can provide an initial access for a credential locked resource to the container if the container is approved to receive the container specific access to a credential based on a policy. In an example, the policy is to provide a specific container access to a credential based on a security level the container.”), 
perform a lock operation associated with the embedded device to (see ¶ [0004] “The host environment may detect a request for the credential to the credential locked resource from the container.”): 
permit the first instance of the SDK to use the embedded device in association with a device access operation (see ¶ [0006] “In an example, the method can also include providing a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy.”), and 
deny a lock request, received during the device access operation, from a second instance (see ¶[0021] “A refusal by the hosting environment may be based on the lack of permission for a container or application executing in the container to access the credential locked resource. A refusal by the hosting environment may also be based on the hosting environment's inability to access the credential for some other reason.”); monitor the device access operation to detect an unlock event associated with unlocking the embedded device (see ¶ [0045] “In some embodiments, the request detector module 142 can detect, with a host environment communicatively coupled to a container, an initial request for access to a credential locked resource from the container. In an example, the host environment can include a credential cache to store credentials and a credential fetcher to check the credential cache for a credential to access the credential locked resource based on a detected request for access to the credential locked resource. In an example, the credential fetcher may request an initial credential from a credential management service if the credential is not present in the credential cache.”); and perform an unlock operation based on detecting the unlock event to permit the second instance to use the embedded device (see ¶ [0004] “The host environment may provide a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy.”).
Novak do not expressly disclose, however, Ahmed teaches wherein the lock request is received from a first instance of a software development kit (SDK) being used by an application in the first container (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”); the SDK in a second container to prevent the second instance of the SDK from using the embedded device during the device access operation (see ¶ [0128] “the virtual container may support the ability to lock or unlock the container or only lock access to particular applications or data”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 9, Novak do not expressly disclose, however, Ahmed teaches wherein the first instance of the SDK is associated with a first instance of the application that is in the first container (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”), and wherein the second instance of the SDK is associated with a second instance of the application that is in the second container (see ¶ [0139] “Virtual containers on different devices may use the same VL 300 but display data in different formats to match the native look and feel of the host device.” –note: there is more than one container).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 11, Novak teaches wherein the unlock event comprises at least one of: determining that the device access operation timed out (see ¶[0053] “In either case, credential or cookie, both types can expire based on an expiry time set by the credential management service 208.”), or receiving an unlock request from the first instance of the SDK.

Regarding claim 12, Novak teaches wherein the one or more processors, when monitoring the use of the embedded device, are configured to: 
maintain, based on receiving the lock request, a session identifier of the first instance in a device management data structure (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource. For example, if the container requests access to a resource in order to send and receive data to and from the resource and if the container requests the host provide this initial access, the host may send an initial credential or act as a proxy to the resource”); analyze received lock management requests associated with a plurality of embedded devices of the containerized environment (see ¶[0063] “A subset of services, applications, and similar resources may correspond to a container instance. These services, applications, and resources may be restricted unless a credential is provided. In an example, an application or even an entire container may be restricted such that these resources may be inaccessible to the container or application within the container unless credential is provided”); and determine, in association with receiving an unlock request from, that the unlock event occurred, wherein the unlock request includes the session identifier of the first instance (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource.”) and a device identifier of the embedded device (see ¶ [0018] “The container seeking a credential for a specific resource for the first time may request the credential from the hosting environment. The hosting environment may then determine if the container has authorization to access the resource through the requested credential.” Note: it can be inferred that the credential includes a device identifier because the container needs to seek a specific resource, and there must be a way to identify a specific resource).
Novak does not expressly disclose the first instance of the SDK . However, Ahmed teaches the first instance of the SDK (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 13, Novak teaches wherein the one or more processors, when monitoring the use of the embedded device, are configured to: maintain a session identifier of the first instance in a device management data structure (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource. For example, if the container requests access to a resource in order to send and receive data to and from the resource and if the container requests the host provide this initial access, the host may send an initial credential or act as a proxy to the resource”) and a timeout timer (see ¶[0053] “In either case, credential or cookie, both types can expire based on an expiry time set by the credential management service 208.”); analyze, during a time period defined by the timeout timer, received lock management requests associated with a plurality of embedded devices of the containerized environment (see ¶[0063] “A subset of services, applications, and similar resources may correspond to a container instance. These services, applications, and resources may be restricted unless a credential is provided. In an example, an application or even an entire container may be restricted such that these resources may be inaccessible to the container or application within the container unless credential is provided”); and determine that the unlock event occurred in association with the time period expiring without receiving an unlock request that includes the session identifier (see ¶[0086] “Example 3 and other examples disclosed may also include a policy that may provide the credential to expire after an expiry time.”).
Novak does not expressly disclose the first instance of the SDK. However, Ahmed teaches the first instance of the SDK (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).
Regarding claim 14, Novak does not wherein the embedded device comprises at least one of: a router, a switch fabric, a retimer, or a sensor. However, Ahmed teaches the embedded device comprises at least one of: a router, a switch fabric, a retimer, or a sensor (see ¶[0111] “Types of other hardware that may be controlled include tethered devices, sensors, monitors, computers, transmitters, receivers and other pluggable devices”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).


Claims 3 and 4 are rejected under 35 U.S.C. 103 as being unpatentable over Novak et al. (U.S. PG PUB 2017/0228182) in view of Baron et al. (U.S. PG PUB 2014/0068127).

Regarding claim 3, Novak teaches a third application operating in a different container from the first container (see ¶[0002] “The software containers can include any suitable operating system and any number of applications.” and ¶[0063] “A subset of services, applications, and similar resources may correspond to a container instance. These services, applications, and resources may be restricted unless a credential is provided. In an example, an application or even an entire container may be restricted such that these resources may be inaccessible to the container or application within the container unless credential is provided. While a resource or data set may be available to parts of a system, the selective provision of credentials can regulate which containers and which applications in containers may access these resources.”).  
Novak does not expressly disclose, however, Baron teaches further comprising: 27PATENTDocket No. 0023-1067prior to performing the lock operation, verifying that the embedded device is not locked according to another lock request received from a different instance of a third application, wherein the lock operation is performed based on verifying that the embedded device is not locked (see ¶[0039] “Exclusive locking module 245 and shared locking module 250 may be responsible for managing the resource management logical volume 222. In one embodiment, exclusive locking module 245 acquires exclusive locks for hosts by writing exclusive lock flags to an appropriate region in the resource management logical volume associated with a host ID leased to the host and a resource ID for the resource in question. Exclusive locking module 245 may first check the resource management logical volume 222 to determine if any other hosts have an exclusive or shared lock on the resource before obtaining the exclusive lock for the host. If any other hosts have exclusive or shared locks on the resource, then exclusive locking module 245 may return a failure to a host that requested the lock. In one embodiment, the Paxos protocol is followed for performing exclusive locking.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Baron to ensure that while a host with a lock is using a resource, another host will not be able to modify the resource (see ¶ [0002] of Baron)

Regarding claim 4, Novak does not expressly disclose, however, Baron teaches further comprising: 
prior to performing the lock operation, identifying the embedded device based on the lock request including information identifying at least one of: a device type of the embedded device, or a device identifier of the embedded device, wherein the lock operation is performed on the embedded device based on identifying the embedded device (see ¶ [0018] “The actual composition of the resources on the storage domains 125-128 may depend on a storage type for that storage domain (e.g., whether or not it includes a file system, a type of file system, etc.) as well as a type of resource”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Baron to ensure that while a host with a lock is using a resource, another host will not be able to modify the resource (see ¶ [0002] of Baron).


Claims 5 and 6 are rejected under 35 U.S.C. 103 as being unpatentable over Novak et al. (U.S. PG PUB 2017/0228182) in view of Luo et al. (U.S. PG PUB 2020/0364095).

Regarding claim 5, Novak does not expressly disclose, however, Luo teaches 
wherein the lock request identifies a device type of the embedded device (see ¶ [0066]), and performing the lock operation comprises: 
permitting the first instance of the first application to use the embedded device based on the device type being identified in the lock request (see ¶ [0066] “Specifically, in the embodiment of the present application, the data operation request may include identification information of the target communication device, for example, the data operation request may include an IP address, a pre-configured device identifier of the target communication device, and the like”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Luo to implement sequential processing for the requests (see ¶ [0003] of Luo).

Regarding claim 6, Novak teaches 
wherein monitoring the use of the embedded device comprises: 
maintaining, based on receiving the lock request, a session identifier of the first instance of the first application in a device management data structure, wherein the request includes the session identifier of the first instance of the first application (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource. For example, if the container requests access to a resource in order to send and receive data to and from the resource and if the container requests the host provide this initial access, the host may send an initial credential or act as a proxy to the resource”).
Novak does not expressly disclose, however, Luo teaches denying lock management requests associated with the embedded device until the unlock event is detected (see ¶ [0064] “If different systems or different nodes of the same system share one resource or a group of resources, when accessing these resources, mutual exclusion is often required to prevent interference with each other, so as to ensure that the shared resources accessed by different nodes are consistent. The mechanism of the distributed lock allows the system or node that obtains the distributed lock to access or process the shared resources. The resources that need to be shared may be equipped with a corresponding distributed lock, and the distributed lock is managed by a distributed lock manager.”); and detecting the unlock event based on receiving an unlock request from the first instance of the first application (see ¶[0034] “In an implementation, the first node that obtains the first distributed lock through competition is configured for releasing the first distributed lock after storing the obtained data operation request, such that other first nodes obtaining data operation requests start to compete for the first distributed lock.”), wherein the unlock request includes a device identifier of the embedded device (see ¶ [0066] “Specifically, in the embodiment of the present application, the data operation request may include identification information of the target communication device, for example, the data operation request may include an IP address, a pre-configured device identifier of the target communication device, and the like”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting Luo to implement sequential processing for the requests (see ¶ [0003] of Luo).

Claim 10 is rejected under 35 U.S.C. 103 as being unpatentable over Novak et al. (U.S. PG PUB 2017/0228182) in view of Ahmed (U.S. PG PUB 2012/0047425), as applied to claim 8, further in view of Baron et al. (U.S. PG PUB 2014/0068127).

Regarding claim 10, Ahmed teaches the SDK associated with the lock request as disclosed above. Novak and Ahmed do not expressly disclose wherein the one or more processors are further to: prior to performing the lock operation, identifying the embedded device based on the lock request to perform the device access operation via a particular device type, wherein the lock operation is performed based on identifying that the embedded device is of the particular device type and is unlocked.
However, Baron teaches wherein the one or more processors are further to: prior to performing the lock operation, identifying the embedded device based on the lock request to perform the device access operation via a particular device type, wherein the lock operation is performed based on identifying that the embedded device is of the particular device type and is unlocked  (see ¶ [0018] “The actual composition of the resources on the storage domains 125-128 may depend on a storage type for that storage domain (e.g., whether or not it includes a file system, a type of file system, etc.) as well as a type of resource”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak and Ahmed by adapting the teachings of Baron to ensure that while a host with a lock is using a resource, another host will not be able to modify the resource (see ¶ [0002] of Baron).

Claims 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Novak et al. (U.S. PG PUB 2017/0228182) in view of Baron et al. (U.S. PG PUB 2014/0068127) in view of Ahmed (U.S. PG PUB 2012/0047425).
Regarding claim 15, Novak teaches a non-transitory computer-readable medium storing a set of instructions (see Fig. 1, 106 system memory), the set of instructions comprising: 
one or more instructions that, when executed by one or more processors of a device (see Fig. 1, 104 processing unit), cause the device to: 
provide, during creation of a first container of a containerized environment, information to the first container (see ¶ [0051] “Once a container 202 is created, such as through a container image as described above, the container 202 may provide a runtime environment for an application within the container 202. The application may wish to access the credential locked resource 204 and may require an initial credential. In an example, once an initial credential, the container can use the credential, either directly or by proxy, to authenticate to the target resource.” See ¶[0053] “If the hosting environment 206 determines that the container has authorization based on a policy, the hosting environment may request 214 a credential from the credential management service 208. The credential may be a credential cookie indicating a location by which a hosting system or a container may access a full credential. As used herein, access can include direct access, e.g. getting a value, and oracle access, e.g. making use of a credential without ever discovering its plaintext value. The credential management service 208 can return 214 the credential to the hosting environment 206. When the hosting environment 206 receives the credential, the hosting environment 206 may pass the initial credential to the container 202. The credential may also be withheld from the container 202 and instead only a credential cookie may be passed to the container 202. In either case, credential or cookie, both types can expire based on an expiry time set by the credential management service 208.”),
wherein the information identifies a lock that is to be utilized for a set of embedded devices of the containerized environment (see ¶ [0062] “In an example, the access to be provided to the container is a credential cookie, an encrypted credential for storage in the container corresponding to a credential identifier supplied from the host environment, or a credential cookie to expire after an expiry time.”, see ¶ [0076] “A container may ultimately use several types of credentials to operate. Credential types can include a machine account password used by services running as a “network service” or also used for NTLM pass-through authentication to a domain controller. In an example, a server process, NetLogon, may provide OS instances with domain join functionality, such as, but not limited to, rolling over of a machine account ($Machine.Acc) 636 and group managed service account (gMSA) passwords 640. A credential type may be a local service account password 638. A credential type may be credential manager credentials used by any application that authenticates using stored credentials 642. A credential type may be a SysKey used as a root secret for other similar secrets 644. A credential type may be a certificate private key.” See ¶[0084] “The host environment may provide a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy. Example 1 may also include a host environment that includes a credential cache to store credentials; and a credential fetcher to check the credential cache for the credential to access the credential locked resource based on a detected request for access to the credential locked resource.”);
receive, based on the information, a lock request associated with using the set of embedded devices (see ¶[0046] “In some embodiments, the access provider module 144 can provide an initial access for a credential locked resource to the container if the container is approved to receive the container specific access to a credential based on a policy. In an example, the policy is to provide a specific container access to a credential based on a security level the container.”); 
identify an embedded device, of the set of embedded devices, for use in association with a device access operation (see ¶ [0018] “The container seeking a credential for a specific resource for the first time may request the credential from the hosting environment. The hosting environment may then determine if the container has authorization to access the resource through the requested credential.” Note: it can be inferred that the credential includes a device identifier because the container needs to seek a specific resource, and there must be a way to identify a specific resource);
perform a lock operation associated with the embedded device (see ¶ [0004] “The host environment may detect a request for the credential to the credential locked resource from the container.”) to: 
permit the first instance of the device access operation on the embedded device, and prevent from accessing the embedded device during the device access operation (see ¶ [0006] “In an example, the method can also include providing a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy.”), wherein the second instance is executing in a second container of the containerized environment (see ¶[0056] “The credential cache 304 can store a number of credentials for a container or a number of containers as discussed below”); 
detect an unlock event associated with unlocking the embedded device (see ¶ [0005] “An example of a method for providing credentials comprising can include requesting, with a container operating in a memory device through the execution of a processing device, a credential to a credential locked resource.”); and 
perform, based on detecting the unlock event, an unlock operation to permit to use the embedded device (see ¶[0046] “In some embodiments, the access provider module 144 can provide an initial access for a credential locked resource to the container if the container is approved to receive the container specific access to a credential based on a policy. In an example, the policy is to provide a specific container access to a credential based on a security level the container.”).
Novak does not expressly disclose 
wherein the embedded device is identified based on the device type being identified in the lock request.
However, Baron teaches wherein the embedded device is identified based on the device type being identified in the lock request (see ¶ [0018] “The actual composition of the resources on the storage domains 125-128 may depend on a storage type for that storage domain (e.g., whether or not it includes a file system, a type of file system, etc.) as well as a type of resource”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting the teachings of Baron to ensure that while a host with a lock is using a resource, another host will not be able to modify the resource (see ¶ [0002] of Baron).
Novak and Baron do not expressly disclose wherein the lock request is associated with a first instance of a software development kit (SDK) that is associated with a device type of the set of embedded devices and that is in the first container; the first instance of the SDK, and a second instance of the SDK.
However, Ahmed teaches wherein the lock request is associated with a first instance of a software development kit (SDK) that is associated with a device type of the set of embedded devices and that is in the first container (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”); the first instance of the SDK, and a second instance of the SDK; the first instance of the SDK, and a second instance of the SDK (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak and Baron by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 16, Novak teaches wherein the lock request is received from the first instance based on an instance of an application in the first container causing the first instance to provide the lock request to permit the application to perform the device access operation (see ¶[0020] “A credential substitute can also include an action that achieves the end result of establishing an authenticated session with the resource. For example, if the container requests access to a resource in order to send and receive data to and from the resource and if the container requests the host provide this initial access, the host may send an initial credential or act as a proxy to the resource”).
Novak and Baron do not expressly disclose the first instance of the SDK. 
However, Ahmed teaches the first instance of the SDK (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak and Baron by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 17, Novak does not expressly disclose, however, Baron teaches wherein the one or more instructions further cause the device to: prior to performing the lock operation, verify that the embedded device is not locked according to another lock request received from a different instance operating in a different container from the first container, wherein the lock operation is performed based on verifying that the embedded device is not locked (see ¶[0039] “Exclusive locking module 245 and shared locking module 250 may be responsible for managing the resource management logical volume 222. In one embodiment, exclusive locking module 245 acquires exclusive locks for hosts by writing exclusive lock flags to an appropriate region in the resource management logical volume associated with a host ID leased to the host and a resource ID for the resource in question. Exclusive locking module 245 may first check the resource management logical volume 222 to determine if any other hosts have an exclusive or shared lock on the resource before obtaining the exclusive lock for the host. If any other hosts have exclusive or shared locks on the resource, then exclusive locking module 245 may return a failure to a host that requested the lock. In one embodiment, the Paxos protocol is followed for performing exclusive locking.”).
Novak and Baron do not expressly disclose the SDK. However, Ahmed teaches the SDK (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak and Baron by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).
Regarding claim 18, Novak does not expressly disclose, however, Baron teaches wherein the lock request identifies a quantity of the set of embedded devices that are to be used in association with the device access operation (see ¶ [0011] “Described herein is a method and system for managing locks on shared resources (e.g., resources in a clustered environment).”), wherein the one or more instructions further cause the device to: prior to performing the lock operation, identify a group of embedded devices, of the set of embedded devices, that are available to be used in association with the device access operation (see ¶[0018] “Each storage domain 125-128 may contain locking data structures for a collection of resources. The locking data structures may be reserved spaces on shared storage that represent locking states for the resources. The resources may include data and objects that are stored in the storage domains 125-128 as well as logical resources that are not stored in any storage domain.”): 
wherein the lock operation is performed on the group of embedded devices based on identifying the group of embedded devices, wherein the embedded device is one of the group of embedded devices (see ¶[0018] “For example, the cluster may have a single storage pool manager (SPM) that is responsible for performing operations in the cluster such as moving data, changing configurations, and so forth. Any host may assume the role of the SPM by acquiring an exclusive lock on the SPM resource. The actual composition of the resources on the storage domains 125-128 may depend on a storage type for that storage domain (e.g., whether or not it includes a file system, a type of file system, etc.) as well as a type of resource.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting the teachings of Baron to ensure that while a host with a lock is using a resource, another host will not be able to modify the resource (see ¶ [0002] of Baron).

Regarding claim 19, Novak teaches wherein the one or more instructions that cause the one or more processors to detect the unlock event, cause the one or more processors to: receive an unlock request from the first instance, wherein receiving the unlock request corresponds to the unlock event (see ¶ [0045] “In some embodiments, the request detector module 142 can detect, with a host environment communicatively coupled to a container, an initial request for access to a credential locked resource from the container. In an example, the host environment can include a credential cache to store credentials and a credential fetcher to check the credential cache for a credential to access the credential locked resource based on a detected request for access to the credential locked resource. In an example, the credential fetcher may request an initial credential from a credential management service if the credential is not present in the credential cache.” Note: if the credential is not present then it is locked, requesting a credential is the unlock event).
Novak and Baron do not expressly disclose the SDK, However, Ahmed teaches the SDK (see ¶ [0125] “FIG. 9 illustrates an architecture of one embodiment of a content adaptive application 200 including a virtual application container 205. As explained above, the application 205 including the virtual container 205 is embodied as a native application written for a particular mobile device using the software development kit ( SDK) provided by the mobile device manufacturer or OS provider.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak and Baron by adapting Ahmed to provide for better monitoring and control of content (see ¶[0002] of Ahmed).

Regarding claim 20, Novak does not expressly disclose, however, Baron teaches wherein the device access operation comprises at least one of: a read operation associated with the embedded device, or a write operation associated with the embedded device (see ¶[0012] “The lock manager may grant both shared locks (also referred to as read only locks) and exclusive locks (also referred to as read/write locks). If a host has a shared lock to a resource, then other resources can still read the resource and can also obtain shared locks on the resource.”).
Hence, it would have been obvious to one of ordinary skill in the art before the effective filing date to modify the teachings of Novak by adapting the teachings of Baron to ensure that while a host with a lock is using a resource, another host will not be able to modify the resource (see ¶ [0002] of Baron).
Response to Arguments
Applicant's arguments filed 6/10/2022 have been fully considered but they are not persuasive.
Applicants argue that Novak does not disclose “receiving, by the device and based on the information identifying the lock, a lock request associated with using the embedded device.”
Examiner disagrees. Novak teaches the limitation in ¶[0054], ¶[0076], and ¶ [0084] which describes the claimed limitation. Here, the credential is the lock, the information identifying the lock is the lock type determined by policy and the lock request is the request to access the locked resource. 

¶ [0054] “If the container 202 has been initially provided the credential, a credential cookie, or access to the resource through the hosting environment 206, then the container 202 accesses 218 the credential locked resource 204. The container 202 may continue to subsequently use the credential, either directly or by proxy, to authenticate to the resource 204. Access 218 of the resource can include a communication, an instruction, a query, and the like.” 

¶ [0076] “A container may ultimately use several types of credentials to operate. Credential types can include a machine account password used by services running as a “network service” or also used for NTLM pass-through authentication to a domain controller. In an example, a server process, NetLogon, may provide OS instances with domain join functionality, such as, but not limited to, rolling over of a machine account ($Machine.Acc) 636 and group managed service account (gMSA) passwords 640. A credential type may be a local service account password 638. A credential type may be credential manager credentials used by any application that authenticates using stored credentials 642. A credential type may be a SysKey used as a root secret for other similar secrets 644. A credential type may be a certificate private key.” 

¶[0084] “The host environment may provide a credential for a credential locked resource to the container if the container is approved to receive the credential based on a policy. Example 1 may also include a host environment that includes a credential cache to store credentials; and a credential fetcher to check the credential cache for the credential to access the credential locked resource based on a detected request for access to the credential locked resource.”

Support for Amendments and Newly Added Claims
Applicants are respectfully requested, in the event of an amendment to claims or submission of new claims, that such claims and their limitations be directly mapped to the specification, which provides support for the subject matter.  This will assist in expediting compact prosecution.  MPEP 714.02 recites: “Applicant should also specifically point out the support for any amendments made to the disclosure. See MPEP § 2163.06. An amendment which does not comply with the provisions of 37 CFR 1.121(b), (c), (d), and (h) may be held not fully responsive. See MPEP § 714.”  Amendments not pointing to specific support in the disclosure may be deemed as not complying with provisions of 37 C.F.R.  1.121(b), (c), (d), and (h) and therefore held not fully responsive.  Generic statements such as “Applicants believe no new matter has been introduced” may be deemed insufficient.
Interview Requests
In accordance with 37 CFR 1.133(a)(3), requests for interview must be made in advance.  Interview requests are to be made by telephone (571-270-7848) call or FAX (571-270-8848).  Applicants must provide a detailed agenda as to what will be discussed (generic statement such as “discuss §102 rejection” or “discuss rejections of claims 1-3” may be denied interview).  The detail agenda along with any proposed amendments is to be written on a PTOL-413A or a custom form and should be faxed (or emailed, subject to MPEP 713.01.I / MPEP 502.03) to the Examiner at least 5 business days prior to the scheduled interview. Interview requests submitted within amendments may be denied because the Examiner was not notified, in advance, of the Applicant Initiated Interview Request and due to time constraints may not be able to review the interview request to prior to the mailing of the next Office Action.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CARINA YUN whose telephone number is (571)270-7848. The examiner can normally be reached Mon, Weds, Thurs, 9-4.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Sam Sough can be reached on (571) 272-6799. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

Carina Yun
Patent Examiner
Art Unit 2194



/CARINA YUN/Examiner, Art Unit 2194                                                                                                                                                                                                        
/S. Sough/SPE, AU 2192/2194