Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This action is responsive to patent application as filed on 8/4/2022.
This action is made Non-Final.

Claims 1 – 20 are pending in the case. Claims 1, 11 and 18 are independent claims. Claims 1, 11, 14 and 18 are amended.

Response to Arguments
Applicant's arguments filed 8/4/2022 have been fully considered but they are not persuasive. Applicant remarks that Tse does not disclose or teach the newly added limitations of amended claims 1 and 18 (pages 7-9).
The Examiner disagrees.
Tse discusses a user profile, which includes user credentials, which can include a set of permissions that can determine which applications the user can [and can not] access (0021 and 0031). The management server assigns the profiles to the users, the profiles being assigned based on different security or access needs (0026-27). Therefore the Examiner maintains that Tse discloses every feature of amended claim 1, and teaches in view of DeGangi, every feature of claim 18. 


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1-4 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Tse (USPUB 20170220368 A1).

Claim 1:
Tse discloses A method for implementing privileged access management comprising: receiving, from a client, a request of a user to access an application, the request including or being associated with user credentials of the user; evaluating the user credentials that are included in or associated with the request to determine that the user is authorized to access the application using privileged credentials that are different from the user credentials and that the user does not have access to (0021: “a thin client in an enterprise mobility management environment to run managed applications on a remote thin server. The thin client can be a managed application that executes on a user device. Upon execution, the thin client can contact the management server. The management server can determine a profile that corresponds to the user device. The profile can include a set of permissions that can determine which applications the user can access, the functionality available within the applications”; 0031: “the management server 130 can identify a corresponding profile based on a device identifier in the frame buffer request. The profile can also store a key, certificate, or other form of authentication credential to ensure an authorized user has accessed the application. In other examples, the thin client can request credentials from a user upon launch of the thin client. The credentials can be a username and password, a biometric identifier such as a fingerprint, a particular gesture, or other type of credential. The credentials can be provided to the management server 130 or thin server 140 without being maintained in long-term storage or caching on the user device 110. The credentials can vary based on the particular application that a user wants to execute from the thin client. For example, a user can access a corporate calendar without providing additional credentials, but using an application to access a corporate file repository may require authentication. 
The credentials can also identify a particular user when multiple users share a single device, allowing the thin client to display the appropriate profile-specific applications and features for a particular user. In other examples, receiving credentials may not be necessary where the management component 211 enforces security restrictions on the user device. For example, the management component 211 can require that a user have a PIN or password of a defined length to unlock their device. Once the user has unlocked their device, additional authentication when launching the thin client can be avoided, depending on the desired level of security for an enterprise's applications”; 0026-27: “The user devices 105 can enroll with the management server 130 in order to receive a thin client for execution on the respective user device 105. During enrollment or afterward, the management server 130 can assign one or more profiles to a first user device 110 that can be different than one or more profiles assigned to a second user device 115…The different profiles can be assigned based on different security or access needs for the different user devices 105. User devices 105 can be assigned to one or more groups, with each group describing different security or access levels. For example, an executive group can have different security access than a standard employee group. The executives therefore may be able to access applications that analyze corporate financial information, while other employees cannot. Different groups can also be assigned for different divisions of an enterprise”); in response to the request, executing the application on a container including logging in to the application using privileged credentials (0021-22: “The profile can include a set of permissions that can determine which applications the user can access, the functionality available within the applications, and the documents and file locations that are accessible. 
In one example, these applications and files can be accessed in a remote virtual machine environment…Based on the profile, the management server can cause a thin server to instantiate an instance of one of a plurality of virtual machines. The instance can be chosen to run a virtual machine configuration that includes a specific guest operation system, specific guest applications, and specific permitted or disallowed functionalities. The profile-specific instance can include only a subset of possible guest applications, and can include custom configurations of those guest applications to limit functionality. In one example, the guest operating system in the instance can be preset to omit or include certain guest processes, security features, and management features for a profile-specific experience. This can allow an enterprise to enforce or modify enterprise security, functionality, and access with respect to personal user devices while keeping applicable credentials and other sensitive information away from the user devices”); creating, from a user interface of the application, protocol frames that define images of the user interface (0023: “the profile-specific instance can send graphics information to the thin client at the user device for display. A frame buffer process running in the instance can buffer graphics data generated by the guest application(s). From the frame buffer, the instance can send the graphics data as pixels to the thin client, where the graphics are displayed to the user. While the thin client displays the graphics, it can also listen for user interface ("UI") events, such as clicks, mouse movements, selections, typing, and other user inputs. 
The thin client can send these UI events back to the instance of the virtual machine for performance within the guest application on the virtual machine”); sending, by the container and to the client, protocol communications containing the protocol frames to cause the images of the user interface to be displayed on the client (0023: “the profile-specific instance can send graphics information to the thin client at the user device for display. A frame buffer process running in the instance can buffer graphics data generated by the guest application(s). From the frame buffer, the instance can send the graphics data as pixels to the thin client, where the graphics are displayed to the user. While the thin client displays the graphics, it can also listen for user interface ("UI") events, such as clicks, mouse movements, selections, typing, and other user inputs. The thin client can send these UI events back to the instance of the virtual machine for performance within the guest application on the virtual machine”); receiving, by the container and from the client, additional protocol communications that define user input to the images that were displayed on the client (0023-24: “it can also listen for user interface ("UI") events, such as clicks, mouse movements, selections, typing, and other user inputs. The thin client can send these UI events back to the instance of the virtual machine for performance within the guest application on the virtual machine…Sharing graphics information and UI events in this manner can allow a user to execute enterprise applications agnostically with regard to the operating system required for the enterprise applications. In addition, security can be increased since critical credentials can be kept at the thin server rather than the user device. 
The user device instead can receive graphics information such as pixel data”); and causing corresponding user input to be generated on the container and provided to the application (0023-24: “it can also listen for user interface ("UI") events, such as clicks, mouse movements, selections, typing, and other user inputs. The thin client can send these UI events back to the instance of the virtual machine for performance within the guest application on the virtual machine…Sharing graphics information and UI events in this manner can allow a user to execute enterprise applications agnostically with regard to the operating system required for the enterprise applications. In addition, security can be increased since critical credentials can be kept at the thin server rather than the user device. The user device instead can receive graphics information such as pixel data”).
Claim 2:
Tse discloses the protocol communications containing the protocol frames are sent to the client via a proxy (0030-31: “When the user selects the icon, the thin client can initiate the process of contacting a thin server 140, 144, which will create a virtual machine that can execute the corresponding application based on a user's profile, as described in more detail below…the thin client can access one or more managed applications by requesting a frame buffer. The request can initially go to the management server 130, which stores at least one profile for the first user device 110. In one example, the management server 130 can identify a corresponding profile based on a device identifier in the frame buffer request”).

Claim 3:
Tse discloses forwarding, by the proxy, the protocol communications containing the protocol frames to a server (0030-31).

Claim 4:
Tse discloses storing, by the server, the protocol frames in a session log (0031-32 and 0072-76).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Tse in view of Vilke (USPUB 20130268580 A1).

Claim 5:
Tse discloses every feature of claim 1.
Tse, by itself, does not seem to completely teach a website and wherein executing the application includes navigating the browser to the website and then logging in to the website using the privileged credentials.
The Examiner maintains that these features were previously well-known as taught by Vilke.
Vilke teaches a website and wherein executing the application includes navigating the browser to the website and then logging in to the website using the privileged credentials (0124: “the desktop connected to the network, such as an Internet, sends a connection request to a virtual center (VC) for access and control of a virtual service available within the VC. The connection request includes identity of the desktop along with other connection parameters. The desktop is first authenticated using the identity and other authentication information provided in the connection request prior to providing access to the virtual service. In one embodiment, the desktop is authenticated through a website, which maintains a list of authorized devices that can access a virtual infrastructure (VI) cloud associated with the virtual center and available on the Internet, using the identification information of the desktop obtained from the connection request”).
Tse and Vilke are analogous art because they are from the same problem-solving area, managing software application access in a virtual environment.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Tse and Vilke before him or her, to combine the teachings of Tse and Vilke. The rationale for doing so would have been to obtain the benefit of providing a user the ability to securely access sensitive web-based content.
Therefore, it would have been obvious to combine Tse and Vilke to obtain the invention as specified in the instant claim(s).

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Tse in view of Lee (USPUB 20180032303 A1).

Claim 6:
Tse discloses every feature of claim 1.
Tse, by itself, does not seem to completely teach creating protocol frames comprises accessing frames that the application generates to represent the user interface and comparing corresponding microblocks in the frames to identify changed microblocks.
The Examiner maintains that these features were previously well-known as taught by Lee.
Lee teaches creating protocol frames comprises accessing frames that the application generates to represent the user interface and comparing corresponding microblocks in the frames to identify changed microblocks (0204, 0208 and 0210).
Tse and Lee are analogous art because they are from the same problem-solving area, managing software application access in a virtual environment.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Tse and Lee before him or her, to combine the teachings of Tse and Lee. The rationale for doing so would have been to obtain the benefit of determining if any changes have occurred to a frame since a period of time has passed.
Therefore, it would have been obvious to combine Tse and Vilke to obtain the invention as specified in the instant claim(s).

Claims 18 and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Tse in view of DeGangi (USPUB 20190146645 A1).

Claim 18:
Tse discloses A method for enabling a user to access an application using privileged credentials without having access to the privileged credentials (0021-22), the method comprising: receiving, from a user of a client, a request to access an application using privileged credentials that the user does not have access to the request including or being associated with user credentials of the user; evaluating the user credentials that are included in or associated with the request to determine that the user is authorized to access the application using privileged credentials that are different from the user credentials and that the user does not have access to (0021: “a thin client in an enterprise mobility management environment to run managed applications on a remote thin server. The thin client can be a managed application that executes on a user device. Upon execution, the thin client can contact the management server. The management server can determine a profile that corresponds to the user device. The profile can include a set of permissions that can determine which applications the user can access, the functionality available within the applications”; 0031: “the management server 130 can identify a corresponding profile based on a device identifier in the frame buffer request. The profile can also store a key, certificate, or other form of authentication credential to ensure an authorized user has accessed the application. In other examples, the thin client can request credentials from a user upon launch of the thin client. The credentials can be a username and password, a biometric identifier such as a fingerprint, a particular gesture, or other type of credential. The credentials can be provided to the management server 130 or thin server 140 without being maintained in long-term storage or caching on the user device 110. 
The credentials can vary based on the particular application that a user wants to execute from the thin client. For example, a user can access a corporate calendar without providing additional credentials, but using an application to access a corporate file repository may require authentication. The credentials can also identify a particular user when multiple users share a single device, allowing the thin client to display the appropriate profile-specific applications and features for a particular user. In other examples, receiving credentials may not be necessary where the management component 211 enforces security restrictions on the user device. For example, the management component 211 can require that a user have a PIN or password of a defined length to unlock their device. Once the user has unlocked their device, additional authentication when launching the thin client can be avoided, depending on the desired level of security for an enterprise's applications”; 0026-27: “The user devices 105 can enroll with the management server 130 in order to receive a thin client for execution on the respective user device 105. During enrollment or afterward, the management server 130 can assign one or more profiles to a first user device 110 that can be different than one or more profiles assigned to a second user device 115…The different profiles can be assigned based on different security or access needs for the different user devices 105. User devices 105 can be assigned to one or more groups, with each group describing different security or access levels. For example, an executive group can have different security access than a standard employee group. The executives therefore may be able to access applications that analyze corporate financial information, while other employees cannot. 
Different groups can also be assigned for different divisions of an enterprise”); creating a container that includes the application; executing the application on the container including logging in to the application using the privileged credentials (0021-22: “The profile can include a set of permissions that can determine which applications the user can access, the functionality available within the applications, and the documents and file locations that are accessible. In one example, these applications and files can be accessed in a remote virtual machine environment…Based on the profile, the management server can cause a thin server to instantiate an instance of one of a plurality of virtual machines. The instance can be chosen to run a virtual machine configuration that includes a specific guest operation system, specific guest applications, and specific permitted or disallowed functionalities. The profile-specific instance can include only a subset of possible guest applications, and can include custom configurations of those guest applications to limit functionality. In one example, the guest operating system in the instance can be preset to omit or include certain guest processes, security features, and management features for a profile-specific experience. This can allow an enterprise to enforce or modify enterprise security, functionality, and access with respect to personal user devices while keeping applicable credentials and other sensitive information away from the user devices”); while the application is executing on the container, creating and sending protocol frames to the client which define images of the application's user interface (0023: “the profile-specific instance can send graphics information to the thin client at the user device for display. A frame buffer process running in the instance can buffer graphics data generated by the guest application(s). 
From the frame buffer, the instance can send the graphics data as pixels to the thin client, where the graphics are displayed to the user. While the thin client displays the graphics, it can also listen for user interface ("UI") events, such as clicks, mouse movements, selections, typing, and other user inputs. The thin client can send these UI events back to the instance of the virtual machine for performance within the guest application on the virtual machine”); employing the protocol frames to display the images of the application's user interface on the client (0023: “the profile-specific instance can send graphics information to the thin client at the user device for display. A frame buffer process running in the instance can buffer graphics data generated by the guest application(s). From the frame buffer, the instance can send the graphics data as pixels to the thin client, where the graphics are displayed to the user. While the thin client displays the graphics, it can also listen for user interface ("UI") events, such as clicks, mouse movements, selections, typing, and other user inputs. The thin client can send these UI events back to the instance of the virtual machine for performance within the guest application on the virtual machine”); routing the protocol frames to a server for storage in a session log (0031-32).
Tse, by itself, does not seem to completely teach receiving a request to replay the user's access to the application; and employing the protocol frames stored in the session log to sequentially display the images of the application's user interface to thereby replay the user's access to the application.
The Examiner maintains that these features were previously well-known as taught by DeGangi.
DeGangi teaches receiving a request to replay the user's access to the application; and employing the protocol frames stored in the session log to sequentially display the images of the application's user interface to thereby replay the user's access to the application (0006 and 0030: a request to replay a user’s session can be processed, after which previously stored images of the web page interactions are replayed to the user to recreate the user session).
Tse and DeGangi are analogous art because they are from the same problem-solving area, presenting and managing user interaction with web based content.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Tse and DeGangi before him or her, to combine the teachings of Tse and DeGangi. The rationale for doing so would have been to monitor user interactions with the web based content.
Therefore, it would have been obvious to combine Tse and DeGangi to obtain the invention as specified in the instant claim(s).

Claim 19:
Tse teaches sending, to the server, one or more events that occurred during the user's access to the application; and storing the one or more events in the session log (0072-76).

Allowable Subject Matter
Claims 7-10 and 20 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
Claims 11-17 are allowed.

Note
The Examiner cites particular columns, line numbers and/or paragraph numbers in the references as applied to the claims below for the convenience of the Applicant(s). Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the Applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the Examiner. See MPEP 2123.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and is listed in the attached PTOL-892 form.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED-IBRAHIM ZUBERI whose telephone number is (571)270-7761.  The examiner can normally be reached on M-Th 8-6 Fri: 7-12/OFF.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Cesar Paula can be reached on (571) 272-4128.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/MOHAMMED H ZUBERI/               Primary Examiner, Art Unit 2177