Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
Response to Arguments
In communications filed on 8/10/2022, claims 2-3, 5-11, and 13-23 are presented for examination. Claims 2, 9, and 16 are independent.
Amended claim(s): 2, 9, 13, 16
Rejection of claims under 35 USC 101 is withdrawn in view of amendments to the claims.
Applicant's arguments, see Applicant Arguments/Remarks filed 8/10/2022, with respect to the claims rejected over the prior art have been fully considered and are persuasive insofar as Cromer does not explicitly disclose a policy applied to a combination of an account associated with the accessor device and the accessor device. However, newly cited art Adam teaches a policy applied to a combination of an account associated with the accessor device and the accessor device (Adam: ¶49, i.e., session policies applied to users and user devices for connecting to services over the network).

Specification
The amendment filed 8/10/22 is objected to under 35 U.S.C. 132(a) because it introduces new matter into the disclosure. 35 U.S.C. 132(a) states that no amendment shall introduce new matter into the disclosure of the invention. The added material that is not supported by the original disclosure is as follows: provide a credential for the accessor device for use in the session based on an in-session policy applied to a combination of an account associated with the accessor device and the accessor device. (Emphasis added). There is no support for the highlighted portion in Applicant's disclosure as originally filed, including ¶0033 as asserted by Applicant in the Remarks filed 8/10/22.
Applicant is required to cancel the new matter in the reply to this Office Action.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 2, 9, 16 and their respective dependent claims are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The amended claims recite: provide a credential for the accessor device for use in the session based on an in-session policy applied to a combination of an account associated with the accessor device and the accessor device. (Emphasis added). There is no support for the highlighted portion in Applicant's disclosure as originally filed, including ¶0033 as asserted by Applicant in the Remarks filed 8/10/22.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 2, 3, 5-11, and 13-23 are rejected under 35 U.S.C. 103 as being unpatentable over US 20080244705 A1 (hereinafter 'Cromer') in view of US 20020062379 A1 (hereinafter 'Widegren') and further in view of US 20060104306 A1 (hereinafter 'Adam').

As regards claim 2, Cromer (US 20080244705 A1) discloses: A privileged access management (PAM) apparatus comprising at least one computing device comprising a hardware processor, the at least one computing device configured to: (Cromer: Fig. 1A, system 100)
push an access application to an endpoint device in response to receiving a first request from an accessor device, wherein the access application is automatically executed by the endpoint device, wherein the endpoint device and the accessor device are separate devices; (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the push server sending application to be installed on the customer system 105 (i.e., the endpoint) at the request of the representative system 103 (i.e., the accessor device), wherein the application is automatically executed by the customer system, and wherein the customer system and the representative system are separate system/devices)
receive a second request to connect from the access application; (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the application is automatically executed on the customer system and the application then establishes a session with the representative system) and establish a session between the accessor device and the access application executed by the endpoint device. (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the application is automatically executed on the customer system and the application then establishes a session with the representative system)
Although Cromer discloses using credentials to communicate over the established sessions, wherein the credentials and sessions are based on session policies, thus disclosing: a credential for the accessor device for use in the session based on an in-session policy (Cromer: Figs 3-4, Table 1, Security Module 273, ¶9, ¶10, ¶56-¶57, i.e., sharing of credentials for the sessions based on session policies such as LDAP, RADIUS, Kerberos and so forth), Cromer does not explicitly disclose providing or granting that credential, i.e., the claimed: provide.
In analogous art, Widegren teaches providing/granting a token (i.e., a credential) to an accessing system based on a policy for an established session (Widegren: Fig. 22, ¶113).
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Cromer to provide/grant a token to an accessing system based on a policy for an established session between the systems, as taught by Widegren, with the motivation to ensure the session is authorized (Widegren: Fig. 22, ¶113).
However, the Cromer/Widegren combination does not explicitly teach, but in analogous art Adam (US 20060104306 A1) teaches: applied to a combination of an account associated with the accessor device and the accessor device. (Adam: ¶49, i.e., session policies applied to users and user devices for connecting to services over the network)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Cromer to include session policies/configurations that are applied to users and devices, as taught by Adam, with the motivation to route user requests over the network (Adam: ¶49).

As regards claim 16, Cromer discloses: A system comprising: a data store comprising an access application; (Cromer: Fig. 1A, system 100, i.e., the push server that contains the applications) an endpoint device; and (Cromer: Fig. 1A, i.e., the customer system 105) a privileged access management (PAM) appliance in communication with the endpoint device and the data store, the PAM appliance comprising a hardware processor and being configured to: (Cromer: Fig. 1A, i.e., system 100) in response to receiving a first request from an accessor device, retrieve the access application from the data store; (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the push server sending application to be installed on the customer system 105 (i.e., the endpoint) at the request of the representative system 103 (i.e., the accessor device), wherein the application is automatically executed by the customer system, and wherein the customer system and the representative system are separate system/devices)
push the access application to the endpoint device; (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the push server sending application to be installed on the customer system 105 (i.e., the endpoint) at the request of the representative system 103 (i.e., the accessor device), wherein the application is automatically executed by the customer system, and wherein the customer system and the representative system are separate system/devices)
receive a second request for connection from the access application; and (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the application is automatically executed on the customer system and the application then establishes a session with the representative system) establish a session between the accessor device and the access application executed by the endpoint device. (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the application is automatically executed on the customer system and the application then establishes a session with the representative system)
Although Cromer discloses using credentials to communicate over the established sessions, wherein the credentials and sessions are based on session policies, thus disclosing: a credential based on an in-session policy (Cromer: Figs 3-4, Table 1, Security Module 273, ¶9, ¶10, ¶56-¶57, i.e., sharing of credentials for the sessions based on session policies such as LDAP, RADIUS, Kerberos and so forth), Cromer does not explicitly disclose providing or granting that credential, i.e., the claimed: grant, to the accessor device, access to a credential.
In analogous art, Widegren teaches providing/granting a token (i.e., a credential) to an accessing system based on a policy for an established session (Widegren: Fig. 22, ¶113), thus teaching: grant, to the accessor device, access to a credential based on an in-session policy.
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Cromer to provide/grant a token to an accessing system based on a policy for an established session between the systems, as taught by Widegren, with the motivation to ensure the session is authorized (Widegren: Fig. 22, ¶113).
However, the Cromer/Widegren combination does not explicitly teach, but in analogous art Adam (US 20060104306 A1) teaches: applied to a combination of an account associated with the accessor device and the accessor device. (Adam: ¶49, i.e., session policies applied to users and user devices for connecting to services over the network)
Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art to modify Cromer to include session policies/configurations that are applied to users and devices, as taught by Adam, with the motivation to route user requests over the network (Adam: ¶49).

Claim 9 recites substantially the same features recited in claims 2 and 16 above, and is rejected based on the aforementioned rationale discussed in the rejection.

As regards claim 3, the Cromer et al. combination discloses the PAM apparatus of claim 2, wherein the at least one computing device is further configured to push the access application to the endpoint device based on at least one of: a system management bus, a remote procedure call, inter process communications, a file transfer protocol, a secure shell, or a hypertext transfer protocol. (Cromer: ¶71)

As regards claim 5, the Cromer et al. combination discloses the PAM apparatus of claim 2, wherein the at least one computing device is further configured to: receive a third request from a second accessor device to access a second endpoint device; (Cromer: Fig. 1A, ¶19, ¶23-¶25, ¶63) receive a fourth request to connect from the other access application; (Cromer: Fig. 1A, ¶19, ¶23-¶25, ¶63) and establish a second session between the second accessor device and the second endpoint device. (Cromer: Fig. 1A, ¶19, ¶23-¶25, ¶63)

As regards claim 6, the Cromer et al. combination discloses the PAM apparatus of claim 2, wherein the endpoint device excludes a pre-installed access client. (Cromer: Fig. 1A, ¶23-¶25, ¶63, i.e., the push server sending the application to be installed on the customer system 105 (i.e., the endpoint) at the request of the representative system 103 (i.e., the accessor device); the application is installed upon request and later deleted, and is therefore not pre-installed)

As regards claim 7, the Cromer et al. combination discloses the PAM apparatus of claim 2, wherein the at least one computing device is further configured to execute a push service to handle operations for pushing the access application to the endpoint device. (Cromer: Fig. 1A, ¶23-¶25, ¶63)

As regards claim 8, the Cromer et al. combination discloses the PAM apparatus of claim 2, wherein the at least one computing device is further configured to manage access rights to the endpoint device. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶63)

As regards claim 10, the Cromer et al. combination discloses the method of claim 9, wherein sending the access application to the endpoint device is performed by a protocol agent on behalf of a privileged access management (PAM) appliance. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶63)

As regards claim 11, the Cromer et al. combination discloses the method of claim 10, wherein the protocol agent communicates with the endpoint device on a local network and communicates with the PAM appliance on a wide-area network. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶63, ¶82-¶83)

As regards claim 13, the Cromer et al. combination discloses the method of claim 12, wherein a PAM appliance establishes the session and the method further comprises managing, via the PAM appliance, access rights to a plurality of endpoint devices including the endpoint device and respective access session traffic. (Cromer: Figs. 1A, 1B, 2B, Table-1, ¶19-¶25, ¶43, ¶52-¶52, ¶63)

As regards claim 14, the Cromer et al. combination discloses the method of claim 9, further comprising determining an in-session policy for the session, wherein the in-session policy grants or denies access to at least one of: a tool, a command, or a resource for the endpoint. (Cromer: Figs. 1A, 1B, Table-1, ¶19-¶25, ¶43, ¶52-¶52, ¶63)

As regards claim 15, the Cromer et al. combination discloses the method of claim 9, wherein sending the access application to the endpoint device is performed by the accessor device. (Cromer: Figs. 1A, 1B, Table-1, ¶19-¶25, ¶43, ¶52-¶52, ¶63)

As regards claim 17, the Cromer et al. combination discloses the system of claim 16, wherein the endpoint device is configured to: receive the access application from the PAM appliance; and (Cromer: Figs. 1A, 1B, Table-1, ¶19-¶25, ¶43, ¶52-¶52, ¶63) in response to receiving the access application, automatically execute the access application. (Cromer: Figs. 1A, 1B, Table-1, ¶19-¶25, ¶43, ¶52-¶52, ¶63)

As regards claim 18, the Cromer et al. combination discloses the system of claim 16, further comprising a protocol agent in communication via a local area network with the endpoint device, wherein the access application is pushed to the endpoint device via the protocol agent. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶43, ¶63, ¶82-¶83)

As regards claim 19, the Cromer et al. combination discloses the system of claim 16, further comprising a protocol agent configured to: connect to the endpoint device using a first protocol via the first network; and (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶43, ¶63, ¶82-¶83) connect to the PAM appliance using a second protocol via a second network. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶43, ¶63, ¶82-¶83)

As regards claim 20, the Cromer et al. combination discloses the system of claim 16, further comprising a protocol agent configured to convert an access protocol used by the PAM appliance to another protocol used by the endpoint device. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶43, ¶63, ¶82-¶83)

As regards claim 21, the Cromer et al. combination discloses the system of claim 16, wherein the PAM appliance is further configured to establish a persistent connection to a protocol agent based on a certificate based authentication. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶43, ¶63, ¶66-¶67, ¶82-¶83)

As regards claim 22, the Cromer et al. combination discloses the PAM apparatus of claim 2, wherein establishing the session comprises providing the accessor device with real time access control to resources of the endpoint device. (Cromer: Figs. 1A, 1B, ¶19-¶25, ¶43, ¶63, ¶66-¶67, ¶82-¶83)

As regards claim 23, the Cromer et al. combination discloses the method of claim 9, further comprising assigning the in-session policy to the accessor device. (Cromer: Figs 3-4, Table 1, Security Module 273, ¶9, ¶10, ¶56-¶57, ¶63, ¶82-¶83. See also, Widegren: Fig. 22, ¶113)
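For orientation on the mechanism at issue in the rejections of claims 2, 14 and 23, the following is an added illustration written for this edited copy; it is not code from the application, from Cromer, Widegren or Adam, and it is not part of the Office action. It models a PAM appliance that, once the pushed access application has called back, establishes the session, looks up an in-session policy keyed on the combination of account and accessor device (rather than on the account alone), releases a session-bound credential only when that pairing is entitled to one, and then grants or denies tools and commands under that policy. The policy table, scope names, the HMAC-based credential format and the appliance key are all assumptions made for the example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Demonstration key for the PAM appliance. A real appliance would keep this in an HSM or KMS (assumption).
APPLIANCE_KEY = b"demo-only-pam-appliance-key"


@dataclass(frozen=True)
class Principal:
    """The accessor: an account together with the device it connects from."""
    account: str
    device_id: str


@dataclass(frozen=True)
class InSessionPolicy:
    """What the accessor may do inside an established session."""
    allowed_tools: FrozenSet[str]
    denied_commands: FrozenSet[str]
    credential_scope: Optional[str]   # None: no credential is released for this (account, device) pairing


# Constructed policy table keyed on the (account, device) combination.
POLICIES = {
    ("alice", "laptop-0451"): InSessionPolicy(
        allowed_tools=frozenset({"shell", "file-transfer"}),
        denied_commands=frozenset({"rm -rf /", "shutdown"}),
        credential_scope="sudo@db01",
    ),
    # Same account from an unmanaged kiosk: shell only, no privileged credential.
    ("alice", "kiosk-0999"): InSessionPolicy(
        allowed_tools=frozenset({"shell"}),
        denied_commands=frozenset({"rm -rf /", "shutdown", "sudo"}),
        credential_scope=None,
    ),
}


@dataclass
class Session:
    session_id: str
    principal: Principal
    endpoint: str
    policy: InSessionPolicy
    credential: Optional[str] = None


def lookup_policy(principal: Principal) -> Optional[InSessionPolicy]:
    """Exact match on the (account, device) pair; deliberately no account-only fallback."""
    return POLICIES.get((principal.account, principal.device_id))


def mint_credential(session_id: str, principal: Principal, scope: str) -> str:
    """Session-bound credential: an HMAC tag over session id, account, device and scope (assumed format)."""
    msg = "|".join([session_id, principal.account, principal.device_id, scope]).encode()
    tag = hmac.new(APPLIANCE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{scope}:{session_id}:{tag}"


def verify_credential(credential: str, session: Session) -> bool:
    """Endpoint-side check that a presented credential was minted for exactly this session."""
    if session.policy.credential_scope is None:
        return False
    expected = mint_credential(session.session_id, session.principal, session.policy.credential_scope)
    return hmac.compare_digest(credential, expected)


def establish_session(principal: Principal, endpoint: str, access_app_connected: bool,
                      session_id: Optional[str] = None) -> Session:
    """Establish the accessor-to-endpoint session after the pushed access application has requested
    a connection, then provide a credential according to the policy for this (account, device) pair."""
    if not access_app_connected:
        raise PermissionError("access application on the endpoint has not requested a connection")
    policy = lookup_policy(principal)
    if policy is None:
        raise PermissionError(f"no in-session policy for {principal.account} on {principal.device_id}")
    session = Session(session_id or secrets.token_hex(8), principal, endpoint, policy)
    if policy.credential_scope is not None:
        session.credential = mint_credential(session.session_id, principal, policy.credential_scope)
    return session


def authorize_action(session: Session, tool: str, command: str) -> bool:
    """In-session enforcement: grant or deny a tool/command under the session's policy."""
    if tool not in session.policy.allowed_tools:
        return False
    return not any(command.strip().startswith(denied) for denied in session.policy.denied_commands)


if __name__ == "__main__":
    managed = establish_session(Principal("alice", "laptop-0451"), "db01", True, "s1")
    kiosk = establish_session(Principal("alice", "kiosk-0999"), "db01", True, "s2")
    print(managed.credential is not None, kiosk.credential)   # True None
    print(authorize_action(managed, "shell", "rm -rf /"))      # False
```

The point the example makes concrete is the one the examiner relies on Adam for: the same account receives a different policy, and in one case no credential at all, depending on which device it arrives from, and the credential that is released is bound to the session identifier so it cannot be replayed from another session.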

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SYED A ZAIDI whose telephone number is (571)270-5995. The examiner can normally be reached Monday-Thursday: 5:30AM-5:30PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/SYED A ZAIDI/Primary Examiner, Art Unit 2432