Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in an interview with Christopher B. Anderson (Reg. No: 77,898) on 08/29/2022. 

CLAIMS
The application has been amended as follows: 
1.	(Currently Amended) A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for securely establishing secretless and remote native access sessions, the operations comprising:
identifying a client configured to participate in a remote native access session with a target resource, the target resource requiring a credential for secure access by the client, wherein the client has a remote access protocol file including information for establishing a secure tunnel connection using a native remote access client without using the credential, wherein the remote access protocol file includes:
an indication of a target host associated with the target resource, wherein [[and]] the indication of the target host is modified to include an identifier associated with the client, the identifier being distinct from the credential; and
at least one of a field or a designated space for the credential, the field or the designated space being blank or including default text other than the credential;
sending a prompt to the client to establish the secure tunnel connection with a connection agent using the identifier associated with the client;
authenticating the client using a mobile device associated with the client;
accessing target identity information associated with one or more target resources;
receiving from the client, via the secure tunnel connection, a request to access the target resource, the request including a token, the token identifying the target resource from among the one or more target resources based on a selection of the target resource through the mobile device;
obtaining the credential based on the token and an account selected by a user through the mobile device, wherein obtaining the credential includes accessing the credential from a credentials vault; and
initiating, using the credential, a remote native access session between the client and the target resource.
2.	(Previously Presented) The non-transitory computer readable medium of claim 1, wherein the indication of the target host is modified by the client.
3.	(Canceled).
4.	(Original) The non-transitory computer readable medium of claim 1, wherein the credential is obtained in a secretless manner from the perspective of the client.
5.	(Canceled).
6.	(Canceled).
7.	(Previously Presented) The non-transitory computer readable medium of claim 1, wherein the one or more target resources are identified based on access rights of the client.
8.	(Previously Presented) The non-transitory computer readable medium of claim 1, wherein the one or more target resources are identified based on the authentication of the client.
9.	(Original) The non-transitory computer readable medium of claim 1, wherein the remote access protocol file is a remote desktop protocol.
10.	(Previously Presented) The non-transitory computer readable medium of claim 1, wherein the credential includes at least one of a username, an SSH key, an access token, a security token, or a password and the identifier associated with the client is at least one of: a mobile telephone number, an email address, or a custom identifier created by the client.
11.	(Currently Amended) A computer-implemented method for securely establishing secretless and remote native access sessions, the method comprising:
identifying a client configured to participate in a remote native access session with a target resource, the target resource requiring a credential for secure access by the client, wherein the client has a remote access protocol file including information for establishing a secure tunnel connection using a native remote access client without using the credential, wherein the remote access protocol file includes:
an indication of a target host associated with the target resource, wherein [[and]] the indication of the target host is modified to include an identifier associated with the client, the identifier being distinct from the credential; and
at least one of a field or a designated space for the credential, the field or the designated space being blank or including default text other than the credential;
sending a prompt to the client to establish the secure tunnel connection with a connection agent using the identifier associated with the client;
authenticating the client using a mobile device associated with the client;
accessing target identity information associated with one or more target resources;
receiving from the client, via the secure tunnel connection, a request to access the target resource, the request including a token, the token identifying the target resource from among the one or more target resources based on a selection of the target resource through the mobile device;
obtaining the credential based on the token and an account selected by a user through the mobile device, wherein obtaining the credential includes accessing the credential from a credentials vault; and
initiating, using the credential, a remote native access session between the client and the target resource.
12.	(Canceled).
13.	(Original) The computer-implemented method of claim 11, wherein the credential is obtained without making the credential available to the client.
14.	(Canceled).
15.	(Canceled).
16.	(Previously Presented) The computer-implemented method of claim 11, further comprising sending to the client data for generating a selectable menu of the one or more target resources, the target resource being selected through the selectable menu.
17.	(Previously Presented) The computer-implemented method of claim 16, wherein the selectable menu of the one or more target resources comprises icons and identifying data associated with the one or more target resources.
18.	(Original) The computer-implemented method of claim 11, wherein the authentication of the client is performed according to at least one of: OpenID or Security Assertion Markup Language.
19.	(Original) The computer-implemented method of claim 11, wherein the connection agent is located in a local network in which the target resource is also located.
20.	(Original) The computer-implemented method of claim 11, wherein the connection agent is located in a virtualized network in which the target resource is also located.
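The flow recited in independent claims 1 and 11, modelled as an added example that is not the applicant's code or any disclosed implementation; the .rdp keys are standard, while the identifier-in-host convention, agent host name, vault contents and token table are assumptions made for illustration:

```python
# Added example, not the applicant's or any product's code: a toy model of the
# claimed flow where a connection agent, not the client, holds the secret. The
# .rdp keys "full address", "username", "password 51" are standard; the
# "<identifier>@<agent host>" convention, vault, tokens and hosts are constructed.
RDP_FILE = """\
full address:s:alice@agent.corp.example
username:s:
password 51:b:
"""
AGENT_HOST = "agent.corp.example"
VAULT = {("db01.corp.example", "svc_admin"): "vault-held-secret"}
TOKENS = {"tok-42": "db01.corp.example"}  # token -> target chosen on the mobile device

def parse_rdp(text):
    """Parse 'key:type:value' lines of an .rdp file into a dict of key -> value."""
    out = {}
    for line in text.splitlines():
        if line.count(":") >= 2:
            key, _typ, value = line.strip().split(":", 2)
            out[key] = value
    return out

def extract_identifier(rdp):
    """Return the client identifier embedded in the modified target-host field."""
    ident, sep, host = rdp.get("full address", "").rpartition("@")
    if not sep or host != AGENT_HOST or not ident:
        raise ValueError("host field does not carry an identifier for the agent")
    return ident

def credential_fields_blank(rdp, placeholders=("", "secretless")):
    """The file must not carry the real secret: blank or default text only."""
    return all(rdp.get(k, "") in placeholders for k in ("username", "password 51"))

def establish_session(rdp_text, mobile_authenticated, token, account):
    """Agent-side steps of the claim; the credential never returns to the client."""
    rdp = parse_rdp(rdp_text)
    if not credential_fields_blank(rdp):
        raise ValueError("client file carries a credential; refusing")
    ident = extract_identifier(rdp)              # tunnel is keyed by this identifier
    if ident not in mobile_authenticated:        # authenticated via the mobile device
        raise PermissionError("client not authenticated")
    target = TOKENS.get(token)                   # token selects the target resource
    secret = VAULT.get((target, account))        # credential fetched from the vault
    if target is None or secret is None:
        raise PermissionError("no target or vault entry for this request")
    # The agent opens the native session with `secret` itself; the client gets metadata.
    return {"client": ident, "target": target, "account": account}
```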

Examiner’s Statement of Reasons for Allowance
Claims 1-2, 4, 7-10, 11, 13 and 16-20 (renumbered as claims 1-14) are allowed. 
The present invention is directed to: systems and methods for securely establishing secretless and remote native access sessions. Techniques include identifying a client configured to participate in remote native access sessions, wherein the client has a remote access protocol file that has been modified to include an identifier associated with the client; sending a prompt to the client to establish a secure tunnel connection with a connection agent using the identifier associated with the client; and authenticating the client. The techniques may further include accessing target identity information associated with one or more target resources; receiving from the client a token that identifies a target resource from among the one or more target resources; obtaining, based on the token, a credential required for secure access to the target resource; and initiating, using the credential, a remote native access session between the client and the target resource.
The closest prior art, as previously recited, are Innes et al (“Innes,” US 20210021605), Hoover et al (“Hoover,” US 20070061887), Mathew et al (“Mathew,” US 20180077243) in view of Will et al (“Will,” US 20210099451) and further in view of Lee et al (“Lee,” US 20150039908). 
Innes is directed to: methods and systems for granting or denying a client device access to one or more resources in a remote computing environment are described herein. A computing device may receive from an identity provider a token authenticating that a user of a client device is at a first location. The computing device may determine, based on the token, one or more labels for a session associated with the user. Each label of the one or more labels is associated with a corresponding security group. Based on the one or more labels, the user of the client device may be granted access to sensitive data.
Hoover is directed to: smart tunneling of resources in a network where a client computer hosts a virtual private network tool to establish a virtual private network connection with a remote network. Upon startup, the virtual private network tool collects critical network information for the client computer, and sends this critical network information to an address assignment server in the remote network. The address assignment server compares the critical network information with a pool of available addresses in the remote network, and assigns addresses for use by the client computer that do not conflict with the addresses for local resources. The address assignment server also provides routing information for resources in the remote network to the virtual private network tool. The virtual private network tool will postpone loading this routing information into the routing tables of the client computer until the client computer requests access to a specific resource in the remote network. When the client computer requests access to a specific resource in the remote network, the virtual private network tool will only provide the routing table with the routing information for that specific remote resource.
Mathew is directed to: providing users of an access management system the capability to manage the user's active sessions. The system may receive a first request by a user at a first device to modify one or more sessions established for the user. The system may access session information about the one or more sessions that are associated with the user, wherein a session of the one or more sessions provides the user with access to one or more resources. The system may send the session information to the first device, the session information causing the first device to display a graphical interface including the session information about the one or more sessions. The system may receive, from the first device, a second request indicating a modification to the session. The system may modify the session in accordance with the modification indicated in the second request.
Will is directed to: an authentication system includes an authentication module maintaining a store of credentials for a set of users. In response to an identity specified by credentials provided from a requestor address not being found in the store of credentials, the authentication module transmits an authentication failure response. In response to the provided credentials matching selected credentials, the authentication module transmits an authentication success response. The authentication system includes an analyzer module configured to determine a number of identity-not-found failures corresponding to a first address, identify a triggering event in response to the number exceeding a predetermined threshold, and, in response to the triggering event, add the first address to a block list. The authentication system includes a query module configured to, in response to a query for a specified address, determine whether the specified address is present in the block list and, if so, instruct transmission of the authentication failure response.
Lee is directed to: a method for utilizing a secure credential vault on a mobile computing device includes: prompting a user for and receiving from the user a credential vault password; prompting a user for and receiving a near-field communication (NFC) security token from a NFC-enabled device; verifying the credential vault password and the received NFC security token; and opening a secure session with the secure credential vault in response to successful verification.
For example, none of the cited prior art teaches or suggests the steps of independent claims 1 and 11: wherein the client has a remote access protocol file including information for establishing a secure tunnel connection using a native remote access client without using the credential, wherein the remote access protocol file includes: an indication of a target host associated with the target resource, wherein the indication of the target host is modified to include an identifier associated with the client, the identifier being distinct from the credential; and at least one of a field or a designated space for the credential, the field or the designated space being blank or including default text other than the credential; sending a prompt to the client to establish the secure tunnel connection with a connection agent using the identifier associated with the client; authenticating the client using a mobile device associated with the client; accessing target identity information associated with one or more target resources; receiving from the client, via the secure tunnel connection, a request to access the target resource, the request including a token, the token identifying the target resource from among the one or more target resources based on a selection of the target resource through the mobile device; obtaining the credential based on the token and an account selected by a user through the mobile device, wherein obtaining the credential includes accessing the credential from a credentials vault.
Therefore, the claims are allowable over the cited prior art. 
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu T. Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/JAMES J WILCOX/Examiner, Art Unit 2439  

/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439