Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 9/2/2022 has been entered. Claims 1, 5, 10, 14 and 19 are amended. Claims 1, 2, 4-11 and 13-20 are pending.
Response to Arguments
Examiner’s Remarks - - 35 USC § 103 - Independent claims 1, 10 and 19
The applicant has amended each independent claim to recite the feature(s) of, “and responsive to a request from a user, perform a policy lookup for the user and the user device to determine if the user and the user device are authorized and based on the policy”.  The examiner introduces the teachings of prior art reference, Thomson et al. (US Patent Publication No. 2011/0173674), to the record in response to the amendment. Thomson teaches the use of a lookup structure for determining applicable policy data. See rejection below.   

Examiner’s Remarks - - 35 USC § 103 - Dependent claims 5 and 14
The applicant has amended dependent claims 5 and 14 to recite the feature(s) of, “perform the user and user device policy lookup”.  The examiner introduces the teachings of prior art reference, Thomson et al. (US Patent Publication No. 2011/0173674), to the record in response to the amendment. Thomson teaches the use of a lookup structure for determining applicable policy data. See rejection below.   
 Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1, 2, 4-11, 13-20 are rejected under 35 U.S.C. 103 as being unpatentable over Joshi et al. (US Patent Publication No. 2013/0212486 and Joshi hereinafter) in view of Sama et al. (US Patent Publication No. 2016/0036920 and Sama hereinafter) and further in view of Thomson et al. (US Patent Publication No. 2011/0173674 and Thomson hereinafter).

As to claims 1, 10 and 19, Joshi teaches a secure application access system comprising:
a lightweight connector comprising a network interface (i.e., ... illustrates in figure 14, figure element 302, "connector"),
a processor communicatively coupled to the network interface (i.e., ... illustrates in figure 14 devices with processors and interfaces ... further teaches in par. 0146 the following: "Session connector 302 may be implemented as one or more computing devices. In some examples, session connector 302 may be realized as a MobileSpan Session Connector cloud-based service."),
and memory storing instructions that, when executed, cause the processor to connect to a cloud-based system (i.e., …teaches in par. 0146 the following: "a cloud-based session connector 302."), via the network interface (i.e., ... see figure 14 that illustrates a network interface),
connect to one or more of a file share and an application (i.e., ... see figure 14 that illustrates a connector to files and applications), via the network interface (i.e., ... see figure 14 that illustrates a network interface),
wherein the lightweight connector is associated with specific applications or file shares (i.e., ... teaches in par. 0146 the following: "Session connector 302 may be implemented as one or more computing devices. In some examples, session connector 302 may be realized as a MobileSpan Session Connector cloud-based service." ... the examiner notes that connector is associated with the specific application of), 
perform one of i) prevent the user from seeing the one or more of the file share and the application (i.e., ... teaches in par. 93 the following: "[0093] Some commands may be considered inappropriate for mobile device 12, and may therefore be disabled. Graphical user interface elements for performing such commands may be hidden, greyed out and thereby unselectable, or removed entirely from the display by native application simulator 54. Therefore, native application simulator 54 may hide or remove this element. As another example, native application simulator 54 may disable user interface controls based on policies, such as preventing unlocking of a password protected document by omitting display of a screen to enter the password. Likewise, lesser-used commands may be removed (e.g., by configuration or dynamically) to reduce clutter. These removed commands may be replaced in a separate user interface window that the user may specifically request."),
and ii) provide access to a user device to the one or more of the file share and the application via a stitched connection between the network interface and the user device through the cloud-based system (i.e., teaches in par. 0141 the following: "a user can open a document, sales record, or other item or resource hosted on a cloud service like Box.net, Google Docs, and/or Salesforce.com. Mobile device 12 may open a viewer and editor for the document, such as graphical user interface 270. This viewer is a native application for mobile device 12 (such as a native browser for an iPad), so viewing, scrolling, and editing are natively handled by mobile device 12, and may be incredibly responsive." further teaches in par. 0146 the following: "In this example, system 300 includes enterprise 308, which includes one or more remote computing devices that maintain resources, as well as mobile devices 304 and a cloud-based session connector 302. Session connector 302 may be implemented as one or more computing devices. In some examples, session connector 302 may be realized as a MobileSpan Session Connector cloud-based service. Session connector 302 may assist in session establishment between mobile devices 304 and computing devices within enterprise 308. For example, session connector 302 may help a PC inside enterprise 308 and an authorized one of mobile devices 304 to find each other and to negotiate a secure end-to-end encrypted tunnel. When possible, this tunnel may be created directly between the PC and the mobile device. Otherwise, session connector 302 may act as a data relay of encrypted data.". The examiner notes that the session connector stitches together the communication connection to each endpoint).

Joshi does not expressly teach:
wherein the lightweight connector is configured to only dial out for connections over the Internet via the cloud-based system and is configured to reject inbound connections of any kind.
In this instance the examiner notes the teachings of prior art reference Sama.
Sama teaches in par. 0028 the following: "The tenant application may establish a secured outbound connection to the connector service. "Outbound" means that the secured connection is initiated by the tenant application within the tenant's communication system. This relieves the configuration concern for deployment for not having to drill a hole in the firewall. The outbound connection may be secured, for example, using transaction layer security (TLS) secured TCP/IP or using standard secure HTTPS protocols. This approach may avoid the need to drill any firewall holes in the tenant's network for inbound connections. Thus, the tenant's communication system may not admit or process inbound connection requests. This limits the exposure of the tenant's communication system to the cloud, and may provide additional security against flooding denial of service (DoS) attacks against the tenant's communication system." ... further teaches in par. 0037 the following: "the tenant application 100 may initiate the establishment of the bridge 150, and the tenant application 100 may not respond to inbound connection requests from external communication systems, which may enhance the security and/or stability of the tenant's private communication system 10.".
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Joshi with the teachings of Sama by having their system comprise connection control access. One would have been motivated to do so to provide a simple and effective means to further secure the network, wherein the connection control access helps identify and prevent intrusion, making it easier to ensure system integrity.

The system of Joshi and Sama does not expressly teach:
	and responsive to a request from a user, perform a policy lookup for the user and the user device to determine if the user and the user device are authorized and based on the policy.
In this instance the examiner notes the teachings of prior art reference Thomson. 
Thomson teaches in par. 0034 the following: “look-up table or the like associating various target devices, including the target device 111, with respective data sources and addresses containing user information.”. Thomson teaches in par. 0036 the following: “maintain a list or look-up table of data source potentially having user information and substitute a short identifier for each data source, e.g., including the authorization policy server 122 and the device capability server 123. … Accordingly, the location server 115 is able to identify the authorization policy server 122 and the device capability server 123 using only the unique identifier associated with the target device 111”. Teaches in par. 0043 the following: “confirm that the application 134 is permitted to retrieve the location of the target device 111 using the policy information”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Joshi and Sama with the teachings of Thomson by having their system comprise lookup structures. One would have been motivated to do so to provide a simple and effective means to provide secure communication, wherein the lookup structure helps identify correct policy information for an authorized user and device to make it easier to ensure system security.

As to claims 2 and 11, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches secure application access system of claim 1, wherein the lightweight connector is in front of the file share and the application (i.e., …teaches in par. 0146 the following: “Session connector 302 may assist in session establishment between mobile devices 304 and computing devices within enterprise 308. For example, session connector 302 may help a PC inside enterprise 308 and an authorized one of mobile devices 304 to find each other and to negotiate a secure end-to-end encrypted tunnel.”.).

3. (Canceled)

As to claims 4 and 13, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches secure application access system of claim 1, wherein the cloud-based system includes a plurality of cloud nodes with the user device and the network interface each connected to a different cloud node (i.e., …teaches in par. 00148 the following: “cloud sources,”).

As to claims 5 and 14, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches a secure application access system of claim 4, wherein the cloud-based system includes a central authority configured to perform the user and user device policy lookup and form the stitched connection (i.e., teaches in par. 0141 the following: "a user can open a document, sales record, or other item or resource hosted on a cloud service like Box.net, Google Docs, and/or Salesforce.com. Mobile device 12 may open a viewer and editor for the document, such as graphical user interface 270. This viewer is a native application for mobile device 12 (such as a native browser for an iPad), so viewing, scrolling, and editing are natively handled by mobile device 12, and may be incredibly responsive." further teaches in par. 0146 the following: "In this example, system 300 includes enterprise 308, which includes one or more remote computing devices that maintain resources, as well as mobile devices 304 and a cloud-based session connector 302. Session connector 302 may be implemented as one or more computing devices. In some examples, session connector 302 may be realized as a MobileSpan Session Connector cloud-based service. Session connector 302 may assist in session establishment between mobile devices 304 and computing devices within enterprise 308. For example, session connector 302 may help a PC inside enterprise 308 and an authorized one of mobile devices 304 to find each other and to negotiate a secure end-to-end encrypted tunnel. When possible, this tunnel may be created directly between the PC and the mobile device. Otherwise, session connector 302 may act as a data relay of encrypted data.". The examiner notes that the session connector stitches together the communication connection to each endpoint).

The system of Joshi and Sama does not expressly teach:
	perform the user and user device policy lookup.
In this instance the examiner notes the teachings of prior art reference Thomson. 
Thomson teaches in par. 0034 the following: “look-up table or the like associating various target devices, including the target device 111, with respective data sources and addresses containing user information.”. Teaches in par. 0036 the following: “maintain a list or look-up table of data source potentially having user information and substitute a short identifier for each data source, e.g., including the authorization policy server 122 and the device capability server 123. … Accordingly, the location server 115 is able to identify the authorization policy server 122 and the device capability server 123 using only the unique identifier associated with the target device 111”. Teaches in par. 0043 the following: “confirm that the application 134 is permitted to retrieve the location of the target device 111 using the policy information”.
Thus, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to implement the teaching of Joshi and Sama with the teachings of Thomson by having their system comprise lookup structures. One would have been motivated to do so to provide a simple and effective means to provide secure communication, wherein the lookup structure helps identify correct policy information for an authorized user and device to make it easier to ensure system security.

As to claims 6 and 15, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches a secure application access system of claim 1, wherein the one or more of the file share and the application are located in an enterprise network and the user device is located remote from the enterprise network (i.e., …figure 14 illustrates a plurality of networks).

As to claims 7 and 16, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches a secure application access system of claim 6, wherein the user device is associated with a user having specific access rights such that the user device only has visibility of the one or more of the file share and the application, based on configuration of the specific access rights (i.e., Joshi teaches as part of his claim 1 elements the following: “data indicative of relationships between accesses to resources”.).

As to claims 8 and 17, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches a secure application access system of claim 1, wherein the one or more of the file share and the application are located in a data center and the user device is located remote from the data center (i.e., …figure 14 illustrates a plurality of networks).

As to claims 9, 18 and 20, the system of Joshi, Sama and Thomson as applied to claim 1 above teaches network communication, specifically Joshi teaches a secure application access system of claim 1, wherein the instructions that, when executed, cause the processor to receive a query for discovery, and respond to the query based on the one or more of the file share and the application connected thereto (i.e., …teaches in par. 0010 the following: “a request to access a resource”).

12. (Canceled)
Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRYAN F WRIGHT whose telephone number is (571)270-3826.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni Shiferaw can be reached on (571)272-3867.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/BRYAN F WRIGHT/Examiner, Art Unit 2497