DETAILED ACTION
This Action is in consideration of the Applicant’s response on July 7, 2022. Claims 1-5, 8, 10-12, 14, and 15-17 are amended. Claims 1-20, where Claims 1, 10, and 15 are in independent form, are presented for examination. 

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
Applicant's amendment filed on July 7, 2022 have been fully considered.  The amendment includes: 
Abstract has been amended to remove phrases which can be implied and the objection thereto is now moot; 
Claim 2 has been amended to change “the second application” to “the complied second application”, and the objection is now moot. 
Claim 14 has been amended and the 112(b) rejection is now moot. 

Response to Arguments
Applicant’s arguments filed on July 7, 2022 with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.


Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 4 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. 
Claim 4 recites the limitation “sending the key”. There is insufficient antecedent basis for this limitation in the claim. Because claim 1 recites no “sending the key”. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Barton et al. (US 2014/0109171, hereinafter “Barton”) in view of Barton et al. (US 2014/0298420, hereinafter “Barton2”), further in view of Courage et al. (US 2015/0121462, hereinafter “Courage”).
Regarding claim 1, Barton discloses a method comprising: 
based on receiving [[0146], When a user executes a managed application on the mobile device, the user is typically challenged to authenticate the user's identity along with passwords and other factors as dictated by corporate rules.; [0147] For example, the enterprise may grant a certificate to a mobile device when applicable policy information allows the device (or application) to access a particular resource that requires a certificate administered by the enterprise.], by a server and from a first application  executing on a first portion [Fig. 5, a unmanaged partition] of a computing device, a token [ticket, certificate]: 
generating a key [[0149], At step 1001, an access gateway (or MRM server) may update policy information. The policy information may be related to or be for a particular application installed a particular user's mobile device. The Examiner construes a key to be the same as the policy information related to the application of the prior art.]; 
storing [[0150], The listing of tickets or listing of applications may also be associated with information identifying the user of the mobile device and/or any credentials used to authenticate the user.; [0151], Furthermore, such information may be created, accessed, modified and/or stored by the access gateway based on one or more risk score.], in a database, an association between the token [ticket, certificate], and the key [the policy information related to the application]; and
 wherein the second portion of the computing device is prevented by a security policy from interacting with the first portion of the computing device [[0072] The operating system of the mobile device may be separated into a managed partition 510 and an unmanaged partition 512. Stated differently, by enforcing policies on managed apps, those apps may be restricted to only be able to communicate with other managed apps and trusted enterprise resources, thereby creating a virtual partition that is impenetrable by unmanaged apps and devices.]; 
retrieving [[0156] In connection with or when requesting a per-application policy-controlled VPN tunnel, a mobile device may transmit a copy of a ticket to the access gateway and/or an identification of the application that is requesting the enterprise resource. The access gateway may compare the copy of the ticket to the listing of tickets and, if the ticket is present on the listing, reply with an acknowledgement or an indication that the ticket has been validated by the access gateway.], from the database and using the key, the token; and 
sending [[0154] At step 1007, the access gateway may transmit a ticket to the mobile device. … As another example, the access gateway may update the listing of applications with an identification of the application that the ticket was issued to.; [0155]  For example, if the ticket is included in the policy information, the ticket would be transmitted when transmitting the updated policy information.], to the second portion of the computing device and in response to the request, the token.  
Barton does not appear to explicitly disclose compiling a second application, wherein the compiled second application is configured to, when executed by the computing device, transmit a request, for the token that comprises the key; sending, by the server and to a second portion of the computing device, the compiled second application; and receiving, from the compiled second application executing in the second portion of the computing device, the request, for the token, that comprises the key.
However, Barton2 discloses compiling a second application [[0148] The enterprise may use a toolkit to prepare a mobile application as a managed mobile application (block 1002). The toolkit may add functionality (e.g., the MDX framework) that transforms the mobile application into a managed mobile application (block 1004). … The functionality added to the managed mobile application may include functionality that enables the managed mobile application to extract, arrange, and combine the embedded identification tokens in order to construct an application signature. The Examiner construes preparing a managed mobile application and adding functionalities thereto as compiling a second application. ]; and 
sending [Fig. 10, Blocks 1010-1018; [0149] The enterprise may then publish the managed mobile application to the enterprise application server along with the application metadata and any application policies associated with the mobile application (block 1010). The enterprise application server may receive a request from a mobile device to download a selected mobile application (block 1012). … the enterprise application server may download the selected mobile application to the mobile device in response to receipt of the request (1018)], by the server and to a second portion of the computing device, the compiled second application [managed mobile application].
Barton and Barton2 are both considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Barton to incorporate the teachings of Barton2, provide an access manager operating at a mobile device to validate a mobile application installed at the mobile device and prevent or permit access to the computing resource, such that individuals associated with the enterprise may advantageously utilize remote and local computing resources with their personal mobile devices. [Barton2, Abstract and paragraphs [0009]-[0014]; Abstract, An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.].
Further, both of Barton and Bartion2 does not appear to explicitly disclose: wherein the compiled second application is configured to, when executed by the computing device, transmit a request, for the token that comprises the key; and receiving, from the compiled second application executing in the second portion of the computing device, the request, for the token, that comprises the key.
However, Courage discloses, wherein the compiled second application [Fig. 1, a packaged application 130] is configured to, when executed by the computing device, transmit a request, for the token [[0055] Method 500 may include receiving an application's request for access to a user's cloud- or network-based account (510). The application may be a packaged natively-operating application installed on the user's computing device. Receiving the application's request may involve providing an identity application programming interface (API) to receive and process the application's request.], that comprises the key [OAuth client ID and an array of scopes with the access token request; [0050] Packaged application 410 may pass in its OAuth client ID and an array of scopes with the access token request to Chrome runtime 420. ]; and 
receiving [[0050] In process 400, packaged application 410 may issue an access token request (e.g., identity.GetAuthToken) to Chrome runtime 420 to get an access token to access the user's service account (e.g., at accounts. xyz.com) (41). ... Chrome runtime 420 may then direct a call for the access token (e.g., oauth.v2.IssueToken) to Identity Provider API 180 at authorization provider server 430 (e.g., xyz.apis.com) using the user's credentials or token-based user credentials (42).], from the compiled second application [packaged application 410 ] executing in the second portion of the computing device, the request [an access token request], for the token, that comprises the key [[0050] OAuth client ID and an array of scopes with the access token request].
Barton and Courage are both considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Barton to incorporate the teachings of Courage, provide a method returning an access token obtained by a web application to a packaged application (a native or natively-operating application) and allowing the packaged application to access a user’s cloud- or network-based account.  [Courage, Abstract,  A method includes receiving a packaged application's request for access to a user's cloud- or network-based account. The packaged application runs outside a web browser on a computing device. If there is an outstanding user consent to access by the packaged application to the user's cloud- or network-based account, the method includes returning an access token to the packaged application. The access token gives the packaged application access to the user's cloud- or network-based account. If there is no outstanding user consent to access by the packaged application to the user's cloud- or network-based account, the method includes presenting a web-based user consent dialog in a webview container in an identity component application installed on the computing device.].

Regarding claim 2, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein the compiled second application comprises an authentication application  [Courage, [0012] A packaged app running outside a web browser on a user's computing device may request access to protected user data in a web account of the user. The request may be subject to user authentication and approval or consent.].

Regarding claim 3, the combination of Barton, Barton2, and Courage discloses the method of claim 1,  wherein compiling the second application comprises signing the second application with a second key [Barton 2, [0148] The functionality added to the managed mobile application may include functionality that enables the managed mobile application to extract, arrange, and combine the embedded identification tokens in order to construct an application signature. The functionality added to the managed mobile application may also include functionality that enables the managed mobile application to derive identification tokens dynamically as well as to arrange and combine the derived identification tokens with the embedded identification tokens when constructing the application signature. Furthermore, the functionality added to the managed mobile application may additionally include functionality that enables the managed mobile application to generate a hash value based, at least in part, on the application signature. The Examiner construes signing the second application to be same as adding to the managed mobile application functionality that enables the managed mobile application to extract, arrange, and combine the embedded identification tokens in order to construct an application signature of the prior art.]

Regarding claim 4, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein sending the key comprises: 
sending, to a mobile device management application configured to manage the second portion of the computing device, the compiled second application [Barton2, [0167] Once the mobile device is enrolled, the MDM system may leverage the managed relationship to enforce policies, monitor the mobile device, push information to the mobile device, and the like.; [0171] It will be appreciated that the MDM system may additionally leverage the managed relationship to push mobile applications to the managed mobile device in order to control which mobile applications are installed at the mobile device.].

Regarding claim 5, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein sending the compiled second application comprises: 
sending, to the second portion of the computing device, a Uniform Resource Locator (URL) which, when accessed by a web browser executing in the second portion of the computing device, provides the compiled second application [Barton2, [0144] The access manager may provide the user with an interface from which to browse the enterprise application server (e.g., the enterprise application store) and select various managed mobile applications to download to the mobile device. … In this way, the managed mobile applications presented to the user as available to download depend upon the rights and entitlements assigned to the user, e.g., the enterprise application server may only present managed mobile applications that the user is entitled to use.].

Regarding claim 6, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein generating the key comprises:- 45 -B&W Ref.: 007737.01216Client Ref.: 20-0013-USO1/DTH 
receiving, from the computing device, user input comprising at least a portion of the key (Barton, [0099], An encryption key generation feature may be used such that the key used to encrypt data on the device is generated using a passphrase supplied by the user. It may be XORed with another key randomly generated and stored on the server side.].  

Regarding claim 7, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein generating the key comprises: 
generating the key based on a determination that the key is not represented in the database [Barton, [0150], The listing of tickets or listing of applications may also be associated with information identifying the user of the mobile device and/or any credentials used to authenticate the user.; [0151], Furthermore, such information may be created, accessed, modified and/or stored by the access gateway based on one or more risk score.]. 

Regarding claim 8, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein storing the association comprises:
configuring the database to delete the token after a predetermined time period [Barton, [0166], For example, an access gateway may receive a selective wipe acknowledgment that includes a listing of application and/or listing of tickets that were affected/deleted by the selective wipe and, respectively, may update its listing of applications installed on the mobile device by removing entries corresponding to the application(s) indicated by the acknowledgement and/or update its listing of tickets issued and valid to the mobile device by removing entries corresponding to the tickets indicated by the acknowledgement.].

Regarding claim 9, the combination of Barton, Barton2, and Courage discloses the method of claim 1, wherein retrieving the token comprises: 
querying, using the key and a user identifier associated with the computing device, the database for the token [Barton,  [0150] Additionally, such information may be created, accessed, modified, and/or stored by the access gateway based on network traffic to/from the mobile device and the enterprise network (e.g., the access gateway may update a list of tickets whenever a ticket is transmitted or issued to the mobile device in connection with providing access to enterprise resources on the basis of a per-application policy-controlled VPN tunnel, as described in connection with FIG. 9). The listing of tickets or listing of applications may also be associated with information identifying the user of the mobile device and/or any credentials used to authenticate the user.].

Regarding claim 10, Barton discloses a method comprising: 
sending [[0146], When a user executes a managed application on the mobile device, the user is typically challenged to authenticate the user's identity along with passwords and other factors as dictated by corporate rules.; [0147] For example, the enterprise may grant a certificate to a mobile device when applicable policy information allows the device (or application) to access a particular resource that requires a certificate administered by the enterprise.], to a server and from a first application executing on a first portion [Fig. 5, a unmanaged partition] of a computing device, a token [ticket, certificate]; 
wherein the second portion of the computing device is prevented by a security policy from interacting with the first portion of the computing device [[0072], The operating system of the mobile device may be separated into a managed partition 510 and an unmanaged partition 512. Stated differently, by enforcing policies on managed apps, those apps may be restricted to only be able to communicate with other managed apps and trusted enterprise resources, thereby creating a virtual partition that is impenetrable by unmanaged apps and devices.]; 
receiving [[0154], At step 1007, the access gateway may transmit a ticket to the mobile device. … As another example, the access gateway may update the listing of applications with an identification of the application that the ticket was issued to.; [0155]  For example, if the ticket is included in the policy information, the ticket would be transmitted when transmitting the updated policy information.], from the server and in the second portion of the computing device, the token; and 
decrypting, using the key, the token [[0190], In addition, the data communicated from the computing device to the application may also be encrypted, and the application running in managed mode may be configured to decrypt the received data.].
Barton does not appear to explicitly disclose receiving, in a second portion of a computing device and in response to sending the token, a second application that, when executed by the computing device, is configured to transmit a request, for the token, that comprises a key; and sending, to the server, a request by executing, in the second portion of the computing device, the second application. 
However, Barton2 discloses receiving [Fig. 10, Blocks 1010-1018; [0149] The enterprise may then publish the managed mobile application to the enterprise application server along with the application metadata and any application policies associated with the mobile application (block 1010). The enterprise application server may receive a request from a mobile device to download a selected mobile application (block 1012). … the enterprise application server may download the selected mobile application to the mobile device in response to receipt of the request (1018)], in a second portion of a computing device and in response to sending the token, a second application that. 
Barton and Barton2 are both considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Barton to incorporate the teachings of Barton2, provide an access manager operating at a mobile device to validate a mobile application installed at the mobile device and prevent or permit access to the computing resource, such that individuals associated with the enterprise may advantageously utilize remote and local computing resources with their personal mobile devices. [Barton2, Abstract and paragraphs [0009]-[0014]; Abstract, An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.].
Further, both of Barton and Bartion2 does not appear to explicitly disclose: wherein the compiled second application is configured to, when executed by the computing device, transmit a request, for the token that comprises the key; and receiving, from the compiled second application executing in the second portion of the computing device, the request, for the token, that comprises the key.
However, Courage discloses wherein the compiled second application [Fig. 1, a packaged application 130] is configured to, when executed by the computing device, transmit a request, for the token [[0055] Method 500 may include receiving an application's request for access to a user's cloud- or network-based account (510). The application may be a packaged natively-operating application installed on the user's computing device. Receiving the application's request may involve providing an identity application programming interface (API) to receive and process the application's request.], that comprises the key [OAuth client ID and an array of scopes with the access token request; [0050] Packaged application 410 may pass in its OAuth client ID and an array of scopes with the access token request to Chrome runtime 420. ]; and 
sending [[0050] In process 400, packaged application 410 may issue an access token request (e.g., identity.GetAuthToken) to Chrome runtime 420 to get an access token to access the user's service account (e.g., at accounts. xyz.com) (41). ... Chrome runtime 420 may then direct a call for the access token (e.g., oauth.v2.IssueToken) to Identity Provider API 180 at authorization provider server 430 (e.g., xyz.apis.com) using the user's credentials or token-based user credentials (42).], to the server [Identity Provider API] , a request [an access token request], by executing, in the second portion of the computing device, the second application [packaged application 410 ]. 
Barton and Courage are both considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Barton to incorporate the teachings of Courage, provide a method returning an access token obtained by a web application to a packaged application (a native or natively-operating application) and allowing the packaged application to access a user’s cloud- or network-based account.  [Courage, Abstract,  A method includes receiving a packaged application's request for access to a user's cloud- or network-based account. The packaged application runs outside a web browser on a computing device. If there is an outstanding user consent to access by the packaged application to the user's cloud- or network-based account, the method includes returning an access token to the packaged application. The access token gives the packaged application access to the user's cloud- or network-based account. If there is no outstanding user consent to access by the packaged application to the user's cloud- or network-based account, the method includes presenting a web-based user consent dialog in a webview container in an identity component application installed on the computing device.].

Regarding claim 11, the combination of Barton, Barton2, and Courage discloses the method of claim 10, wherein the second application comprises an authentication application [Courage, [0012] A packaged app running outside a web browser on a user's computing device may request access to protected user data in a web account of the user. The request may be subject to user authentication and approval or consent.].
 
Regarding claim 12, the combination of Barton, Barton2, and Courage discloses the method of claim 10, wherein sending the request for the token comprises: 
receiving, via the second application, user input comprising at least a portion of the key [Barton, [0096], An encryption key generation feature may be used such that the key used to encrypt data on the device is generated using a passphrase supplied by the user. It may be XORed with another key randomly generated and stored on the server side.].

Regarding claim 13, the combination of Barton, Barton2, and Courage discloses the method of claim 10, further comprising: 
encrypting the token before sending the token to the server [Barton, [0174],  For example, an application running in managed mode may be communicating with a computing device over a network, and the data transmitted from the application to the device may be encrypted.].  

Regarding claim 14, the combination of Barton, Barton2, and Courage discloses the method of claim 10,  further comprising: 
storing [Barton, [0157] For example, the technician may view the listing of application or listing of tickets via the user interface, modify the listing via the user interface, create a ticket to be sent to a mobile device via the user interface, and cause the access gateway to store and/or send the ticket to the mobile device via the user interface.], on storage of the computing device, the token; and 
deleting, after receiving the key, the token from the storage of the computing device.
[Barton, [0162], Steps 1103-1109 form part of a process for performing the selective wipe. Other data may be deleted from the mobile device during the selective wipe process. The below steps are related to identifying and deleting tickets from secure containers as part of a selective wipe process that deletes or otherwise makes inaccessible enterprise data associated with the managed application, which may include the policy information]. 

Claims 15-20 are rejected under 35 U.S.C. 103 as being unpatentable over Barton in view of Edwards.

Regarding claim 15, Barton discloses a method comprising: 
based on receiving, by a server and from a first application executing on a first portion of a computing device, a token ([0146], When a user executes a managed application on the mobile device, the user is typically challenged to authenticate the user's identity along with passwords and other factors as dictated by corporate rules. After authentication, the mobile device may be provided with a policy for determining how the managed application is to perform network accesses); 
causing  [[0073] The secure applications may be secure native applications 514, secure remote applications 522 executed by a secure application launcher 518, virtualization applications 526 executed by a secure application launcher 518, and the like. The secure native applications 514 may be wrapped by a secure application wrapper 520. The secure application wrapper 520 may include integrated policies that are executed on the mobile device 502 when the secure native application is executed on the device.], a second portion of the computing device to execute the second application, wherein the second portion of the computing device is prevented by a security policy from interacting with the first portion of the computing device [[0072] The operating system of the mobile device may be separated into a managed partition 510 and an unmanaged partition 512. Stated differently, by enforcing policies on managed apps, those apps may be restricted to only be able to communicate with other managed apps and trusted enterprise resources, thereby creating a virtual partition that is impenetrable by unmanaged apps and devices.]; 
sending [[0154] At step 1007, the access gateway may transmit a ticket to the mobile device. … As another example, the access gateway may update the listing of applications with an identification of the application that the ticket was issued to.; [0155]  For example, if the ticket is included in the policy information, the ticket would be transmitted when transmitting the updated policy information.], by the server and to the second portion of the computing device, and in response to the request, the token.  
Barton does not appear to explicitly disclose receiving, in a second portion of a computing device and in response to sending the token, a second application that, when executed by the computing device, is configured to transmit a request, for the token, that comprises a key; and sending, to the server, a request by executing, in the second portion of the computing device, the second application. 
However, Barton2 discloses signing, by the server, a second application with a key corresponding to the token [Barton2, [0148] The functionality added to the managed mobile application may include functionality that enables the managed mobile application to extract, arrange, and combine the embedded identification tokens in order to construct an application signature. The functionality added to the managed mobile application may also include functionality that enables the managed mobile application to derive identification tokens dynamically as well as to arrange and combine the derived identification tokens with the embedded identification tokens when constructing the application signature. Furthermore, the functionality added to the managed mobile application may additionally include functionality that enables the managed mobile application to generate a hash value based, at least in part, on the application signature. The Examiner construes signing the second application to be same as adding to the managed mobile application functionality that enables the managed mobile application to extract, arrange, and combine the embedded identification tokens in order to construct an application signature of the prior art].
Barton and Barton2 are both considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Barton to incorporate the teachings of Barton2, provide an access manager operating at a mobile device to validate a mobile application installed at the mobile device and prevent or permit access to the computing resource, such that individuals associated with the enterprise may advantageously utilize remote and local computing resources with their personal mobile devices. [Barton2, Abstract and paragraphs [0009]-[0014]; Abstract, An access manager may operate at a mobile device to validate a mobile application installed at that mobile device. If the access manager does not successfully validate the mobile application, the access manager may prevent the mobile application from accessing computing resource. If the access manager does successfully validate the mobile application, then the access manager may identify the mobile application as a trusted mobile application. The access manager may thus permit the trusted mobile application to access the computing resource.].
Further, both of Barton and Bartion2 does not appear to explicitly disclose: wherein the second application is configured to, when executed by the computing device, transmit a request, for the token that comprises the key; and receiving, from the second application, the request, for the token, that comprises the key.
However, Courage discloses wherein the second application [Fig. 1, a packaged application 130] is configured to, when executed by the computing device, transmit a request, for the token [[0055] Method 500 may include receiving an application's request for access to a user's cloud- or network-based account (510). The application may be a packaged natively-operating application installed on the user's computing device. Receiving the application's request may involve providing an identity application programming interface (API) to receive and process the application's request.], that comprises the key [OAuth client ID and an array of scopes with the access token request; [0050] Packaged application 410 may pass in its OAuth client ID and an array of scopes with the access token request to Chrome runtime 420. ]; and 
receiving, by the server and from the second application, the request, for the token, that comprises the key [[0050] In process 400, packaged application 410 may issue an access token request (e.g., identity.GetAuthToken) to Chrome runtime 420 to get an access token to access the user's service account (e.g., at accounts. xyz.com) (41). ... Chrome runtime 420 may then direct a call for the access token (e.g., oauth.v2.IssueToken) to Identity Provider API 180 at authorization provider server 430 (e.g., xyz.apis.com) using the user's credentials or token-based user credentials (42).].
Barton and Courage are both considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Barton to incorporate the teachings of Courage, provide a method returning an access token obtained by a web application to a packaged application (a native or natively-operating application) and allowing the packaged application to access a user’s cloud- or network-based account.  [Courage, Abstract,  A method includes receiving a packaged application's request for access to a user's cloud- or network-based account. The packaged application runs outside a web browser on a computing device. If there is an outstanding user consent to access by the packaged application to the user's cloud- or network-based account, the method includes returning an access token to the packaged application. The access token gives the packaged application access to the user's cloud- or network-based account. If there is no outstanding user consent to access by the packaged application to the user's cloud- or network-based account, the method includes presenting a web-based user consent dialog in a webview container in an identity component application installed on the computing device.].

Regarding claim 16, the combination of Barton, Barton2, and Courage discloses the method of claim 15, wherein the second application comprises an authentication application  [Courage, [0012] A packaged app running outside a web browser on a user's computing device may request access to protected user data in a web account of the user. The request may be subject to user authentication and approval or consent.].  

Regarding claim 17, the combination of Barton, Barton2, and Courage discloses the method of claim 15, wherein causing the second portion of the computing device to execute the second application comprises: 
sending, to a mobile device management application configured to manage the second portion of the computing device, the second application [Barton2, [0166] Once the mobile device is enrolled, the MDM system may leverage the managed relationship to enforce policies, monitor the mobile device, push information to the mobile device, and the like.; [0171] It will be appreciated that the MDM system may additionally leverage the managed relationship to push mobile applications to the managed mobile device in order to control which mobile applications are installed at the mobile device.].  

Regarding claim 18, the combination of Barton, Barton2, and Courage discloses the method of claim 15, further comprising: 
storing the token and the key [Barton, [0149], In one or more arrangements, the access gateway may update policy information based on information that is stored by, maintained by, and/or accessible to the access gateway, such as a listing of applications that are installed on the mobile device and/or a listing of tickets that are issued and currently valid for the mobile device. The Examiner construes a key to be the same as the policy information related to the application of the prior art.]; and 
deleting the token and the key after a predetermined time period [Barton, [0166], For example, an access gateway may receive a selective wipe acknowledgment that includes a listing of application and/or listing of tickets that were affected/deleted by the selective wipe and, respectively, may update its listing of applications installed on the mobile device by removing entries corresponding to the application(s) indicated by the acknowledgement and/or update its listing of tickets issued and valid to the mobile device by removing entries corresponding to the tickets indicated by the acknowledgement].  

Regarding claim 19, the combination of Barton, Barton2, and Courage discloses the method of claim 15, further comprising: 
receiving, from the computing device, user input comprising at least a portion of the key (Barton, [0096], An encryption key generation feature may be used such that the key used to encrypt data on the device is generated using a passphrase supplied by the user. It may be XORed with another key randomly generated and stored on the server side).

Regarding claim 20, the combination of Barton, Barton2, and Courage discloses the method of claim 15, further comprising: 
generating, after receiving the token, the key [Barton, [0149], At step 1001, an access gateway (or MRM server) may update policy information. The policy information may be related to or be for a particular application installed a particular user's mobile device.; [0150], The listing of tickets or listing of applications may also be associated with information identifying the user of the mobile device and/or any credentials used to authenticate the user.].

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEONGSOOK YI whose telephone number is (571)272-9407. The examiner can normally be reached Monday-Friday 8:00 am - 5:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on (571)272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J.Y./Examiner, Art Unit 2496                                                                                                                                                                                                        
/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496