Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
DETAILED ACTION
	This communication is in response to the application filed on 12/08/2021.
	Claims 1-20 are pending. 
Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/08/2021 is in compliance with the provisions of 37 C.F.R. § 1.97. Accordingly, the IDS is being considered by the examiner.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-9 of the claimed invention are directed to non-statutory subject matter. The preamble of independent claim 1 recites a system; however, the body of the claim only directly recites that system comprising instructions. Because the system is not recited as comprising any hardware, claim 1 is directed to non-statutory subject matter. The memory and processor in claim 1 should be directly and explicitly recited (for example, the IHS comprising: a memory to store instructions and a processor to execute the instructions…). Dependent claims 2-8 are rejected because of their dependency on the rejected base claim. Appropriate corrections are required.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-20 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over the claims of Patent No. 11,240,109 (“Pat. ‘109”).
Present Application, Claim 1:
An Information Handling System (IHS), the IHS comprising: instructions stored in at least one memory and executed by at least one processor to:
instantiate, using one or more files or policies, a first workspace based upon a first workspace definition;
allow a user to execute a first workload in the first workspace;
determine that the first workspace is compromised by calculating a security risk score associated with how the user is operating the IHS; and
in response to the determination:
instantiate, using one or more other files or policies, a second workspace based upon a second workspace definition;
migrate the first workload from the first workspace to a second workload in the second workspace; and
allow the user to execute, according to the one or more other files of policies, the second workload in the second workspace corresponding to how the workload in the first workspace was executed.

Pat. ‘109, Claim 1:
A client Information Handling System (IHS), the client IHS comprising: a processor; and a memory coupled to the processor, the memory having program instructions stored thereon that, upon execution by the processor, cause the client IHS to:
instantiate, using one or more files or policies, a first workspace based upon a first workspace definition;
allow a user to execute a non-vetted application in the first workspace;
determine that the first workspace is compromised because the application is non-vetted; and
in response to the determination: identify a vetted application that corresponds to the non-vetted application, wherein the vetted application is different than the non-vetted application;
instantiate, using one or more other files or policies, a second workspace based upon a second workspace definition, wherein the second workspace definition indicates the vetted application corresponding to the non-vetted application;
cause the client IHS to migrate a workload from the first workspace to the second workspace; cause the client IHS to transmit, to a workspace orchestration service, cloned user actions and data collected during execution of the non-vetted application in the first workspace, and wherein the one or more other files or policies comprise an indication of the cloned user actions and data that is applicable to the vetted application in the second workspace; and
allow the user to execute the vetted application in the second workspace.

Pat. ‘109, Claim 5:
The client IHS of claim 1, wherein the program instructions, upon execution, further cause the client IHS to determine that the first workspace is compromised in response to a security risk score being equal to or greater than a threshold value.

Pat. ‘109, Claim 7:
The client IHS of claim 5, wherein the security risk score is calculated based upon at least one of: a risk metric associated with a locale of the client IHS, a risk metric associated with the user of the client IHS, a risk metric associated with a network of the client IHS, a risk metric associated with hardware of the client IHS, a risk metric associated with a requested datafile, or a regulatory risk metric associated with the user, the locale, and the requested datafile.

	Independent claims 10 and 16 here are not patentably distinct in view of the limitations in claim 1, 5 and 7 of Pat. ‘109.
Claims 2-4, 9, 11-13 and 17-18 here are not patentably distinct in view of the limitations in the independent claims of Pat. 109.
Claims 5 and 19 here are not patentably distinct in view of the limitations in claim 7 of Pat. 109.
Claims 6 and 14 here are not patentably distinct in view of the limitations in claims 5-6 of Pat. 109.
Claims 7 and 20 here are not patentably distinct in view of the limitations in claim 4 of Pat. 109.
Claims 8 and 15 here are not patentably distinct in view of the limitations in claim 17 of Pat. 109.
Claim Objections
Claim 9 is objected to because of the following informalities:  There is a typographical error in the limitation “…wherein the first and workspaces…” Examiner believes that the limitation should read: wherein the first and second workspaces. Appropriate correction is required.


Claim Rejections - 35 U.S.C. § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. §§ 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7, 9-14 and 16-20 are rejected under 35 U.S.C. § 103 as being unpatentable over Cardamore (Pub. No. US 2013/0097657 A1) in view of Hamilton (Pub. No. US 2016/0232024 A1).

Regarding claim 1, Cardamore teaches an Information Handling System (IHS), the IHS comprising: instructions stored in at least one memory and executed by at least one processor to: instantiate, using one or more files or policies, a first workspace based upon a first workspace definition (Cardamore ¶ [0039], “The wireless communication device 410 may include a default perimeter [workspace].” Which allows for performing actions, such as “‘out of the box’ operations” according to a perimeter policy – this default perimeter, or any old perimeter before a new one is dynamically generated, is the first workspace; see also Fig. 1, policy 120a & ¶ [0014], perimeter includes applications for use by users); allow a user to execute a first workload in the first workspace (Cardamore Fig. 1, Apps 116 & ¶ [0014], application 116a [first workload] executes within a perimeter); determine that the first workspace is compromised by determining a security risk associated with how the user is operating the IHS (Cardamore ¶ [0039], “the wireless communication device may dynamically generate an enterprise perimeter based on one or more trigger events. For example, a user of the wireless communication device 410 may add an enterprise account”; see also ¶ [0010] regarding general discussion of generating perimeters to securely isolate resources, “The personal perimeter may provide permission to be accessed by personal applications, and the enterprise perimeter, when unlocked by the user, may provide permission to be accessed by enterprise applications.”; see also ¶ [0042]); and in response to the determination: instantiate, using one or more other files or policies, a second workspace based upon a second workspace definition (Cardamore ¶ [0039], “the wireless communication device may dynamically generate an enterprise perimeter based on one or more trigger events”; see also ¶ [0040], “Automatically generating the new enterprise perimeter may further include retrieving security policies associated with the enterprise perimeter from the enterprise server 430.”); migrate the first workload from the first workspace to a second workload in the second workspace (Cardamore ¶ [0042], a new perimeter is dynamically and automatically generated based on, for example, connection to a bridge device, which will necessarily migrate the workload [such as applications] to the new perimeter, “Applications that use the password manager can use the service to create, allow or deny access to perimeters”, where when access is allowed the application [workload] is migrated to the new perimeter – *Examiner notes that the secondary art of record Hamilton also teaches this limitation as can be seen below); and allow the user to execute, according to the one or more other files of policies, the second workload in the second workspace corresponding to how the workload in the first workspace was executed (Cardamore ¶ [0042], a new perimeter is dynamically and automatically generated based on, for example, connection to a bridge device, which will necessarily migrate the workload to the new perimeter; “Applications that use the password manager can use the service to create, allow or deny access to perimeters”, where when access is allowed the application [workload] is migrated to the new perimeter – *Examiner notes that the secondary art of record Hamilton explicitly teaches this limitation as can be seen below).
Cardamore does not explicitly teach calculating a security risk score.
However, Hamilton teaches determine that the first workspace is compromised by calculating a security risk score associated with how the user is operating the IHS (Hamilton Fig. 4 & ¶¶ [0065] & [0075], threat related to operation of computer system is detected and security risk score is calculated; see also ¶ [0061], computer systems are used by users “one or more of VMs 410a-n can be used for processing tasks of a first user”); and migrate the first workload from the first workspace to a second workload in the second workspace and allow the user to execute, according to the one or more other files of policies, the second workload in the second workspace corresponding to how the workload in the first workspace was executed (*Although Cardamore teaches these limitations so does Hamilton; see Hamilton ¶ [0080], a workload is migrated from one VM to another VM).
It would have been obvious to a person of ordinary skill in the art to combine the teachings of Cardamore and Hamilton to teach scoring a security risk because it allows for the consideration of urgency and severity of threat when responding to the threat thereby enhancing remediation by resolving the most pressing security concerns first and enhancing flexibility in responding to a threat. See Hamilton ¶¶ [0075], [0080]-[0081], “VMs having a greater response factor are given higher priority in terms of when they are subjected to proactive responsive actions, and may also be subjected to greater proactive responsive actions to ensure they are protected from the detected threat.”

Regarding claim 2, Cardamore and Hamilton teach the IHS of claim 1. Cardamore furthermore teaches wherein the instructions are further executed to clone user actions and data collected during execution of the first workload in the first workspace, wherein the one or more other files or policies comprise information associated with the cloned user actions and data that is applicable to the second workload in the second workspace (Cardamore ¶ [0042], adding an ActiveSync account (an account in Exchange) causes creation of a new perimeter which clones user actions to the new perimeter; see also ¶ [0039]).

Regarding claim 3, Cardamore and Hamilton teach the IHS of claim 1. Cardamore furthermore teaches wherein the first and second workloads each comprise at least one of executing an application or accessing data from a secure location (Cardamore Fig. 1, Apps 116 & ¶ [0014], applications 116 execute within a perimeter).

Regarding claim 4, Cardamore and Hamilton teach the IHS of claim 1. Cardamore furthermore teaches wherein the instructions are further executed to determine that the first workspace is compromised according to a security context of the IHS (Cardamore ¶ [0039], “the wireless communication device may dynamically generate an enterprise perimeter based on one or more trigger events. For example, a user of the wireless communication device 410 may add an enterprise account”; see also ¶ [0040], perimeters secure applications for enterprise accounts which were added in an unsecured perimeter, “wireless communication device 410 may automatically/dynamically generate a new enterprise perimeter to securely separate resources associated with the enterprise account, and provide access privileges for the enterprise account to the wireless communication device 410. Automatically generating the new enterprise perimeter may further include retrieving security policies associated with the enterprise perimeter from the enterprise server 430.”).

Regarding claim 5, Cardamore and Hamilton teach the IHS of claim 4. Cardamore furthermore teaches wherein the instructions are further executed to calculate the security context according to at least one of a risk metric associated with a locale of the client IHS, a risk metric associated with a user of the client IHS, a risk metric associated with hardware of the client IHS, a risk metric associated with a requested datafile, or a regulatory risk metric associated with the user, the locale, and the requested datafile (Cardamore ¶ [0039], “the wireless communication device may dynamically generate an enterprise perimeter based on one or more trigger events. For example, a user of the wireless communication device 410 may add an enterprise account”; see also ¶ [0040], perimeters secure applications for enterprise accounts [requested datafile] which were added in an unsecured perimeter, “wireless communication device 410 may automatically/dynamically generate a new enterprise perimeter to securely separate resources associated with the enterprise account, and provide access privileges for the enterprise account to the wireless communication device 410. Automatically generating the new enterprise perimeter may further include retrieving security policies associated with the enterprise perimeter from the enterprise server 430.”)

Regarding claim 6, Cardamore and Hamilton teach the IHS of claim 1. 
Cardamore does not explicitly teach wherein the instructions are further executed to determine that the first workspace is compromised in response to a security risk score being equal to or greater than a threshold value, wherein the threshold value comprises a security target associated with the first workspace definition.
However, Hamilton teaches wherein the instructions are further executed to determine that the first workspace is compromised in response to a security risk score being equal to or greater than a threshold value, wherein the threshold value comprises a security target associated with the first workspace definition (Hamilton ¶ [00680], “One or more thresholds can be specified to determine which VMs in the determined neighborhood should be subjected to proactive responsive actions, what those actions should be (e.g., migrating a workload of a VM to another VM, instantiating another VM, migrating a VM to a different host computer system, etc.), and when those actions should be performed relative to other VMs in the determined neighborhood.”; see also ¶ [0081], “in a scenario involving the VMs having calculated response factors on a scale of 1 to 100, a user or security policy can specify a threshold of 40, such that only VMs in the determined neighborhood having a response factor greater than or equal to 40 will be subjected to proactive responsive actions in response to detected threats.”)
It would have been obvious to a person of ordinary skill in the art to combine the teachings of Cardamore and Hamilton to teach scoring a security risk because it allows for the consideration of urgency and severity of threat when responding to the threat thereby enhancing remediation by resolving the most pressing security concerns first and enhancing flexibility in responding to a threat. See Hamilton ¶¶ [0075], [0080]-[0081], “VMs having a greater response factor are given higher priority in terms of when they are subjected to proactive responsive actions, and may also be subjected to greater proactive responsive actions to ensure they are protected from the detected threat.”

Regarding claim 7, Cardamore and Hamilton teach the IHS of claim 1. Cardamore furthermore teaches wherein the instructions are further executed to select the one or more other files or policies in anticipation of the determination that the first workspace is compromised (Cardamore ¶ [0039], “the wireless communication device may dynamically generate an enterprise perimeter based on one or more trigger events”; see also ¶ [0040], “Automatically generating the new enterprise perimeter may further include retrieving security policies associated with the enterprise perimeter from the enterprise server 430.”)

Regarding claim 9, Cardamore and Hamilton teach the IHS of claim 1. Cardamore furthermore teaches wherein the first and workspaces are created by a workspace orchestration service (Cardamore ¶ [0042], perimeters are created by a service, “Applications that use the password manager can use the service to create, allow or deny access to perimeters”).

Cardamore and Hamilton teach all the limitations of claims 10 and 16 as asserted above with regard to claim 1. 

Cardamore and Hamilton teach all the limitations of claims 11 and 17 as asserted above with regard to claim 2. 

Cardamore and Hamilton teach all the limitations of claim 12 as asserted above with regard to claim 3.

Cardamore and Hamilton teach all the limitations of claims 13 and 18 as asserted above with regard to claim 4. 

Cardamore and Hamilton teach all the limitations of claim 19 as asserted above with regard to claim 5.

Cardamore and Hamilton teach all the limitations of claim 14 as asserted above with regard to claim 6.

Cardamore and Hamilton teach all the limitations of claim 20 as asserted above with regard to claim 7.

Cardamore and Hamilton teach all the limitations of claim 15 as asserted above with regard to claim 8.

Claims 8 and 15 are rejected under 35 U.S.C. § 103 as being unpatentable over Cardamore (Pub. No. US 2013/0097657 A1) in view of Hamilton (Pub. No. US 2016/0232024 A1) and further in view of Enguehard (Pub. No. US 2020/0089526 A1).

Regarding claim 8, Cardamore and Hamilton teach the IHS of claim 1. 
Cardamore and Hamilton do not explicitly teach wherein the instructions are further executed to terminate the first workspace after migrating the first workload to the second workspace.
However, Enguehard teaches wherein the instructions are further executed to terminate the first workspace after migrating the first workload to the second workspace (Enguehard ¶ [0029], “once the origin node has sent the last data packet including remaining components of the image of the application container [after migrating the first workload to the second workspace], the origin node can terminate the original container.”; see also ¶¶ [0024]-[0025]).
It would have been obvious to a person of ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teachings of Cardamore and Hamilton with the teachings of Enguehard to teach terminating the first workspace after migration because it conserves resources.

Cardamore, Hamilton and Enguehard teach all the limitations of claim 15 as asserted above with regard to claim 8. 
Conclusion
	The prior art made of record and not relied upon is considered pertinent to Applicant’s disclosure. 
Busch (Pub. No. US 2015/0268989 A1) teaches “prior to termination of the application virtual machine, the application virtual machine causes (642) migratable objects in the object store not currently stored in the persistent datastore to be migrated to the persistent datastore, and, after termination of the application virtual machine, a subsequent instance of the application virtual machine causes at least a subset of the migrated objects to be retrieved from the persistent datastore and stored in an object store of the subsequent instance of the application virtual machine.” Busch ¶ [0126]. 
Dos Santos Silva (Pub. No. US 2021/0075815 A1) teaches “A security incident is detected at a first location; a risk of the security incident is evaluated. A first security scores is generated for the first location. A set of security scores are generated for a set of alternative locations; the set of security scores excludes the first security score. A second security score within the set of security scores is determined to be the best security score among a plurality of security scores; the plurality of security scores comprises the set of security scores and the first security score. A workload associated with the first location is migrated to a second location, where the second location is associated with the second security score.” Dos Santos Silva Abstract.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to GREGORY P TOLCHINSKY whose telephone number is (571)270-0599.  The examiner can normally be reached on m-f (9:30-6:30PM).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Umar Cheema can be reached on 571-270-3037.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






Gregory P. Tolchinsky
/G.P.T./Examiner, Art Unit 2454     
09/21/2022
/Brian Whipple/Primary Examiner, Art Unit 2456
9/22/2022