Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
                                                          DETAILED ACTION 
This is in response to the communication filed on 08/23/2022. Claims 1-21 are pending in the application.  Claims 1-21 are rejected. 
                                                         Response to Arguments
Applicant’s arguments, see pages 9 and 10 of remarks, filed on 08/23/2022, with respect to 35 USC 103 type rejections of claims 1-6, 8-13 and 15-20 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of  Raju et al. reference. 
Applicant’s arguments, see pages 9 and 10 of remarks, filed on 08/23/2022, with respect to 35 USC 103 type rejections of claims 7, 14 and 21 have been fully considered and are persuasive.  Therefore, the rejection has been withdrawn.  However, upon further consideration, a new ground(s) of rejection is made in view of Raju et al. reference. 
Applicant’s arguments, see  page 10 of remarks, filed on 08/23/2022, with respect to  obviousness type double patenting rejections of claims 1-21 have been fully considered. Previous  obviousness type double patenting rejections are held in abeyance as requested by the applicant.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-21 are rejected under 35 U.S.C. 103 as being obvious over US 2016/0219060 A1 (hereinafter Karunakaran et al) in view of US 2012/0084836 A1 (hereinafter Mahaffey et al)
Regarding claim 1, Karunakaran et al teaches a method comprising: 
receiving, via a processor from an identity broker, a request regarding access by a client device to a service provided by a service provider (note figure 1B.120: Identity Provider Proxy; para.  [0020], [0031]: Identity Provider Proxy receiving a request from client to access cloud services); 
in response to receiving the request, determining a security state of the client device representing a risk of compromise associated with the client device (note para. [0033], [0042], [0056]: determining device security posture information); 
determining that the security state of the client device is a secure state representing a risk level  (note  para. [0023], [0033], [0042], [0049]: non-compliant/ compromised posture); and 
in response to determining that the security state of the client device is the secure state, indicating to the identity broker permission to authorize  (note para.  [0042], [0049], [0056]: establishing connection/ tunnel, based on client device authentication and security posture information; the client app communicates with the cloud-based service via the identity provider Proxy), wherein the identity broker is configured to, in response to receiving the permission,  (note para.  [0042], [0049], [0056])
Karunakaran et al fails to teach expressly determining that the security state of the client device is a secure state representing a risk level below a threshold risk; sending to the identity broker an indication that the client device is in the secure state; indicating to the identity broker permission to authorize direct access by  the client device to the service provider; and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device.
However, Mahaffey et al teaches determining that the security state of the client device is a secure state representing a risk level below a threshold risk (note para. [0027], [0033], [0048]: security state/ level information reflecting acceptable score/ limit representing a compromised state of the device); sending] to the identity broker an indication that the client device is in the secure state (note para. [0029], [0033]:  sending security state information to the server 111); indicating to the identity broker permission to authorize direct access by  the client device to the service provider (note para. [0034], [0045], [0055]: allowing client device to access the service provider); and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device (note para.  [0045]-[0046], [0055]: client device directly access service provider 150upon security state determination by the server 111)
Mahaffey et al and Karunakaran et al are analogous art because they are from the same field of endeavor of securely managing client devices for accessing network resource server. Therefore, before the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al method to further include the features of sending to the identity broker an indication that the client device is in the secure state; indicating to the identity broker permission to authorize direct access by  the client device to the service provider; and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device taught by Mahaffey et al  in order to provide users with a secure mechanism for monitoring and provisioning network resources further based on security state information associated with the client devices (note Mahaffey et al, para [0004], [0048])

Regarding claim 2, Karunakaran et al teaches the method of claim 1, wherein the determination of the security state includes transmitting a request for a first context to the client device (note para. [0037]- [0038]: providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated; see also para. [0059]: contextual information)
Regarding claim 3, Karunakaran et al teaches the method of claim 2, further comprising receiving the first context from the client device, the first context representing information related to the security of the client device, and determining the security state based on the first context (note para. [0023], [0037]- [0038], [0047]), and determining the security state based on the first context (note para. [0033], [0042]: determining device “security posture” information; see also para. [0059]: contextual information including app, operating system related information)
Regarding claim 4, Karunakaran et al teaches the method of claim 3,  wherein the  first context information about an operating system of the client device (note para. [0023],  [0050], [0058]- [0059]: security posture of the device; various security posture/ contextual  information including token associated with client app, software running on the client device, operating system type etc.)
Regarding claim 5, Karunakaran et al teaches the method of claim 3, further comprising determining a second secure state (note para. [0058] –[0059]: Conditional access rules may be applied based on contextual information, e.g., whether device and/or user agent (e.g., requesting mobile app)   is under management; the type, provider, and version of the user agent software (e.g., browser, type of browser, etc.); IP address  (e.g., whitelisted IP address range); whether the connection is initiate via the identity provider or the service provider; the type of operating system and/or platform; etc.), and in response to determining the second security state transmitting a second indication representing whether to permit access between the client device and the service provider (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated)
Regarding claim 6, Karunakaran et al teaches the method of claim 5, wherein the determined second secure state indicates compromise of the client device  (note para. [0023], [0033], [0042]: compromised or  non-compliant state / posture)
Regarding claim 7, it is rejected applying as same motivation and rationale applied above rejecting claim 3, furthermore, Mahaffey et al  teaches the method further comprising determining that a component on the client device responsible for collecting information related to the first context is not initiated, and sending a request to the client device to initiate the component (note para. [0029]: server 111  may initiate   a request for device 101's security state information.)

Regarding claim 8, Karunakaran et al teaches a system (note para. [0033]: system) comprising:
 at least one processor (note para. [0018]: processor); and 
memory (note para. [0018]: memory) storing instructions configured to instruct the at least one processor to: 
receive, from an identity broker, a request regarding access by a client device to a service provided by a service provider (note figure 1B.120: Identity Provider Proxy; para.  [0020], [0031]: Identity Provider Proxy receiving a request from client to access cloud services); 
in response to receiving the request, determine a security state of the client device representing a risk of compromise associated with the client device (note para. [0033], [0042], [0056]: determining device security posture information); 
determine that the security state of the client device is a secure state representing a risk level  (note  para. [0023], [0033], [0042], [0049]: non-compliant/ compromised posture);
in response to determining that the security state of the client device is the secure state, indicating to the identity broker permission to authorize  (note para.  [0042], [0049], [0056]: establishing connection/ tunnel, based on client device authentication and security posture information; the client app communicates with the cloud-based service via the identity provider Proxy), wherein the identity broker is configured to, in response to receiving the permission,  (note para.  [0042], [0049], [0056])
Karunakaran et al fails to teach expressly determining that the security state of the client device is a secure state representing a risk level below a threshold risk; sending to the identity broker an indication that the client device is in the secure state; indicating to the identity broker permission to authorize direct access by  the client device to the service provider; and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device.
However, Mahaffey et al teaches determining that the security state of the client device is a secure state representing a risk level below a threshold risk (note para. [0027], [0033], [0048]: security state/ level information reflecting acceptable score/ limit representing a compromised state of the device); sending] to the identity broker an indication that the client device is in the secure state (note para. [0029], [0033]:  sending security state information to the server 111); indicating to the identity broker permission to authorize direct access by  the client device to the service provider (note para. [0034], [0045], [0055]: allowing client device to access the service provider); and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device (note para.  [0045]-[0046], [0055]: client device directly access service provider 150upon security state determination by the server 111)
Mahaffey et al and Karunakaran et al are analogous art because they are from the same field of endeavor of securely managing client devices for accessing network resource server. Therefore, before the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al method to further include the features of sending to the identity broker an indication that the client device is in the secure state; indicating to the identity broker permission to authorize direct access by  the client device to the service provider; and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device taught by Mahaffey et al  in order to provide users with a secure mechanism for monitoring and provisioning network resources further based on security state information associated with the client devices (note Mahaffey et al, para [0004], [0048])
Regarding claim 9, Karunakaran et al teaches the system of claim 8, wherein the determination of the security state includes transmitting a request for a first context to the client device (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated; see also para. [0059]: contextual information)
Regarding claim 10, Karunakaran et al teaches the system of claim 9,  wherein the instructions are further configured to instruct the processor to receive  the first context from the client device, the first context representing information related to the security of the client device (note para. [0023], [0037]- [0038], [0047]), and determining the security state based on the first context  (note para. [0033], [0042]: determining device “security posture” information; see also para. [0059]: contextual information including app, operating system related information)
Regarding claim 11, Karunakaran et al teaches the system of claim 10, wherein the first context includes information about an operating system of the client device (note para. [0023],  [0050], [0058]- [0059]: security posture of the device; various security posture/ contextual  information including token associated with client app, software running on the client device, operating system type etc.)
Regarding claim 12, Karunakaran et al teaches the system of claim 10, wherein the instructions are further configured to instruct the processor to determine a second secure state (note para. [0058] –[0059]: Conditional access rules may be applied based on contextual information, e.g., whether device and/or user agent (e.g., requesting mobile app)   is under management; the type, provider, and version of the user agent software (e.g., browser, type of browser, etc.); IP address  (e.g., whitelisted IP address range); whether the connection is initiate via the identity provider or the service provider; the type of operating system and/or platform; etc.), and in response to determining the second security state transmits a second indication representing whether to permit access between the client device and the service provider (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated)
Regarding claim 13, Karunakaran et al teaches the system of claim 12, wherein the determined second secure state indicates compromise of the client device (note para. [0023], [0033], [0042]: compromised or  non-compliant state / posture)
Regarding claim 14, it is rejected applying as same motivation and rationale applied above rejecting claim 3, furthermore, Mahaffey et al  teaches the system, wherein the instructions are further configured to instruct the processor to determine that a component on the client device responsible for collecting information related to the first context is not initiated, and send   a request to the client device to initiate the component (note para. [0029]: server 111  may initiate   a request for device 101's security state information.)
Regarding claim 15, Karunakaran et al teaches a non-transitory computer-readable storage medium (note para. [0018]: storage medium) storing computer-readable  instructions, which when executed, cause a computing device at least to: 
receive, from an identity broker, a request regarding access by a client device to a service provided by a service provider (note figure 1B.120: Identity Provider Proxy; para.  [0020], [0031]: Identity Provider Proxy receiving a request from client to access cloud services); 
in response to receiving the request, determine a security state of the client device representing a risk of compromise associated with the client device (note para. [0033], [0042], [0056]: determining device security posture information); 
determine that the security state of the client device is a secure state representing a risk level  (note  para. [0023], [0033], [0042], [0049]: non-compliant/ compromised posture);
in response to determining that the security state of the client device is the secure state, indicating to the identity broker permission to authorize  (note para.  [0042], [0049], [0056]: establishing connection/ tunnel, based on client device authentication and security posture information; the client app communicates with the cloud-based service via the identity provider Proxy), wherein the identity broker is configured to, in response to receiving the permission,  (note para.  [0042], [0049], [0056])
Karunakaran et al fails to teach expressly determining that the security state of the client device is a secure state representing a risk level below a threshold risk; sending to the identity broker an indication that the client device is in the secure state; indicating to the identity broker permission to authorize direct access by  the client device to the service provider; and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device.
However, Mahaffey et al teaches determining that the security state of the client device is a secure state representing a risk level below a threshold risk (note para. [0027], [0033], [0048]: security state/ level information reflecting acceptable score/ limit representing a compromised state of the device); sending] to the identity broker an indication that the client device is in the secure state (note para. [0029], [0033]:  sending security state information to the server 111); indicating to the identity broker permission to authorize direct access by  the client device to the service provider (note para. [0034], [0045], [0055]: allowing client device to access the service provider); and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device (note para.  [0045]-[0046], [0055]: client device directly access service provider 150upon security state determination by the server 111)
Mahaffey et al and Karunakaran et al are analogous art because they are from the same field of endeavor of securely managing client devices for accessing network resource server. Therefore, before the effective filing of the claimed invention, it would have been obvious to a person of ordinary skill in art to modify Karunakaran et al medium to further include the features of sending to the identity broker an indication that the client device is in the secure state; indicating to the identity broker permission to authorize direct access by  the client device to the service provider; and wherein the identity broker is configured to send a communication to the service provider that approves the direct access by the client device taught by Mahaffey et al  in order to provide users with a secure mechanism for monitoring and provisioning network resources further based on security state information associated with the client devices (note Mahaffey et al, para [0004], [0048])

Regarding claim 16, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 15, wherein  the determination of the security state includes   transmitting a request for a first context to the client device (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated; see also para. [0059]: contextual information)
Regarding claim 17, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 16, wherein the instructions further cause the computing device to receive  the first context from the client device, the first context representing information related to the security of the client device (note para. [0023], [0037]- [0038], [0047]), and determines the security state based on the first context (note para. [0033], [0042]: determining device “security posture” information; see also para. [0059]: contextual information including app, operating system related information)
Regarding claim 18, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 17, further  the first context includes  information about an operating system of the client device (note para. [0023],  [0050], [0058]- [0059]: security posture of the device; various security posture/ contextual  information including token associated with client app, software running on the client device, operating system type etc.)
Regarding claim 19, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 17, further  wherein the instructions further cause the computing device to determine a second secure state (note para. [0058] –[0059]: Conditional access rules may be applied based on contextual information, e.g., whether device and/or user agent (e.g., requesting mobile app)   is under management; the type, provider, and version of the user agent software (e.g., browser, type of browser, etc.); IP address  (e.g., whitelisted IP address range); whether the connection is initiate via the identity provider or the service provider; the type of operating system and/or platform; etc.)), and in response to determining the second security state transmits  a second indication representing whether to permit access between the client device and the service provider (note para. [0037]- [0038] providing a security token to client app 106 may be used to obtain and provide to the second (or other subsequent) client app a security token to be used by the second (or other subsequent) app to authenticate itself and gain access to a cloud-based service with which the second (or other subsequent) app is associated)
Regarding claim 20, Karunakaran et al teaches the non-transitory computer-readable storage medium of claim 19, wherein the determined second secure state indicates compromise of the client device (note para. [0023], [0033], [0042]: compromised or  non-compliant state / posture)
Regarding claim 21, it is rejected applying as same motivation and rationale applied above rejecting claim 3, furthermore, Mahaffey et al  teaches the non-transitory computer-readable storage medium of claim 17, wherein the instructions further cause the computing device to determine  that a component on the client device responsible for collecting information related to the first context is not initiated, and a request to the client device to initiate the component (note para. [0029]: server 111  may initiate   a request for device 101's security state information.)

               Double Patenting 
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the "right to exclude" granted by a patent and to prevent possible harassment by multiple assignees.  See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent is shown to be commonly owned with this application.  See 37 CFR 1.130(b).
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer.  A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).

A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); and In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985).

Claims 1-21 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-19 of the commonly owned patent No. 10,785,230 B1.
		In particular, claims 1, 8 and 15 of the instant application are obvious over claims 1 and 18-19 of the commonly owned patent No. 10,785,230 B1; claims 2-4, 9-11 and 16-18 of the instant application are obvious over claims 7-9 of the commonly owned patent No. 10,785,230 B1; and claims 5-7, 12-14 and 19-21 of the instant application are obvious over claims 2, 9, 12 and 16-17 of the commonly owned patent No. 10,785,230 B1.
Although the conflicting claims are not identical, they are not patentably distinct from each other because all the elements/ features of claim-set of the instant application would have been obvious over the conflicting claim-set of the commonly owned patent No. 10,785,230 B1. Conflicting claim set of both the instant application and the commonly owned patent are directed to a method of managing access to a service provided by a service provider based on security state information of a client device. Differences between the conflicting claim set of the instant application and the commonly owned patent are that the features set forth in the independent claims of the commonly owned patent are alternatively recited over the one or more conflicting claims of the instant application.
However, before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the features of the conflicting claims of the commonly owned patent by re-arranging them differently in order to present the claimed invention with the alternatively, or to present them with broader scopes since a claim with broader scope would inherently encompass more features.
This is an obviousness type double patenting rejection. 

                                                   Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHANTO ABEDIN whose telephone number is 571-272-3551.  The examiner can normally be reached on M-F from 10:00 AM to 6:30 PM.  Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http:// www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jung (Jay) Kim, can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 703-872-9306. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
/SHANTO ABEDIN/           Primary Examiner, Art Unit 2494