Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This Office Action is in response to the Amendment filed on 09/16/2022.
In the instant Amendment, claims 1-2, 4, 7, 14-15, 18 and 20 have been amended; and claims 1 and 14 are independent claims. Claims 1-20 have been examined and are pending. This Action is made Final.
Response to Arguments
Applicant’s arguments, see Remarks page 7, filed 09/16/22, with respect to the rejection(s) of claim(s) 1-20 under 103 have been fully considered and are persuasive. Therefore, the rejection has been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Salkini et al. (U.S. 20160198354 A1) and Mahaffey et al. (U.S. 20140189808 A1) necessitated by the claim amendment.
The objection of claim 1 is withdrawn as the claim has been amended. 
Claim Objections
Claims 2 and 17 are objected to because of the following informalities:
Regarding claim 2, claim 2 line 4 states “determining that the device is managed” should read “determining that the device is enrolled” to be consistent with the amendment. Appropriate corrections are required.
Regarding claim 17, claim 17 line 2 states “determining whether the device is unmanaged” should read “determining that the device is unenrolled” to be consistent with the amendment. Appropriate corrections are required.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Salkini et al. (U.S. 20160198354 A1; Hereinafter “Salkini”) in view of Mahaffey et al. (U.S. 20140189808 A1; Hereinafter “Mahaffey”).
Regarding claim 1, Salkini teaches a system, comprising: a memory (Salkini: claim 12“A system for controlling communications in a targeted coverage area overlaying an existing wireless network, comprising: wireless communications distribution hardware; and an intelligent network access controller coupled to the wireless communications distribution hardware, comprising: an equipment identity module that receives and stores information identifying wireless devices that enter the targeted coverage area,”, claim 16, “an existing wireless network, comprising a non-transitory computer-readable storage medium”); and 
a processor coupled to the memory and configured to identify unenrolled devices (unknown device) entering a secure installation for a unified endpoint management (UEM) (INAC 100) service that tracks enrolled (allowed device) and unenrolled devices (unknown device) (Salkini: fig. 6A step 420 “detect entry of device in the local wireless network”, “The INAC 100 may be implemented as software, hardware, or a combination of hardware and software. The INAC 100 may be implemented on a suitably programmable processor.” [0029] “Unknown devices 20 are those not specifically configured by the INAC 100 as allowed or restricted.”, see also claim 1), 
wherein the UEM service requires device enrollment to access a network (Salkini: para [0019], “In short, the intelligent network access controller can be used in any situation or at any facility or locale to establish a controlled wireless communications environment whereby only selected individuals can access a wireless communications network” para [0028], “Allowed devices are those configured in the NAG 100 as to be allowed wireless service”, see also figure 6C.), 
unenrolled devices being identified according to a method that included: detecting presence of a device based on receipt of communications from the device (Salkini: claim 1: “receiving a registration signal from a wireless device, and determining an access category for the wireless device based on the received registration signal”); 
determining that the device is unenrolled by the UEM service based on data included with the communications received from the device (Salkini: fig. 6C steps 456 and 454; in step 456 it is determined if the device is an unknown device, “Device unknown? Yes or no”. If the device is unknown, block access, or if it is known, allow access. para [0025-0027] “the INAC 100 recognizes three categories of subscriber devices 20: restricted, allowed, and unknown”, para [0026], fig. 6B. “The INAC 100 includes equipment identity module 110 that receives and stores identifying information associated with devices 20, the method of which is shown in FIG. 6B, block 443”, “determining an access category for each of the wireless devices based on the received registration signals and identification information”); and 
in response to determining that the device is unenrolled by the UEM service, reporting the device to the UEM service to track the device as unenrolled to deny access to network (Salkini: para [0034], “As subscribers access the INAC 100, and either are locked to the INAC 100 or redirected to the wireless network 10, the INAC 100 captures access information that can be used to generate access reports for each type of device 20 (i.e., unknown, bad, or good). The reports provide an organized analysis as to which users are accessing the system, including time period, call duration, and frequency of use.”, para [0028],“Allowed devices are those configured in the NAG 100 as to be allowed wireless service. After determining the identity of the device 20, and determining that the device 20 is an "allowed" device, the INAC 100 redirects the device 20 from the INAC 100 to the appropriate wireless network 10, as shown in FIG. 6C, block 458.”).
Salkini does not explicitly teach the data not including a signature indicative of enrollment of the device with the UEM service.
However, in an analogous art, Mahaffey teaches the data not including a signature indicative of enrollment of the device with the UEM service (Mahaffey: para [0004], “Credentials may be bound in some way to the individual to whom they were issued, such as for identification, or they may be bearer credentials, which may be acceptable for general authorization.”, para [0062], [0068], [0101], [0077], [0094], “For example credentials may comprise a username/password combination and/or a token and/or a cryptographic signature.”, “The user's credentials are then sent to the authentication server by whichever server or other resource is storing the credentials, act 458. In decision block 460, the authentication server determines whether or not the credentials are valid and approved.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teaching of Mahaffey into the teaching of Salkini to include determining that the device is unenrolled by the system based on data included with the communications received from the device because it will protect the network and prevent phishing attacks (Mahaffey: para [0133]).
Regarding claim 2, Salkini in view of Mahaffey teaches the independent claim 1.
Salkini in view of Mahaffey does not explicitly teach wherein the method further includes: in response to determining that the device is unenrolled by the UEM service, offering an enrollment option to the device; and in response to determining that the device is managed, providing network access.
However, in an analogous art, Mahaffey teaches wherein the method further includes: in response to determining that the device is unenrolled by the UEM service, offering an enrollment option to the device (Mahaffey: para [0045], “If a user is not enrolled in service, the user can be enrolled. In this case, the service may have its own authentication mechanism, server is interacting with it.”); and 
in response to determining that the device is managed, providing network access (Mahaffey: para [0101], “If instead the credentials are approved, then the client is allowed to access the resource, act 464”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teaching of Mahaffey into the teaching of Salkini to include wherein the method further includes: in response to determining that the device is unenrolled by the UEM service, offering an enrollment option to the device; and in response to determining that the device is managed, providing network access because it will protect the network and prevent phishing attacks (Mahaffey: para [0133]).
Regarding claim 3, Salkini in view of Mahaffey teaches the independent claim 1. Salkini additionally teaches wherein detecting presence of the device includes monitoring communication channels for communications from the device (Salkini: para[0037], “the security and intercept module 160 allows law enforcement personnel to monitor and record conversations and data transfers (packet and circuit), call signaling messages, accessed features, and SMS originated or terminated messages for targeted wireless devices that are currently locked to the INAC 100 and allowed localized services on the INAC 100 system.”).
Regarding claim 4, Salkini in view of Mahaffey teaches the independent claim 1. Mahaffey teaches wherein determining whether the device is unenrolled by the UEM service includes configuring an access point with a management enforcement agent that attempts to capture the signature from the device and then authenticates the signature with the UEM service(Mahaffey: [0072], [0094] “Wi-Fi access points (APs) which may supply Wi-Fi SSIDs, BSSIDs, type of authentication information, any other information gather-able about the APs, and signal strength information,”).
Regarding claim 5, Salkini in view of Mahaffey teaches the independent claim 1. Salkini additionally teaches wherein detecting presence of the device includes utilizing a beacon or another device enrolled with the system to monitor for communications (Salkini: para[0037], “ The INAC 100 may include an optional security and intercept module 160 that is used for lawful intercept of wireless communications using a direct Internet connection (or other available connection type) to a monitoring station. When enabled at the INAC 100, the security and intercept module 160 allows law enforcement personnel to monitor and record conversations and data transfers (packet and circuit), call signaling messages, accessed features, and SMS originated or terminated messages for targeted wireless devices that are currently locked to the INAC 100 and allowed localized services on the INAC 100 system.”).
Regarding claim 6, Salkini in view of Mahaffey teaches the dependent claim 5. Mahaffey teaches wherein detecting presence of the device includes monitoring for an announcement from the device, wherein the announcement is generated using one of: Bluetooth, Low Energy Bluetooth (BLE) or near field communications (NFC)(Mahaffey: para[0043], “In the peer-communication embodiment, the types of network connection between requesting client and authorizing client can include Wi-Fi, Bluetooth, NFC (near field communications), or a mobile wireless network”).
Regarding claim 7, Salkini in view of Mahaffey teaches the independent claim 1. Mahaffey teaches wherein the UEM service enrolls an identified device that is unenrolled by installing an agent onto the identified device, and wherein the agent is configured to output a unique signature indicative of the identified device (Mahaffey: para [0041], [0044], [0108], [0110], [0134], “Some services may require this, where in other cases, server provides open API where any service can request authentication or authorization without a user needing to enroll. The system determines if a user is enrolled in a given service with the server. It may do this by retrieving enrollment information from server (e.g. supply hostname or identifier of site as an HTTP referrer or explicitly) or service; looking for presence of a session or authentication cookie;”).
Regarding claim 8, Salkini in view of Mahaffey teaches the dependent claim 7. Mahaffey teaches wherein the unique signature is time dependent (Mahaffey: para[0128], “In an embodiment, the authorizing client based login system implements a time-based login mechanism. In such a case, a user must select or click on a user interface element that displays an appropriate message, such as "allow log in" to effect the web page login. For example, in an embodiment, the time-based login mechanism provides five seconds (or a similar period of time) to login to target server through the authorizing client”).
Regarding claim 9, Salkini in view of Mahaffey teaches the dependent claim 7. Mahaffey teaches wherein the unique signature is embedded in an encrypted token that can be decrypted by the system, and wherein the encrypted token is communicated over a secure channel (Mahaffey: para [0095], [0103], “The authenticating information comprising the credentials provided by the system, such as by a server or the authorizing client can be a username/password combination or a session token for the application's backend service, or an authorization token to retrieve login from a service (local or network-based), or other type of credential as described above.”, para [0089], “The client first authenticates the request using a relay of known credentials, digitally signed response, or other means, and provides the result data over a secure transmission channel.”).
Regarding claim 10, Salkini in view of Mahaffey teaches the dependent claim 7. Mahaffey teaches wherein the unique signature is provided at a predetermined communication layer based on capabilities of network switches (Mahaffey: para [0003] [0104], “In the Internet environment, clients and servers exchange messages according to a request-response messaging exchange in which the client sends a request, and the server returns a response in accordance with a defined communications protocol that operates in the application layer of the TCP/IP (Transmission Control Protocol/Internet Protocol) model.”).
Regarding claim 11, Salkini in view of Mahaffey teaches the dependent claim 1. Mahaffey teaches wherein the signature is provided over a set of different communication layers utilizing different frame patterns (Mahaffey: para [0055], [0060], [0085], “The network interface between server computer and the client computers may include one or more routers that serve to buffer and route the data transmitted between the server and client computers. Network 110 may be the Internet, a Wide Area Network (WAN), a Local Area Network (LAN), or any combination thereof.”, “The request 120 includes the application identity information--for a website, mobile or desktop application, or other service needing authentication or authorization URL,.., signing certificate of hosting application,… a digital signature or HMAC provided by the application, or other information)”, the signature provided in Mahaffey used a wired network which has different communication layers and pattern than the Bluetooth communication used in Salkini).
Regarding claim 12, Salkini in view of Mahaffey teaches the independent claim 1. Mahaffey additionally teaches wherein determining that the device is unenrolled includes sending a credential request to the device (Mahaffey: para[0059], “During a typical network exchange, a user through client computer 112 may make a request 120 to a target server 114 to access an application provided by the server or to access some other network resource through server 114. Many such applications or resources may be protected so that only authorized users may gain access. In this case, the accessed (or "target") server 114 will in turn respond with a challenge 122 requesting that the user provide appropriate authenticating credentials, such as a valid username and password.”).
Regarding claim 13, Salkini in view of Mahaffey teaches the independent claim 1. Mahaffey additionally teaches wherein the communications include cellular communications (Mahaffey: para[0085], “For an embodiment in which the authorizing client 132 is a mobile or cell phone, it may operate in a networked environment using logical connections to the requesting client 112, 118 or 119 via one or more communication interfaces. The communication interface may interface with a wireless network and/or a wired network. Examples of wireless networks include, for example, a BLUETOOTH network, a wireless personal area network, a wireless 802.11 local area network (LAN), wireless telephony network (e.g., a cellular, PCS, or GSM network), and/or near field communication (NFC)”).
Regarding claim 14, Salkini teaches a computerized method that identifies unenrolled devices entering an installation for a unified endpoint management (UEM) (INAC 100) service that tracks enrolled (allowed device) and unenrolled devices (unknown device) (Salkini: fig. 6A step 420 “detect entry of device in the local wireless network”, para [0025-0027] “the INAC 100 recognizes three categories of subscriber devices 20: restricted, allowed, and unknown”, “The INAC 100 may be implemented as software, hardware, or a combination of hardware and software. The INAC 100 may be implemented on a suitably programmable processor.”, see also claim 1), 
wherein the UEM service requires device enrollment to access a network (Salkini: para [0019], “In short, the intelligent network access controller can be used in any situation or at any facility or locale to establish a controlled wireless communications environment whereby only selected individuals can access a wireless communications network” para [0028], “Allowed devices are those configured in the NAG 100 as to be allowed wireless service”, see also fig. 6C steps 456, 454, and 458. If the device is unknown, block access, or if it is known, allow access.), 
the method comprising: detecting presence of a device based on receipt of communications from the device (Salkini: claim 1: “receiving a registration signal from a wireless device, and determining an access category for the wireless device based on the received registration signal”); 
determining that the device is unenrolled by the UEM service based on data included with the communications received from the device (Salkini: para[0026], fig. 6B. “The INAC 100 includes equipment identity module 110 that receives and stores identifying information associated with devices 20, the method of which is shown in FIG. 6B, block 443; access module 120 that determines, based on setup or operational mode of the INAC 100, which of the devices 20 are to be allowed access to the wireless communications network 10; locking module 125, which is used to lock a device 20 to the INAC 100 and to provide indications to the locked device 20 that make it appear that the device 20 actually is registered with the wireless network 10;”); and 
in response to determining that the device is unenrolled by the UEM service, reporting the device to the UEM service to track the device as unenrolled to deny access to network (Salkini: para [0034], “As subscribers access the INAC 100, and either are locked to the INAC 100 or redirected to the wireless network 10, the INAC 100 captures access information that can be used to generate access reports for each type of device 20 (i.e., unknown, bad, or good). The reports provide an organized analysis as to which users are accessing the system, including time period, call duration, and frequency of use.”, para [0028],“Allowed devices are those configured in the NAG 100 as to be allowed wireless service. After determining the identity of the device 20, and determining that the device 20 is an "allowed" device, the INAC 100 redirects the device 20 from the INAC 100 to the appropriate wireless network 10, as shown in FIG. 6C, block 458.”).
Salkini does not explicitly teach the data not including a signature indicative of enrollment of the device with the UEM service.
However, in an analogous art, Mahaffey teaches the data not including a signature indicative of enrollment of the device with the UEM service (Mahaffey: para [0004], “Credentials may be bound in some way to the individual to whom they were issued, such as for identification, or they may be bearer credentials, which may be acceptable for general authorization.”, para [0062], [0068], [0101], [0077], [0094], “For example credentials may comprise a username/password combination and/or a token and/or a cryptographic signature.”, “The user's credentials are then sent to the authentication server by whichever server or other resource is storing the credentials, act 458. In decision block 460, the authentication server determines whether or not the credentials are valid and approved.”).
Therefore, it would have been obvious to a person having ordinary skill in the art, before the effective filing date of the claimed invention, to combine the teaching of Mahaffey into the teaching of Salkini to include determining that the device is unenrolled by the system based on data included with the communications received from the device because it will protect the network and prevent phishing attacks (Mahaffey: para [0133]).
Regarding claim 15, claim 15 is rejected under the same rationale as claim 2.
Regarding claim 16, Salkini in view of Mahaffey teaches the independent claim 14. Salkini additionally teaches wherein detecting presence of the device includes at least one of: monitoring communication channels for communications from the device; utilizing a beacon or another device enrolled with the service to monitor for communications; or monitoring for an announcement from the device, wherein the announcement is generated using one of: Bluetooth, Low Energy Bluetooth (BLE) or near field communications (NFC) (Salkini: para[0037], “The INAC 100 may include an optional security and intercept module 160 that is used for lawful intercept of wireless communications using a direct Internet connection (or other available connection type) to a monitoring station. When enabled at the INAC 100, the security and intercept module 160 allows law enforcement personnel to monitor and record conversations and data transfers (packet and circuit), call signaling messages, accessed features, and SMS originated or terminated messages for targeted wireless devices that are currently locked to the INAC 100 and allowed localized services on the INAC 100 system.”). 
Regarding claim 17, claim 17 is rejected under the same rationale as claim 4.
Regarding claim 18, Salkini in view of Mahaffey teaches the independent claim 14. Mahaffey teaches wherein an identified device that is unenrolled is enrolled into the service by installing an agent onto the identified device, wherein the agent is configured to output a unique signature indicative of the identified device, and wherein the unique signature is at least one of: (Mahaffey: para [0041], [0044], [0108], [0110], [0134], “Some services may require this, where in other cases, server provides open API where any service can request authentication or authorization without a user needing to enroll. The system determines if a user is enrolled in a given service with the server. It may do this by retrieving enrollment information from server (e.g. supply hostname or identifier of site as an HTTP referrer or explicitly) or service; looking for presence of a session or authentication cookie;”); 
time dependent (Mahaffey: para [0128], “In an embodiment, the authorizing client based login system implements a time-based login mechanism. In such a case, a user must select or click on a user interface element that displays an appropriate message, such as "allow log in" to effect the web page login. For example, in an embodiment, the time-based login mechanism provides five seconds (or a similar period of time) to login to target server through the authorizing client”);
embedded in an encrypted token that can be decrypted by the service, and wherein the encrypted token is communicated over a secure channel (Mahaffey: para [0095], [0103], “The authenticating information comprising the credentials provided by the system, such as by a server or the authorizing client can be a username/password combination or a session token for the application's backend service, or an authorization token to retrieve login from a service (local or network-based), or other type of credential as described above.”, para [0089], “The client first authenticates the request using a relay of known credentials, digitally signed response, or other means, and provides the result data over a secure transmission channel.”); or 
provided at a predetermined communication layer based on capabilities of network switches (Mahaffey: para [0003] [0104], “In the Internet environment, clients and servers exchange messages according to a request-response messaging exchange in which the client sends a request, and the server returns a response in accordance with a defined communications protocol that operates in the application layer of the TCP/IP (Transmission Control Protocol/Internet Protocol) model.”).
Regarding claim 19, claim 19 is rejected under the same rationale as claim 11.
Regarding claim 20, claim 20 is rejected under the same rationale as claim 12.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to LYDIA L NOEL whose telephone number is (571)272-1628. The examiner can normally be reached Monday - Friday 9:00 - 5:00.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kristine Kincaid can be reached on (571) 272 - 4063. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/L.L.N./
Examiner, Art Unit 2437
/KRISTINE L KINCAID/
Supervisory Patent Examiner, Art Unit 2437