Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
This is the initial office action that has been issued in response to patent application, 17/456,961 filed on 11/30/2021. Claims 1-20 are currently pending and have been considered below. Claims 1, 9 and 15 are independent claims. 

Priority
The application claims priority of Continuation application 16/416,452, filed on 05/20/2019.

Drawings
The drawings file on 11/30/2021 are accepted by the examiner. 

Information Disclosure Statement
The information disclosure statements (IDS’s) submitted on 11/30/2021 and 06/10/2022 are in compliance with provisions of 37 CFR 1.97. Accordingly, the information disclosure statement. 


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

The claimed invention is not directed to patent
eligible subject matter. Based upon consideration of all of
the relevant factors with respect to the claim as a whole,
claims 9-14 are rejected under 35 U.S.C. 101 because the
claimed invention is directed to non-statutory subject
matter.
Claim 9 recite “at a virtual delivery appliance, receiving requests from a client device to connect with the virtual delivery appliance”. The claims recite system without having any hardware positively recited. Under broadest reasonable interpretation, Examiner assumes that “a at a virtual delivery appliance, receiving requests from a client device to connect with the virtual delivery appliance” is no more than
software. Computer programs per se do not fit within
recognized categories of statutory subject matter. Claim 9 13 recite “at a virtual delivery appliance, receiving requests from a client device to connect with the virtual delivery appliance” without reciting any component or structure. The preamble recites “at a virtual delivery appliance, receiving requests from a client device to connect with the virtual delivery appliance” but the device cannot be implemented in software or tangible component. If the device / apparatus / system is considered as machine, then the machine needs to consist of some concrete part or structure which is absent in the claim. See MPEP § 2106.
A claim that covers both statutory and non-statutory
embodiments (under the broadest reasonable interpretation
of the claim when read in light of the specification and in
view of one skilled in the art) embraces subject matter
that is not eligible for patent protection and therefore is
directed to non-statutory subject matter.
Claims 10-14 are dependent claims dependent on claim 9 and have inherited the deficiencies of their parent claim and have not resolved deficiencies. Therefore, they are rejected based on the same rationale as applied to the parent claim 9 above.



Double Patenting
	The non-statutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A non-statutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 16USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on non-statutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to  www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

	Claims 1-20 are rejected on the ground of non-statutory double patenting as being unpatentable over claims 1-20 of U.S. Patent No Patent No. 16/416452. Although the claims at issue are not identical, they are not patentably distinct from each other because the claims in the co-pending application contains every element of claims of the instant application. 
Dependent claims 2-8, 10-14 and 16-18 of the current application are similar to claims 2-8, 10-14 and 16-18 of the issued patent. Also Claims 19-20 are respectively similar to claims 13-14 of the issued patent.
This is a non-statutory obviousness type double patenting. 

Current U.S. Patent No. 17/456961
Co-pending U.S. Patent No. 16/416452
Claim 1:
A computing device comprising:
 a memory and a processor cooperating with the memory and configured to receive requests from a client device to connect 
with the computing device, the client device being shared by multiple authenticated users and having a public/private encryption key pair associated therewith, the requests based upon connection leases and the public key for the client device, and the connection leases being generated for respective authenticated users and including an authenticated version of the public key for the client device so that the connection leases are specific to the client device and respective users; 


and provide the client device with access to computing sessions for respective authenticated users based upon the connection leases and verification of the public key, and prevents the use of the connection leases for authorizing connections for other authenticated users.

Claim 9:
A method comprising:
 at a virtual delivery appliance, receiving requests from a client device to connect with the virtual delivery appliance, the client device being shared by multiple authenticated users, the client device having a public/private encryption key pair associated therewith, the requests based upon connection leases and the public key for the client device, and the connection leases being generated for respective authenticated users and including an authenticated version of the public key for the client device so that the connection leases are specific to the client device and respective users; 

and providing the client device with access to computing sessions for respective authenticated users based upon the connection leases and verification of the public key, and preventing the use of the connection leases for authorizing connections for other authenticated users.

Claim 15: 
A method comprising:
 receiving a request at a computing device from a client device, the client device having a public/private encryption key pair associated therewith, the request being based upon a connection lease and the public key for the client device, and the connection lease including an authenticated version of the public key for the client device so that the connection lease is specific to the client device; 








verifying at the computing device that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device; 



and providing the client device with access to a computing session responsive to verification of the authenticated version of the public key.
Claim 1:
A computing device comprising: a memory and a processor cooperating with the memory and configured to receive a connection request from a client device having a public/private encryption key pair associated therewith, the connection request based upon a connection lease and the public key for the client device, and the connection lease including an authenticated version of the public key for the client device so that the connection lease is specific to the client device; verify that the authenticated version of the public key upon which 
the connection lease was generated matches the public key for the client device; 


and authorize the connection with the client device 
and provide the client device with access to a virtual computing session via the connection.





Claim 9:
A method comprising: receiving a connection request at a virtual delivery appliance from a client device having a public/private encryption key pair associated therewith, the connection request being based upon a connection lease and the public key for the client device, and the connection lease including an authenticated version of the public key for the client device so that the connection lease is specific to the client device; verifying at the virtual delivery appliance that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device; 



and authorizing a connection with the client device and providing the client device with access to a virtual computing session via the connection.





Claim 15:
A computing system comprising: a server configured to generate a connection lease for a client device, the client device having a public/private encryption key pair associated therewith, and the connection lease including an authenticated version of the public key for the client device so that the connection lease is specific to the client device; 

and a virtual delivery appliance configured to receive a connection request from the client device based upon the connection lease and the public key for the client device, 

verify that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device, authorize a connection with the client device



 and provide the client device with access to a virtual computing session via the connection.




Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-7 and 9-20 are rejected under 35 U.S.C. 103 as being unpatentable over Bell (US Patent Publication No. 20130219468 A1) in view of Saulpaugh (US Patent Publication No. 8001232 B1).

Regarding Claim 1, Bell discloses, a computing device comprising: a memory and a processor cooperating with the memory and configured to receive requests from a client device to connect with the computing device, the client device being shared by multiple authenticated users and having a public/private encryption key pair associated therewith, the requests based upon connection leases and the public key for the client device(Bell, [0010],  another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access. [0009], According to another aspect, a session host apparatus may include a processor controlling operations of the session host apparatus, and memory storing computer readable instructions that, when executed by the processor, cause the session host apparatus to establish a session with a session client using a connection lease.  [0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key), 
and provide the client device with access to computing sessions for respective authenticated users based upon the connection leases and verification of the public key, and prevents the use of the connection leases for authorizing connections for other authenticated users (Bell, [0078], a lease token (or a separate lease) may include information to authorize a network connection through a security device, such as an access gateway, in which case the lease may be presented to the gateway as part of establishing the connection with the session host.).  
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
and the connection leases being generated for respective authenticated users and including an authenticated version of the public key for the client device so that the connection leases are specific to the client device and respective users (Saulpaugh, Col. 36, lines 6-10, The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively, the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client); 
It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to modify Bell with Saulpaugh because when the client is authorized, the space service may also obtain a lease on the service advertisement for the client with the lease request time specified by the client, as indicated at 326. Leases are further discussed below. The space service may then send a message to the client which includes the allocated lease and the service advertisement of the service, as indicated at 328. In one embodiment, the client may run an authentication service specified in the service advertisement and obtain an authentication credential, as indicated at 330[Saulpaugh, Col. 39, lines 4-12].

Regarding Claim 2, Bell and Saulpaugh disclose, the computing device of claim 1, 
and validate the signed response with the public key for the client device (Bell, [0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
wherein the processor is further configured to, prior to authorizing connections with the client device: initiate a challenge to be signed by the client device with the private key associated with the client device (Saulpaugh, Col. 56, lines 17-20, In one embodiment, the client may access the authentication service using a challenge/response mechanism Such as a logon account with password and thus may be verified as a valid client.); 
It would have been obvious to a person having ordinary skill in the art before the effective filling date of the invention to modify Bell with Saulpaugh because the security checks may be implemented using Access Control Lists (ACLs) in conjunction with an authentication service. In one embodiment, a challenge/response sequence (such as a logon and password account) may be used to authenticate a client. In one embodiment, the client authentication and gate creation security checks may be hidden from the client and service, the gate factory may only be aware of the authentication service to be used, and the authentication service may be aware of the authentication mechanism and policies. [Saulpaugh, Col. 56-57 lines 67 and lines 1-9]

Regarding Claim 3, Bell and Saulpaugh discloses, the computing device of claim 2 wherein the processor initiates the challenge and validates the signed response prior to verification of the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074], The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

Regarding Claim 4, Bell and Saulpaugh discloses, the computing device of claim 2 wherein, prior to the challenge and response, the processor is further configured to validate a signature and date associated with the connection lease, and validate that the public key is valid (Bell, Claim 14, the session host validating the lease token based on the cryptographic signature of the lease token ;based on the validating, the session host sending connection information for use by the client device to establish a session with the session host).  
  
Regarding Claim 5, Bell and Saulpaugh discloses, the computing device of claim 2 wherein the processor initiates the challenge and validates the signed response after verification of the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074], The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

Regarding Claim 6, Bell and Saulpaugh discloses, the computing device of claim 1 wherein the connection lease includes a hash of the authenticated version of the public key for the client device (Bell, [0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. The broker may further include a hash value associated with the lease token to ensure that the lease is not improperly altered or changed after issuance by the broker and before use by a user or device).
  
Regarding Claim 7, Bell and Saulpaugh discloses, the computing device of claim 1,
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
wherein the public/private key pair is generated at the client device using a hardware-backed key store (Saulpaugh, Col. 52, lines 38-42, In some embodiments, a hardware-based physical identification method may be used to authenticate the client. For example, the user may Supply a physical identification Such as a Smart card for identification and authorization.).
	It would have been obvious to a person having ordinary skill in the art before the effecting filing date of the invention to modify Bell with Saulpaugh because a public/private key encryption mechanism may be used as unique identifiers for the client and the service. In one embodiment, the client may receive the service token in the service advertisement, and the client may provide the client token and the service token to the authentication service. [Saulpaugh, Col. 55-56 lines 64-67 and lines 1-2].

Regarding Claim 9, Bell discloses, a method comprising: at a virtual delivery appliance, receiving requests from a client device to connect with the virtual delivery appliance, the client device being shared by multiple authenticated users, the client device having a public/private encryption key pair associated therewith, the requests based upon connection leases and the public key for the client device (Bell, [0010],  another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access. [0009], According to another aspect, a session host apparatus may include a processor controlling operations of the session host apparatus, and memory storing computer readable instructions that, when executed by the processor, cause the session host apparatus to establish a session with a session client using a connection lease.  [0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key), 
and providing the client device with access to computing sessions for respective authenticated users based upon the connection leases and verification of the public key, and preventing the use of the connection leases for authorizing connections for other authenticated users (Bell, [0078], a lease token (or a separate lease) may include information to authorize a network connection through a security device, such as an access gateway, in which case the lease may be presented to the gateway as part of establishing the connection with the session host.).  
Bell does not explicitly disclose the following limitations that Saulpaugh discloses:
and the connection leases being generated for respective authenticated users and including an authenticated version of the public key for the client device so that the connection leases are specific to the client device and respective users (Saulpaugh, Col. 36, lines 6-10, The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively, the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client); 
The same motivation to modify with Saulpaugh, as in claim 1, applies.

Regarding Claim 10, Bell and Saulpaugh discloses, the method of claim 9 further comprising, 
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
prior to authorizing the connection with the client device: initiating a challenge from the virtual delivery appliance to be signed by the client device with the private key associated with the client device (Saulpaugh, Col. 56, lines 17-20, In one embodiment, the client may access the authentication service using a challenge/response mechanism Such as a logon account with password and thus may be verified as a valid client.);  
and validating at the virtual delivery appliance the signed response with the public key for the client device (Bell, [0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

Regarding Claim 11, Bell and Saulpaugh disclose, the method of claim 10 wherein initiating and validating comprise initiating the challenge and validating the signed response prior to verification of the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074], The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).
  
Regarding Claim 12, Bell and Saulpaugh disclose, the method of claim 10 wherein initiating and validating comprise initiating the challenge and validating the signed response after verification of the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074], The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).
  
Regarding Claim 13, Bell and Saulpaugh discloses, the method of claim 9 wherein the public key for the client device is registered with a broker (Bell, [0010], Yet another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access, and one or more resources the client device is authorized to use on the one or more session hosts.); 
and further comprising validating, at the virtual delivery appliance, that the public key for the client device is registered with the broker prior to verification of the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0066],  in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. [0005], When a user desires to connect to a virtual desktop, the user's local software client contacts a connection broker to establish a session with a remote desktop or other resource. Conventional connection brokers are said to be “inline” and thus involved in all decisions to determine where to direct a user's session. Stated differently, all connections must be initiated through and established with the assistance of the connection broker). 
  
Regarding Claim 14, Bell and Saulpaugh discloses, the method of claim 9 wherein the connection lease includes a hash of the authenticated version of the public key for the client device (Bell, [0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. The broker may further include a hash value associated with the lease token to ensure that the lease is not improperly altered or changed after issuance by the broker and before use by a user or device).
  

Regarding Claim 15, Bell discloses, a method comprising: receiving a request at a computing device from a client device, the client device having a public/private encryption key pair associated therewith, the request being based upon a connection lease and the public key for the client device (Bell, [0010], another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access. [0009], According to another aspect, a session host apparatus may include a processor controlling operations of the session host apparatus, and memory storing computer readable instructions that, when executed by the processor, cause the session host apparatus to establish a session with a session client using a connection lease.  [0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key), 
verifying at the computing device that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074], The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.); 
and providing the client device with access to a computing session responsive to verification of the authenticated version of the public key (Bell, [0078], a lease token (or a separate lease) may include information to authorize a network connection through a security device, such as an access gateway, in which case the lease may be presented to the gateway as part of establishing the connection with the session host.).  
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
and the connection lease including an authenticated version of the public key for the client device so that the connection lease is specific to the client device (Saulpaugh, Col. 36, lines 6-10, The lease presenter then presents the lease token to one or more session hosts in step 607 as defined by the lease token. The lease presenter may further provide confirmation to the session host that the user has already been authenticated. Alternatively, the lease token may be delivered to the session host by a network device, virtual machine (VM) or other server such as an Access Gateway, Web Interface, Delivery Services or the broker itself (any of which can act as the “lease presenter”), after intercepting the initial request from the session client); 
The same motivation to modify with Saulpaugh, as in claim 1, applies.	

Regarding Claim 16, Bell and Saulpaugh discloses, the method of claim 15 further comprising, 
Bell does not explicitly disclose the following limitations that Saulpaugh teaches:
prior to providing the client device with access to the computing session: initiating a challenge from the computing device to be signed by the client device with the private key associated with the client device (Saulpaugh, Col. 56, lines 17-20, In one embodiment, the client may access the authentication service using a challenge/response mechanism Such as a logon account with password and thus may be verified as a valid client.); 
and validating at the computing device the signed response with the public key for the client device (Bell, [0066], Each connection lease may be cryptographically signed 511 so that a session host can verify the validity of the lease without needing to communicate with a broker. For example, in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).  

Regarding Claim 17, Bell and Saulpaugh discloses, the method of claim 16 wherein initiating and validating comprise initiating the challenge and validating the signed response prior to verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).
  
Regarding Claim 18, Bell and Saulpaugh discloses, the method of claim 16 wherein initiating and validating comprise initiating the challenge and validating the signed response after verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0074],  The session client thus received from the lease presenter the same sort of file expected to be received in response to the session client's initial request to connection broker 401. The session client then uses the received launch file in step 613 to establish the session with the session host and, more specifically, with the specific hosted services (desktop, application, etc.). Using the method of FIG. 6, an existing legacy session client can establish a session using the lease token methods and systems described herein. The session host can autonomously determine the validity of the lease and whether to permit the session connection, without communicating with the connection broker. [0066], a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker.).
  
Regarding Claim 19, Bell and Saulpaugh discloses, the method of claim 15 wherein the public key for the client device is registered with a broker (Bell, [0010], Yet another aspect described herein provides a method for establishing a session using a connection lease. Initially, a connection broker receives a request for a session from a client device. The connection broker determines, based on an identification of the client device, one or more session hosts the client device is authorized to access, and one or more resources the client device is authorized to use on the one or more session hosts. ); 
and further comprising validating, at the computing device, that the public key for the client device is registered with the broker prior to verifying that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Bell, [0066],  in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. [0005], When a user desires to connect to a virtual desktop, the user's local software client contacts a connection broker to establish a session with a remote desktop or other resource. Conventional connection brokers are said to be “inline” and thus involved in all decisions to determine where to direct a user's session. Stated differently, all connections must be initiated through and established with the assistance of the connection broker). 
  
Regarding Claim 20, Bell and Saulpaugh discloses, the method of claim 15 wherein the connection lease includes a hash of the authenticated version of the public key for the client device (Bell, [0066], in a public key infrastructure (PKI), each connection lease might be signed and/or encrypted using a private key of the broker 401, and each session host can verify the lease by authenticating or decrypting the connection lease using the public key of the trusted broker. The session host can thereby ensure that the information included in the lease is provided by a trusted broker. The broker may further include a hash value associated with the lease token to ensure that the lease is not improperly altered or changed after issuance by the broker and before use by a user or device).

Claim 8 is rejected under 35 U.S.C. 103 as being unpatentable over Bell (US Patent Publication No. 20130219468 A1) and Saulpaugh (US Patent Publication No. 8001232 B1) in view of Luo(US Patent Publication No. 20190281449 A1). 

Regarding Claim 8, Bell and Saulpaugh discloses, the computing device of claim 1,
Bell and Saulpaugh does not explicitly disclose the following limitations that Luo teaches:
wherein the processor is further configured to drop the connection with the client device based on a failure to verify that the authenticated version of the public key upon which the connection lease was generated matches the public key for the client device (Luo, [0066], Once the secure TLS tunnel connection is established between the peripheral device 101 and the server 103, the peripheral device 101 transmits its firmware ID 519 and 520 in encrypted form to the server 103 via the TLS tunnel.  [0067], at 530, if the received firmware hash values match the expected firmware hash values, the firmware of the peripheral device 101 is valid and at 534, the server determines whether the device ID and public key received from the peripheral device 101 are unique (e.g., by performing a lookup of the device ID in its peripheral device database 236). If the device ID and/or public key are not unique (e.g., they are already being used by another peripheral device), the server 103 transmits a request 535 and 536 to the peripheral device 101 for the peripheral device 101 to generate a new device ID and public key.) [0075], At 611, the host device 102 failed to validate the peripheral device 101's certificate, so the host device 102 silently drops the connection to the peripheral device 101).  
It would have been obvious to a person having ordinary skill in the art before the effecting filing date of the invention to modify Bell and Saulpaugh with Luo in order to minimize the chance of being tricked into any unsafe communications with the peripheral device [Luo, para.0075].   

Conclusion
25. 	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MAYASA SHAAWAT whose telephone number is (571)272-3939.  The examiner can normally be reached on M-F, 8 AM TO 5 PM. If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, JEFFREY PWU can be reached on (571)272-6789. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/MAYASA SHAAWAT/
Examiner Art Unit 2433

/NOURA ZOUBAIR/Primary Examiner, Art Unit 2434