Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of claims
This office action is in response to claims filed on 12/09/2020.
Claims 1-20 are pending and rejected; claims 1, 9 and 15 are independent claims.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 12/09/2020 is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

Claims 10 and 15-20 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the written description requirement. The claims contain subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA 35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 10, 15 and 19 recite a "cross-endpoint management service" that is not sufficiently described in the disclosure; claims 16-18 and 20 are rejected by virtue of their dependency on claim 15.

Claim Rejections - 35 USC § 102
The following is a quotation of 35 U.S.C. 102(a)(1), which forms the basis for the rejections under this section:
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claim(s) 1-2 and 5-16 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Hayton et al. US Pub. No. 2015/0319174 A1 (hereinafter Hayton).

Hayton teaches
As to claim 1, a computer system comprising: 
a second endpoint configured to communicate with a first endpoint distinct from the second endpoint (see Hayton Fig. 2 and Col. 6, ¶¶31-33, computing device 201 [i.e., second endpoint] communicates with a mobile/client device 240 [i.e., first endpoint]), the second endpoint comprising 
a network interface (see Hayton Fig. 2), 
a memory, and one or more processors coupled to the memory and the network interface (see Hayton Fig. 2), the one or more processors configured to 
receive, from an endpoint management service via the network interface, authorization information authorizing the first endpoint to access digital resources controlled by the endpoint management service (see Hayton ¶¶7-9, receiving, by the computing device [i.e., the second endpoint] from the enterprise device, and in response to a successful authentication of the authentication credentials associated with the client device [i.e., the first endpoint], the authorization information associated with the enterprise resource), and 
transmit the authorization information to the first endpoint to enable the first endpoint to access the digital resources based on the authorization information (see Hayton ¶7, passing, by the computing device to the client device, information associated with the requested enterprise resource based on the received authorization information associated with the enterprise resource).

As to claim 2, the computer system of claim 1, wherein: 
the authorization information includes an authorization token usable by the first endpoint to access the digital resources, and one or more policies dictating one or more corresponding rules associated with accessing the digital resources (see Hayton ¶48, all applications may execute in accordance with a set of one or more policy files received separate from the application, and which define one or more security parameters; ¶¶89-90, retrieve/access/request authentication information (e.g., passwords, login credentials, etc.) and/or authorization information (e.g., cookies, tokens, etc.), and may transmit this retrieved information to the enterprise resource).


As to claim 5, the computer system of claim 1, wherein the one or more processors are further configured to: transmit the authorization information to the first endpoint over a personal area network or a local area network (see Hayton ¶24, a local area network (LAN) may have one or more of any known LAN topology and may use one or more of a variety of different protocols, such as Ethernet. Devices 103, 105, 107, 109 and other devices (not shown) may be connected to one or more of the networks via twisted pair wires, coaxial cable, fiber optics, radio waves or other communication media).

As to claim 6, the computer system of claim 1, wherein the one or more processors are further configured to: 
receive, from the first endpoint, an indication that an application program has been installed in the first endpoint, and a first request for the authorization information, the first request comprising authentication credentials that includes one or both of a user identifier or a password (see Hayton ¶120, authentication credentials may include the authentication credentials transmitted to gateway 360 by client device 302 when client device 302 authenticated (e.g., logged into) itself with gateway 360); and 
transmit, to the endpoint management service, a second request for the authorization information, the second request including the authentication credentials, wherein the second endpoint receives the authorization information from the endpoint management service in response to the second request (see Hayton ¶104, after transmitting the authentication credentials to the enterprise service, the gateway 360 may then retrieve the required authorization information needed to access the enterprise service based on the information transmitted in the enterprise's response).

As to claim 7, the computer system of claim 1, wherein the network interface is a first network interface, the memory is a first memory, the one or more processors are first one or more processors (see Hayton Fig. 4, ¶60, an enrolled client device (e.g., mobile device) 402 with a client agent 404, which interacts with gateway server 406), and wherein the computer system further comprises: the first endpoint comprising: 
a second network interface; a second memory; and 
one or more second processors coupled to the second memory and the second network interface, the one or more second processors being configured to install an application program in the first endpoint (see Hayton ¶21, installation at the mobile computing device), 
transmit, to the second endpoint, a request for the authorization information, to enable the application program to access the digital resources (see Hayton ¶21, the access manager may ensure the mobile application requesting access to the enterprise resource can be trusted and is not attempting to circumvent the security mechanisms used to protect those enterprise resources), 
receive, from the second endpoint, the authorization information (see Hayton ¶88, authenticating a client device on a gateway and on an enterprise system. FIGS. 5-7 also relate to authorizing a client device and/or gateway device access to enterprise system resources), and 
execute the application program, and access, using the application program, the digital resources, based on the authorization information (see Hayton ¶88, client device 302 or 402 may communicate with an enterprise system through gateway 360 or 406, may provide authentication credentials to validate the user's or client device's identity, and then may request and access the various resources and services of the enterprise system).

As to claim 8, the computer system of claim 7, wherein: 
the authorization information includes an authorization token usable by the first endpoint to access the digital resources, and one or more policies dictating one or more corresponding rules associated with accessing the digital resources (see Hayton ¶55, Policy manager services 370 may include device policy manager services, application policy manager services, data policy manager services, and the like); and 
the one or more second processors are further configured to store the authorization token and the one or more policies in the second memory (see Hayton ¶100, gateway 360 and/or client device 302 already has an access token, gateway 360 and/or client device 302 may transmit the token with the request, thereby satisfying the enterprise's authorization requirement), and 
in response to a deviation in communication with the second endpoint and/or in response to a request from the second endpoint, delete the authorization token and/or wipe out application data associated with the application program (see Hayton ¶100, the enterprise system may deny the initial request for the enterprise resource, and may transmit this denial to gateway 360).

Hayton teaches
As to claim 9, A first endpoint comprising: 
a network interface (see Hayton Fig. 2); 
a memory (see Hayton Fig. 2); and 
one or more processors coupled to the memory and the network interface, the one or more processors configured to install an application program in the first endpoint (see Hayton ¶35, the computing environment 200 may include a network appliance installed between the server(s) 206 and client machine(s) 240; ¶61, client agent 404 also supports the installation and management of native applications on the mobile device 402); 
request, to an endpoint management service via a second endpoint, for an authorization token (see Hayton ¶¶104-106, gateway 360 may transmit/provide one or more tokens specific for that enterprise service before granting access to that enterprise service); 
receive, from the endpoint management service via the second endpoint, the authorization token (see Hayton ¶89, gateway may also retrieve/access/request authentication information (e.g., passwords, login credentials, etc.) and/or authorization information (e.g., cookies, tokens, etc.), and may transmit this retrieved information to the enterprise resource) ; and 
execute the application program, in response to receiving the authorization token (see Hayton ¶¶104-106, gateway 360 may transmit/provide one or more tokens specific for that enterprise service before granting access to that enterprise service).

As to claim 10, the first endpoint of claim 9, wherein: 
the one or more processors are further configured to execute a first cross-endpoint management service that processes the authorization token (see Hayton ¶98, session or authentication information may be transmitted from gateway 360 to client device 302 after authentication, such as a token); 
the authorization token is received from a second cross-endpoint management service being executed in the second endpoint (see Hayton ¶98, session or authentication information may be transmitted from gateway 360 to client device 302 after authentication, such as a token); and 
during reception of the authorization token, a same user credential is used to log into both of the first cross-endpoint management service and the second cross-endpoint management service (see Hayton ¶105, token issuer may also communicate with the enterprise resource's login service, thereby determining when a gateway or client device is authenticated by the enterprise resource).

As to claim 11, the first endpoint of claim 9, wherein the first endpoint transmits the request for the authorization token to the second endpoint and receives the authorization token from the second endpoint over a personal area network or a local area network (see Hayton ¶105, token issuer may also communicate with the enterprise resource's login service, thereby determining when a gateway or client device is authenticated by the enterprise resource, ¶24, using local area network).

As to claim 12, the first endpoint of claim 9, wherein the one or more processors are further configured to: transmit another request to an authentication service to access enterprise digital resources, the other request including the authorization token (see Hayton ¶89, gateway may also retrieve/access/request authentication information (e.g., passwords, login credentials, etc.) and/or authorization information (e.g., cookies, tokens, etc.), and may transmit this retrieved information to the enterprise resource); and 
in response to the authentication service successfully verifying the authorization token, receive authorization to access the enterprise digital resources (see Hayton ¶94, authenticating and authorizing client devices in enterprise systems using a gateway device in accordance with one or more features described herein).

As to claim 13, the first endpoint of claim 9, further comprising: 
a non-volatile storage logically partitioned in a first section and a second section, wherein application data associated with the application program and the authorization token are stored in the first section, wherein personal user data are stored in the second section, and wherein the one or more processors are further configured to receive, from the second endpoint, instructions to revoke authorization to execute the application program, wherein the instructions to revoke originate either (i) in the endpoint management service and are transmitted via the second endpoint, or (ii) in the second endpoint, and in response to the instructions to revoke, delete the authorization token and/or wipe out the application data from the first section of the non-volatile storage, without deleting any personal user data from the second section of the non-volatile storage (see Hayton ¶¶98, 119, authentication service 610/login 704 may deny the login request/attempt. Authentication service 610/login 704 may then send a denial (e.g., 401 response) to the gateway. This denial may include information, such as why the request was denied, what is required to login using that method, and the like. In this case, the denial may indicate that gateway 360 did not send any authentication credentials with the login request).

As to claim 14, the first endpoint of claim 9, further comprising: a non-volatile storage logically partitioned in a first section and a second section, wherein application data associated with the application program and the authorization token are stored in the first section, wherein personal user data are stored in the second section, and wherein the one or more processors are further configured to detect a failure of the first endpoint to communicate with the second endpoint for at least a threshold period of time, and in response to the failure to communicate for at least the threshold period of time, delete the authorization token and/or wipe out the application data from the first section of the non-volatile storage, without deleting any personal user data from the second section of the non-volatile storage (see Hayton ¶¶98, 119, gateway 360 may attach to and/or associate an expiration with a session cookie. For example, a cookie may have a time limit of 5 minutes, such that after 5 minutes, the current login session may be disabled, and client device 302 may need to subsequently log back in to gateway 360).

Hayton teaches
As to claim 15, a method comprising: 
receiving, by a second endpoint and from an endpoint management service, an authorization token intended for a first endpoint (see Hayton Fig. 2 and ¶¶31-33, computing device 201; ¶100, authorization information, such as an access token); and 
transmitting, by a second cross-endpoint management service being executed in the second endpoint, the authorization token to a first cross-endpoint management service being executed in the first endpoint, to facilitate the first endpoint to access digital resources based on the authorization token (see Hayton ¶100, authorization information, such as an access token; ¶¶7-9, access request executed by client device), 
wherein during transmission of the authorization token, a same user credential is used to log into both of the first cross-endpoint management service and the second cross-endpoint management service (see Hayton ¶102, the login service may be part of the enterprise service's authentication service, which may be similar to or the same as authentication service 358. In response to receiving the authentication credentials along with the chosen login method, the enterprise service may authenticate the gateway 360 and/or client device 302).

As to claim 16, the method of claim 15, further comprising: 
receiving, from the first endpoint, a request for authorization, the request including authorization credentials (see Hayton ¶106, gateway 360 may transmit the required authorization information and the client device request); and 
transmitting the request, along with the authorization credentials, to the endpoint management service, wherein the authorization token is received by the second endpoint from the endpoint management service, in response to transmitting the request to the endpoint management service (see Hayton ¶¶7-9, receiving, by the computing device [i.e., the second endpoint] from the enterprise device, and in response to a successful authentication of the authentication credentials associated with the client device [i.e., the first endpoint], the authorization information associated with the enterprise resource).

Claim Rejections - 35 USC § 103
Claims 3-4 and 17-20 are rejected under 35 U.S.C. 103 as being unpatentable over Hayton et al., US Pub. No. 2015/0319174 A1 (hereinafter Hayton), as applied above, and further in view of Barton et al., US Pub. No. 2014/0298420 A1 (hereinafter Barton).

As to claim 3, Hayton does not explicitly teach but the related art Barton teaches:
the computer system of claim 2, wherein the one or more processors are further configured to: 
receive a user input to prevent the first endpoint from accessing the digital resources (see Barton ¶79, stored in the secure data container 528 may be deleted from the device upon receipt of a command from the device manager 524) ; and 
in response to the user input, transmit one or more of a first request to the endpoint management service, requesting the endpoint management service to mark the authorization token as being invalid, thereby preventing the first endpoint from accessing the digital resources, or a second request to the first endpoint, requesting the first endpoint to delete the authorization token and/or to wipe out application data associated with one or more application programs installed in the first endpoint (see Barton ¶111, feature relates to application container locking and wiping, which may automatically occur upon jail-break or rooting detections, and occur as a pushed command from administration console, and may include a remote wipe functionality even when an application 610 is not running).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the enterprise system authentication and authorization via a gateway disclosed by Hayton to include validating the identity of a mobile application for mobile application management as taught by Barton. A person of ordinary skill in the art would have been motivated to validate authorization credentials/tokens and to remove/delete/wipe data or otherwise prevent unauthorized access in order to enhance security.

As to claim 4, Hayton does not explicitly teach but the related art Barton teaches 
the computer system of claim 2, wherein the one or more processors are further configured to: 
identify a deviation in communications between the second endpoint and the first endpoint (see Barton ¶90, processing logic on any of the L2-L7 layers and may comply with (or selectively deviate from, as appropriate) one or more networking standards throughout these layers); and in response to identification of the deviation, request the endpoint management service to mark the authorization token as being invalid, thereby preventing the first endpoint from accessing the digital resources (see Barton ¶156, the access manager may determine that the mobile application has falsely identified itself, has been altered after installation at the mobile device, and so forth. As a result, the access manager may deny the mobile application access to the computing resources (block 1234)).
The same rationale as above applies to combine the cited prior art references.

As to claim 17, Hayton does not explicitly teach but the related art Barton teaches 
the method of claim 15, further comprising: receiving a user input to revoke authorization of the first endpoint to access the digital resources; and in response to the user input, transmitting by the second endpoint and to the endpoint management service, a request to revoke the authorization of the first endpoint (see Barton ¶79, stored in the secure data container 528 may be deleted from the device upon receipt of a command from the device manager 524).
The same rationale as above applies to combine the cited prior art references.

As to claim 18, Hayton does not explicitly teach but the related art Barton teaches: 
the method of claim 17, further comprising: in response to the user input, transmitting by the second endpoint and to the first endpoint, another request to delete the authorization token and/or to perform a wipe out process at the first endpoint (see Barton ¶79, stored in the secure data container 528 may be deleted from the device upon receipt of a command from the device manager 524).
The same rationale as above applies to combine the cited prior art references.

As to claim 19, Hayton does not explicitly teach but the related art Barton teaches:
the method of claim 15, further comprising: identifying, by the second cross-endpoint management service of the second endpoint, a deviation in communications with the first cross-endpoint management service of the first endpoint; and in response to identifying the deviation in communications, transmitting, by the second endpoint and to the endpoint management service, a request to revoke the authorization of the first endpoint (see Barton ¶156, the access manager may determine that the mobile application has falsely identified itself, has been altered after installation at the mobile device, and so forth. As a result, the access manager may deny the mobile application access to the computing resources (block 1234)).
The same rationale as above applies to combine the cited prior art references.

As to claim 20, Hayton does not explicitly teach but the related art Barton teaches:
the method of claim 15, further comprising: receiving, by the second endpoint, a request from the endpoint management service, to revoke authorization of the first endpoint to access the digital resources; and in response to the request, transmitting, by the second endpoint and to the first endpoint, another request to delete the authorization token and/or to perform a wipe out process at the first endpoint (see Barton ¶156, the access manager may determine that the mobile application has falsely identified itself, has been altered after installation at the mobile device, and so forth. As a result, the access manager may deny the mobile application access to the computing resources (block 1234)).
The same rationale as above applies to combine the cited prior art references.
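The following Python model is added here as an illustration and is not part of the application under examination, Hayton, or Barton. It shows, in working code, the flow the rejected claims describe: the first endpoint forwards credentials through the second endpoint to an endpoint management service (claims 1, 6, 9, 16), the service answers with a token plus a policy (claim 2), the first endpoint keeps the token and application data in a work section of storage separate from personal data (claims 13, 14), and the token is destroyed and the work section wiped either on a revocation relayed by the second endpoint (claims 3, 17-18, 20) or after the second endpoint falls silent for longer than the policy's grace period (claims 4, 14, 19). It goes beyond any single claim by exercising both revocation paths in one run. All class and method names, the credential pair, the 300-second grace period and the fixed clock values are assumptions constructed for the example; the token is a random opaque value rather than a signed credential, and the password store is a toy hash.

```python
import hashlib
import secrets

# Constructed toy hash; a real service stores a slow, salted hash (argon2/bcrypt).
def _h(s: str) -> str: return hashlib.sha256(s.encode()).hexdigest()

class ManagementService:
    """Endpoint management service: authenticates forwarded credentials, issues/revokes tokens, pushes policy."""

    def __init__(self, users: dict):
        self._users = {u: _h(p) for u, p in users.items()}
        self._tokens = {}  # token -> expiry time
        self.policies = {"offline_grace_s": 300}  # rule the first endpoint must enforce

    def issue(self, user_id: str, password: str, now: int):
        stored = self._users.get(user_id)
        if stored is None or not secrets.compare_digest(stored, _h(password)):
            return None  # authentication failed: no token leaves the service
        token = secrets.token_hex(16)
        self._tokens[token] = now + 3600
        return {"token": token, "policies": dict(self.policies)}

    def verify(self, token, now: int) -> bool:
        expiry = self._tokens.get(token)
        return expiry is not None and now < expiry

    def revoke(self, token) -> None:
        self._tokens.pop(token, None)  # mark the token invalid at the source

class SecondEndpoint:
    """Relay on the LAN/PAN between the first endpoint and the service."""

    def __init__(self, service: ManagementService):
        self.service = service
        self.peers = {}  # peer_id -> token this endpoint forwarded

    def request_authorization(self, peer_id, user_id, password, now):
        auth = self.service.issue(user_id, password, now)  # the "second request"
        if auth is not None:
            self.peers[peer_id] = auth["token"]
        return auth  # forwarded to the first endpoint

    def revoke_peer(self, peer_id, first_endpoint) -> None:
        # Both revocation paths: invalidate at the service and order a wipe on the device.
        token = self.peers.pop(peer_id, None)
        if token is not None:
            self.service.revoke(token)
        first_endpoint.selective_wipe()

class FirstEndpoint:
    """Device whose storage is split into a work section and a personal section."""

    def __init__(self, gateway: SecondEndpoint, peer_id: str):
        self.gateway, self.peer_id = gateway, peer_id
        self.work = {}  # first section: application data + authorization token
        self.personal = {"photos": ["IMG_0001.jpg"]}  # second section, never wiped
        self.last_contact, self.grace_s = None, 0

    def install_and_enroll(self, user_id, password, now) -> bool:
        self.work["app"] = {"installed": True}
        auth = self.gateway.request_authorization(self.peer_id, user_id, password, now)
        if auth is None:
            return False
        self.work["token"] = auth["token"]
        self.grace_s = auth["policies"]["offline_grace_s"]  # policy dictates the rule
        self.last_contact = now
        return True

    def check_liveness(self, now) -> bool:
        # Wipe the work section once the second endpoint has been silent past the grace period.
        if self.last_contact is not None and now - self.last_contact > self.grace_s:
            self.selective_wipe()
            return True
        return False

    def selective_wipe(self) -> None:
        self.work.clear()  # token and application data go; self.personal is untouched
        self.last_contact = None

def run_scenario() -> dict:
    # Drive the flow end to end with constructed credentials and a fixed clock.
    svc = ManagementService({"alice": "correct horse"})
    gw = SecondEndpoint(svc)
    dev = FirstEndpoint(gw, "phone-1")
    t0, r = 1_000_000, {}
    r["bad_password"] = dev.install_and_enroll("alice", "wrong", t0)
    dev.install_and_enroll("alice", "correct horse", t0)
    r["access_ok"] = svc.verify(dev.work["token"], t0 + 10)
    r["no_wipe_within_grace"] = dev.check_liveness(t0 + 100)
    r["wipe_after_grace"] = dev.check_liveness(t0 + 301)
    r["work_empty"] = dev.work == {}
    r["personal_intact"] = dev.personal == {"photos": ["IMG_0001.jpg"]}
    dev.install_and_enroll("alice", "correct horse", t0 + 400)  # re-enroll, then revoke
    old_token = dev.work["token"]
    gw.revoke_peer("phone-1", dev)
    r["token_rejected_after_revoke"] = not svc.verify(old_token, t0 + 401)
    r["work_empty_after_revoke"] = dev.work == {}
    return r
```

The point the model makes concrete is that the second endpoint never holds the user's session beyond relaying it, the service remains the single place a token is valid or invalid, and every wipe path touches only the work section, so personal data survives both a remote revocation and a loss of contact.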

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to NEGA WOLDEMARIAM whose telephone number is (571)270-7478. The examiner can normally be reached Monday to Friday, 8am-5pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, Jeffrey Pwu, can be reached at (571) 272-6798. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/NEGA WOLDEMARIAM/ Examiner, Art Unit 2433

/JEFFREY C PWU/ Supervisory Patent Examiner, Art Unit 2433