DETAILED ACTION
This Action is in response to the Applicant’s response filed on September 21, 2022. Claims 1, 9 and 13 are amended. Claims 1-19, of which Claims 1, 9 and 13 are independent, are presented for examination.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Drawings
The drawings were received on September 21, 2022.  These drawings are considered.

Response to Amendments
Applicant's amendment filed on September 21, 2022 has been fully considered.  The amendment includes: 
In [0054], line 6 of the specification, “The” before “system” has been amended as --the--;
In [0054], lines 7 and 8 of the specification, “the an” before “identity” has each been amended as --the-- and the objection thereto is now moot;
In [0109], line 3 of the specification, “in the art witho” has been amended as --in the art without-- and the objection thereto is now moot.  

Response to Arguments
Applicant's arguments filed on September 21, 2022 have been fully considered but they are not persuasive. Applicant argued:
a) Regarding the interpretation of claim 1 under 35 U.S.C. 112(f), the structure for achieving the functions of “an Identity, Application and role-aware enrichment module” and “an Identity, Application and Role-Aware enforcement module” would be fully understood by one skilled in the art [see remarks, page 8, 4th para.];
b) Regarding the rejection under 35 U.S.C. 102(a)(1), Qureshi does not disclose the limitations recited in amended claim 9: 1) “a database configured to store network services authorization rules associated with each of the at least one applications” [see remarks, page 9, 2nd para.]; 2) “at least one application, accessible to a user via a computer network, wherein the at least one application is configured to use network services” [see remarks, page 9, 3rd para.]; and 3) “a workload-aware firewall configured to receive a request from the at least one application to access network services and to control access between the at least one application and the network services based on the user.” [see remarks, page 9, 4th para. to page 10, 2nd para.]. 4) Qureshi also does not disclose the limitation recited in claims 11 and 12, “an application, acting on behalf of a user, accessing a network service and ” [see remarks, page 10, 3rd para.];
c) Regarding the rejection of claims 1-8, 10 and 13-19 under 35 U.S.C. 103, neither Qureshi nor Lander discloses the limitation recited in amended independent claims 1 and 13, “a remote application” to be associated with the connections or flows, wherein policies and rules are able to be associated with the application tied to the user roles [see remarks, page 10, 4th para. to page 11, 2nd para.]. Further, Lander does not disclose a remote application and an access token providing identity confirmation in more than one remote application, wherein the rules associated with a user’s role within an application are stored remotely [see remarks, page 11, 2nd para.].
The Examiner respectfully disagrees with Applicant’s assertions.
With regard to a), the claim limitations “an Identity, Application and role-aware enrichment module” and “an Identity, Application and Role-Aware enforcement module” use a generic placeholder coupled with functional language without reciting sufficient structure to perform the recited function, and the generic placeholder is not preceded by a structural modifier.
With regard to b), 
1) The Applicant argues that “a database configured to store network services authorization rules associated with each of the at least one applications” is different from the repository 228 of tunnel definitions of Qureshi, which stores details of how to communicate between an application and a service. Though the Applicant is correct to point out that Qureshi discloses details of how to communicate between an application and a service, Qureshi also discloses the database of gateway rules 404 specifying conditions under which a request is to be granted or denied by the gateway filter 401. The gateway rules 404 are provided by gateway configuration providers, e.g., the mobile device management system 126 and meta application, and are used to regulate access to the enterprise network 110 [see Qureshi para. 0129 and Fig. 4];
2) The Applicant argues that “at least one application, accessible to a user via a computer network, wherein the at least one application is configured to use network services” is a remote application that is different from an application installed on a mobile device. While the Applicant is correct to point out that Qureshi discloses an application installed on a mobile device and sending a request to an enterprise network, Qureshi also discloses enterprise resources 130 locally positioned behind the internal firewall and including software applications [see Qureshi para. 0071 and 0170 and Figs. 1A-1E]. Qureshi teaches, as examples of an application accessible to a user via a computer network among the enterprise resources, a Microsoft Exchange server [see Qureshi para. 0115] and a remote control module 1202 [see Qureshi para. 0362-0363];
3) The Applicant argues that Qureshi does not disclose “a workload-aware firewall configured to receive a request from the at least one application to access network services and to control access between the at least one application and the network services based on the user.” In detail, the Applicant points out that Qureshi does not disclose the two-step request of the instant application, i.e., the request between the actor and the application and the request between the application and the network service, each allowed based on the identity of the user and of the application respectively. However, Qureshi discloses authentication of a user based on username and password [see Qureshi para. 0393] and authorization of the application requesting access to the enterprise resources based on the identities of the user and the application [see Qureshi para. 0115-0130];
4) The Applicant argues that Qureshi does not disclose an application, acting on behalf of a user, accessing a network service which is inaccessible except through the mechanisms of the present invention. However, Qureshi discloses a system and method of controlling access to a Microsoft Exchange Server and sending email, corresponding to “the at least one application and the network services”, based on user identity, authorization data and authorization rules taken from the request (HTTP header). The phrase “a network service which is inaccessible except through the mechanisms of the present invention” is not clear. Therefore, the 102(a)(1) rejection is maintained.
With regard to c), the Applicant argues that neither Qureshi nor Lander discloses a remote application which is not on the user’s device and is able to be associated with the connections, wherein policies and rules are able to be associated with the application tied to the user roles. However, Qureshi discloses the enterprise resources locally positioned behind the internal firewall and including software applications [see Qureshi para. 0071 and 0170] and the access policies and gateway rules that are used to regulate access of the mobile device to the enterprise resources based on mobile device properties, user properties, and the specific enterprise resources 130 [see Qureshi para. 0069]. Therefore, the 103 rejection is maintained.

CLAIM INTERPRETATION
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are: “an Identity, Application and role-aware enrichment module” and “an Identity, Application and Role-Aware enforcement module” in claim 1.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. 
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-8 and 13-19 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 8 recite the limitation “the at least one application.” There is insufficient antecedent basis for this limitation in the claim. 
Claims 13 and 17 recite the limitation “the at least one application.” There is insufficient antecedent basis for this limitation in the claim. 
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies. Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claims 9, 11 and 12 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Qureshi (US 2016/0099972, hereinafter “Qureshi”). 
Regarding claim 9, Qureshi discloses a system for identity and authorization management [reads on an enterprise system 110, Figs. 1A-1E], the system comprising: 
at least one application [reads on an enterprise resource 130, e.g., a Microsoft Exchange server, see Qureshi para. 0116. The Examiner asserts that one of ordinary skill in the art would know that the enterprise resources are locally positioned behind the internal firewall and include software applications (see Qureshi para. 0071 and 0170), and construes the at least one application accessible to a user via a computer network to be the same as the enterprise resources 130 of the prior art], accessible to a user [reads on the mobile device 120 or user 115, see Qureshi para. 0116] via a computer network [reads on connections 146 and 142 of Figs. 1A-1C, see Qureshi para. 0173 and 0179], wherein the at least one application [reads on an enterprise resource 130, e.g., the Microsoft Exchange server, see Qureshi para. 0116] is configured to use network services [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119];
a database [reads on the database of gateway rules 404 specifying conditions under which a request is to be granted or denied by the gateway filter 401, wherein such a condition can involve a logical expression and/or combination of one or more values of the request properties of a protocol supported by the secure mobile gateway 128, see Qureshi para. 0116, 0119, and 0133 and Fig. 4] configured to store network services authorization rules [reads on the gateway rules 404, see Qureshi para. 0116, 0119, and 0133 and Fig. 4 block 404] associated with each of the at least one applications [reads on the enterprise resources 130, see Qureshi para. 0116]; and 
a workload-aware firewall [reads on a secure mobile gateway 128 configured to monitor and log traffic between one or more enterprise resources 130 and a mobile device 120 and to take actions to implement enterprise policies as applied to the selected mobile device 120 that is requesting access to an enterprise resource 130 (see Qureshi para. 0111); to receive and process enterprise access requests 402 from mobile devices 120 (see Qureshi para. 0115); and to process ActiveSync requests to synchronize enterprise system data with mobile devices 120 (see Qureshi para. 0116)] configured to receive a request [reads on ActiveSync requests, see Qureshi para. 0116] from the at least one application [reads on a network resource, e.g., the Microsoft Exchange server, see Qureshi para. 0116] to access network services [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119] and to control [reads on grant or deny the request, see Qureshi para. 0119] access between the at least one application and the network services based on the user [reads on one or more mobile devices 120 and/or users 115 identified by the gateway rule and analyzed by the analytics service 414, see Qureshi para. 0119 and 0402].

Regarding claim 11, Qureshi discloses all the limitations of claim 9 above. Qureshi further discloses that the workload-aware firewall [reads on a secure mobile gateway 128, see Qureshi para. 0116 and Figs. 1A-4] is configured to control access [reads on the gateway filter 401 configured to filter the requests 402 based at least partly on request properties, wherein in the case of ActiveSync, the request properties can include DeviceID and DeviceType (taken from the request URL), the User and UserAgent parameters (taken from the HTTP headers), and one or more ActiveSync command parameters (ActiveSync defines numerous different commands, such as sync mailbox, send mail, get attachment, etc.), see Qureshi para. 0119] to the at least one application [reads on an enterprise resource 130, e.g., a Microsoft Exchange server, see Qureshi para. 0116] and the network services [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119] based on a user identity [reads on one or more mobile devices 120 and/or users 115 identified by the gateway rule and analyzed by the analytics service 414, see Qureshi para. 0119, 0393 and 0402] and authorization data [reads on the request properties, see Qureshi para. 0119] associated with the request from the at least one application [reads on an enterprise resource 130, e.g., a Microsoft Exchange server, see Qureshi para. 0116].

Regarding claim 12, Qureshi discloses all the limitations of claim 9 above. Qureshi further discloses that the workload-aware firewall [reads on a secure mobile gateway 128, see Qureshi para. 0116 and Figs. 1A-4] is configured to control access to the at least one application [reads on an enterprise resource 130, e.g., a Microsoft Exchange server, see Qureshi para. 0116] and the network services [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119] based on a user identity [reads on username, see Qureshi para. 0393] and the authorization rules [reads on a gateway rule 404 alternatively or additionally defining a number of other actions for the secure mobile gateway 128 to take for various groups, such as encrypting attachments for certain groups, modifying a body of a message (such as an email) for certain groups, blocking a mobile device 120 from certain groups from receiving messages in certain locations, etc. For the ActiveSync protocol, each group member can include values of DeviceID, User, UserAgent, DeviceType, and Cmd parameters, see Qureshi para. 0124 and 0125] associated with the at least one application [reads on an enterprise resource 130, e.g., a Microsoft Exchange server, see Qureshi para. 0116].

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-8, 10, and 13-19 are rejected under 35 U.S.C. 103 as being unpatentable over Qureshi in view of Lander et al. (US 2017/0331832, hereinafter “Lander”).

Regarding claim 1, Qureshi discloses a system for identity and authorization management of users on a computer network [the enterprise computer system in Figs 1A-4], the system comprising: 
an Identity, Application and role-aware enrichment module [reads on the enterprise agent 320 configured to filter out those application-generated communications that meet predefined and/or configurable criteria, to modify the request by encapsulating some or all of the request within one or more headers according to an encapsulation protocol (producing an “agent-generated communication”), and to open a network connection between the mobile device 120 and a tunneling mediator associated with the enterprise system 110, see Qureshi para. 0181 and 0190] configured to determine and authenticate an identity of a user [reads on username, see Qureshi para. 0393];
an Identity, Application and Role-Aware enforcement module [reads on the gateway filter 401 in the secure mobile gateway 128, configured to intercept every incoming request 402 and consult a database of gateway rules 404 to take certain actions for a particular protocol and one or more conditions and determine whether the gateway filter 401 should allow or deny the request, see Qureshi para. 0112 and 0116] configured to determine access to at least one remote application [reads on the enterprise resources 130, in the case of an allowed ActiveSync request 402 a Microsoft Exchange server, see Qureshi para. 0116] and provide access [reads on allowing the request, see Qureshi para. 0116] to the user [reads on a mobile device 120, see Qureshi para. 0116. The Examiner construes the user to be the same as the mobile device 120 of the prior art because the request from the mobile device is already determined to be sent by the user of the mobile device, see Qureshi para. 0402];
a database [reads on User Roles 206 associating the user 115 with the enterprise-related duties or activities in which the user engages and relate to or be the same as the roles defined in the RBAC system to assist the regulation of enterprise resources 130, see Qureshi para. 0100 and Fig. 2] configured to store authorization roles [reads on the user role associating the user 115 with the enterprise-related duties or activities in which the user engages, see  Qureshi para 0100] associated with the identity of the user [reads on username, see Qureshi para. 0393] and the at least one application [reads on the enterprise resources 130, see  Qureshi para 0100]; and 
a database [reads on Enterprise Access Policies 218 defining conditions under which mobile device access to enterprise resources 130 will be granted or denied, wherein policies 218 can depend on user roles 206, mobile device properties 208, the specific enterprise resources 130 requested to be accessed by the mobile devices 120, or any combination thereof, see Qureshi para. 0102 and Fig. 2] configured to store rules [reads on the access policies, see Qureshi para. 0102 and Fig. 2] associated with the authorization roles [reads on user roles 206, see Qureshi para. 0102 and Fig. 2].  
Qureshi discloses a mobile device management system of the enterprise computer system allowing a user/application to access an enterprise resource based on the user’s role and access policies; however, Qureshi does not appear to explicitly disclose that a token/ticket is issued to the authorized user and that access is provided to the user based on the access token.
However, Lander discloses that after authenticating a user [reads on an authentication manager 1034 in OAuth microservice 1004 performing the corresponding authentication (e.g., based on ID/password received from a client 1011), see Lander para. 0183], an access token/ticket is issued [reads on token manager 1036 issuing a corresponding access token upon successful authentication, see Lander para. 0183].
Qureshi and Lander are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Lander, since both systems allow enterprise users to use their mobile devices to securely access enterprise resources based on user information including a user role and application information including an application role, and both provide a mobile device management system of the enterprise computer system. The motivation to do so is to provide an access token to the user after evaluating the user information and the application information of the request to access an enterprise resource or service (obvious to one skilled in the art; Lander, Abstract).

Regarding claim 2, Qureshi in view of Lander, discloses the limitation of claim 1 above. Lander further discloses that the access token comprises the identity of the user and the authorization roles associated with the user ([0225] Embodiments bind users to groups and give users privileges. With embodiments, different persona are expressed as application roles, and privileges are assigned to application roles. Users are granted application roles. Privileges are represented as scopes in one embodiment, which is a collection of permitted endpoint operations having common semantics. Scopes are interpreted by an authorization server and embedded in access tokens that are used to access resource servers. Therefore, roles are granted scopes.).  

Regarding claim 3, Qureshi in view of Lander, discloses the limitation of claim 2 above.  Lander further discloses that the access token is a cryptographically confirmed access token ([0182] In one embodiment, tokens 1032 provided to browser 1002 include JW identity and access tokens signed by the IDCS OAuth2 server.).  

Regarding claim 4, Qureshi in view of Lander, discloses the limitation of claim 1 above. Lander further discloses a second factor authentication module configured to issue an authentication challenge based on the identity of the user ([0181] In one embodiment, interactions between OAuth microservice 1004 and SSO microservice 1008 are based on browser redirects so that SSO microservice 1008 challenges the user using an HTML form, validates credentials, and issues a session cookie.).  

Regarding claim 5, Qureshi in view of Lander, discloses the limitation of claim 1 above. Qureshi further discloses an application aware firewall [reads on a secure mobile gateway 128 configured to monitor and log traffic between one or more enterprise resources 130 and a mobile device 120 and to support one or more different request protocols, such as ActiveSync requests, SharePoint requests, EWS requests, SAP requests, and/or requests associated with various other web server applications, see Qureshi para. 0111 and 0119], wherein the firewall comprises rules [reads on a gateway rule 404 including one or more values of properties of a mobile device request 402 formatted according to a protocol supported by the secure mobile gateway 128, wherein such properties can comprise URL parameters, header values, commands, etc., see Qureshi para. 0111 and 0119] associated with one or more of HTTP method, path, parameters [reads on the URL parameters, see Qureshi para. 0119], Client Certificates, HTTP headers [reads on the HTTP headers, see Qureshi para. 0119], and message body [reads on the commands, see Qureshi para. 0119].
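
The gateway-rule mechanism relied on in the mappings of claims 9, 11 and 12 above and of claim 5 (request properties such as DeviceID, DeviceType and the command taken from the URL, User and UserAgent taken from the HTTP headers, group-member lists keyed on those properties, and rules that grant or deny a request or attach an action to it) is illustrated below in working code. This is an added example written for this edit; it is not part of the Office Action, of the Qureshi reference or of the Applicant’s specification, and it does not reproduce Qureshi’s implementation. The host name, users, device identifiers and rule set are constructed, and reading the User out of an HTTP Basic Authorization header is an assumption of the example, not a teaching of the reference.

```python
"""Added example (not from the Office Action or the cited references): a gateway filter
that extracts ActiveSync-style request properties and applies ordered gateway rules,
including group-member lists. All names, credentials and traffic are constructed."""
import base64
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import parse_qs, urlsplit

ACTIVESYNC_PATH = "/Microsoft-Server-ActiveSync"

@dataclass(frozen=True)
class Request:
    method: str
    url: str
    headers: dict          # header names lower-cased by the caller
    body: bytes = b""

def request_properties(req: Request) -> dict:
    """DeviceId/DeviceType/Cmd from the URL query; User and UserAgent from the headers."""
    parts = urlsplit(req.url)
    query = parse_qs(parts.query)
    first = lambda key: (query.get(key) or [None])[0]
    user = None                                   # assumption: User comes from HTTP Basic auth
    auth = req.headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            user = creds.split(":", 1)[0] or None
        except (ValueError, UnicodeDecodeError):
            user = None                           # malformed credentials: treat as anonymous
    return {"Method": req.method.upper(), "Path": parts.path,
            "DeviceId": first("DeviceId"), "DeviceType": first("DeviceType"),
            "Cmd": first("Cmd"), "User": user,
            "UserAgent": req.headers.get("user-agent"), "BodyLength": len(req.body)}

@dataclass(frozen=True)
class GroupMember:
    """One group member; a None field is a wildcard for that property."""
    DeviceId: Optional[str] = None
    User: Optional[str] = None
    UserAgent: Optional[str] = None
    DeviceType: Optional[str] = None
    Cmd: Optional[str] = None

    def matches(self, props: dict) -> bool:
        return all(want is None or props.get(key) == want for key, want in vars(self).items())

def in_group(members: Iterable[GroupMember]) -> Callable[[dict], bool]:
    members = tuple(members)
    return lambda props: any(m.matches(props) for m in members)

@dataclass(frozen=True)
class GatewayRule:
    name: str
    condition: Callable[[dict], bool]   # logical expression over the request properties
    allow: bool
    actions: tuple = ()                 # extra actions for a group, e.g. encrypt attachments

@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str
    actions: tuple = ()

def gateway_filter(req: Request, rules: Iterable[GatewayRule]) -> Decision:
    """First matching rule wins; a request that matches no rule is denied."""
    props = request_properties(req)
    for rule in rules:
        if rule.condition(props):
            return Decision(rule.allow, rule.name, rule.actions)
    return Decision(False, "default-deny")

# Constructed policy: two group-member lists and an ordered rule set.
WIPED_DEVICES = (GroupMember(DeviceId="ABC123WIPED"),)
CONTRACTORS = (GroupMember(User="contractor@corp.example"),)
RULES = (
    GatewayRule("not-activesync", lambda p: p["Path"] != ACTIVESYNC_PATH or p["Method"] != "POST", False),
    GatewayRule("unauthenticated", lambda p: p["User"] is None, False),
    GatewayRule("wiped-device", in_group(WIPED_DEVICES), False),
    GatewayRule("contractor-no-sendmail", lambda p: in_group(CONTRACTORS)(p) and p["Cmd"] == "SendMail", False),
    GatewayRule("contractor-sync", in_group(CONTRACTORS), True, ("encrypt_attachments",)),
    GatewayRule("employee", lambda p: (p["User"] or "").endswith("@corp.example"), True),
)

def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")

EAS = "https://mail.corp.example" + ACTIVESYNC_PATH
ALICE, CONTRACTOR = basic_auth("alice@corp.example", "pw"), basic_auth("contractor@corp.example", "pw")
SAMPLE_REQUESTS = {   # constructed traffic, not captured data
    "alice_sync": Request("POST", f"{EAS}?Cmd=Sync&DeviceId=IPHONE01&DeviceType=iPhone",
                          {"authorization": ALICE, "user-agent": "Apple-iPhone12C1/1901.190"}),
    "contractor_sendmail": Request("POST", f"{EAS}?Cmd=SendMail&DeviceId=ANDROID7&DeviceType=Android", {"authorization": CONTRACTOR}),
    "contractor_sync": Request("POST", f"{EAS}?Cmd=Sync&DeviceId=ANDROID7&DeviceType=Android", {"authorization": CONTRACTOR}),
    "wiped_device": Request("POST", f"{EAS}?Cmd=Sync&DeviceId=ABC123WIPED&DeviceType=iPhone", {"authorization": ALICE}),
    "no_credentials": Request("POST", f"{EAS}?Cmd=Sync&DeviceId=IPHONE01&DeviceType=iPhone", {}),
    "owa_get": Request("GET", "https://mail.corp.example/owa/", {"authorization": ALICE}),
}

def evaluate_all(requests: dict = SAMPLE_REQUESTS, rules=RULES) -> dict:
    return {name: gateway_filter(req, rules) for name, req in requests.items()}

if __name__ == "__main__":
    for name, d in evaluate_all().items():
        print(f"{name:22s} {'ALLOW' if d.allowed else 'DENY ':5s} by rule {d.rule} {d.actions}")
```

Rule order matters: the contractor rules precede the general employee rule, and a request that matches no rule is denied, so a new command or device class stays blocked until a rule is written for it. A malformed Authorization header yields no User and falls into the "unauthenticated" rule rather than into an exception.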

Regarding claim 6, Qureshi in view of Lander, discloses the limitation of claim 1 above. Lander further discloses an application aware firewall, wherein the firewall comprises rules associated with remote procedure call applications and methods, parameters, and body associated with the remote procedure call applications ([0104] The Administration service also supports a set of remote procedure call-style ("RPC-style") REST interfaces that do not perform CRUDQ operations but instead provide a functional service, for example, "UserPasswordGenerator," "UserPasswordValidator," etc.).  

Regarding claim 7, Qureshi in view of Lander, discloses the limitation of claim 1 above. Qureshi further discloses an identity aware firewall [reads on a secure mobile gateway 128 configured to enforce the user-specific gateway rules 404 that enforce the enterprise access policies 218, based on the list of users 115 or devices 120 (e.g., in the form of “group members”) for which enterprise access is to be granted or denied, sent from the mobile device management system 126, wherein the enterprise access policies 218 require the user 115 assigned to the access-requesting device 120 to have one or more predefined roles 206 associated with the enterprise, see Qureshi para. 0130, 0223, 0225], wherein the firewall is configured to provide a plurality of levels of access to the user based on the identity of the user [reads on username, see Qureshi para. 0393] and the user authorization roles [reads on the one or more predefined roles 206, see Qureshi para. 0130, 0223, 0225].

Regarding claim 8, Qureshi in view of Lander, discloses the limitation of claim 1 above. Qureshi discloses that the at least one application [reads on an enterprise resource 130, e.g., a Microsoft Exchange server, see Qureshi para. 0116. The Examiner asserts that one of ordinary skill in the art would know that the enterprise resources are locally positioned behind the internal firewall and include software applications (see Qureshi para. 0071 and 0170), and construes the at least one application accessible to a user via a computer network to be the same as the enterprise resources 130 of the prior art] is configured to use network services [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119]; and
the system further comprises: 
a database [reads on the database of gateway rules 404 specifying conditions under which a request is to be granted or denied by the gateway filter 401, wherein such a condition can involve a logical expression and/or combination of one or more values of the request properties of a protocol supported by the secure mobile gateway 128, see Qureshi para. 0116, 0119, and 0133 and Fig. 4] configured to store network services authorization rules [reads on the gateway rules 404, see Qureshi para. 0116, 0119, and 0133 and Fig. 4 block 404] associated with each of the at least one applications [reads on the enterprise resources 130, see Qureshi para. 0116]; and 
a workload-aware firewall [reads on a secure mobile gateway 128 configured to monitor and log traffic between one or more enterprise resources 130 and a mobile device 120 and to take actions to implement enterprise policies as applied to the selected mobile device 120 that is requesting access to an enterprise resource 130 (see Qureshi para. 0111); to receive and process enterprise access requests 402 from mobile devices 120 (see Qureshi para. 0115); and to process ActiveSync requests to synchronize enterprise system data with mobile devices 120 (see Qureshi para. 0116)] configured to receive a request [reads on ActiveSync requests, see Qureshi para. 0116] from the at least one application [reads on a network resource, e.g., the Microsoft Exchange server, see Qureshi para. 0116] to access network services [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119] and to control [reads on grant or deny the request, see Qureshi para. 0119] access between the at least one application and the network services based on the identity of the user [reads on username, see Qureshi para. 0393; see also one or more mobile devices 120 and/or users 115 identified by the gateway rule and analyzed by the analytics service 414, Qureshi para. 0119 and 0402] and the user authorization roles [reads on user roles 206, see Qureshi para. 0102 and Fig. 2].

Regarding claim 10, Qureshi discloses the limitations of claim 9 above. However, Qureshi does not appear to explicitly disclose that the request is a cryptographically-confirmed token.
However, Lander discloses that the request is a cryptographically-confirmed token ([0098] Interactive web-based and native applications leverage standard browser-based OpenID Connect flow to request user authentication, receiving standard identity tokens that are JavaScript Object Notation (“JSON”) Web Tokens (“JWTs”) conveying the user's authenticated identity.).  
Qureshi and Lander are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Lander, since both systems allow enterprise users to use their mobile devices to securely access enterprise resources based on user information including a role of the user and application information including a role of the application, and both provide a mobile device management system of the enterprise computer system. The motivation to do so is to provide an access token to the user after evaluating the user information and the application information of the request to access an enterprise resource or service (obvious to one skilled in the art, Lander, Abstract).

Regarding claim 13, Qureshi discloses a method for identity and authorization management [reads on a method in which a tunneling mediator uses access policies 218 to regulate mobile device access to enterprise resources 130, see Qureshi para. 0204], the method comprising: 
receiving [reads on, by the mobile device management system 126, receiving a request to access an enterprise resource from one of the mobile devices 120, see Qureshi para. 0204 and Fig. 7 block 702], via a user [reads on a mobile device 120, see Qureshi para. 0204. The Examiner construes the user to be the same as the mobile device 120 of the prior art], a request to access at least one remote application [reads on the enterprise resource 130, see Qureshi para. 0204. The Examiner asserts one of ordinary skill in the art would know that the enterprise resources are locally positioned behind the internal firewall and include software applications (see Qureshi para. 0071 and 0170), and construes at least one application accessible to a user via a computer network to be the same as the enterprise resources 130 of the prior art.]; 
determining [reads on, by the tunneling mediator 224, determining which user 115 is assigned to the mobile device 120 by, e.g., using the user-device assignment records 210, see Qureshi para. 0204 and Fig. 7 block 702] an identity of the user [reads on username, see Qureshi para. 0393]; 
determining [reads on, by the tunneling mediator 224, determining whether one or more properties of the user 115, e.g., the user's role 206 or other user-related information, assigned to the mobile device 120 are in compliance with the one or more relevant access policies 218, see Qureshi para. 0204 and Fig. 7 block 702] at least one role associated with the authenticated identity of the user [reads on username, see Qureshi para. 0393]; 
determining [reads on, by the tunneling mediator 224, determining whether one or more properties of the mobile device 120 comply with one or more relevant access policies 218 (e.g., general access policies, or access policies associated with the requested enterprise resource(s) 130), see Qureshi para. 0204 and Fig. 7 block 702] whether any rules [reads on one or more relevant access policies 218, see Qureshi para. 0204] are associated with the access of the at least one application [reads on the enterprise resources 130, see Qureshi para. 0204], based on the identity [reads on the user and username, see Qureshi para. 0204 and 0393] of the user and the associated role [reads on the user role, see Qureshi para. 0204] of the user; and 
providing access [reads on granting the mobile device 120 access to the requested enterprise resource(s) 130 (through the connection 152 or 162), see Qureshi para. 0204 and Fig. 7 block 708] to the at least one application [reads on the enterprise resources 130, see Qureshi para. 0116] based on the identity of the user [reads on username, see Qureshi para. 0393] and the associated roles [reads on the user role, see Qureshi para. 0204] and rules [reads on the enterprise access policies 218, see Qureshi para. 0204].  
Qureshi does not appear to explicitly disclose authenticating the identity of the user by providing an access token associated with the request.
However, Lander discloses authenticating the identity of the user by providing an access token associated with the request ([0183] In one embodiment, for example, OAuth microservice 1004 may receive an authorization request from a native application 1011 to authenticate a user according to a 2-legged OAuth flow. In this case, an authentication manager 1034 in OAuth microservice 1004 performs the corresponding authentication (e.g., based on ID/password received from a client 1011) and a token manager 1036 issues a corresponding access token upon successful authentication.).
Qureshi and Lander are considered to be analogous to the claimed invention because they are in the same field of network security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to have modified Qureshi to incorporate the teachings of Lander, since both systems allow enterprise users to use their mobile devices to securely access enterprise resources based on user information including a role of the user and application information including a role of the application, and both provide a mobile device management system of the enterprise computer system. The motivation to do so is to provide an access token to the user after evaluating the user information and the application information of the request to access an enterprise resource or service (obvious to one skilled in the art, Lander, Abstract).

Regarding claim 14, Qureshi, in view of Lander, discloses the limitation of claim 13 above. Lander further discloses that the access token comprises the identity of the user and the authorization roles associated with the user ([0225] Embodiments bind users to groups and give users privileges. With embodiments, different persona are expressed as application roles, and privileges are assigned to application roles. Users are granted application roles. Privileges are represented as scopes in one embodiment, which is a collection of permitted endpoint operations having common semantics. Scopes are interpreted by an authorization server and embedded in access tokens that are used to access resource servers. Therefore, roles are granted scopes.).  

Regarding claim 15, Qureshi, in view of Lander, discloses the limitation of claim 14 above. Lander further discloses that the access token is a cryptographically confirmed access token ([0182] In one embodiment, tokens 1032 provided to browser 1002 include JW identity and access tokens signed by the IDCS OAuth2 server.).  

Regarding claim 16, Qureshi, in view of Lander, discloses the limitation of claim 13, above. Lander further discloses that authenticating the user comprises issuing an authentication challenge based on the identity of the user ([0181] In one embodiment, interactions between OAuth microservice 1004 and SSO microservice 1008 are based on browser redirects so that SSO microservice 1008 challenges the user using an HTML form, validates credentials, and issues a session cookie.).

Regarding claim 17, Qureshi, in view of Lander, discloses the limitation of claim 13 above. Qureshi further discloses: 
receiving [reads on, by a secure mobile gateway 128, receiving enterprise access requests 402 from mobile devices 120, see Qureshi para. 0115; or, by the enterprise resource 130, receiving the mobile device request 2302 via a gateway different from the secure mobile gateway 128 and sending a user determination request 2304 to the analytics service 414, see Qureshi para. 0395] a second request from the at least one application [reads on the enterprise resources 130, in the case of an allowed ActiveSync request 402, a Microsoft Exchange server, see Qureshi para. 0116] to access at least one network service [reads on sync mailbox, send mail, get attachment, etc., see Qureshi para. 0119]; 
determining [reads on, by the enterprise agent 320, filtering out those application-generated communications that meet predefined and/or configurable criteria, and modifying the request by encapsulating some or all of the request within one or more headers according to an encapsulation protocol (producing an "agent-generated communication"), see Qureshi para. 0181 and 0190] whether there is further user identity information to be added to the second request [reads on the request 402, see Qureshi para. 0120]; 
determining [reads on, by the secure mobile gateway 128, inspecting the body or "payload" of a request 402 to access an enterprise resource 130, in order to detect additional information that may be useful in evaluating whether to grant or deny the request, and modifying protocol metadata in these messages to implement various security-related features, see Qureshi para. 0120] whether there are any network service authorization rules associated with the request; and 
providing [reads on grant the request, see Qureshi para. 0119] access to the at least one network service based on the application [reads on a network resource, e.g., the Microsoft Exchange server, see Qureshi para. 0116] and associated authorization rules [reads on the gateway rules, see Qureshi para. 0116].  

Regarding claim 18, Qureshi, in view of Lander, discloses the limitations of claim 13 above. Lander further discloses that the second request comprises a cryptographically-confirmed token ([0098] Interactive web-based and native applications leverage standard browser-based OpenID Connect flow to request user authentication, receiving standard identity tokens that are JavaScript Object Notation (“JSON”) Web Tokens (“JWTs”) conveying the user's authenticated identity.).

Regarding claim 19, Qureshi, in view of Lander, discloses the limitation of claim 13 above. Lander further discloses that the providing of access may be further based on the authorization data of the user ([0225] Embodiments bind users to groups and give users privileges. With embodiments, different persona are expressed as application roles, and privileges are assigned to application roles. Users are granted application roles. Privileges are represented as scopes in one embodiment, which is a collection of permitted endpoint operations having common semantics. Scopes are interpreted by an authorization server and embedded in access tokens that are used to access resource servers. Therefore, roles are granted scopes.).

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JEONGSOOK YI whose telephone number is (571) 272-9407. The examiner can normally be reached Monday-Friday 8:00 am - 4:00 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jorge Ortiz-Criado can be reached on (571) 272-7624. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/J.Y./Examiner, Art Unit 2496

/JORGE L ORTIZ CRIADO/Supervisory Patent Examiner, Art Unit 2496