AirWatch LLC
Patent Trials and Appeals Board
Sep 8, 2021
2020004025 (P.T.A.B. Sep. 8, 2021)

UNITED STATES PATENT AND TRADEMARK OFFICE

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov

APPLICATION NO.: 15/012,185
FILING DATE: 02/01/2016
FIRST NAMED INVENTOR: CRAIG FARLEY NEWELL
ATTORNEY DOCKET NO.: W279 (500103-1460)
CONFIRMATION NO.: 7304

152577 7590 09/08/2021
Thomas | Horstemeyer, LLP (VMW)
3200 Windy Hill Road, SE
Suite 1600E
Atlanta, GA 30339

EXAMINER: WILCOX, JAMES J
ART UNIT: 2439
PAPER NUMBER:
NOTIFICATION DATE: 09/08/2021
DELIVERY MODE: ELECTRONIC

Please find below and/or attached an Office communication concerning this application or proceeding.

The time period for reply, if any, is set in the attached communication.

Notice of the Office communication was sent electronically on above-indicated "Notification Date" to the following e-mail address(es):
docketing@thomashorstemeyer.com
ipadmin@vmware.com
uspatents@thomashorstemeyer.com

PTOL-90A (Rev. 04/07)

UNITED STATES PATENT AND TRADEMARK OFFICE
____________

BEFORE THE PATENT TRIAL AND APPEAL BOARD
____________

Ex parte CRAIG FARLEY NEWELL, SULAY SHAH, LEUNG TAO KWOK, and ADAM RYKOWSKI,

Appeal 2020-004025
Application 15/012,185
Technology Center 2400
____________

Before RICHARD M. LEBOVITZ, BETH Z. SHAW, and SCOTT E. BAIN, Administrative Patent Judges.

LEBOVITZ, Administrative Patent Judge.

DECISION ON APPEAL

The Examiner rejected claims 1–20 under 35 U.S.C. § 103 as obvious. Pursuant to 35 U.S.C. § 134(a), Appellant¹ appeals from the Examiner’s decision to reject the claims. We have jurisdiction under 35 U.S.C. § 6(b).

We AFFIRM.

¹ We use the word “Appellant” to refer to “applicant” as defined in 37 C.F.R. § 1.42. Appellant identifies the real party in interest as VMware, Inc. Appeal Br. 2.

STATEMENT OF THE CASE

Claims 1–20 stand rejected by the Examiner in the Final Office Action (“Final Act.”) under 35 U.S.C. § 103 as obvious in view of Qureshi et al. (US 2014/0007192 A2, published Jan. 2, 2014) (“Qureshi”) and Barton et al. (US 9,521,117 B2, issued Dec. 13, 2016) (“Barton”). Final Act. 4.

There are three independent claims on appeal, claims 1, 5, and 15. All three claims have similar limitations and are not argued separately by Appellant. Appeal Br. 8. Accordingly, independent claim 1 is selected as representative and reproduced below (annotated with bracketed numbers for reference to the claim limitations):

    1. A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, the at least one program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:

    [1] receive, from an administrator client, a specification of a plurality of security groups for a particular application executed in client devices on an external network, the security groups comprising:
        [1a] a compliant security group for compliant client devices, and
        [1b] a default security group for non-compliant client devices;

    [2] configure a gateway that connects the external network to an internal network, the gateway being configured to permit the particular application to access network resources based on the security groups, wherein
        [2a] the compliant security group is associated with a first set of network resources, and
        [2b] the default security group is associated with a second set of network resources; and

    [3] establish a virtual private network tunnel with a client device based on an evaluation of compliance of the client device, wherein the evaluation is based on:
        [3a] at least one compliance rule, and
        [3b] device management attribute data received from the client device.

DISCUSSION

Claim 1

In the first step [1] of claim 1, the specification of two security groups is received from an administrator client for [1a] compliant client devices and [1b] “default security group for non-compliant client devices.” A gateway is established in the second step [2] of the claim for permitting [2a] the compliant device to access a first set of network resources and [2b] the non-compliant device to access a second set of network resources. In the last step [3] of the claim, a virtual private network tunnel is established with client devices based on a compliance rule and device management attribute data.

The Examiner found that Qureshi describes steps [1], [1a], [1b], [2a], [2b], [3], [3a], and [3b] of claim 1 (see annotated numbering above), but not step [2] of configuring a gateway that connects the external network to an internal network. Final Act. 4–6. For the latter step, the Examiner found that Barton describes VPN tunnels that connect mobile devices to external networks, such as WAN, MAN, PAN, and LAN, teaching the corresponding limitation of the claim. Final Act. 6. The Examiner found that it would have been obvious to one of ordinary skill in the art to configure the gateway as described in Barton to “provide users with a means for providing virtualized private network tunnels (Barton, Col. 1, Lines 55-56).” Id.

Appellant asserts that the Examiner’s finding with respect to the “default security group” is an error because Qureshi describes a “‘default action,’” which is not the same as a default security group associated with a second set of network resources as recited in steps [1b] and [2b] of the claim. Appeal Br. 6. Appellant also argues that Qureshi denies access in response to non-compliance, which does not teach the claim limitation of “[2b] the default security group is associated with a second set of network resources.” Id. at 7.
Appellant further argues that Barton does not “cure” the deficiency in Qureshi. Id.

For the following reasons, we are not persuaded by Appellant’s argument that the Examiner erred.

Qureshi describes management of mobile computing devices for accessing managed resources of an enterprise (e.g., corporations, partnerships, academic institutions). Qureshi ¶¶ 3, 5. As part of this management, Qureshi discloses security features that “enable the enterprise to specify and implement policies for controlling mobile device accesses to particular enterprise resources.” Id. ¶ 53. To enable the security features, Qureshi further describes “policies,” implemented as gateway rules,² which “control mobile device accesses to enterprise resources based on a variety of criteria,” including “the configuration of the mobile device (e.g., whether any blacklisted mobile applications are installed),” “the logged behaviors of the user,” etc. Id. Thus, Qureshi describes different security groups as required by step [1] of claim 1 (namely, a group having access to resources based on criteria) and giving access to different resources as in step [2] of the claim (namely, giving different access depending on the “criteria” met by the mobile device).

Appellant attempts to distinguish Qureshi by asserting that the default action in paragraph 123 of Qureshi and the denial of access request are not the same as the claimed default security group with access to second network resources. Appeal Br. 6.

² Qureshi § 120: “A gateway rule 404 can specify conditions under which a request is to be granted or denied by the gateway filter 401.”

The “default action” described by Qureshi includes the “grant or denial of the access request.” Qureshi ¶ 123. Qureshi explains:

    The gateway rules 404 can take many different forms and can be written in a variety of programming languages, such as XML. In one embodiment, a gateway rule 404 includes a list of “groups” plus an indication of a default “action” (e.g., grant or denial of the access request or whether to encrypt attachment data). In this context, a group is a collection of “group members” plus a corresponding action for the group.

Id.

It is clear from the disclosure of Qureshi in paragraph 123 that a particular group can be in a “default” setting that only gets access to a specific group of network resources (the default action is “grant”), and not access to other resources (the default action is “deny”). Appellant’s argument that Qureshi only describes denying a request, and that a default action is different from what is accomplished in the claim (Appeal Br. 6–7), ignores the fact that denying certain requests for resources and granting other requests for resources, in the default action mode, is the same as using a configured gateway to permit “access network resources based on the security groups” as in step [2] of the claim. See also ¶¶ 111,³ 172, 207,⁴ and 218⁵ (describing security compliance). Access or denial is not unilateral in Qureshi, but involves granting some requests and denying others for access to the network resource, depending on the subset of resources (see ¶ 111 in fn. 3) made available to a group.

³ “With reference to FIG. 1A, an enterprise may wish to regulate how its mobile device users 115 access the enterprise resources 130 via the mobile devices 120. Any given enterprise user 115 typically only has a need to access a subset of the enterprise resources 130, ordinarily based upon the user's duties or role within the enterprise. Therefore, since there is no need to provide the user 115 with mobile device access to many of the resources 130, doing so can expose the enterprise to unnecessary security risks.” (Emphasis added.)

⁴ “There are many possible cases in which an enterprise may wish to regulate or restrict mobile device access to enterprise resources 130 based on mobile device properties and/or properties of users 115 assigned to the mobile devices 120.” (Emphasis added.)

⁵ “One or more of the access policies 218 can require that the access-requesting device 120 complies with a security requirement (e.g., an antivirus requirement) of the enterprise. If a mobile device 120 is not security-compliant (e.g., does not have up-to-date antivirus software installed or has not conducted a sufficiently recent auto-scan of its files, data, or applications for viruses), then permitting the device 120 to access an enterprise resource 130 may cause the virus to infect the resource 130, potentially jeopardizing the operability of the enterprise system 110 or at least the specific resource 130 to which access is given. Hence, these types of access policies 218 can prevent such undesirable outcomes.”

For the foregoing reasons, the rejection of claim 1 is affirmed. Claims 2–8 and 10–19 fall with claim 1 because separate arguments for their patentability were not made. See 37 C.F.R. § 1.37(c)(1)(iv).

Claim 9

Claim 9 depends from claims 7 and 5, and further recites:

    wherein when executed the at least one program is further configured to cause the at least one computing device to at least configure the gateway to route network traffic from the particular application on the client device to a virtual network segment comprising the second set of network resources in response to determining, based on the evaluation, that the client device is a non-compliant device.

The Examiner cited Qureshi ¶ 205 as teaching the claim limitation. Final Act. 13.

Appellant argues that the cited paragraph 205 of Qureshi does not describe the recited limitation, but “it will instead deny the access request.” Appeal Br. 9.

This argument is not persuasive of Examiner error.
The claim requires routing “the client device to a virtual network segment comprising the second set of network resources” when the device is a non-compliant device. Paragraph 205 of Qureshi discloses:

    Accordingly, in step 702 of FIG. 7, the mobile device management system 126 receives an access request from one of the mobile devices 120. In certain embodiments, when such a request is received from a mobile device 120, the tunneling mediator 224 is configured to deny the request if one or more properties of the mobile device 120 and/or one or more properties of a user 115 assigned to the mobile device 120 do not comply with one or more of the access policies 218.

It is true this passage describes denying a request for access when a device is not compliant with access policies. However, it is understood from Qureshi’s disclosure, as explained above, that this “denial” is not unilateral for all resources, but only for the specific resource for which access is requested. For example, Figure 7 discloses in box 702 in the flow chart: “RECEIVE REQUEST FROM MOBILE DEVICE TO ACCESS ENTERPRISE RESOURCE,” indicating access is being requested to a particular resource, which is denied because of non-compliance. In other words, the device may only be allowed by the gateway rules to access a subset of resources. Thus, some requests are denied and others are granted. Qureshi expressly discloses:

    Any given enterprise user 115 typically only has a need to access a subset of the enterprise resources 130, ordinarily based upon the user's duties or role within the enterprise. . . . Limiting mobile device access to specific enterprise resources 130 can prevent the malware and viruses from infecting other enterprise resources 130. As discussed below, the mobile device management system 126 and secure mobile gateway 128 preferably address these issues by enabling an enterprise to restrict mobile device access only to authorized enterprise resources 130, in a way that is customizable based on user properties, mobile device properties, and/or the enterprise resources 130 for which mobile device access is requested.

Qureshi ¶ 111.

Paragraph 111 of Qureshi makes it clear that access can be denied to “specific enterprise resources” to “prevent the malware and viruses from infecting other enterprise resources,” but doesn’t teach that all access is necessarily denied. It would have been obvious to one of ordinary skill in the art that the management system could be “customizable,” to allow access to certain resources and not others, depending on the compliance of the device to avoid compromising certain resources.

The obviousness rejection of claim 9 is affirmed.

Claim 20

Claim 20 depends from claims 18 and 15, and further recites:

    configuring the gateway to assign a different virtual network segment in response to determining that the client device is non-compliant with the at least one device management attribute, wherein the different virtual network segment provides access to the second set of network resources.

The claim requires assigning a different virtual network segment when a device is not compliant. The Examiner cited Qureshi ¶ 205 as teaching the claim limitation. Final Act. 20. Appellant asserts that this limitation is not disclosed in Qureshi ¶ 205, arguing only denial of an access request is disclosed. Appeal Br. 9–10.

Qureshi, as found by the Examiner, describes establishing application tunnels to access network resources. Qureshi ¶ 205.
Qureshi explains that:

    One benefit of using application tunnels for communications between mobile device applications 318 and enterprise resources 130 is that it is possible to limit the mobile device's access to those enterprise resources 130 that the user 115 of the mobile device 120 needs for the performance of his or her enterprise role 206.

Qureshi ¶ 172. In other words, the tunneling described by Qureshi includes assigning tunnels to mobile devices to restrict access to specific enterprise resources and thus represents a “different” network segment as required by the claim because the tunnel established depends on the specific resources that the device is permitted to access.

Appellant did not adequately identify a deficiency in Qureshi with respect to the specific limitation recited in claim 20.

The rejection of claim 20 is affirmed.

CONCLUSION

In summary:

Claims Rejected | 35 U.S.C. § | Reference(s)/Basis | Affirmed | Reversed
1–20            | 103         | Qureshi, Barton    | 1–20     |

TIME PERIOD

No time period for taking any subsequent action in connection with this appeal may be extended under 37 C.F.R. § 1.136(a)(1)(iv).

AFFIRMED