Remarks
Claims 1, 2, and 4-25 are pending.
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Response to Arguments
Applicant's arguments filed 11/24/2025 have been fully considered but they are not persuasive.
Applicant only appears to ever argue Thaler, which is believed to be what Applicant refers to as “The TEEP HTTP Transport reference” or similar. Applicant also refers to “the references”, but never provides any argument against Hoy or Xu. It is noted that everything being argued is within Hoy and Xu, as shown below. Thaler was mainly cited as providing the acronyms in the claim, such as TEEP, TEE, and REE. For example, in section 1, Applicant refers only to Thaler (again, “the TEEP reference” is believed to refer to Thaler, though in the future, clarity in this respect would be helpful, as Applicant refers to Thaler in numerous different fashions), and alleges “The TEEP reference does not mention, teach, or suggest DNS layer security services, secure web gateways, firewalls, cloud access security brokers, or interactive threat intelligence services … Accordingly, the references do not teach or suggest at least ‘a secure access service edge (SASE) device comprising a security service selected from the group consisting of: DNS layer security, secure web gateway (SWG), firewall, cloud access security broker (CASB), and interactive threat intelligence (ITI).’” However, the secondary reference, Thaler, was not cited for this subject matter previously or currently. Hoy is cited as disclosing this and Applicant has provided absolutely no argument against Hoy’s disclosure in this regard. In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Applicant continues by providing piecemeal arguments only directed to Thaler, without providing any arguments directed to Hoy or Xu. Please see the above response. Additionally, here is a copy of the rejection of claim 1, which shows how Hoy and Xu disclose everything being argued by Applicant:
Regarding Claim 1,
Hoy discloses a system comprising:
A secure access service edge device comprising a security service selected from the group comprising a domain name system layer security, a secure web gateway, a firewall, a cloud access security broker, or an interactive threat intelligence (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; device with VPN agent, application, log and event manager, etc., as examples; Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; VPN agent, log and event manager, etc., include and/or comprise at least one of the above, such as by allowing access to a cloud via a VPN, firewall, gateway allowing access to other entities, providing security related information, or the like, as examples);
An infrastructure as a service device executed within a cloud service comprising (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; Column 22, lines 28-42; and associated figures; IaaS device having applications/agents installed thereon, for example):
A trusted execution environment provisioning broker within a rich execution environment of the infrastructure as a service device (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; Column 22, lines 28-42; and associated figures; entity that installs VPN agent or similar is within the rich execution environment (e.g., overarching untrusted execution environment on any given device), for example); and
A trusted execution environment provisioning agent within a trusted execution environment of the infrastructure as a service device (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; Column 22, lines 28-42; and associated figures; agent, which is trusted, or the like, for example); and
A trusted application manager device in communication with the secure access service edge device and the infrastructure as a service device, the trusted application manager device comprising (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; device that manages VPNs between entities, such as VPN manager, for example):
A processor (Exemplary Citations: for example, Figures 1-3 and associated written description); and
Non-transitory computer-readable media storing instructions that, when executed by the processor, cause the processor to perform operations comprising (Exemplary Citations: for example, Figures 1-3 and associated written description, and all below citations):
Receiving, at the trusted application manager device, a request to install a trusted application in the trusted execution environment of the infrastructure as a service device executing within the cloud service (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; request to VPN manager that results in installation of VPN agent, for example);
Obtaining, from the security service of the secure access service edge, a data set defining intelligence provided by the security service, wherein the intelligence comprises at least one of malicious domain identification data, threat intelligence data, web traffic analysis data, or application security assessment data, the intelligence indicating a security policy related to execution devices located behind a device network managed by the secure access service edge device (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; obtaining any data, such as VPN traffic, VPN requirements, ACL information, ports, addresses, rules, policies, changes, messages indicating a change, etc., from VPN agents, applications, log and event manager, etc., as examples);
Analyzing the data set to identify security threats associated with the requested trusted application or a source of the trusted application (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; analyzing data in order to determine if application is trusted or not, if intrusion is occurring, or the like, as examples);
Defining a policy based at least in part on the intelligence provided by the security service and the security threat analysis, the policy defining rules indicating whether the security policy permits applications to be installed on the infrastructure as a service device based on threat levels, application sources, or security characteristics of the trusted application (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; creating, modifying, changing, etc., a policy based on received information, for example);
Determining, based on the policy, whether to permit or block installation of the trusted application (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; IaaS device having applications/agents installed thereon, for example);
Managing a trusted application based on the policy at least by installing the trusted application on the trusted execution environment executed on the infrastructure as a service device based at least in part on the policy permitting installation (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; IaaS device having applications/agents installed thereon, for example);
Periodically monitoring the installed trusted application for security compromises using updated intelligence from the secure access service edge device (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; monitoring applications for security breaches, for example);
Transmitting to the trusted execution environment provisioning broker of the infrastructure as a service device an authentication certificate (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; various protocols described in Hoy, such as SSL, TLS, etc., include certificate exchange and authentication, for example); and
Performing a trusted execution environment provisioning authentication between the trusted application manager device and the trusted execution environment provisioning agent of the infrastructure as a service device based at least in part on the authentication certificate (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures).
Although not required, Hoy may not explicitly use the terms “TEE”, “REE”, “TEEP”, and the like.
Thaler, however, discloses that the IaaS device executed within a cloud service comprises (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7):
A TEEP broker within a REE of the IaaS device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; TEEP broker in REE, for example); and
A TEEP agent within a TEE of the IaaS device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; TEEP agent in TEE, for example); and
That the TAM device performs operations comprising:
Receiving, at the TAM device, a request to install a TA in the TEE of the IaaS device executing within the cloud service (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; receiving a request to install a trusted application, for example);
Obtaining, from the security service of the SASE, a data set defining intelligence provided by the security service, the intelligence indicating a security policy related to execution devices located behind a device network managed by the SASE device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; obtaining policy information, for example);
Defining a policy based at least in part on the intelligence provided by the security service, the policy defining rules indicating whether the security policy permits applications to be installed on the IaaS device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; policy used to install applications, for example);
Determining, based on the policy, whether to permit or block installation of the TA (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; determining whether to install application, for example);
Managing a TA based on the policy at least by installing the TA on the TEE executed on the IaaS device based at least in part on the policy permitting installation (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; installing application, for example);
Transmitting to the TEEP broker of the IaaS device an authentication certificate (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; TLS certificate, TAM certificate, etc., sent, received, and checked, for example. Please also see RFC 2818, referenced in Thaler as describing verification of TLS certificates); and
Performing a TEEP authentication between the TAM device and the TEEP agent of the IaaS device based at least in part on the authentication certificate (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the TEEP HTTP transport techniques of Thaler into the VPN system of Hoy in order to allow for TEE provisioning, ensure that TAM communications adhere to protocol, provide for use of a variety of TEEs, and/or increase security in the system.
Xu also discloses periodically monitoring the installed trusted application for security compromises using updated intelligence from the secure access service edge device (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; any malicious content, such as content that gets an application on a blacklist, any content within an application that causes the application to be detected as being malicious, etc., as examples). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the security techniques of Xu into the VPN system of Hoy as modified by Thaler in order to allow the system to prevent installation of malicious installables, to allow for uninstallation of malicious applications, to provide additional techniques by which to detect malware, and/or to increase security in the system.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
The following is a quotation of pre-AIA 35 U.S.C. 112, fourth paragraph:
Subject to the following paragraph [i.e., the fifth paragraph of pre-AIA 35 U.S.C. 112], a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.
Claim 22 is rejected under 35 U.S.C. 112(d) or pre-AIA 35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Claim 22 states “blocking installation of the TA…”. However, claim 1 already positively claims “managing a trusted application (TA) based on the policy at least by installing the TA…”. Thus, claim 22 is attempting to change this to not installing, even though claim 1 requires installing. Therefore, claim 22 does not further modify the claim from which it depends. Other claims may have similar issues.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis (i.e., changing from AIA to pre-AIA) for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 2, 4-11, 13, 14, 16, 17, and 19-25 are rejected under 35 U.S.C. 103 as being unpatentable over Hoy (U.S. Patent 10,505,904) in view of Thaler (D. Thaler, “HTTP Transport for Trusted Execution Environment Provisioning: Agent-to-TAM Communication”, draft-ietf-teep-otrp-over-http-03, 11/4/2019, pp. 1-14) and Xu (U.S. Patent Application Publication 2020/0175208).
Regarding Claim 1,
Hoy discloses a system comprising:
A secure access service edge device comprising a security service selected from the group comprising a domain name system layer security, a secure web gateway, a firewall, a cloud access security broker, or an interactive threat intelligence (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; device with VPN agent, application, log and event manager, etc., as examples; Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; VPN agent, log and event manager, etc., include and/or comprise at least one of the above, such as by allowing access to a cloud via a VPN, firewall, gateway allowing access to other entities, providing security related information, or the like, as examples);
An infrastructure as a service device executed within a cloud service comprising (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; Column 22, lines 28-42; and associated figures; IaaS device having applications/agents installed thereon, for example):
A trusted execution environment provisioning broker within a rich execution environment of the infrastructure as a service device (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; Column 22, lines 28-42; and associated figures; entity that installs VPN agent or similar is within the rich execution environment (e.g., overarching untrusted execution environment on any given device), for example); and
A trusted execution environment provisioning agent within a trusted execution environment of the infrastructure as a service device (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; Column 22, lines 28-42; and associated figures; agent, which is trusted, or the like, for example); and
A trusted application manager device in communication with the secure access service edge device and the infrastructure as a service device, the trusted application manager device comprising (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; device that manages VPNs between entities, such as VPN manager, for example):
A processor (Exemplary Citations: for example, Figures 1-3 and associated written description); and
Non-transitory computer-readable media storing instructions that, when executed by the processor, cause the processor to perform operations comprising (Exemplary Citations: for example, Figures 1-3 and associated written description, and all below citations):
Receiving, at the trusted application manager device, a request to install a trusted application in the trusted execution environment of the infrastructure as a service device executing within the cloud service (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; request to VPN manager that results in installation of VPN agent, for example);
Obtaining, from the security service of the secure access service edge, a data set defining intelligence provided by the security service, wherein the intelligence comprises at least one of malicious domain identification data, threat intelligence data, web traffic analysis data, or application security assessment data, the intelligence indicating a security policy related to execution devices located behind a device network managed by the secure access service edge device (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; obtaining any data, such as VPN traffic, VPN requirements, ACL information, ports, addresses, rules, policies, changes, messages indicating a change, etc., from VPN agents, applications, log and event manager, etc., as examples);
Analyzing the data set to identify security threats associated with the requested trusted application or a source of the trusted application (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; analyzing data in order to determine if application is trusted or not, if intrusion is occurring, or the like, as examples);
Defining a policy based at least in part on the intelligence provided by the security service and the security threat analysis, the policy defining rules indicating whether the security policy permits applications to be installed on the infrastructure as a service device based on threat levels, application sources, or security characteristics of the trusted application (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; creating, modifying, changing, etc., a policy based on received information, for example);
Determining, based on the policy, whether to permit or block installation of the trusted application (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; IaaS device having applications/agents installed thereon, for example);
Managing a trusted application based on the policy at least by installing the trusted application on the trusted execution environment executed on the infrastructure as a service device based at least in part on the policy permitting installation (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; IaaS device having applications/agents installed thereon, for example);
Periodically monitoring the installed trusted application for security compromises using updated intelligence from the secure access service edge device (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; monitoring applications for security breaches, for example);
Transmitting to the trusted execution environment provisioning broker of the infrastructure as a service device an authentication certificate (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; various protocols described in Hoy, such as SSL, TLS, etc., include certificate exchange and authentication, for example); and
Performing a trusted execution environment provisioning authentication between the trusted application manager device and the trusted execution environment provisioning agent of the infrastructure as a service device based at least in part on the authentication certificate (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures).
Although not required, Hoy may not explicitly use the terms “TEE”, “REE”, “TEEP”, and the like.
Thaler, however, discloses that the IaaS device executed within a cloud service comprises (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7):
A TEEP broker within a REE of the IaaS device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; TEEP broker in REE, for example); and
A TEEP agent within a TEE of the IaaS device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; TEEP agent in TEE, for example); and
That the TAM device performs operations comprising:
Receiving, at the TAM device, a request to install a TA in the TEE of the IaaS device executing within the cloud service (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; receiving a request to install a trusted application, for example);
Obtaining, from the security service of the SASE, a data set defining intelligence provided by the security service, the intelligence indicating a security policy related to execution devices located behind a device network managed by the SASE device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; obtaining policy information, for example);
Defining a policy based at least in part on the intelligence provided by the security service, the policy defining rules indicating whether the security policy permits applications to be installed on the IaaS device (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; policy used to install applications, for example);
Determining, based on the policy, whether to permit or block installation of the TA (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; determining whether to install application, for example);
Managing a TA based on the policy at least by installing the TA on the TEE executed on the IaaS device based at least in part on the policy permitting installation (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; installing application, for example);
Transmitting to the TEEP broker of the IaaS device an authentication certificate (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7; TLS certificate, TAM certificate, etc., sent, received, and checked, for example. Please also see RFC 2818, referenced in Thaler as describing verification of TLS certificates); and
Performing a TEEP authentication between the TAM device and the TEEP agent of the IaaS device based at least in part on the authentication certificate (Exemplary Citations: for example, Sections 1, 3, 4, 5.1, 5.4, 7). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the TEEP HTTP transport techniques of Thaler into the VPN system of Hoy in order to allow for TEE provisioning, ensure that TAM communications adhere to protocol, provide for use of a variety of TEEs, and/or increase security in the system.
Xu also discloses periodically monitoring the installed trusted application for security compromises using updated intelligence from the secure access service edge device (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; any malicious content, such as content that gets an application on a blacklist, any content within an application that causes the application to be detected as being malicious, etc., as examples). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the security techniques of Xu into the VPN system of Hoy as modified by Thaler in order to allow the system to prevent installation of malicious installables, to allow for uninstallation of malicious applications, to provide additional techniques by which to detect malware, and/or to increase security in the system.
Regarding Claim 10,
Claim 10 is a method claim that corresponds to device claim 1 and is rejected for the same reasons.
Regarding Claim 16,
Claim 16 is a medium claim that corresponds to device claim 1 and is rejected for the same reasons.
Regarding Claim 2,
Hoy discloses that managing the trusted application further includes:
Identifying reserved hardware of the infrastructure as a service device onto which the trusted application is to be installed (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; hardware on IaaS device reserved for that device, for example); and
Initiating a trusted application install message to the trusted execution environment provisioning agent via the trusted execution environment provisioning broker of the infrastructure as a service device to install the trusted application on the reserved hardware (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; installation, for example); and
Thaler discloses that managing the trusted application further includes:
Identifying reserved hardware of the IaaS device onto which the TA is to be installed (Exemplary Citations: for example, Sections 1, 3, 5.1, 5.4, 7; any TEE hardware, for example); and
Initiating a TA install message to the TEEP agent via the TEEP broker of the IaaS device to install the TA on the reserved hardware (Exemplary Citations: for example, Sections 1, 3, 5.1, 5.4, 7; TEE install message via broker, for example).
Regarding Claim 11,
Claim 11 is a method claim that corresponds to device claim 2 and is rejected for the same reasons.
Regarding Claim 17,
Claim 17 is a medium claim that corresponds to device claim 2 and is rejected for the same reasons.
Regarding Claim 4,
Hoy discloses that the security service executed by the secure access service edge device includes at least one of a domain name system layer security service, a secure web gateway service, a firewall service, a cloud access security broker, an interactive threat intelligence service, and combinations thereof (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; VPN agent, log and event manager, etc., include and/or comprise at least one of the above, such as by allowing access to a cloud via a VPN, firewall, gateway allowing access to other entities, providing security related information, or the like, as examples).
Regarding Claim 5,
Hoy discloses storing the intelligence of the security service in a data store (Exemplary Citations: for example, Figures 1-3 and associated written description; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; the above data is stored somehow, for example); and
Storing the policy in the data store (Exemplary Citations: for example, Figures 1-3 and associated written description; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; the above-described policies are also stored, for example).
Regarding Claim 6,
Hoy discloses identifying a malicious trusted application based at least in part on the intelligence of the security service (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; monitoring applications for security breaches, for example); and
Taking action based at least in part on the policy (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; taking some form of action based on intrusion/breach being detected, such as splitting VPNs, monitoring more closely, etc., as examples); and
Xu discloses identifying a malicious trusted application based at least in part on the intelligence of the security service (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; malicious application detected, for example); and
Blocking the malicious trusted application from install on a trusted execution environment based at least in part on the policy (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; preventing install, for example).
Regarding Claim 7,
Hoy discloses identifying malicious content of the trusted application based at least in part on the intelligence of the security service (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures); and
Taking action with respect to a trusted execution environment based at least in part on the policy (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures); and
Xu discloses identifying malicious content of the trusted application based at least in part on the intelligence of the security service (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; any malicious content, such as content that gets an application on a blacklist, any content within an application that causes the application to be detected as being malicious, etc., as examples); and
Blocking the malicious content from access to a trusted execution environment based at least in part on the policy (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; block, uninstall, etc., as examples).
Regarding Claim 8,
Hoy discloses periodically inspecting the trusted application for a compromise to the trusted application based at least in part on the intelligence of the security service (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures); and
Correcting the compromise to the trusted application based at least in part on the policy (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures); and
Xu discloses periodically inspecting the trusted application for a compromise to the trusted application based at least in part on the intelligence of the security service (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures); and
Correcting the compromise to the trusted application based at least in part on the policy (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures).
Regarding Claim 9,
Hoy discloses detecting a change to the policy made by the secure access service edge with respect to the trusted application (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; policy changed based on needs and/or current and/or historical use and/or requirements, for example); and
Managing the trusted application based on the change to the policy (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures).
Regarding Claim 13,
Claim 13 is a method claim that corresponds to device claim 9 and is rejected for the same reasons.
Regarding Claim 19,
Claim 19 is a medium claim that corresponds to device claim 9 and is rejected for the same reasons.
Regarding Claim 14,
Hoy discloses that the change to the policy is affected via access provided to an application service provider to the secure access service edge (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures).
Regarding Claim 20,
Claim 20 is a medium claim that corresponds to method claim 14 and is rejected for the same reasons.
Regarding Claim 21,
Hoy discloses that the operations further comprise receiving updated intelligence from the secure access service edge device indicating a change in security threat status for the installed trusted application (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; obtaining any data, such as VPN traffic, VPN requirements, ACL information, ports, addresses, rules, policies, changes, messages indicating a change, etc., from VPN agents, applications, log and event manager, etc., as examples); and
Modifying or removing the installed trusted application based on the updated intelligence (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; anything performed by the application, or any message being sent to the application or taken from the application, changes the state of the application, thus modifying the application, for example); and
Xu discloses that the operations further comprise receiving updated intelligence from the secure access service edge device indicating a change in security threat status for the installed trusted application (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; similar to claim 8, for example); and
Modifying or removing the installed trusted application based on the updated intelligence (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; similar to claim 8, for example).
Regarding Claim 22,
Hoy discloses that the operations further comprise identifying, based on the intelligence from the secure access service edge device, that the trusted application or a source domain of the trusted application is associated with malicious activity (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; monitoring applications for security breaches, for example); and
Taking action based on the identification of malicious activity (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; taking some form of action based on intrusion/breach being detected, such as splitting VPNs, monitoring more closely, etc., as examples); and
Xu discloses that the operations further comprise identifying, based on the intelligence from the secure access service edge device, that the trusted application or a source domain of the trusted application is associated with malicious activity (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; malicious application detected, for example); and
Blocking installation of the trusted application based on the identification of malicious activity (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; preventing install, for example).
Regarding Claim 23,
Xu discloses that obtaining the data set comprises receiving, from the secure web gateway of the secure access service edge device, content inspection results for the trusted application (Exemplary Citations: for example, Paragraphs 46, 51-54, 160-168, and associated figures; detecting malicious application based on inspection of content associated with the application, for example); and
Wherein defining the policy comprises incorporating the content inspection results into installation permission rules (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; permission rules, such as determining whether to allow application to install/run, being set based on whether or not application may be malicious, for example).
Regarding Claim 24,
Hoy discloses that the operations further comprise detecting a compromise of the installed trusted application based on intelligence from the secure access service edge device (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; similar to claim 8, for example); and
Performing remediation actions comprising at least one of removing the trusted application, isolating the trusted execution environment, or alerting an administrator (Exemplary Citations: for example, Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; alert to admin, for example); and
Xu discloses that the operations further comprise detecting a compromise of the installed trusted application based on intelligence from the secure access service edge device (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; similar to claim 8, for example); and
Performing remediation actions comprising at least one of removing the trusted application, isolating the trusted execution environment, or alerting an administrator (Exemplary Citations: for example, Paragraphs 51-54, 160-168, and associated figures; similar to claim 8, for example).
Regarding Claim 25,
Xu discloses that the security service comprises domain name system layer security (Exemplary Citations: for example, Paragraphs 25, 38, 48-54, 62, 74, 100, 101, 160-168, and associated figures; dealing with domains and DNS, for example); and
The intelligence comprises identification of malicious domains contacted by or associated with the trusted application (Exemplary Citations: for example, Paragraphs 25, 38, 48-54, 62, 74, 100, 101, 160-168, and associated figures; malicious domains, such as those accessed by an application, for example).
Claims 12, 15, and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Hoy in view of Thaler, Xu, and Thom (U.S. Patent Application Publication 2018/0375852).
Regarding Claim 12,
Hoy discloses that the authentication certificate is added to a trusted anchors database of the infrastructure as a service device (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures; authentication in VPN, such as SSL, TLS, etc., uses certificates and such certificates are stored, as is well-known, for example).
Thom also discloses that the authentication certificate is added to a trusted anchors database of the infrastructure as a service device (Exemplary Citations: for example, Abstract, Paragraphs 14, 16, 18, 21-25, 27, 28, 32-37, 39, 41, 42, 48, 50, 53, 54, 59, 74, and associated figures; storing certificates at each end for attestation, SSL, TLS, verifying certificate chains, storing of CA certificates, manufacturer certificates, certificate chains, etc., as examples). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the certificate generation, storage, and use techniques of Thom into the VPN system of Hoy as modified by Thaler and Xu in order to allow the system to verify certificates using trusted authority certificate chains, to ensure that TEEs are properly authenticated via attestation, to ensure that devices are not compromised, and/or to increase security in the system.
Regarding Claim 18,
Claim 18 is a medium claim that corresponds to method claim 12 and is rejected for the same reasons.
Regarding Claim 15,
Hoy discloses storing authentication certificates in a data store of the trusted application manager, the authentication certificates defining access to hardware of an infrastructure as a service device onto which the trusted application is installed (Exemplary Citations: for example, Column 7, line 66 to Column 8, line 7; Column 10, line 14 to Column 11, line 13; Column 11, line 31 to Column 12, line 46; Column 12, line 61 to Column 13, line 9; Column 13, line 33 to Column 15, line 3; Column 15, line 35 to Column 16, line 39; Column 16, line 61 to Column 20, line 49; and associated figures).
Thom also discloses storing authentication certificates in a data store of the trusted application manager, the authentication certificates defining access to hardware of an infrastructure as a service device onto which the trusted application is installed (Exemplary Citations: for example, Abstract, Paragraphs 14, 16, 18, 21-25, 27, 28, 32-37, 39, 41, 42, 48, 50, 53, 54, 59, 74, and associated figures). It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the certificate generation, storage, and use techniques of Thom into the VPN system of Hoy as modified by Thaler and Xu in order to allow the system to verify certificates using trusted authority certificate chains, to ensure that TEEs are properly authenticated via attestation, to ensure that devices are not compromised, and/or to increase security in the system.
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215. The examiner can normally be reached Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached at (469) 295-9235. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/Jeffrey D. Popham/Primary Examiner, Art Unit 2432