DETAILED ACTION
1. This office action is in response to the communication filed on 04/11/2024.
2. Claims 1-20 are pending.
Notice of Pre-AIA or AIA Status
3. The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
4. Claim(s) 1-2, 4-9, 11-16, and 18-20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith et al. (US 2024/0264855 A1, hereafter Smith) in view of Larson et al. (US 10693872 B1, hereafter Larson).
Regarding claim(s) 1, 8 and 15:
Smith discloses an apparatus for authentication service enrollment, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to (see fig. 1 and para. 34 where a user computing device (UE) includes a computer):
receive, from a device management provider, an enrollment configuration request for an authentication service; provide, to a first device associated with a first user, a prompt to initiate enrollment in the authentication service, the enrollment being in accordance with the enrollment configuration request, wherein the first device is managed by a second user of an organization that is different from the first user and is associated with the device management provider; and transmit, to an authentication server associated with the authentication service, an enrollment request message comprising data associated with the first device, the enrollment request message requesting the enrollment of the first device in the authentication service, wherein the enrollment request message is transmitted based at least in part on the prompt to initiate the enrollment, and [wherein an attestation that the first device is associated with the organization is based at least in part on the enrollment request message] (see fig. 1 and paras. 58-59 where the UE receives, from a server, e.g., server 102A (i.e., device management provider) including a device management service, an authentication request (i.e., enrollment configuration request) to authenticate a user (i.e., first user) of the UE (i.e., first device) via an authentication service, wherein the user is associated with an organization/company, wherein the UE prompts the user to input credentials for authenticating, via the authentication service, to enroll to the device management service, wherein an authentication server, e.g., server 102N, authenticates the credentials provided by the user (i.e., the UE transmits, to the authentication server associated with the authentication service, a message comprising credentials inputted by the UE's user based on the prompt to initiate the enrollment to the device management service); see paras. 28, 35, 40 where an admin user (i.e., second user) of an enterprise/company (i.e., organization) performs administrative operations to the UE and the device management service).
Smith does not, but Larson discloses:
wherein an attestation that the first device is associated with the organization is based at least in part on the enrollment request message (see Larson, col. 24, lines 32-36, where a user provides identity data, in response to a prompt during an enrollment process, to an identity verification service (IVS); see col. 28, lines 8-12, where a user of a client system provides identity data that includes an organization/enterprise ID. In other words, an organization/enterprise ID (i.e., attestation) of a user of a client system (i.e., first device) associated with an organization is included in a message provided to the IVS for validation during an enrollment process).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith's invention by enhancing it so that an attestation that the first device is associated with the organization is based at least in part on the enrollment request message, as taught by Larson, in order to verify user identity, including an organization/enterprise ID, during an enrollment process (Larson, abstract and col. 28, line 12).
Regarding claim(s) 2, 9, and 16:
Smith discloses:
receive, from the authentication server, a response message indicating that the first device is enrolled in the authentication service, the first device being enrolled in the authentication service based at least in part on the data of the enrollment request message (see paras. 58-59 where the UE prompts the user to input credentials and/or identity associated with a company/enterprise/organization for authenticating, via the authentication service, to enroll to the device management service, wherein the UE receives, from the authentication server, an authentication token (i.e., a response message comprising an authentication token) when the credentials and/or identity of the user of the UE associated with the company/enterprise/organization are valid to enroll to the device management service).
Regarding claim(s) 4, 11, and 18:
Smith does not, but Larson discloses:
receive, from the authentication server associated with the authentication service, an enrollment denial message that indicates a denial of the enrollment of the first device in the authentication service based at least in part on the attestation of the first device; and display, at a first user interface of the first device, the enrollment denial message based at least in part on receiving the enrollment denial message (see Larson, col. 6, lines 56-63, where the client system (i.e., first device) runs an application to interact with the IVS (i.e., authentication server); see Larson, col. 24, lines 32-36, where a user provides identity data, in response to a prompt during an enrollment process, to an identity verification service (IVS); see col. 28, lines 8-12, where a user of a client system provides identity data that includes an organization/enterprise ID (i.e., attestation); see col. 45, lines 57-67 where the application receives, from the IVS, an indication (i.e., enrollment denial message) of the user's enrollment status that indicates that the IVS was unable to verify the user's identity, and displays the indication on a user interface, e.g., GUI, of the client system).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith's invention by enhancing it to receive, from the authentication server associated with the authentication service, an enrollment denial message that indicates a denial of the enrollment of the first device in the authentication service based at least in part on the attestation of the first device; and display, at a first user interface of the first device, the enrollment denial message based at least in part on receiving the enrollment denial message, as taught by Larson. The motivation is the same as presented in claim 1, 8, or 15.
Regarding claim(s) 5, 12, and 19:
Smith discloses:
wherein the prompt to initiate the enrollment of the first device associated with the first user in the authentication service comprises: receiving, from the first user, one or more user inputs to associate the first user with the first device, the first device being associated with an identity provider that provides the authentication service (see fig. 1 and paras. 39, 58 and/or 97).
Regarding claim(s) 6 and 13:
Smith discloses:
wherein the prompt to initiate the enrollment in the authentication service is displayed at a first user interface of the first device (see para. 58 where the UE prompts the user to input credentials for authenticating, via the authentication service, to enroll to the device management service; see para. 97 where a prompt is displayed by a window for user input).
Regarding claim(s) 7, 14 and 20:
Smith discloses:
wherein the second user of the organization associated with the device management provider is an administrative user for the device management provider (see paras. 28, 35, 40 where an admin user (i.e., second user) of an enterprise/company (i.e., organization) performs administrative operations to the UE and the device management service).
5. Claim(s) 3, 10, and 17 is/are rejected under 35 U.S.C. 103 as being unpatentable over Smith and Larson, and further in view of Barton et al. (US 2014/0032691 A1, hereafter Barton) and Verzun et al. (US 2019/0386969 A1, hereafter Verzun).
Regarding claim(s) 3, 10, and 17:
Smith does not, but Barton discloses:
generate a signed device attestation to indicate that the first device is associated with the organization of the device management provider using a [signed] authentication certificate issued by the device management provider associated with the organization, wherein the enrollment request message comprises the signed device attestation (see Barton, para. 3 where a client/mobile device (i.e., first device) is issued to a user/employee by an organization/enterprise; see para. 86 where an enterprise has a certificate issuance service; see paras. 397-398, 401 where a client device has a client certificate issued by an enterprise, wherein the client certificate is used to sign an authentication message communicated from the client device to an authentication service; see para. 347 where a client device is authenticated based on user credentials associated with the client device. In other words, the client/mobile device generates a signed authentication message (i.e., enrollment request message) including user credentials (i.e., signed device attestation) of the client device associated with an organization of a certificate issuance service (i.e., device management provider) using a client certificate (i.e., authentication certificate) issued by the certificate issuance service).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith's invention by enhancing it to generate a signed device attestation to indicate that the first device is associated with the organization of the device management provider using an authentication certificate issued by the device management provider associated with the organization, wherein the enrollment request message comprises the signed device attestation, as taught by Barton, in order to sign an authentication message using a client certificate (see Barton, para. 398).
Smith-Barton does not, but Verzun discloses:
a signed authentication certificate (see Verzun, para. 44, where a signed certificate is issued by a trust certificate authority).
It would have been obvious to one having ordinary skill in the art to which the claimed invention pertains, before the effective filing date of the claimed invention, to modify Smith-Barton's invention by enhancing it with a signed authentication certificate, as taught by Verzun, in order for a trust certificate authority to issue a signed certificate (see Verzun, para. 44).
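The mechanism the rejections of claims 3/10/17 and 4/11/18 turn on (a certificate issued by the device management provider's CA, a device attestation signed under it and carried in the enrollment request, and the authentication server's enrollment denial message when the attestation fails), as a worked illustration added here; it is not code from the office action, the application, or any cited reference, and the attestation layout, the Ed25519 key type, the organization and device names, and the denial wording are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Attestation is the signed claim in the enrollment request message (layout assumed here).
type Attestation struct {
	DeviceID, OrgID string // "device DeviceID belongs to organization OrgID"
	Sig             []byte // Ed25519 signature by the device key over claim()
}
func claim(dev, org string) []byte { return []byte(dev + "\x00" + org) }
func must(err error) { if err != nil { panic(err) } }
func genKey() ed25519.PrivateKey { _, k, err := ed25519.GenerateKey(rand.Reader); must(err); return k }

// newCert: parent == nil yields the provider's self-signed CA; otherwise that CA signs a
// device certificate binding the device key to org (the "authentication certificate").
func newCert(org, cn string, key ed25519.PrivateKey, parent *x509.Certificate, pKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), BasicConstraintsValid: true,
		Subject: pkix.Name{Organization: []string{org}, CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil { t.IsCA, t.KeyUsage, parent, pKey = true, x509.KeyUsageCertSign, t, key } // self-signed CA
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pKey); must(err)
	c, err := x509.ParseCertificate(der); must(err)
	return c
}

// signAttestation runs on the device: the device key signs the organization-membership claim.
func signAttestation(devKey ed25519.PrivateKey, dev, org string) Attestation {
	return Attestation{dev, org, ed25519.Sign(devKey, claim(dev, org))}
}

// verifyEnrollment runs on the authentication server: the device certificate must chain to the
// provider CA and name the attested organization, and the signature must verify. It returns
// "enrolled" or the enrollment denial message that is sent back to the device for display.
func verifyEnrollment(root, devCert *x509.Certificate, a Attestation) string {
	pool := x509.NewCertPool(); pool.AddCert(root)
	if _, err := devCert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "denied: certificate not issued by the organization's device management provider"
	}
	if len(devCert.Subject.Organization) == 0 || devCert.Subject.Organization[0] != a.OrgID {
		return "denied: attested organization does not match the device certificate"
	}
	if pub, ok := devCert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, claim(a.DeviceID, a.OrgID), a.Sig) {
		return "denied: attestation signature does not verify"
	}
	return "enrolled"
}
```

The three denial branches correspond to a device certified by some other authority, an attestation naming an organization its certificate does not vouch for, and a tampered or forged attestation body.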
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
Cook et al., US 2021/0218742 A1, COMPUTER-IMPLEMENTED SYSTEMS FOR DISTRIBUTED AUTHORIZATION AND FEDERATED PRIVACY EXCHANGE.
Mummadi et al., US 2020/0233918 A1, DYNAMICALLY DETERMINING A SERVER FOR ENROLLMENT WITH MANAGEMENT SYSTEM.
Gomi et al., US 2019/0268336 A1, AUTHENTICATION DEVICE MANAGEMENT DEVICE, AUTHENTICATION DEVICE MANAGEMENT METHOD, NON-TRANSITORY COMPUTER-READABLE RECORDING MEDIUM, AND AUTHENTICATION DEVICE MANAGEMENT SYSTEM.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HUAN V. DOAN whose telephone number is 571-272-3809. The examiner can normally be reached on Monday – Thursday, 9:00am – 5:00pm EST.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, PHILIP CHEA, can be reached on 571-272-3951. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/HUAN V DOAN/Primary Examiner, Art Unit 2499