NON-FINAL OFFICE ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b) CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
Claims 1-4, 9, 10, 17-19, and 25 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 17 recite the limitation “obtaining a SIM profile from a network node or a second service provide”, followed by “obtaining a set of SASE instances from the network node”. There is insufficient antecedent basis for the second limitation in the claim because the previous limitation is in alternate form.
Claim Rejections - 35 USC § 103
Claims 1-4, 10, 11, 13, 17-19, 27, and 29 are rejected under 35 U.S.C. 103 as being unpatentable over U.S. Pat. PGPUB 2021/0336959A1 to Shah et al. (“Shah”) in view of U.S. Pat. PGPUB 2022/0104005A1 to Xiong et al. (“Xiong”) and U.S. Pat. PGPUB 2022/0215101A1 to Rioux et al. (Rioux”).
As to claim 1, Shah discloses:
A method performed by a computer-implemented controller, the method comprising:
receiving a request for managing one or more user equipments (UEs);
Shah discloses a computer-implemented method including receiving a request for managing user equipment. Shah at ¶¶60-61 and 78 disclosing an application supporting MDM functions for managing UEs 300.
obtaining a user-specific security profile from a first service provider;
[…];
obtaining a set of […] edge […] instances from the network node;
Shah discloses obtaining edge instance information from a network node. Shah at ¶78 (“[o]n successful authentication, the server contacts Mobile Device Management (MDM) or Inventory management provider to define access control rights for the user device 300”); ¶70 (“[i]n an embodiment, the monitored data can be from different categories, including application-related, network-related, device-related (also can be referred to as endpoint-related), protocol-related, etc. Data can be collected at the application 350 or the cloud edge to quantify user experience for specific applications, i.e., the application-related and device-related data”); ¶75 (“[i]n another embodiment, the metrics can be enriched by triggering synthetic measurements in the context of an inline transaction by the application 350 or cloud edge”); ¶111 (“FIG. 14 is a flowchart of a device enrollment process 800 for the client user device 300 and the connector application 350 On successful authorization, the mobile admin server enrolls the user to cloud services with their authentication contexts (step 808). Each cloud service responds with specific access controls and protocol information that the client receives from mobile admin and uses for local network setup (step 810)”). See also id. at ¶63.
building one or more UE-specific […]configurations based on the user-specific security profile, […], and the set of SASE instances; and
Shah discloses building UE specific configurations dependent on the information. Shah at ¶¶78, 82-83, 98, and 111, showing sending UE-specific configurations from various service providers),
sending the one or more UE-specific […]configurations to a third service provider, the one or more UE-specific […]configurations being obtainable by the one or more UEs to establish a secured wireless communication channel through a zero-trusted network.
Shah discloses sharing the configuration information and that the UEs may use configurations to establish a secure channel through a zero-trust network. Shah at ¶60 ("[t]he application 350 can automatically forward user traffic with the cloud-based system 100 as well as ensuring that security and access policies are enforced, regardless of device, location, operating system, or application. … The application 350 can support various cloud services, including ZIA, ZPA, ZDX, etc., allowing the best in class security with zero trust access to internal apps"); ¶¶62-63, secure tunneling between the user device 300 and connector 400; see also ¶84, "[p]ost proper enrollment, the connector application 350 securely connects to cloud services by means of network tunnels".
Shah does not disclose the configurations are bootstrap configurations, or that the edges are SASE instances, or obtaining and using a SIM profile.
Xiong discloses the obtaining of and use of SIM profiles for MDM enrollment. Xiong at FIGS 5F and 5G and at ¶¶45-47.
Rioux discloses a bootstrap scenario where edge instances use the SASE model. Rioux at ¶¶215-216 and 620 (“In some embodiments, one or more of the components described above may be deployed using a secure access service edge (‘SASE’) model or similar model. In a SASE model, the services, functionality, or components described above may be deployed at edge devices (or relatively close to such edge device) such as a user's laptop, tablet, smartphone, or other device. In such a way, network security controls may be delivered on such edge devices. SASE capabilities may be delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions, where the identity of entities can be associated with people, groups of people, devices, applications, services, IoT systems or edge computing locations, and so on”).
Therefore it would have been obvious to one of ordinary skill in the art at the time of applicant’s filing to add such features to Shah. Xiong and Rioux both disclose features that were known at the time and one of ordinary skill in the art would have seen such as merely combining prior art elements according to known methods to yield predictable results. MPTP § 2143 I. A., citing KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007).
Further as to claim 2:
The method of claim 1, further comprising the steps of, for each UE of the one or more UEs:
obtaining one or more identifiers associated with one or more components of the UE;
storing the one or more identifiers in a device inventory of the controller; and
sending the one or more identifiers to the third service provider.
Shah, Xiong, and Rioux discloses obtaining and storing identifiers associated with UE components to be sent to the provider in that the SIM has a unique ID (Xiong at ¶45 and 56 “[t]he wireless device 102 obtains a unique identifier value, e.g., an integrated circuit card identifier”).
Further as to claim 3:
The method of claim 1, wherein obtaining the user-specific security profile from the first service provider comprise:
generating a set of user-specific rules; and
exchanging security keys with the first service provider, wherein the user-specific security profile includes the set of user-specific rules and the security keys, the user-specific security profile being configured to facilitate the third service provider to authenticate a UE of the one or more UEs.
Xiong discloses generating a set of user-specific rules in creating a profile. Xiong at ¶¶52-53. Further, Shah and Rioux discloses exchanging security keys to authenticate a UE. Shah at ¶61 as to installation of client and SSL certificates during enrollment, Rioux at ¶¶114.
Further as to claim 4:
The method of claim 1, wherein obtaining the SIM profile from the network provider or the second service provider comprises:
sending a request to the network node to obtain the SIM profile; and
receiving the SIM profile from the network node, wherein the SIM profile is configured to facilitate a UE of the one or more UEs to establish a cellular communication.
One of ordinary skill in the art would have understood that SIM information is specifically configured to facilitate a UE to establish a cellular connection.
Further as to claim 10:
The method of claim 1, further comprising:
sending a request for registering the one or more UEs with a virtual private network (VPN) controller; and
receiving a confirmation from the VPN controller that the one or more UEs are registered.
Shah discloses sending a request to register with a VPN. Shah at ¶¶86. A response comes back from the VPN system. Id. at FIG 12.
As to claim 11, Shah discloses:
A method performed by a user equipment, the method comprising:
connecting to a wireless network;
upon connecting to the wireless network, obtaining one or more UE-specific […]configurations from a mobile device management (MDM) service provider,
Shah discloses connecting to a wireless network and obtaining UE configurations from a MDM provider. Shah at ¶¶60-61. Shah discloses building UE specific configurations dependent on the information. Shah at ¶¶78, 82-83, 98, and 111, showing sending UE-specific configurations from various service providers).
the one or more UE-specific […]configurations being based on a user-specific security profile, […], and a set of […]instances; obtaining user credentials; and
Shah discloses obtaining edge instance information from a network node. Shah at ¶78 (“[o]n successful authentication, the server contacts Mobile Device Management (MDM) or Inventory management provider to define access control rights for the user device 300”); ¶70 (“[i]n an embodiment, the monitored data can be from different categories, including application-related, network-related, device-related (also can be referred to as endpoint-related), protocol-related, etc. Data can be collected at the application 350 or the cloud edge to quantify user experience for specific applications, i.e., the application-related and device-related data”); ¶75 (“[i]n another embodiment, the metrics can be enriched by triggering synthetic measurements in the context of an inline transaction by the application 350 or cloud edge”); ¶111 (“FIG. 14 is a flowchart of a device enrollment process 800 for the client user device 300 and the connector application 350 On successful authorization, the mobile admin server enrolls the user to cloud services with their authentication contexts (step 808). Each cloud service responds with specific access controls and protocol information that the client receives from mobile admin and uses for local network setup (step 810)”). See also id. at ¶63.
establishing, based on the one or more UE-specific […]configurations, the user credentials, […], a secured wireless communication channel with a network node through a zero-trusted network.
Shah discloses sharing the configuration information and that the UEs may use configurations to establish a secure channel through a zero-trust network. Shah at ¶60 ("[t]he application 350 can automatically forward user traffic with the cloud-based system 100 as well as ensuring that security and access policies are enforced, regardless of device, location, operating system, or application. … The application 350 can support various cloud services, including ZIA, ZPA, ZDX, etc., allowing the best in class security with zero trust access to internal apps"); ¶¶62-63, secure tunneling between the user device 300 and connector 400; see also ¶84, "[p]ost proper enrollment, the connector application 350 securely connects to cloud services by means of network tunnels".
Shah does not disclose the configurations are bootstrap configurations, or that the edges are SASE instances, or obtaining and using a SIM profile.
Xiong discloses the obtaining of and use of SIM profiles for MDM enrollment. Xiong at FIGS 5F and 5G and at ¶¶45-47.
Rioux discloses a bootstrap scenario where edge instances use the SASE model. Rioux at ¶¶215-216 and 620 (“In some embodiments, one or more of the components described above may be deployed using a secure access service edge (‘SASE’) model or similar model. In a SASE model, the services, functionality, or components described above may be deployed at edge devices (or relatively close to such edge device) such as a user's laptop, tablet, smartphone, or other device. In such a way, network security controls may be delivered on such edge devices. SASE capabilities may be delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions, where the identity of entities can be associated with people, groups of people, devices, applications, services, IoT systems or edge computing locations, and so on”).
Therefore it would have been obvious to one of ordinary skill in the art at the time of applicant’s filing to add such features to Shah. Xiong and Rioux both disclose features that were known at the time and one of ordinary skill in the art would have seen such as merely combining prior art elements according to known methods to yield predictable results. MPTP § 2143 I. A., citing KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007).
Further as to claim 13:
The method of claim 11, wherein establishing the secured wireless communication channel with the network node through the zero-trust network comprises:
obtaining, based on an eSIM/iSIM reference configuration included in the one or more UE-specific bootstrap configurations, an eSIM/iSIM profile from a service manager (SM) service provider; and
activating the UE to connect to a cellular network based on the eSIM/iSIM profile.
Xiong discloses the profile is an eSIM profile. Xiong at ¶¶44-47. One of ordinary skill in the art would have understood that SIM information is specifically configured to facilitate a UE to establish a cellular connection.
As to claim 17, Shah discloses:
A computer-implemented controller for managing a mobile embedded security platform, the controller comprising:
a transceiver, a processor and a memory, said memory containing instructions executable by said processor whereby said controller is operative to perform:
Shah discloses a computer-implemented method including receiving a request for managing user equipment. Shah at ¶¶60-61 and 78 disclosing an application supporting MDM functions for managing UEs 300. The UE includes a transceiver.
obtaining a user-specific security profile from a first service provider;
[…];
obtaining a set of […]edge […] instances from the network node;
building one or more UE-specific […]configurations based on the user-specific security profile, […], and the set of […]instances; and
Shah discloses building UE specific configurations dependent on the information. Shah at ¶¶78, 82-83, 98, and 111, showing sending UE-specific configurations from various service providers),
sending the one or more UE-specific […]configurations to a third service provider, the one or more UE-specific […]configurations being obtainable by the one or more UEs to establish a secured wireless communication channel through a zero-trusted network.
Shah discloses sharing the configuration information and that the UEs may use configurations to establish a secure channel through a zero-trust network. Shah at ¶60 ("[t]he application 350 can automatically forward user traffic with the cloud-based system 100 as well as ensuring that security and access policies are enforced, regardless of device, location, operating system, or application. … The application 350 can support various cloud services, including ZIA, ZPA, ZDX, etc., allowing the best in class security with zero trust access to internal apps"); ¶¶62-63, secure tunneling between the user device 300 and connector 400; see also ¶84, "[p]ost proper enrollment, the connector application 350 securely connects to cloud services by means of network tunnels".
Shah does not disclose the configurations are bootstrap configurations, or that the edges are SASE instances, or obtaining and using a SIM profile.
Xiong discloses the obtaining of and use of SIM profiles for MDM enrollment. Xiong at FIGS 5F and 5G and at ¶¶45-47.
Rioux discloses a bootstrap scenario where edge instances use the SASE model. Rioux at ¶¶215-216 and 620 (“In some embodiments, one or more of the components described above may be deployed using a secure access service edge (‘SASE’) model or similar model. In a SASE model, the services, functionality, or components described above may be deployed at edge devices (or relatively close to such edge device) such as a user's laptop, tablet, smartphone, or other device. In such a way, network security controls may be delivered on such edge devices. SASE capabilities may be delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions, where the identity of entities can be associated with people, groups of people, devices, applications, services, IoT systems or edge computing locations, and so on”).
Therefore it would have been obvious to one of ordinary skill in the art at the time of applicant’s filing to add such features to Shah. Xiong and Rioux both disclose features that were known at the time and one of ordinary skill in the art would have seen such as merely combining prior art elements according to known methods to yield predictable results. MPTP § 2143 I. A., citing KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007).
Further as to claim 18:
The computer-implemented controller of claim 17, further operative to perform the steps of, for each UE of the one or more UEs:
obtaining one or more identifiers associated with one or more components of the UE;
storing the one or more identifiers in a device inventory of the controller; and
sending the one or more identifiers to the third service provider.
Shah, Xiong, and Rioux discloses obtaining and storing identifiers associated with UE components to be sent to the provider in that the SIM has a unique ID (Xiong at ¶45 and 56 “[t]he wireless device 102 obtains a unique identifier value, e.g., an integrated circuit card identifier”).
Further as to claim 19:
The computer-implemented controller of claim 17, wherein obtaining the user-specific security profile from the first service provider comprises comprise:
generating a set of user-specific rules; and
exchanging security keys with the first service provider, wherein the user-specific security profile includes the set of user-specific rules and the security keys, the user-specific security profile being configured to facilitate the third service provider to authenticate a UE of the one or more UEs.
Xiong discloses generating a set of user-specific rules in creating a profile. Xiong at ¶¶52-53. Further, Shah and Rioux discloses exchanging security keys to authenticate a UE. Shah at ¶61 as to installation of client and SSL certificates during enrollment, Rioux at ¶¶114.
As to claim 27, Shah discloses:
A user equipment (UE) for establishing a secured connection based on a mobile embedded security platform, comprising:
a transceiver, a processor, and a memory, said memory containing instructions executable by the processor whereby the UE is operative to perform:
Shah discloses a computer-implemented method including receiving a request for managing user equipment. Shah at ¶¶60-61 and 78 disclosing an application supporting MDM functions for managing UEs 300. The UE includes a transceiver.
connecting to a wireless network;
upon connecting to the wireless network, obtaining one or more UE-specific […]configurations from a mobile device management (MDM) service provider,
Shah discloses connecting to a wireless network and obtaining UE configurations from a MDM provider. Shah at ¶¶60-61. Shah discloses building UE specific configurations dependent on the information. Shah at ¶¶78, 82-83, 98, and 111, showing sending UE-specific configurations from various service providers).
the one or more UE-specific […]configurations being based on a user-specific security profile, […], and a set of […]instances;
obtaining user credentials; and
Shah discloses obtaining edge instance information from a network node. Shah at ¶78 (“[o]n successful authentication, the server contacts Mobile Device Management (MDM) or Inventory management provider to define access control rights for the user device 300”); ¶70 (“[i]n an embodiment, the monitored data can be from different categories, including application-related, network-related, device-related (also can be referred to as endpoint-related), protocol-related, etc. Data can be collected at the application 350 or the cloud edge to quantify user experience for specific applications, i.e., the application-related and device-related data”); ¶75 (“[i]n another embodiment, the metrics can be enriched by triggering synthetic measurements in the context of an inline transaction by the application 350 or cloud edge”); ¶111 (“FIG. 14 is a flowchart of a device enrollment process 800 for the client user device 300 and the connector application 350 On successful authorization, the mobile admin server enrolls the user to cloud services with their authentication contexts (step 808). Each cloud service responds with specific access controls and protocol information that the client receives from mobile admin and uses for local network setup (step 810)”). See also id. at ¶63.
establishing, based on the one or more UE-specific […]configurations, the user credentials, […], a secured wireless communication channel with a network node through a zero-trusted network.
Shah discloses sharing the configuration information and that the UEs may use configurations to establish a secure channel through a zero-trust network. Shah at ¶60 ("[t]he application 350 can automatically forward user traffic with the cloud-based system 100 as well as ensuring that security and access policies are enforced, regardless of device, location, operating system, or application. … The application 350 can support various cloud services, including ZIA, ZPA, ZDX, etc., allowing the best in class security with zero trust access to internal apps"); ¶¶62-63, secure tunneling between the user device 300 and connector 400; see also ¶84, "[p]ost proper enrollment, the connector application 350 securely connects to cloud services by means of network tunnels".
Shah does not disclose the configurations are bootstrap configurations, or that the edges are SASE instances, or obtaining and using a SIM profile.
Xiong discloses the obtaining of and use of SIM profiles for MDM enrollment. Xiong at FIGS 5F and 5G and at ¶¶45-47.
Rioux discloses a bootstrap scenario where edge instances use the SASE model. Rioux at ¶¶215-216 and 620 (“In some embodiments, one or more of the components described above may be deployed using a secure access service edge (‘SASE’) model or similar model. In a SASE model, the services, functionality, or components described above may be deployed at edge devices (or relatively close to such edge device) such as a user's laptop, tablet, smartphone, or other device. In such a way, network security controls may be delivered on such edge devices. SASE capabilities may be delivered as a service based upon the identity of the entity, real-time context, enterprise security/compliance policies and continuous assessment of risk/trust throughout the sessions, where the identity of entities can be associated with people, groups of people, devices, applications, services, IoT systems or edge computing locations, and so on”).
Therefore it would have been obvious to one of ordinary skill in the art at the time of applicant’s filing to add such features to Shah. Xiong and Rioux both disclose features that were known at the time and one of ordinary skill in the art would have seen such as merely combining prior art elements according to known methods to yield predictable results. MPTP § 2143 I. A., citing KSR Int'l Co. v. Teleflex Inc., 550 U.S. 398, 415-421, 82 USPQ2d 1385, 1395-97 (2007).
Further as to claim 29:
The UE of claim 27, wherein establishing the secured wireless communication channel with the network node through the zero-trust network comprises:
obtaining, based on an eSIM/iSIM reference configuration included in the one or more UE-specific bootstrap configurations, an eSIM/iSIM profile from a service manager (SM) service provider; and
activating the UE to connect to a cellular network based on the eSIM/iSIM profile.
Xiong discloses the profile is an eSIM profile. Xiong at ¶¶44-47. One of ordinary skill in the art would have understood that SIM information is specifically configured to facilitate a UE to establish a cellular connection.
Allowable Subject Matter
Claims 12, 15, 16, 28, 31, and 32 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
As to claims 12 and 28, the prior art does not disclose the parent claim wherein the one or more UE-specific bootstrap configurations comprise configurations associated with: an embedded subscriber identification module or integrated subscriber identification module (eSIM/iSIM) profile reference;
one or more of a VPN (virtual private network) controller URL (uniform resource link) and a VPN controller certificate;
disabling a physical SIM;
selecting a primary eSIM profile;
disabling adding new eSIM profiles; and
enabling capability of switching eSIM profiles.
As to claims 15 and 31, the prior art does not disclose the parent claim further comprising the steps of:
connecting to at least one of a generic bootstrapping architecture (GBA) service provider or an authenticated key management for application (AKMA) service provider to obtain one or more cryptograph keys;
connecting, via a virtual private network (VPN) client of the UE, to a VPN controller to obtain a set of user-specific rules, cryptograph keys, and SASE IP addresses; and
establishing a VPN connection between the UE and one or more SASE instances based on the set of user-specific rules, the one or more cryptograph keys, and the SASE IP addresses.
As to claims 16 and 32, the prior art does not disclose the parent claim wherein establishing a VPN connection between the UE and one or more SASE instances comprises:
in accordance with a determination that the UE is connected to the cellular network, establishing the VPN connection to the one or more SASE instances based on the cryptograph keys; and
in accordance with a determination that the UE is not connected to the cellular network, establishing the VPN connection to the one or more SASE instances based on the SASE IP addresses configured for the wireless network.
Conclusion
Any inquiry concerning this communication or earlier communications from the
Examiner should be directed to Charles Craver whose telephone number is (571) 272-
7849. The Examiner can normally be reached on Monday - Friday 8:30-5:30 PT Pacific
Time. If attempts to reach the Examiner by telephone are unsuccessful, the Examiner's
supervisor, Andrew J. Fischer can be reached on 571-272-6779. The fax phone number
for the organization where this application or proceeding is assigned is 571-273-8300.
Signed,
/CHARLES R CRAVER/
Primary Examiner, Art Unit 3992