DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
The information disclosure statement(s) (IDS) submitted on 12/12/2024 was filed before the mailing date of this office action. The submission is in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
Claims 1, 7-8, 11, 17 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT No. 11567646-B1 to Deore et al. (hereinafter “Deore”), US-PGPUB No. 2011/0246904 A1 to Pinto et al. (hereinafter “Pinto”), and further in view of US-PGPUB No. 2015/0373096 A1 to Chandrasekaran et al. (hereinafter “Chandrasekaran”)
Regarding claim 1:
Deore discloses:
A method (see the methods of FIGS. 5A-5B) comprising:
monitoring, by a computing device (see Fig. 1, Host-A 110A), a virtual desktop (see Fig. 1, Remote Desktop 126) accessible from an endpoint device (see Fig. 1, User Device(s) 148) via a remote session associated with a user (col 8, lines 4-7: “VM1 118 may generate a remote desktop 126 (virtual desktop) that is operated by and accessible to one or more client-side user device(s) 146 (e.g., a client device or a local/endpoint device) via the physical network 112.”, col 10, lines 30-35: “… the user selects a particular RSDH application … to request a connection so as to start a remote desktop session,”);
detecting, by the computing device, a user selection of an application displayed in the virtual desktop to be executed in a secure environment (col 3, lines 44-47: “When the user connects to an RDSH application from the Horizon client (e.g., by clicking one of the corresponding icons 306 in the UI 304 to initiate a connection to the remote desktop at the agent side), …”);
initiating, by the computing device, an on-demand virtual secure session between the computing device and the endpoint device (col 10, lines 30-39: “At 502 (“START APP SESSION”), the user selects a particular RSDH application … and opens/clicks on the application's icon to open it and to request a connection so as to start a remote desktop session, such as a Windows session. … with the agent service 212 running on VM1 118 receiving the connection request and starting a session at 504 (“startSession( )”).”), wherein the on-demand virtual secure session is agnostic to an identity of the user (col 3, lines 60-col 4, lines 1-13: “when a session with an RDSH application is requested, the graphics/window of the remote desktop is not streamed to the user device until after the user completes a logon process and the application is started. … Since SSO does not need user intervention after user credentials are entered, the entire logon process and/or the UI of the remote desktop can be hidden on the local desktop 300 from the user until after the SSO is completed and the RDSH application is started.”);
providing, by the computing device and via the on-demand virtual secure session, the endpoint device with access to a remote application corresponding to the application displayed in the virtual desktop, the remote application being hosted on the computing device and displayable on the endpoint device in a form of a user interface (col 9, lines 37-43: “… the remote desktop 126 may provide RDSH applications 210 installed/running thereon (e.g., the applications 124 of FIG. 1). These RDSH applications 210 (e.g., their respective icons or launched files/interfaces) may in turn be presented on a window/screen/display of the remote desktop 126 rendered on the display screen of the user device 146, when the user device 146 accesses the remote desktop 126,”);
However, Deore does not explicitly disclose the following limitation taught by Pinto:
detecting, by the computing device, a user indication to stop execution of the remote application in the user interface (Pinto, ¶173: “affirmative user input can include selecting an "Exit" option from a menu, clicking on an icon, or entering a termination command into a command-line interface. … in response to receiving a termination request, …”);
terminating, by the computing device, the on-demand virtual secure session (Pinto, ¶173: “… the server process 922 terminates the execution of the session 918 and of any application 916 within that session 918 is halted.”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of Deore to incorporate the functionality of the method to terminate a session, with an affirmative user input, when the user is finished executing an application operating in the session, as disclosed by Pinto, such modification would enable the system to prevent unintentional termination of a session.
The combination of Deore and Pinto does not explicitly disclose the following limitation taught by Chandrasekaran:
generating, by the computing device, a snapshot image indicating a state of the virtual desktop associated with the endpoint device (Chandrasekaran, ¶32: “… the server may generate and store a snapshot of the VM in response to receiving data from the computer 146 … For a virtual desktop, the computer 146 may send such VM data to the server in response to receiving, e.g., from the user 135, a command … or in response to the user closing a laptop computer.”); and
restoring, based on the snapshot image, the virtual desktop to a time prior to the initiation of the on-demand virtual secure session (Chandrasekaran, ¶54: “… at the conclusion of a VM session, the VDI client may send to the data center VM data, e.g., a snapshot of the VM, that allows the VM to be returned to the state of the VM at that time.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Deore and Pinot to incorporate the functionality of the method to generate and store snapshots of a virtual machine, periodically or in response to events, as disclosed by Chandrasekaran, such modification would enable the system to go back to state of a previous session of a virtual machine (virtual desktop), such as the VM's power state, e.g., powered-on, powered-off, or suspended, and/or the state of one or more virtual devices used by the VM.
Regarding claim 7:
The combination of Deore, Pinto and Chandrasekaran discloses:
The method of claim 1, wherein the application displayed in the virtual desktop corresponds to a first operating system format and the remote application displayed in the user interface corresponds to a second operating system format different from the first operating system format (Pinto, ¶88: “… the computing machine 100 can execute PARALLELS or another virtualization platform that can execute or manage a virtual machine executing a first operating system, while the computing machine 100 executes a second operating system different from the first operating system.”).
The same motivation which is applied to claim 1 with respect to Pinto applies to claim 7.
Regarding claim 8:
The combination of Deore, Pinto and Chandrasekaran discloses:
The method of claim 7, wherein the second operating system format comprises a Windows format, a Linux format and a Mac OS format (Pinto, ¶88: “… the computing machine 100 can execute any of the following operating systems: … WINDOWS VISTA; the different releases of the Unix and Linux operating systems; any version of the MAC OS …”).
The same motivation which is applied to claim 1 with respect to Pinto applies to claim 8.
Regarding claim 11:
Deore discloses:
A computing device (col 12, line 6: “Computing Device”), comprising:
at least one processor (col 12, lines 11-14: “The computing device may include processor(s), memory unit(s) and physical NIC(s) that may communicate with each other …”); and
memory storing computer-readable instructions (col 12, lines 14-18: “The computing device may include a non-transitory computer-readable medium having stored thereon instructions or program code that, in response to execution by the processor, cause the processor to perform processes described herein …”) that, when executed by the at least one processor, cause the computing device to:
In addition to the above limitations claim 11 recites substantially the same limitations as claim 1 in the form of a computing device to realize the corresponding functionality. Therefore, it is rejected by the same rationale.
Regarding claim 17:
Claim 17 recites substantially the same limitation as claim 7 in the form of a computing device to realize the corresponding functionality. Therefore, it is rejected by the same rationale.
Regarding claim 20:
Claim 20 recites substantially the same limitations as claim 1 in the form of a non-transitory computer-readable media storing instructions to perform the corresponding functions. Therefore, it is rejected by the same rationale.
Claims 2 and 12 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT Deore, Pinto, Chandrasekaran, and further in view of US-PGPUB No. 2023/0337002 A1 to Hu et al. (hereinafter “Hu”)
Regarding claim 2:
The combination of Deore, Pinto and Chandrasekaran disclosesd the method of claim 1, but does not explicitly teach the following limitation taught by Hu:
wherein the remote session associated with the user and the on-demand virtual secure session share no security context (Hu, ¶44: “… ensure that security contexts used for different communication services are different.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Deore, Pinto and Chandrasekaran to incorporate the functionality of the method to prevent a security key included in a generated second security context from being the same as a security key included in a first security context, as disclosed by Hu, such modification would enable the system to ensure that security contexts used for different communication services are different which can ensure effective security isolation of the communication services, so that security of the communication services can be improved.
Regarding claim 12:
Claim 12 recites substantially the same limitation as claim 2 in the form of a computing device to realize the corresponding functionality. Therefore, it is rejected by the same rationale.
Claims 3-4 and 13-14 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT Deore, Pinto, Chandrasekaran, US-PGPUB No. 2010/0253697 A1 to Rivera, and further in view of USPAT No. 10482561 B1 to Featonby et al. (hereinafter “Featonby”)
Regarding claim 3:
The combination of Deore, Pinto and Chandrasekaran discloses the method of claim 1, but does not explicitly teach the following limitation taught by Rivera:
further comprising:
after providing the endpoint device with access to the remote application, receiving one or more user commands (Rivera, ¶55: “… the application/desktop delivery system 210 receives user commands”) to execute the remote application (Rivera, ¶55: “Once the user commands are received by the application/desktop delivery system 210, they can be forwarded to the application 208 where they are processed.”);
executing, based on the one or more user commands, the remote application hosted on the computing device (Rivera, ¶55: “… the application/desktop delivery system 210 receives user commands and other user-generated input from the client agent 214. Once the user commands are received by the application/desktop delivery system 210, they can be forwarded to the application 208 where they are processed.”); […]
and causing to display the execution result of the remote application in the user interface (Rivera, ¶53: “the local computing machine 204 executes an application 208 that generates application output. The application output can comprise graphical data that is then display on a display device connected to the local computing machine 204”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention to modify the teachings of Deore, Pinto and Chandrasekaran to incorporate the functionality of the application/desktop delivery system to receive user commands to be forwarded to an application where they are processed, as disclosed by Rivera, such modification would enable the system to remotely execute an application using user commands.
The combination of Deore, Pinto, Chandrasekaran and Rivera does not explicitly teach the following limitation taught by Featonby:
[…] storing an execution result of the remote application in a secure storage in a cloud accessible by the computing device (Featonby, col 17, lines 45-53: “… at some point, one or more elements of the log 635 may be transferred to persistent storage external to the graphics server 420. … the log 635 may be stored using an external storage service 640. The storage service 640 may be a “cloud” storage service …”);
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Deore, Pinot, Chandrasekaran and Rivera to incorporate the functionality of the method to store one or more elements of the log 635 in a persistent storage associated with the graphics server 420, e.g., while the log is being generated during a session, as disclosed by Featonby, such modification would enable the system to delete generated logs or mark them for deletion or perform operations on the generated logs as needed.
Regarding claim 4:
The combination of Deore, Pinto, Chandrasekaran, Rivera and Featonby discloses:
The method of claim 3, further comprising:
after terminating the on-demand virtual secure session, deleting the execution result of the remote application from the secure storage (Featonby, col 17, lines 64- col 18, line 1: “Elements of the log 635 that are transferred from the graphics server 420 to the storage service 640 may not be retained on the graphics server, e.g., by deleting the elements or marking them for deletion upon transfer to the storage service.”).
The same motivation which is applied to claim 3 with respect to Featonby applies to claim 4.
Regarding claims 13-14:
Claims 13-14 recite substantially the same limitations as claims 3-4, respectively, in the form of a computing device to realize the corresponding functionalities. Therefore, they are rejected by the same rationale.
Claims 6 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT Deore, Pinto, Chandrasekaran, and further in view of US-PGPUB No. 2014/0033271 A1 to Barton et al. (hereinafter “Barton”)
Regarding claim 6:
The combination of Deore, Pinto and Chandrasekaran discloses the method of claim 1, but does not explicitly teach the following limitation taught by Barton:
wherein the user selection of the application comprises:
opening a file in the secure environment (Barton, ¶340: “selecting a set of applications on the mobile device 810 that can be used to open a file or data element identified by a link or icon”);
opening a link to the file in the secure environment (Barton, ¶340: “… open a file or data element identified by a link or icon (e.g., using Open In).”); and
installing a software in the secure environment (Barton, ¶533: “The method includes installing a set of managed applications of the enterprise on the mobile device,”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Deore, Pinot and Chandrasekaran to incorporate the functionality of the method t for selecting a set of applications on a mobile device that can be used to open a file or data element identified by a link or icon, as disclosed by Barton, such modification would enable the system to copy data or data objects from one application and paste the data or data objects in another application (e.g., via a hidden, encrypted paste buffer).
Regarding claim 16:
Claim 16 recites substantially the same limitation as claim 6 in the form of a computing device to realize the corresponding functionality. Therefore, it is rejected by the same rationale.
Claims 9-10 and 18-19 are rejected under 35 U.S.C. 103 as being unpatentable over USPAT Deore, Pinto, Chandrasekaran, and further in view of US-PGPUB No. 2020/0387876 A1 to Jones et al. (hereinafter “Jones”)
Regarding claim 9:
The combination of Deore, Pinto and Chandrasekaran discloses the method of claim 1, but does not explicitly teach the following limitation taught by Jones:
further comprising:
after initiating the on-demand virtual secure session, assigning a temporary account to the user without a reference to the identity of the user (Jones, ¶71: “a temporary account may be created and may be associated with a unique identifier. The unique identifier may, for example, be a credential such as a unique number that may be generated by the server system using, for example, a random or pseudo-random number generator.”).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the invention, to modify the teachings of the combination of Deore, Pinot and Chandrasekaran to incorporate the functionality of the server system to create a temporary account and to associate the temporary account to a unique identifier which may be a credential such as a unique number that may be generated by the server system using, for example, a random or pseudo-random number generator, as disclosed by Jones, such modification would enable the system to anonymously identify a user and protect PII.
Regarding claim 10:
The combination of Deore, Pinto, Chandrasekaran and Jones discloses
The method of claim 9, further comprising:
after terminating the on-demand virtual secure session, deleting the temporary account and data associated with the temporary account from a secure storage associated with the on-demand virtual secure session (Jones, ¶87: “After a transfer from a temporary account is completed, the temporary account may be deleted and/or disabled.”).
The same motivation which is applied to claim 9 with respect to Jones applies to claim 10.
Regarding claims 18-19:
Claims 18-19 recite substantially the same limitations as claims 9-10, respectively, in the form of a computing device to realize the corresponding functionalities. Therefore, they are rejected by the same rationale.
Allowable Subject Matter
Claims 5 and 15 are objected as being dependent upon rejected independent claims 1 and 11, respectively, but would be allowable if rewritten in independent form including all of the limitations of the base claim and intervening claims.
The following is a statement of reasons for the indication of allowable subject matter:
The combination of references Deore, Pinto and Chandrasekaran discloses the method of claim 1 which comprises: monitoring, by a computing device, a virtual desktop accessible from an endpoint device via a remote session associated with a user; detecting, by the computing device, a user selection of an application displayed in the virtual desktop to be executed in a secure environment; generating, by the computing device, a snapshot image indicating a state of the virtual desktop associated with the endpoint device; initiating, by the computing device, an on-demand virtual secure session between the computing device and the endpoint device, wherein the on-demand virtual secure session is agnostic to an identity of the user; providing, by the computing device and via the on-demand virtual secure session, the endpoint device with access to a remote application corresponding to the application displayed in the virtual desktop, the remote application being hosted on the computing device and displayable on the endpoint device in a form of a user interface; detecting, by the computing device, a user indication to stop execution of the remote application in the user interface; terminating, by the computing device, the on-demand virtual secure session; and restoring, based on the snapshot image, the virtual desktop to a time prior to the initiation of the on-demand virtual secure session. However, the combination of Deore, Pinto and Chandrasekaran fails to teach claim limitations (of claim 5): after generating the snapshot image and prior to initiating the on-demand virtual secure session, terminating the remote session; and after terminating the on-demand virtual secure session, initiating a new remote session associated with the user; and wherein restoring the virtual desktop to the time prior to the initiation of the on-demand virtual secure session comprises: providing, based on the snapshot image, the virtual desktop accessible from the endpoint device via the new remote session.
Claim 15 recites substantially the same limitations as claim 5 in the form of a computing device to realize the corresponding functionality, and is indicated as allowable subject matter.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Belkine et al. (US 20110153838-A1)- disclosed techniques for determining the status of virtual machine sessions on a computing device.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to MATTHIAS HABTEGEORGIS whose telephone number is (571)272-1916. The examiner can normally be reached M-F 8am-5pm ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, William R. Korzuch can be reached at (571)272-7589. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/M.H./Examiner, Art Unit 2491