PTAB

IPR2018-00917

Citrix Systems Inc v. Workspot Inc


1. Case Identification

2. Patent Overview

  • Title: Context-Based Authentication
  • Brief Description: The ’182 patent describes systems and methods for context-based authentication of mobile devices. The invention is directed to an access control system, external to a plurality of enterprises, that stores a mapping of request contexts (e.g., user identity, device type, location) to specific "action control policies" and uses this mapping to manage access to applications, particularly those hosted by a Software as a Service (SaaS) system.

3. Grounds for Unpatentability

Ground 1: Obviousness over Qureshi - Claims 1-5, 7, 8, 10-18 are obvious over Qureshi

  • Prior Art Relied Upon: Qureshi (Patent 8,869,235).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner argued that Qureshi, which was not cited during prosecution, discloses a mobile device management system that functions as the claimed "access control system." This system is located in the cloud, external to the enterprise, and stores mobile device rules ("action control policies") that control actions a device can perform in a given context (e.g., disabling the web browser based on location). Qureshi's system receives requests from mobile devices for interacting with applications, with the request providing context information. It then determines the appropriate rule and sends it to an agent on the client device for enforcement.
    • Motivation to Combine (for §103 grounds): While Qureshi does not explicitly teach a single management system storing rules for a plurality of enterprises, it discloses that a related component (the secure mobile gateway) can handle requests for multiple enterprise systems. Petitioner asserted a POSITA would have been motivated to modify Qureshi’s mobile device management system to support multiple enterprises to achieve predictable results, such as reduced complexity and cost compared to deploying separate systems for each enterprise. This was presented as applying a known technique (multi-tenancy) to a system ready for improvement.
    • Expectation of Success (for §103 grounds): A POSITA would have a high expectation of success because Qureshi already provides the fundamental architecture for a cloud-based, policy-driven mobile management system.

Ground 2: Anticipation by Narain - Claims 1-4, 7, 8, 10-16, 18 are anticipated by Narain

  • Prior Art Relied Upon: Narain (Patent 8,578,443).
  • Core Argument for this Ground:
    • Prior Art Mapping: Petitioner contended that Narain, also not cited during prosecution, anticipates the challenged claims. Narain allegedly teaches an enforcement engine ("access control system") with a management platform that can accommodate a multi-tenant system where each tenant is an enterprise customer, thus meeting the "plurality of enterprises" limitation. This system stores policies that prohibit actions (e.g., accessing an app without a VPN) based on context. Petitioner asserted that Narain's system is external to the enterprise network, receives requests to access cloud-based applications (disclosing YouTube as an example of a SaaS application), identifies the enterprise associated with the device, determines the relevant policy based on context, and sends policy information to a client-side agent for enforcement.

Ground 3: Obviousness over Narain in view of Thomas - Claims 5 and 17 are obvious over Narain in view of Thomas

  • Prior Art Relied Upon: Narain (Patent 8,578,443) and Thomas (Patent 8,713,633).
  • Core Argument for this Ground:
    • Prior Art Mapping: This ground addresses dependent claims 5 and 17, which add the limitation of generating a "contextual model" identifying expected device contexts and determining a policy based on a deviation from that model. Petitioner argued that Narain teaches generating a four-way mapping of users, devices, applications, and access times, which constitutes the claimed "contextual model" of expected contexts. However, Petitioner conceded Narain does not explicitly teach determining a policy based on a deviation from this model.
    • Motivation to Combine (for §103 grounds): Petitioner argued Thomas, which is in the same field, explicitly teaches using a predictive model ("contextual model") based on historical user behavior to detect violations of policy and to improve or determine enterprise policies based on such deviations. A POSITA would combine Thomas's predictive modeling and deviation analysis with Narain's multi-tenant policy enforcement system to dynamically adapt and improve an enterprise's policies based on new information about mobile application usage, thereby addressing gaps in existing policies.
    • Expectation of Success (for §103 grounds): The combination was argued to be a predictable integration of known techniques, allowing Narain's system to become more robust and adaptive.
  • Additional Grounds: Petitioner asserted additional obviousness challenges, including: (1) Qureshi in view of Joshi (Application # 2012/0210068) to teach specifying cache sizes in a policy; (2) Qureshi in view of Shelest (Application # 2006/0282876) to teach time-based policy activation; (3) Narain in view of Joshi for cache size policies; and (4) Narain in view of Shelest for time-based policies. These grounds relied on similar rationales of combining known, secondary features into the primary systems of Qureshi or Narain.

4. Key Claim Construction Positions

  • "action control policies": Petitioner argued this term, added during prosecution, is not defined in the specification. Based on prosecution history and a single example in the specification, Petitioner proposed the broadest reasonable construction is "a set of actions that can be performed by a client device of a user in a particular context." This broad construction is critical to mapping prior art "rules" or "policies" directly onto this claim limitation.
  • "attributes describing a request received from a client device": Petitioner argued this term should be construed broadly as "information describing a request received from a client device, including information describing the client device itself." This construction encompasses a wide range of contextual data (e.g., location, device type, user identity, network type, request parameters), allowing Petitioner to argue that various types of device and user data disclosed in the prior art meet this limitation.

5. Relief Requested

  • Petitioner requests institution of an inter partes review and cancellation of claims 1-18 of Patent 9,426,182 as unpatentable.