DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
This is a Non-Final Office Action in response to the communication filed on July 16, 2019.
Claims 1-20 have been examined.


Drawings
The drawings filed on July 16, 2019 are acceptable for examination proceedings.

Information Disclosure Statement
The information disclosure statements (IDS) submitted on April 29, 2020, August 10, 2020, and February 12, 2021 were filed after the mailing date of the application 16/512612 on July 16, 2019.  The submission is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.

Claim Rejections - 35 USC § 112 
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1, 3-4, 6-8, 10-11, 14-15, and 17-18 are rejected under 35 U.S.C. 112(b) or pre-AIA 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Independent claim 1 recites the limitation “a user” in line 15, but “a user” has already been introduced in line 2. Independent claims 8 and 15 have similar issues to those of independent claim 1. There is insufficient antecedent basis for this limitation in the claim.
Dependent claims 3, 10, and 17 recite the limitation “the security layer” in line 2, but such a “security layer” has not been introduced in any of the preceding claims. There is insufficient antecedent basis for this limitation in the claim.
Dependent claims 4, 11, and 18 recite the limitation “the certificate” in line 1, but such a “certificate” has not been introduced in any of the preceding claims. There is insufficient antecedent basis for this limitation in the claim.
Dependent claim 6 recites the limitation “the compliance status” in line 1, but such a “compliance status” has not been introduced in any of the preceding claims. There is insufficient antecedent basis for this limitation in the claim.
Dependent claims 7 and 14 recite the limitation “a user” in line 2, but “a user” has already been introduced in independent claims 1 and 8. There is insufficient antecedent basis for this limitation in the claim.
Appropriate correction is requested.

Claim Objections
Claims 1, 8, and 15 are objected to because of the following informalities:  
Independent claim 1 says “wherein the VPN configuration routes an authentication request associated with the application through the VPN configuration” (lines 11-12), but the phrase at the end of the limitation should say “a VPN connection” (See Specification, Para 15:5-11).
Independent claims 8, and 15 have similar issues as is identified in the independent claim 1.
The claim language is vague and unclear.  Appropriate correction is required.


Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with 
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what form should be used.  A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission.  For more information about eTerminal Disclaimers, refer to http://www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.  
Claims 1-5, 7-12, and 14-19 are rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims 1-17 of U.S. Patent No. 10,362,021. Although the conflicting claims are not identical, they are not patentably distinct from each other because all the limitations of claims 1-5, 7-12, and 14-19 of this instant application are found in claims 1-17 of Patent No. 10,362,021. Therefore, claims 1-5, 7-12, and 14-19 of this instant application are anticipated by claims 1-17 of Patent No. 10,362,021, because all the limitations of the broader genus claims of this instant application are contained in the narrower species claims of Patent No. 10,362,021.

Claim comparison: Application No. 16/512612 (instant application) against Patent No. 10,362,021. Corresponding claims are listed in pairs, the instant application's claim first.

Instant application, claim 1:
1. A system for performing a device posture assessment during authentication of a user, comprising: at least one computing device comprising a processor and a memory; and a management service executable by the at least one computing device, the management service causing the at least one computing device to at least:
transmit a request to install an application on the client device as a managed application;
generate a virtual private network (VPN) configuration associated with the application, wherein the VPN configuration routes an authentication request associated with the application through the VPN configuration;
initiate installation of the VPN configuration on the client device; obtain an indication of a device identification parameter from an identity provider configured to perform user authentication of a user, the device identification parameter received in the authentication request made to the identity provider by the application;
determine that the client device is in compliance with at least one compliance rule maintained by the management service; and
transmit the indication that the client device is in compliance with the at least one compliance rule to the identity provider, wherein the identity provider grants access the client device access to a resource.

Patent No. 10,362,021, claim 1:
at least one computing device comprising a processor and a memory; and a management service executable by the at least one computing device, the management service causing the at least one computing device to at least:
transmit a security certificate to be installed on the client device, wherein the security certificate is associated with the client device;
transmit a request to install an application on the client device as a managed application;
generate a virtual private network (VPN) configuration associated with the application, wherein the VPN configuration routes an authentication request associated with the application through the VPN configuration,
the VPN configuration further configured to wrap the authentication request with a security layer, the security layer comprising a transport layer security (TLS) encryption layer, wherein at least one device identification parameter is embedded into the TLS encryption layer, the TLS encryption layer is encrypted with the certificate, and the TLS encryption layer is terminated at an identity provider configured to carry out federated authentication on behalf of an enterprise; initiate installation of the VPN configuration on the client device; obtain an indication of a device identification parameter from the identity provider configured to perform user authentication of a user, the device identification parameter corresponding to the client device and being extracted from the TLS encryption layer by the identity provider;
determine that the client device is in compliance with at least one compliance rule maintained by the management service; and
transmit an indication that the client device is in compliance with the at least one compliance rule to the identity provider, wherein the identity provider grants access the client device access to a resource.

Instant application, claim 3:
3. The system of claim 1, wherein the authentication request is secured with transport layer security (TLS) and the security layer comprises an additional TLS layer applied to the authentication request.

Instant application, claim 4:
4. The system of claim 3, wherein the additional TLS layer is secured with the certificate installed on the client device.

Patent No. 10,362,021, claim 4:
4. The system of claim 3, wherein the additional TLS layer is secured with the certificate installed on the client device.

Instant application, claim 5:
5. The system of claim 1, wherein the identity provider is in communication with the at least one computing device, the identity provider causing the at least one computing device to at least: receive the authentication request from the client device; remove the security layer from the authentication request; and authenticate the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate.

Patent No. 10,362,021, claim 5:
5. The system of claim 1, wherein the identity provider causes the at least one computing device to at least: receive the authentication request from the client device; remove the security layer from the authentication request; and authenticate the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate.

Instant application, claim 6:
6. The system of claim 1, wherein the compliance status is based upon whether the client device complies with at least one compliance rule.

Instant application, claim 7:
7. The system of claim 1, wherein the identity provider further causes the at least one computing device to at least authenticate a user associated with the client device without requiring an additional credential to be entered by the user.

Patent No. 10,362,021, claim 6:
6. The system of claim 5, wherein the identity provider further causes the at least one computing device to at least authenticate a user associated with the client device without requiring an additional credential to be entered by the user.

Instant application, claim 8:
8. A method for performing a device posture assessment during authentication of a user, comprising: initiating enrollment of a client device with a management service as a managed device; transmitting a request to install an application on the client device as a managed application; generating a virtual private network (VPN) configuration associated with the application, wherein the VPN configuration routes an

Patent No. 10,362,021, claim 8:
8. The method of claim 7, wherein the at least one device identification parameter comprises at least one of: an application identifier associated with the application, a timestamp, a device identifier associated with the client device, an operating system version of the client device, geolocation parameters, or a network address of the client device.

Instant application, claim 10:
10. The method of claim 8, wherein the authentication request is secured with transport layer security (TLS)

Patent No. 10,362,021, claim 10:
10. The method of claim 9, wherein the additional TLS layer is secured with the certificate installed on the client device.

Instant application, claim 12:
12. The method of claim 8, further comprising: receiving the authentication request from the client device; removing the security layer from the authentication request; and authenticating the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate.

Patent No. 10,362,021, claim 11:
11. The method of claim 7, further comprising: receiving the authentication request from the client device; removing the security layer from the authentication request; and authenticating the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate.

Instant application, claim 13:
13. The method of claim 8, further comprising authenticating the authentication request by querying the management service for a compliance status of the client device, wherein the compliance status is based upon whether the client device complies with at least one compliance rule.

Instant application, claim 14:
14. The method of claim 8, further comprising authenticating a user associated with the client device without requiring an additional credential.

Patent No. 10,362,021, claim 12:
12. The method of claim 11, further comprising authenticating a user associated with the client device without requiring an additional credential.

Instant application, claim 15:
15. A non-transitory computer-readable medium comprising machine-readable instructions for performing a device posture assessment during authentication of a user, wherein when executed by a processor of a computing device, the machine-readable instructions cause the computing device to at least:
initiate enrollment of a client device with the management service as a managed device;
transmit a request to install an application on the client device as a managed application;
generate a virtual private network (VPN) configuration associated with the application, wherein the VPN configuration routes an authentication request
initiate installation of the VPN configuration on the client device; obtain an indication of a device identification parameter from an identity provider configured to perform user authentication of a user, the device identification parameter received in the authentication request made to the identity provider by the application;
determine that the client device is in compliance with at least one compliance rule maintained by the management service; and
transmit the indication that the client device is in compliance with the at least one compliance rule to the identity provider, wherein the identity provider grants access the client device access to a resource.

Patent No. 10,362,021, claim 13:
initiate enrollment of a client device with a management service as a managed device;
transmit a security certificate to be installed on the client device, wherein the security certificate is uniquely associated with the client device;
transmit a request to install an application on the client device as a managed application;
generate a virtual private network (VPN) configuration associated with the application, wherein the VPN configuration routes an authentication request
the VPN configuration further configured to wrap the authentication request with a security layer, the security layer comprising a transport layer security (TLS) encryption layer, wherein at least one device identification parameter is embedded into the TLS encryption layer, the TLS encryption layer is encrypted with the certificate, and the TLS encryption layer is terminated at an identity provider configured to carry out federated authentication on behalf of an enterprise;
initiate installation of the VPN configuration on the client device; obtain an indication of a device identification parameter from the identity provider configured to perform user authentication of a user, the device identification parameter corresponding to the client device and being extracted from the TLS encryption layer by the identity provider;
determine that the client device is in compliance with at least one compliance rule maintained by the management service; and
transmit an indication that the client device is in compliance with the at least one compliance rule to the identity provider, wherein the identity provider grants access the client device access to a resource.

Patent No. 10,362,021, claim 14:
14. The non-transitory computer-readable medium of claim 13, wherein the at least one device identification parameter comprises at least one of: an application identifier associated with the application, a timestamp, a device identifier associated with the client device, an operating system version of the client device, geolocation parameters, or a network address of the client device.

Instant application, claim 17:
17. The non-transitory computer-readable medium of claim 15, wherein the authentication request is secured with transport layer security (TLS) and the security

Patent No. 10,362,021, claim 16:
16. The non-transitory computer-readable medium of claim 15, wherein the additional TLS layer is secured with the certificate installed on the client device.

Instant application, claim 19:
19. The non-transitory computer-readable medium of claim 15, wherein the machine-readable instructions further cause the computing device to at least: receive the authentication request from the client device; remove the security layer from the authentication request; and authenticate the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate.

Patent No. 10,362,021, claim 17:
17. The non-transitory computer-readable medium of claim 13, wherein the machine-readable instructions further cause the computing device to at least: receive the authentication request from the client device; remove the security layer from the authentication request; and authenticate the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate.

Instant application, claim 20:
20. The non-transitory computer-readable medium of claim 15, wherein the machine-readable instructions further cause the computing device to at least authenticate the authentication request by querying the management service for a compliance status of the client device, wherein the compliance status is based upon whether the client device complies with at least one compliance rule.



Claims 1-17 of Patent No. 10,362,021 contain every element of claims 1-5, 7-12, and 14-19 of the instant application and thus anticipate the claims of the instant application. The claims of the instant application therefore are not patentably distinct from the earlier patent claims and as such are unpatentable under obviousness-type double patenting. A later application/patent claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim.  In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 
Accordingly, absent a terminal disclaimer, claims 1-5, 7-12, and 14-19 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993)).
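The claim pairs compared above all recite the same control flow: the management service enrolls a device and maintains compliance rules, the VPN configuration wraps the application's authentication request in an outer security layer that carries device identification parameters and is bound to the device certificate, and the identity provider removes that layer, extracts the parameters, queries the management service for a compliance status, and only then grants access to the resource. The following is an added illustration of that flow written for this page; it is not code from the instant application, from Patent No. 10,362,021, or from either cited reference. It models the additional TLS layer as a signed JSON envelope and uses an HMAC keyed with a per-device secret as a stand-in for the certificate signature; the rule values (minimum OS version, allowed application identifier) and all device and user identifiers are constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field


@dataclass
class ManagementService:
    """Management service: enrolls devices, issues per-device secrets, keeps compliance rules."""
    # Compliance rules (constructed values for this example).
    min_os_version: tuple = (14, 0)
    managed_apps: frozenset = frozenset({"com.example.mail"})
    # device_id -> per-device secret (stand-in for the installed security certificate)
    enrolled: dict = field(default_factory=dict)

    def enroll(self, device_id: str) -> bytes:
        """Enroll a client device as a managed device and return its device secret."""
        secret = hashlib.sha256(b"demo-certificate:" + device_id.encode()).digest()
        self.enrolled[device_id] = secret
        return secret

    def device_secret(self, device_id: str):
        return self.enrolled.get(device_id)

    def compliance_status(self, params: dict) -> bool:
        """Decide whether the device described by params satisfies every compliance rule."""
        if params.get("device_id") not in self.enrolled:
            return False
        try:
            os_version = tuple(int(p) for p in str(params.get("os_version", "0")).split("."))
        except ValueError:
            return False
        if os_version < self.min_os_version:
            return False
        return params.get("app_id") in self.managed_apps


def wrap_authentication_request(inner_request: dict, params: dict, secret: bytes) -> dict:
    """Client-side VPN configuration: wrap the application's authentication request in an
    outer security layer that embeds the device identification parameters and is
    authenticated with the device secret (HMAC stands in for the certificate signature)."""
    body = json.dumps({"params": params, "request": inner_request}, sort_keys=True)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class IdentityProvider:
    """Identity provider that terminates the security layer and consults the management service."""

    def __init__(self, mgmt: ManagementService):
        self.mgmt = mgmt

    def remove_security_layer(self, envelope: dict):
        """Verify the outer layer and return the embedded params and inner request, or None."""
        try:
            payload = json.loads(envelope["body"])
            device_id = payload["params"]["device_id"]
        except (KeyError, TypeError, ValueError):
            return None
        secret = self.mgmt.device_secret(device_id)
        if secret is None:
            return None
        expected = hmac.new(secret, envelope["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return None
        return payload

    def authenticate(self, envelope: dict) -> dict:
        """Authenticate on the device parameters and the compliance status; no additional
        user credential is requested, mirroring the dependent claims on that point."""
        payload = self.remove_security_layer(envelope)
        if payload is None:
            return {"granted": False, "reason": "security layer invalid"}
        params = payload["params"]
        if not self.mgmt.compliance_status(params):
            return {"granted": False, "reason": "device not compliant"}
        return {"granted": True, "reason": "ok", "device_id": params["device_id"],
                "resource": payload["request"]["resource"]}


def run_demo() -> dict:
    """Exercise the flow with a compliant device, an out-of-policy device and a tampered envelope."""
    mgmt = ManagementService()
    idp = IdentityProvider(mgmt)
    inner = {"user": "alice", "resource": "https://mail.example.test/"}  # constructed request

    good_secret = mgmt.enroll("dev-001")
    good = wrap_authentication_request(
        inner, {"device_id": "dev-001", "os_version": "15.2", "app_id": "com.example.mail"}, good_secret)
    old_secret = mgmt.enroll("dev-002")
    old = wrap_authentication_request(
        inner, {"device_id": "dev-002", "os_version": "12.4", "app_id": "com.example.mail"}, old_secret)
    # Parameters altered in transit: the tag was computed by dev-001, so verification fails.
    tampered = {"body": good["body"].replace("dev-001", "dev-002"), "tag": good["tag"]}

    return {"compliant": idp.authenticate(good),
            "out_of_policy": idp.authenticate(old),
            "tampered": idp.authenticate(tampered)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The point the model makes explicit is the ordering of checks at the identity provider: the security layer is verified before the device parameters it carries are trusted, and the compliance query goes to the management service that maintains the rules rather than relying on a self-reported status from the device.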


Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under AIA 35 U.S.C. 103 as being obvious over Daniel Murphy (U.S. Patent Application Publication No. US 2015/0052595 A1) / or
[Based on 112 Rejection and Claim Objection above] Regarding claim 1, Murphy discloses “A system for performing a device posture assessment during authentication of a user, comprising” (Para 0061, methods and systems for creating a VPN tunnel are disclosed. Also, Para 0134 and 0136):
“at least one computing device comprising a processor and a memory” (Processor 1422; and Memory 1424);
“and a management service executable by the at least one computing device, the management service causing the at least one computing device to at least:
initiate enrollment of a client device with the management service as a managed device” (Para 0007: a mobile device, i.e., a “client device,” tries to log on or enroll to an enterprise network, i.e., a “management service”; and Para 0088-0089: uses a certificate to negotiate enrollment);
“transmit a request to install an application on the client device as a managed application” (Para 0030: a secure app 106 i.e., an “application” is installed on the mobile device);  
“generate a virtual private network (VPN) configuration associated with the application” (Para 0061: the secure app 106  is used to create a VPN connection; and Fig. 7),
[wherein the VPN configuration routes an authentication request associated with the application through a VPN connection];
“initiate installation of the VPN configuration on the client device” (Para 0061, using the secure app 106  a VPN connection is established; and Para 0063);
“obtain an indication of a device identification parameter from an identity provider configured to perform user authentication of a user, the device identification parameter received in the authentication request made to the identity provider by the application” (Para 0134, obtains a ticket i.e., an “indication of a device identification parameter” and an Active Directory i.e., an “identity provider” is consulted); 
“determine that the client device is in compliance with at least one compliance rule maintained by the management service” (Murphy, Para 0054: device policy control; and Para 0130);
“and transmit the indication that the client device is in compliance with the at least one compliance rule to the identity provider” (Para 0134, the ticket, i.e., the “indication,” is provided to a Web Services to establish trust),
[wherein the identity provider grants access the client device access to a resource].
	But Murphy fails to specifically disclose a VPN configuration that routes an authentication request associated with an application through a VPN connection and returns a result of an authentication request to a requested party.
However, Goldschlag discloses “wherein the VPN configuration routes an authentication request associated with the application through a VPN connection” (Goldschlag, Para 0072; and Para 0073).
“wherein the identity provider grants access the client device access to a resource” (Goldschlag, Para 0073).


Regarding claim 2, in view of claim 1, Murphy discloses “wherein the at least one device identification parameter comprises at least one of: 
an application identifier associated with the application, a timestamp, a device identifier associated with the client device, an operating system version of the client device, geolocation parameters, or a network address of the client device” (Murphy: Para 0117, device identifier).

Regarding claim 3, in view of claim 1, Murphy discloses “wherein the authentication request is secured with transport layer security (TLS) and the security layer comprises an additional TLS layer applied to the authentication request” (Murphy: Para 0030, security layer; and Para 0049).  

Regarding claim 4, in view of claim 3, Murphy discloses “wherein the additional TLS layer is secured with the certificate installed on the client device” (Murphy: Para 0130, certificate; Para 0030; and Para 0049).  

wherein the identity provider is in communication with the at least one computing device, the identity provider causing the at least one computing device to at least:
receive the authentication request from the client device; 
remove the security layer from the authentication request; and  
authenticate the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate” (Murphy: Para 0054; and Para 0130).

[Based on the 112 rejection above] Regarding claim 6, in view of claim 1, Murphy discloses “wherein the compliance status is based upon whether the client device complies with at least one compliance rule” (Murphy, Para 0054: device policy control; and Para 0130).  

Regarding claim 7, in view of claim 1, Murphy discloses “wherein the identity provider further causes the at least one computing device to at least authenticate a user associated with the client device without requiring an additional credential to be entered by the user” (Murphy: Para 0054 and Para 0088, satisfied with user identity).  

[Based on 112 Rejection and Claim Objection above] Regarding claim 8, Murphy discloses “A method for performing a device posture assessment during authentication of a user, comprising” (Para 0061, methods and systems for creating a VPN tunnel are disclosed. Also, Para 0134 and 0136):
“initiating enrollment of a client device with a management service as a managed device” (Para 0007: a mobile device, i.e., a “client device,” tries to log on or enroll to an enterprise network, i.e., a “management service”; and Para 0088: uses a certificate to negotiate enrollment);
 
“transmitting a request to install an application on the client device as a managed application” (Para 0030: a secure app 106 i.e., an “application” is installed on the mobile device);   
“generating a virtual private network (VPN) configuration associated with the application” (Para 0061: the secure app 106 is used to create a VPN connection; and Fig. 7),
[wherein the VPN configuration routes an authentication request associated with the application through a VPN connection];
“initiating installation of the VPN configuration on the client device” (Para 0061, using the secure app 106 a VPN connection is established; and Para 0063);
“obtaining an indication of a device identification parameter from an identity provider configured to perform user authentication of a user, the device identification parameter received in the authentication request made to the identity provider by the application” (Para 0134, obtains a ticket, i.e., an “indication of a device identification parameter,” and an Active Directory, i.e., an “identity provider,” is consulted);
“determining that the client device is in compliance with at least one compliance rule maintained by the management service” (Murphy, Para 0054: device policy control; and Para 0130);
“and transmitting the indication that the client device is in compliance with the at least one compliance rule to the identity provider” (Para 0134, the ticket, i.e., the “indication,” is provided to a Web Services to establish trust),
[wherein the identity provider grants access the client device access to a resource].
	But Murphy fails to specifically disclose a VPN configuration that routes an authentication request associated with an application through a VPN connection and returns a result of an authentication request to a requested party.
However, Goldschlag discloses “wherein the VPN configuration routes an authentication request associated with the application through a VPN connection” (Goldschlag, Para 0072; and Para 0073).
“wherein the identity provider grants access the client device access to a resource” (Goldschlag, Para 0073).
It would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to apply the teachings of a “VPN configuration routes an authentication request associated with the application through the VPN configuration and returning a result of authentication request to a requested party” of Goldschlag to the system of Murphy, creating a system in which the VPN configuration information can be used to establish bidirectional interaction; the person of ordinary skill in the art would have been motivated to combine them to facilitate confidential communication between the devices (Goldschlag: Para 0087).

Regarding claim 9, in view of claim 8, Murphy discloses “wherein the at least one device identification parameter comprises at least one of: an application identifier associated with the application, a timestamp, a device identifier associated with the client device, an operating system version of the client device, geolocation parameters, or a network address of the client device” (See rejection claim 2).  

Regarding claim 10, in view of claim 8, Murphy discloses “wherein the authentication request is secured with transport layer security (TLS) and the security layer comprises an additional TLS layer applied to the authentication request” (See rejection claim 3). 

Regarding claim 11, in view of claim 10, Murphy discloses “wherein the additional TLS layer is secured with the certificate installed on the client device” (See rejection claim 4).  

Regarding claim 12, in view of claim 8, Murphy discloses “further comprising: receiving the authentication request from the client device; removing the security layer from the authentication request; and authenticating the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate” (See rejection claim 5).

[Based on the 112 rejection above] Regarding claim 13, in view of claim 8, Murphy discloses “further comprising: authenticating the authentication request by querying the management service for a compliance status of the client device, wherein the compliance status is based upon whether the client device complies with at least one compliance rule” (Murphy, Para 0054: device policy control; and Para 0130: the client device is authenticated by policy).    

further comprising authenticating a user associated with the client device without requiring an additional credential” (See rejection claim 7). 

[Based on 112 Rejection and Claim Objection above] Regarding claim 15, Murphy discloses “A non-transitory computer-readable medium comprising machine-readable instructions for performing a device posture assessment during authentication of a user, wherein when executed by a processor of a computing device, the machine-readable instructions cause the computing device to at least” (Para 0135, computer-readable medium; and Para 0134, and Para 0136) 
“initiate enrollment of a client device with the management service as a managed device” (Para 0007: a mobile device i.e., a “client device” tries to log-on or enroll to an enterprises network i.e., a “management service”; and Para 0088-0089: uses certificate to negotiate enrollment); 
“transmit a request to install an application on the client device as a managed application ” (Para 0030: a secure app 106 i.e., an “application” is installed on the mobile device);   
“generate a virtual private network (VPN) configuration associated with the application” (Para 0061: the secure app 106 is used to create a VPN connection; and Fig. 7),  
[wherein the VPN configuration routes an authentication request associated with the application through a VPN connection]; 
“initiate installation of the VPN configuration on the client device ” (Para 0061, using the secure app 106 a VPN connection is established; and Para 0063);
“obtain an indication of a device identification parameter from an identity provider configured to perform user authentication of a user, the device identification parameter received in the authentication request made to the identity provider by the application ” (Para 0134, obtains a ticket i.e., an “indication of a device identification parameter” from an Active Directory i.e., an “identity provider”);  
“determine that the client device is in compliance with at least one compliance rule maintained by the management service ” (Murphy, Para 0054: device policy control; and Para 0130);
“and transmit the indication that the client device is in compliance with the at least one compliance rule to the identity provider ” (Para 00134, the ticket i.e., the “indication” is provided to Web Services for established trust), 
[wherein the identity provider grants access the client device access to a resource].
	But Murphy fails to specifically disclose a VPN configuration that routes an authentication request associated with an application through a VPN connection and returning a result of an authentication request to a requesting party.
However, Goldschlag discloses “wherein the VPN configuration routes an authentication request associated with the application through a VPN connection” (Goldschlag, Para 0072; and Para 0073).
“wherein the identity provider grants access the client device access to a resource” (Goldschlag, Para 0073).
It would have been obvious to an ordinary person skilled in the art before the effective filing date of the claimed invention to employ the teachings of  a “VPN configuration routes an authentication request associated with the application through the VPN configuration and   
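The claim 15 flow above (enrolled device, signed authentication request carrying device identification parameters, identity provider querying the management service for a compliance status before granting access) can be modelled end to end. The following is an added illustration, not code from the application or from the Murphy or Goldschlag references; the class and function names, the HMAC stand-in for the certificate signature, and the sample device records are all constructed for this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed sample: a per-device enrollment secret stands in for the
# certificate installed at enrollment (a real deployment would use mTLS).
ENROLLMENT_KEYS = {"dev-001": b"constructed-secret-001"}


@dataclass
class ManagementService:
    """Holds the compliance rule and the posture reported by enrolled devices."""
    min_os_version: tuple = (14, 0)
    posture: dict = field(default_factory=dict)  # device_id -> reported facts

    def enroll(self, device_id, os_version, jailbroken=False):
        self.posture[device_id] = {"os": os_version, "jailbroken": jailbroken}

    def compliance_status(self, device_id):
        """Indication returned to the identity provider; unmanaged devices fail."""
        facts = self.posture.get(device_id)
        if facts is None:
            return False
        return facts["os"] >= self.min_os_version and not facts["jailbroken"]


def sign_request(params, key):
    """Client side: wrap the identification parameters in a signature layer."""
    body = json.dumps(params, sort_keys=True).encode()
    return {"params": params, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def authenticate(request, mgmt):
    """Identity-provider side: strip the signature layer, verify it against the
    device's enrollment key, then query the management service for compliance."""
    params = request["params"]
    key = ENROLLMENT_KEYS.get(params.get("device_id"))
    if key is None:
        return "denied: device not enrolled"
    body = json.dumps(params, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["sig"]):
        return "denied: bad device signature"
    if not mgmt.compliance_status(params["device_id"]):
        return "denied: device out of compliance"
    return "granted"
```

A tampered parameter set fails the signature check before any compliance query is made, and a device whose reported OS version falls below the rule is refused even with a valid signature.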

Regarding claim 16, in view of claim 15, Murphy discloses “wherein the at least one device identification parameter comprises at least one of an application identifier associated with the application, a timestamp, a device identifier associated with the client device, an operating system version of the client device, geolocation parameters, or a network address of the client device” (See rejection claim 2).

Regarding claim 17, in view of claim 15, Murphy discloses “wherein the authentication request is secured with transport layer security (TLS) and the security layer comprises an additional TLS layer applied to the authentication request” (See rejection claim 3).  

Regarding claim 18, in view of claim 15, Murphy discloses “wherein the additional TLS layer is secured with the certificate installed on the client device” (See rejection claim 4). 

Regarding claim 19, in view of claim 15, Murphy discloses “wherein the machine-readable instructions further cause the computing device to at least: 
receive the authentication request from the client device; 
remove the security layer from the authentication request; and 
authenticate the authentication request based upon the at least one device identification parameter or a certificate signature based upon the certificate” (See rejection claim 5).  

[Based on the 112 rejection above] Regarding claim 20, in view of claim 15, Murphy discloses “wherein the machine-readable instructions further cause the computing device to at least authenticate the authentication request by querying the management service for a compliance status of the client device, wherein the compliance status is based upon whether the client device complies with at least one compliance rule” (Murphy, Para 0054: device policy control; and Para 0130: the client device is authenticated by policy).    

Relevant Prior Arts
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Aluvala et al. (US 2018/0337887 A1) discloses: 
[0030] …Network traffic originating from the application 130 can be routed from the network interface 129 to the tunnel client 121 rather than directly to the network 109. The tunnel client 121 can secure the traffic by applying a security layer, such as encryption layer, to the traffic. In other words, the tunnel client 121 can wrap the traffic with an encryption layer. The operating system of the client device 106, in some examples, can also allow virtual private network (VPN) capabilities to be bound to one or more applications 130. In other words, the tunnel client 121 can provide per-app VPN capabilities where some or all network traffic originating from an application 130 is routed through the tunnel client 121. In some examples, traffic 

Singh et al. (U.S. Patent Application Publication No.: US 2015/0271013 A1 [Provided by applicant]) discloses:
[0071] … The mobile device may connect to enterprise resources 504 and enterprise services 508 through virtual private network connections. The virtual private network connections, also referred to as microVPN or application-specific VPN, may be specific to particular applications 550, particular devices, particular secured areas on the mobile device, and the like 552. For example, each of the wrapped applications in the secured area of the phone may access enterprise resources through an application specific VPN such that access to the VPN would be granted based on attributes associated with the application, possibly in conjunction with user or device attribute information. … The virtual private network connections may support and enable single-sign-on authentication processes 554. The single-sign-on processes may allow a user to provide a single set of authentication credentials, which are then verified by an authentication service 558. The authentication service 558 may then grant to the user access to multiple enterprise resources 504, without requiring the user to provide authentication credentials to each individual enterprise resource 504. 

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ABDULLAH ALMAMUN whose telephone number is         (571) 270-3392.  The examiner can normally be reached on 8 AM - 5 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn Feild can be reached on (571) 272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/ABDULLAH ALMAMUN/Examiner, Art Unit 2431