DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114 was filed in this application after a decision by the Patent Trial and Appeal Board, but before the filing of a Notice of Appeal to the Court of Appeals for the Federal Circuit or the commencement of a civil action. Since this application is eligible for continued examination under 37 CFR 1.114 and the fee set forth in 37 CFR 1.17(e) has been timely paid, the appeal has been withdrawn pursuant to 37 CFR 1.114 and prosecution in this application has been reopened pursuant to 37 CFR 1.114. Applicant’s submission filed on 11/08/2021 has been entered.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.

Authorization for this examiner’s amendment was given in an interview with David Pointer (Reg. No. 73,654) on November 15, 2021.
CLAIMS
The application has been amended as follows:

1.	(Currently Amended) A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, the at least one program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least:
determine a plurality of security groups for display on an administrator client based on security group data from a gateway data store, the security group data comprising a mapping of the security groups to a plurality of network address ranges for a plurality of virtual network segments in an internal network;
display a user interface that is configured for uploading and configuring a particular application to be added to an application catalog, the user interface comprises an upload component for receiving a package containing the particular application and a selection component for specifying a subset of the plurality of security groups for the particular application;
receive, from the administrator client, a specification of [[a]] the subset of the plurality of security groups for [[a]] the particular application executed in client devices on an external network, the subset of the security groups comprising: a compliant security group for compliant client devices, and a default security group for non-compliant client devices; 
configure a gateway that connects the external network to the internal network, the gateway being configured to permit the particular application to access network resources based on the subset of the security groups, wherein the compliant security group is associated with a first set of network resources, and the default security group is associated with a second set of network resources;
establish a virtual private network tunnel with a client device based on an evaluation of compliance of the client device, wherein the evaluation is based on: at least one compliance rule, and device management attribute data received from the client device; 
receive, from the administrator client, a specification of the at least one compliance rule that should be present on the client device on which the particular application is deployed in order to permit access to the first set of network resources; and 
configure the gateway to verify that the client device complies with the at least one device management attribute before permitting the virtual private network tunnel to be assigned to a virtual network segment that provides access to the first set of network resources. 

2.	(Canceled) 

3.	(Currently Amended) The non-transitory computer-readable medium of claim 1 [[2]], wherein the at least one device management attribute includes at least one of: a location of the client device, a user of the client device, an operating system of the client device, and a jailbreak status of the client device.

4.	(Currently Amended) The non-transitory computer-readable medium of claim 1, wherein when executed the at least one program further causes the at least one computing device to at least:
receive [[a]] the package containing the particular application from the administrator client; and
configure [[an]] the application catalog to make the particular application available for deployment to the client devices.

5.	(Currently Amended) A system, comprising:
at least one computing device; and
at least one program executable by the at least one computing device, the at least one program configured to cause the at least one computing device to at least:
determine a plurality of security groups for display on an administrator client based on security group data from a gateway data store, the security group data comprises a mapping of the security groups to a plurality of network address ranges for a plurality of virtual network segments in an internal network;
display a user interface that is configured for uploading and configuring a particular application to be added to an application catalog, the user interface comprises an upload component for receiving a package containing the particular application and a selection component for specifying a subset of the plurality of security groups for the particular application;
receive, from the administrator client, a specification of [[a]] the subset of the plurality of security groups for [[a]] the particular application executed in client devices on an external network, the subset of the security groups comprising: a compliant security group for compliant client devices, and a default security group for non-compliant client devices; 
configure a gateway that connects the external network to the internal network, the gateway being configured to permit the particular application to access network resources based on the subset of the security groups, wherein the compliant security group is associated with a first set of network resources, and the default security group is associated with a second set of network resources; [[and]]
establish a virtual private network tunnel with a client device based on an evaluation of compliance of the client device, wherein the evaluation is based on: at least one compliance rule, and device management attribute data received from the client device; 
receive, from the administrator client, a specification of the at least one compliance rule that should be present on the client device on which the particular application is deployed in order to permit access to the first set of network resources; and 
configure the gateway to verify that the client device complies with the at least one device management attribute before permitting the virtual private network tunnel to be assigned to a virtual network segment that provides access to the first set of network resources.
 
6.	(Previously Presented) The system of claim 5, wherein configuring the gateway further comprises configuring the gateway to assign a network address meeting predefined criteria to a tunnel endpoint associated with the particular application, wherein network traffic from network addresses meeting the predefined criteria is permitted to be forwarded to the first set of network resources by the internal network.

7.	(Canceled) 

8.	(Currently Amended) The system of claim [[7]] 5, wherein the at least one device management attribute includes at least one of: a location of the client device, a user of the client device, an operating system of the client device, and a jailbreak status of the client device.

9.	(Currently Amended) The system of claim [[7]] 5, wherein when executed the at least one program is further configured to cause the at least one computing the virtual network segment comprising the second set of network resources in response to determining, based on the evaluation, that the client device is a non-compliant device.

10.	(Previously Presented) The system of claim 9, wherein when executed the at least one program is further configured to cause the at least one computing device to at least receive a specification of the default network resource from the administrator client.

11.	(Currently Amended) The system of claim 5, wherein the gateway includes an endpoint for the virtual private network tunnel through the external network to the client device upon which the particular application is executed, and upon configuration the gateway is configured to assign a particular network address to the endpoint, wherein the internal network is configured to route network traffic from the particular network address to [[a]] the virtual network segment of the internal network through which the first set of network resources are accessible.

12.	(Original) The system of claim 5, wherein the client devices are managed by an organization, and the internal network is operated by the organization.

13.	(Canceled)


receive a package containing the particular application from the administrator client; and
configure an application catalog to make the particular application available for deployment to the client devices.

15.	(Currently Amended) A method, comprising:
determining a plurality of security groups for display on an administrator client based on security group data from a gateway data store, the security group data comprising a mapping of the security groups to a plurality of network address ranges for a plurality of virtual network segments in an internal network;
displaying a user interface that is configured for uploading and configuring a particular application to be added to an application catalog, the user interface comprises an upload component for receiving a package containing the particular application and a selection component for specifying a subset of the plurality of security groups for the particular application;
receiving, from the administrator client, a specification of [[a]] the subset of the plurality of security groups for [[a]] the particular application executed in client devices on an external network, the subset of the security groups comprising: a compliant security group for compliant client devices, and a default security group for non-compliant client devices; 
configuring a gateway that connects the external network to the internal network, the gateway being configured to permit the particular application to access network resources based on the subset of the security groups, wherein the compliant security group is associated with a first set of network resources, and the default security group is associated with a second set of network resources;
establishing a virtual private network tunnel with a client device based on an evaluation of compliance of the client device, wherein the evaluation is based on: at least one compliance rule, and at least one device management attribute data received from the client device; 
receiving, from the administrator client, a specification of the at least one compliance rule that should be present on the client device on which the particular application is deployed in order to permit access to the first set of network resources; and 
configuring the gateway to verify that the client device complies with the at least one device management attribute before permitting the virtual private network tunnel to be assigned to a virtual network segment that provides access to the first set of network resources. 

16.	(Previously Presented) The method of claim 15, further comprising receiving a mapping of the first set of network resources to a predefined criteria from a network controller.


receiving a package containing the particular application from the administrator client; and
configuring an application catalog to make the particular application available for deployment to the client devices.

18.	(Canceled) 

19.	(Currently Amended) The method of claim [[18]] 15, wherein the at least one device management attribute includes at least one of: a location of the client device, a user of the client device, an operating system of the client device, and a jailbreak status of the client device.

20.	(Currently Amended) The method of claim [[18]] 15, further comprising: 
configuring the gateway to assign a different virtual network segment in response to determining that the client device is non-compliant with the at least one device management attribute, wherein the different virtual network segment provides access to the second set of network resources.

21.	(Canceled) 
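The gateway behaviour recited in independent claims 1, 5 and 15 and in dependent claims 3, 6, 8, 11, 19 and 20, modelled as an added illustrative example. This is not code from the application, from the examiner, or from the cited references. The security group names, segment address ranges, compliance rules, application identifier and device attribute values are constructed for the illustration, and treating a compliance rule that cannot be evaluated (an attribute missing or malformed in the device's report) as failed is an assumption that the claims do not state.

```python
"""Illustrative model of the gateway decision recited in claims 1, 5 and 15.

A security group is an administrator-visible name for the address range of a
virtual network segment in the internal network. The gateway evaluates a client
device's compliance from the administrator's rules and the device management
attribute data the device reports, then assigns the application's VPN tunnel
endpoint an address inside the segment of the compliant or the default group.
All names and values below are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Mapping

DeviceAttrs = Mapping[str, object]  # device management attribute data sent by the client


@dataclass(frozen=True)
class ComplianceRule:
    """One administrator-specified compliance rule."""
    name: str
    check: Callable[[DeviceAttrs], bool]


@dataclass(frozen=True)
class AppPolicy:
    """Administrator's selection for one catalog application: compliant and default
    security groups plus the rules a device must satisfy for the compliant group."""
    app_id: str
    compliant_group: str
    default_group: str
    rules: tuple[ComplianceRule, ...]


@dataclass(frozen=True)
class TunnelAssignment:
    app_id: str
    group: str
    segment: IPv4Network
    endpoint: IPv4Address
    compliant: bool
    failures: tuple[str, ...]


class Gateway:
    def __init__(self, groups: Mapping[str, IPv4Network], policies: list[AppPolicy]):
        self.groups = dict(groups)  # security group -> address range of its segment
        self.policies = {p.app_id: p for p in policies}
        self._allocated: dict[str, set[IPv4Address]] = {g: set() for g in self.groups}

    def evaluate(self, policy: AppPolicy, attrs: DeviceAttrs) -> tuple[bool, tuple[str, ...]]:
        """Evaluate every rule against the reported attributes. A rule that cannot be
        evaluated (missing or malformed attribute) is counted as failed, so an
        incomplete report lands in the default group (assumption: fail closed)."""
        failures = []
        for rule in policy.rules:
            try:
                ok = bool(rule.check(attrs))
            except (KeyError, IndexError, TypeError, ValueError, AttributeError):
                ok = False
            if not ok:
                failures.append(rule.name)
        return (not failures, tuple(failures))

    def establish_tunnel(self, app_id: str, attrs: DeviceAttrs) -> TunnelAssignment:
        """Pick the security group from the compliance result and assign the tunnel
        endpoint an address in that group's segment (claims 1, 5, 6, 11, 15, 20)."""
        policy = self.policies[app_id]  # KeyError: application not in the catalog
        compliant, failures = self.evaluate(policy, attrs)
        group = policy.compliant_group if compliant else policy.default_group
        return TunnelAssignment(app_id, group, self.groups[group],
                                self._allocate(group), compliant, failures)

    def _allocate(self, group: str) -> IPv4Address:
        """Assign the next free host address in the group's segment to the endpoint."""
        used = self._allocated[group]
        for host in self.groups[group].hosts():
            if host not in used:
                used.add(host)
                return host
        raise RuntimeError(f"no free tunnel endpoint addresses in {self.groups[group]}")

    def internal_network_forwards(self, src: IPv4Address, group: str) -> bool:
        """The internal network's routing check: traffic reaches a segment's resources
        only from a source address inside that segment's range (claims 6 and 11)."""
        return src in self.groups[group]


def _ios_major(attrs: DeviceAttrs) -> int:
    """Parse 'iOS 16.4' -> 16; any other format raises and so fails the rule."""
    name, version = str(attrs["os"]).split(" ", 1)
    if name != "iOS":
        raise ValueError(name)
    return int(version.split(".")[0])


def build_example_gateway() -> Gateway:
    """Constructed configuration: two segments and one catalog application."""
    groups = {
        "finance-compliant": IPv4Network("10.10.0.0/24"),   # first set of network resources
        "quarantine-default": IPv4Network("10.99.0.0/24"),  # second set of network resources
    }
    rules = (  # the attributes named in claims 3, 8 and 19: jailbreak status, OS, location
        ComplianceRule("not jailbroken", lambda a: a["jailbroken"] is False),
        ComplianceRule("iOS 16 or later", lambda a: _ios_major(a) >= 16),
        ComplianceRule("located in US or CA", lambda a: a["location"] in {"US", "CA"}),
    )
    return Gateway(groups, [AppPolicy("expense-app", "finance-compliant", "quarantine-default", rules)])


if __name__ == "__main__":
    gw = build_example_gateway()
    for attrs in ({"user": "alice", "os": "iOS 16.4", "location": "US", "jailbroken": False},
                  {"user": "bob", "os": "iOS 16.4", "location": "US", "jailbroken": True},
                  {"user": "carol", "jailbroken": False}):
        print(gw.establish_tunnel("expense-app", attrs))
```

The decision is keyed entirely on the attribute data as received from the client device, which is also how the claims frame it; the example does not verify that data, and the one choice it makes beyond the claim language is to route a device whose report cannot be evaluated to the default segment rather than the compliant one.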




Examiner’s Statement of Reasons for Allowance
Claims 1, 3-6, 8-12, 14-17 and 19-20 (renumbered as claims 1-17) are allowed.
The present invention is directed to configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.
The closest prior art includes the following references: Qureshi et al. (“Qureshi,” US 20140007192) in view of Barton et al. (“Barton,” US 9521117). 
Qureshi is directed to: a system is disclosed that includes components and features for enabling enterprise users to securely access enterprise resources (documents, data, application servers, etc.) using their mobile devices. An enterprise can use some or all components of the system to, for example, securely but flexibly implement a BYOD (bring your own device) policy in which users can run both personal applications and secure enterprise applications on their mobile devices. The system may, for example, implement policies for controlling mobile device accesses to enterprise resources based on device attributes (e.g., what mobile applications are installed), user attributes (e.g., the user's position or department), behavioral attributes, and other criteria. Client-side code installed on the mobile devices may further enhance security by, for example, creating a secure container for locally storing enterprise data, 
Barton is directed to: methods and systems for providing a per-application policy-controlled virtual private network (VPN) tunnel. In some embodiments, tickets may be used to provide access to an enterprise resource without separate authentication of the application and, in some instances, can be used in such a manner as to provide a seamless experience to the user when reestablishing a per-application policy controlled VPN tunnel during the lifetime of the ticket. Additional aspects relate to an access gateway providing updated policy information and tickets to a mobile device. Other aspects relate to selectively wiping the tickets from a secure container of the mobile device. Yet further aspects relate to operating applications in multiple modes, such as a managed mode and an unmanaged mode, and providing authentication-related services based on one or more of the above aspects.
	For example, none of the cited prior art teaches or suggests the steps of independent claims 1, 5 and 15: determine a plurality of security groups for display on an administrator client based on security group data from a gateway data store, the security group data comprising a mapping of the security groups to a plurality of network address ranges for a plurality of virtual network segments in an internal network; display a user interface that is configured for uploading and configuring a particular application to be added to an application catalog, the user interface comprises an upload component for receiving a package containing the particular application and a selection component for specifying a subset of the plurality of security groups for the particular application; receive, from the administrator client, a specification of the at least one 
Therefore, the claims are allowable over the cited prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled Comments on Statement of Reasons for Allowance.


Conclusion

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMES J WILCOX whose telephone number is (571)270-3774. The examiner can normally be reached M-F: 8 A.M. to 5 P.M.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.

Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JAMES J WILCOX/Examiner, Art Unit 2439         



/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439