DETAILED ACTION
Claims 1-20 are pending and have been examined.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
The term “acceptable” in claim 13 is a relative term which renders the claim indefinite. The term is not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention.
Double Patenting
Claims 1-20 are provisionally rejected under the judicially created doctrine of obviousness-type double patenting as being unpatentable over claims of Patent Nos. 10218697 and 11038876.  Although the conflicting claims are not identical, they are not patentably distinct from each other because 
“A method, comprising: receiving, by a first computing device, a request from a second computing device, the request for access by the second computing device to a service provided by a third computing device; in response to receiving the request, performing, by the first computing device, an evaluation of the second computing device, wherein the evaluation comprises determining a risk level; generating, by the first computing device based on the evaluation, a token for the second computing device, the token comprising first data encoding the risk level; and sending the token to at least one of the second computing device or the third computing device, wherein the first data is used to configure the service provided to the second computing device” (claim 1, instant application) is analogous to 
“A method, comprising: receiving data in a communication from a computing device of an identity provider; subsequent to receiving the data, receiving, by a second computing device, a request from a first computing device, the request for access by the first computing device to a service, wherein the access requires authorization by the computing device of the identity provider, and access to the service requires that a software component is installed on the first computing device; in response to the request, performing, by the second computing device, an evaluation of a configuration of the first computing device, wherein the evaluation comprises determining a risk level, and wherein the evaluation is based at least in part on the received data from the identity provider; performing, by the second computing device, an action based on the evaluation, wherein the action comprises sending a first communication to the computing device of the identity provider, the first communication indicating the risk level, wherein the identity provider is of record with the second computing device to use for authorizing requests for access to the service, and wherein the identity provider is configured to authorize access to the service in response to receiving the first communication; determining whether the software component is installed on the first computing device; and in response to determining that the software component is not installed on the first computing device: creating a fingerprint of the first computing device, the fingerprint including data extracted from at least one communication from the first computing device; and determining whether the fingerprint matches a fingerprint of another computing device that has previously communicated with the second computing device” (claim 1, patent 10218697) and analogous to 
“A method, comprising: receiving, by a first computing device, a request from a second computing device, wherein the request is for access by the second computing device to a service, and wherein access to the service requires that a software component is installed on the second computing device; in response to the request, determining whether the software component is installed on the second computing device; in response to determining that the software component is not installed on the second computing device, creating a fingerprint of the second computing device, the fingerprint including network behavior information, the network behavior information including data from an evaluation that runs at least one behavioral test on at least one network to which the second computing device connects to determine whether the second computing device is sending at least one vulnerable communication to at least one unknown computing device, a network communication path between the first computing device and the second computing device, and further including communications by the second computing device with other computing devices; and determining whether the fingerprint matches a fingerprint of a different computing device that has previously communicated with the first computing device” (claim 1, patent 11038876).
This is a provisional obviousness-type double patenting rejection because the conflicting claims of the instant application have not in fact been patented.
The claims of the conflicting patents and/or applications contain every element of claims 1-20 of the instant application and thus anticipate the claims of the instant application. Claims 1-20 of the instant application therefore are not patently distinct from the copending application claims and as such are unpatentable for obvious-type double patenting. A later patent/application claim is not patentably distinct from an earlier claim if the later claim is anticipated by the earlier claim.
“A later patent claim is not patentably distinct from an earlier patent claim if the later claim is obvious over, or anticipated by, the earlier claim. In re Longi, 759 F.2d at 896, 225 USPQ at 651 (affirming a holding of obviousness-type double patenting because the claims at issue were obvious over claims in four prior art patents); In re Berg, 140 F.3d at 1437, 46 USPQ2d at 1233 (Fed. Cir. 1998) (affirming a holding of obviousness-type double patenting where a patent application claim to a genus is anticipated by a patent claim to a species with that genus). “ELI LILLY AND COMPANY v BARR LABORATORIES, INC., United States Court of Appeals for the Federal Circuit, ON PETITION FOR REHEARING EN BANC (DECIDED: May 30, 2001).
“Claim 12 and Claim 13 are generic to the species of invention covered by claim 3 of the patent. Thus, the generic invention is “anticipated” by the species of the patented invention. Cf., Titanium Metals Corp. v. Banner, 778 F.2d 775, 227 USPQ 773 (Fed. Cir. 1985) (holding that an earlier species disclosure in the prior art defeats any generic claim) 4. This court’s predecessor has held that, without a terminal disclaimer, the species claims preclude issuance of the generic claim. In re Van Ornum, 686 F.2d 937, 944, 214 USPQ 761, 767 (CCPA 1982); Schneller, 397 F.2d at 354. Accordingly, absent a terminal disclaimer, claims 12 and 13 were properly rejected under the doctrine of obviousness-type double patenting.” (In re Goodman (CA FC) 29 USPQ2d 2010 (12/3/1993).

Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.
(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kumar (20130298242).
Regarding claims 1 and 18, Kumar teaches A method, comprising: / A non-transitory computer-readable storage medium storing instructions, which when executed, cause a first computing device to (abstract):
receiving, by a first computing device, a request from a second computing device, the request for access by the second computing device to a service provided by a third computing device; in response to receiving the request, performing, by the first computing device, an evaluation of the second computing device, wherein the evaluation comprises determining a risk level (par.89-96, 190-200); 
generating, by the first computing device based on the evaluation, a token for the second computing device, the token comprising first data encoding the risk level (par.107-115, 119-126); and 
sending the token to at least one of the second computing device or the third computing device, wherein the first data is used to configure the service provided to the second computing device (par.65-73, 140-156, 280-300).
Regarding claim 9, Kumar teaches A system comprising: at least one processor of a first computing device; and memory storing instructions configured to instruct the at least one processor to (abstract): 
receive a request from a second computing device, wherein the request is for access by the second computing device to a service provided by a third computing device; in response to receiving the request, perform an evaluation of the second computing device, wherein the evaluation comprises generating data regarding a security state of the second computing device (par.89-96, 190-200); 
send at least a first portion of the data regarding the security state to a fourth computing device of an identity provider, wherein the fourth computing device is configured to authenticate the second computing device using the first portion of the data (par.107-115, 119-126); 
receive, from the fourth computing device, an authentication of the second computing device; and in response to receiving the authentication, send at least a second portion of the data regarding the security state to the third computing device, wherein the second portion of the data is used by the third computing device to configure the service provided to the second computing device (par.65-73, 140-156, 280-300).
Regarding claim 2, Kumar teaches wherein the service provided to the second computing device is configured by the third computing device according to a security state on the second computing device (par.153-156).
Regarding claim 3, Kumar teaches wherein the security state is determined by the third computing device based at least on the risk level determined from the evaluation by the first computing device (par.28-38, 282-300).
Regarding claim 4, Kumar teaches receiving data from security software on the second computing device, and determining the security state on the second computing device using the data received from the security software (fig.5, par.101-104).
Regarding claim 5, Kumar teaches wherein the third computing device is configured to grant, deny, or limit the access to the service based on the security state of the second computing device (par.153-156).
Regarding claim 6, Kumar teaches wherein the access requires authorization by a fourth computing device of an identity provider, and wherein the evaluation is based at least in part on data received from the fourth computing device (par.7-15, 85-95, 138-145, 184-193).
Regarding claim 7, Kumar teaches sending a communication to a fourth computing device of an identity provider, wherein the communication indicates the risk level, and wherein access to the service requires authorization by the fourth computing device (par.138-145, 184-193).
Regarding claim 8, Kumar teaches wherein an extent of access to the service provided to the second computing device is based on the risk level (par.153-156).
Regarding claim 10, Kumar teaches receive data from the fourth computing device, and wherein the evaluation is based at least in part on the data received from the fourth computing device (par.164-170).
Regarding claim 11, Kumar teaches wherein software on the second computing device is used to access the service, and the evaluation further comprises determining a source of the software (fig.5, par.101-104).
Regarding claim 12, Kumar teaches wherein the security state is based at least in part on a source of software on the second computing device (fig.5, par.101-104).
Regarding claim 13, Kumar teaches wherein the third computing device sets an acceptable security state for the second computing device (par.12-13, 94-99).
Regarding claim 14, Kumar teaches periodically perform subsequent evaluations of the second computing device to determine updated security states of the second computing device; and send data regarding the updated security states to the third computing device, wherein the third computing device is configured to change a level of access to the service based on one or more of the updated security states (par.68-82).
Regarding claim 15, Kumar teaches after the second computing device has started receiving the service, perform a subsequent evaluation of the second computing device to determine an updated security state of the second computing device; and send a communication regarding the updated security state to the third computing device, wherein the third computing device is configured to, in response to receiving the communication, terminate access to the service or decrease a level of access to the service (par.68-82).
Regarding claim 16, Kumar teaches wherein data extracted from one or more communications received from the third computing device is used in performing the evaluation (par.22-35, 66-69, 72-78, 155-158).
Regarding claim 17, Kumar teaches wherein data extracted from one or more communications received from the fourth computing device of the identity provider is used in performing the evaluation (par.22-35, 66-69, 72-78, 155-158).
Regarding claim 19, Kumar teaches perform a subsequent evaluation of the second computing device; determine, based on the subsequent evaluation, that a risk level of the second computing device exceeds a threshold; and in response to determining that the risk level of the second computing device exceeds the threshold, revoke the token (par.68-82, 191-200, 254-260, 281-295).
Regarding claim 20, Kumar teaches wherein the second computing device accesses the service over a network, and wherein the evaluation is based at least in part on a security feature of the network (par.22-35, 66-69, 72-78, 155-158).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Van Dijk (8819769) teaches managing access of a user of a computing machine to a remote network collects device posture information about the user's mobile device. The mobile device runs a soft token, and the collected posture information pertains to various aspects of the mobile device, such as the mobile device's hardware, software, environment, and/or users, for example. The server applies the collected device posture information along with token codes from the soft token in authenticating the user to the remote network. 
Sim (20180234464) teaches authentication brokering systems where an authentication broker issues security tokens that represent its authentications of users. Client devices operated by the users store the security tokens and send them to resource providers. The resource providers authenticate and grant access to the users based on validation of the security tokens. Authentication related messages exchanged between the resource providers and the authentication broker are used to exchange authentication risk data that is obtained or derived by the resource providers and the authentication broker. The resource providers obtain authentication risk data directly from the authentication broker and indirectly, via the authentication broker, from each other. As security tokens are used or managed, authentication risk data is shared among the participants in the authentication brokering system. The participants are able to modify their authentication procedures or make authentication decisions based on shared authentication risk data.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to David Garcia Cervetti whose telephone number is (571)272-5861. The examiner can normally be reached Monday-Friday 8AM-5PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, HADI ARMOUCHE can be reached on (571)270-3618. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/David Garcia Cervetti/Primary Examiner, Art Unit 2419