US12126596B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12126596-B2 |
| Application number | US-202217676427-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 21, 2022 |
| Priority date | Feb 1, 2016 |
| Publication date | Oct 22, 2024 |
| Grant date | Oct 22, 2024 |
Official abstract text for this publication.
Disclosed are various examples for configuring network security based on device management characteristics. In one example, a specification of a set of network resources on an internal network is received from an administrator client. The set of network resources are those network resources that a particular application executed in client devices on an external network should be authorized to access. A gateway from the external network to the internal network is then configured to permit the particular application to have access to the set of network resources.
Opening claim text (preview).
Therefore, the following is claimed:

1. A non-transitory computer-readable medium embodying at least one program executable in at least one computing device, the at least one program, when executed by the at least one computing device, being configured to cause the at least one computing device to at least: receive, at a gateway that connects an external network with an internal network, a connection request from a client application executed by a client device, the connection request comprising a request for a connection to a network resource accessible on the internal network; identify a virtual network segment of the internal network associated with a group of resources comprising the network resource, based on a stored mapping of resources to virtual network segment identifiers, wherein the virtual network segment is accessible from a range of network addresses; determine one or more device management characteristics for the client device, the one or more device management characteristics comprising a device management characteristic that includes an application identifier; determine a compliance status for the client device based on one or more device management characteristics, wherein the compliance status is determined to be non-compliant; determine a security group for the client application based on the compliance status, the application identifier, and the identified virtual network segment; determine that the security group is a default security group for the client application executed on the client device; assign, from the range of network addresses, a network address to a virtual private network (VPN) tunnel endpoint of the gateway for a network connection for the client application executed by the client device; determine the network address assigned to the VPN tunnel endpoint for the network connection for the client application based on the security group, wherein the security group has access to a restricted portion of the network resource; and configure the gateway to provide access to the security group for client device.

2. The non-transitory computer-readable medium of claim 1, wherein the one or more device management characteristics further comprise at least one of a user identifier, a device identifier, a source Internet Protocol (IP) address, or a destination IP address.

3. The non-transitory computer-readable medium of claim 1, wherein the security group for the client application is determined based on a rule stored in a gateway configuration data store and at least one of the one or more device management characteristics.

4. The non-transitory computer-readable medium of claim 3, wherein the rule comprises a mapping of at least one of the one or more device characteristics to a plurality of virtual network segment identifiers for the security group.

5. A system, comprising: a gateway that connects an internal network with an external network comprising at least one computing device; and an application executable by the at least one computing device, the application configured to cause the at least one computing device to at least: receive, at the gateway, a connection request from a client application executed by a client device, the connection request comprising a request for a connection to a network resource accessible on the internal network; identify a virtual network segment of the internal network associated with a group of resources comprising the network resource, based on a stored mapping of resources to virtual network segment identifiers, wherein the virtual network segment is accessible from a range of network addresses; determine one or more device management characteristics for the client device, the one or more device management characteristics comprising a device management characteristic that includes an application identifier; determine a compliance status for the client device based on one or more device management characteristics, wherein the compliance status is determined to be non-compliant; determine a security group for the client application based on the compliance status, the application identifier, and the identified virtual network segment; determine that the security group is a default security group for the client application executed on the client device; assign, from the range of network addresses, a network address to a virtual private network (VPN) tunnel endpoint of the gateway for a network connection for the client application executed by the client device; determine the network address assigned to the VPN tunnel endpoint for the network connection for the client application based on the security group, wherein the security group has access to a restricted portion of the network resource; and configure the gateway to provide access to the security group for client device.

6. The system of claim 5, wherein the one or more device management characteristics further comprise at least one of a user identifier, a device identifier, a source Internet Protocol (IP) address, or a destination IP address.

7. The system of claim 5, wherein the security group for the client application is determined based on a rule stored in a gateway configuration data store and at least one of the one or more device management characteristic.

8. The system of claim 7, wherein the rule comprises a mapping of at least one of the one or more device characteristic to a plurality of virtual network segment identifiers for the security group.

9. The system of claim 5, wherein the connection request is received from the client application through the external network.

10. A method, comprising: receiving, at a gateway that connects an external network with an internal network, a connection request from a client application executed by a client device, the connection request comprising a request for a connection to a network resource accessible on the internal network; identifying a virtual network segment of the internal network associated with a group of resources comprising the network resource, based on a stored mapping of resources to virtual network segment identifiers, wherein the virtual network segment is accessible from a range of network addresses; determining one or more device management characteristics for the client device, the one or more device management characteristics comprising a device management characteristic that includes an application identifier; determine a compliance status for the client device based on one or more device management characteristics, wherein the compliance status is determined to be non-compliant; determining a security group for the client application based on the compliance status, the application identifier, and the identified virtual network segment; determine that the security group is a default security group for the client application executed on the client device; assigning, from the range of network addresses, a network address to a virtual private network (VPN) tunnel endpoint of the gateway for a network connection for the client application executed by the client device; determine the network address assigned to the VPN tunnel endpoint for the network connection for the client application based on the security group, wherein the security group has access to a restricted portion of the network resource; and configure the gateway to provide access to the security group for client device.

11. The method of claim 10, wherein the one or more device management characteristics further comprise at least one of a user identifier, an application identifier, a device identifier, a source Internet Protocol (IP) address, or a destination IP address.

12. T
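The decision path the independent claims describe (resource to segment lookup, device management characteristics to compliance status, compliance plus application identifier to security group, tunnel endpoint address drawn from the segment's range) as a toy model. This is an added illustration, not code from the patent or its assignee; the resource mapping, the rule table, the compliance policy and the sample application identifiers are all constructed.

```python
"""Toy model of the gateway decision in the claims above; all names, rules and values are constructed."""
from dataclasses import dataclass
import ipaddress
# Stored mapping of resources to virtual network segment identifiers, and each segment's address range.
RESOURCE_TO_SEGMENT = {"hr-db": "seg-hr", "wiki": "seg-corp"}
SEGMENT_RANGES = {"seg-hr": ipaddress.ip_network("10.10.0.0/29"),
                  "seg-corp": ipaddress.ip_network("10.20.0.0/29")}
# Rule from the gateway configuration store: (application identifier, segment) -> full-access group.
# Anything else gets the default group, which only reaches a restricted portion of the resource.
RULES = {("com.example.hrapp", "seg-hr"): "hr-full",
         ("com.example.wiki", "seg-corp"): "corp-full"}
DEFAULT_GROUP = "restricted"

@dataclass
class DeviceCharacteristics:  # device management characteristics reported for the client device
    app_id: str
    encrypted: bool
    passcode_set: bool

def compliance_status(chars: DeviceCharacteristics) -> str:
    # Constructed policy: compliant only if the device is encrypted and passcode-protected.
    return "compliant" if chars.encrypted and chars.passcode_set else "non-compliant"

class Gateway:
    def __init__(self) -> None:
        self.in_use: dict[str, set] = {}  # segment -> tunnel endpoint addresses already assigned

    def security_group(self, status: str, app_id: str, segment: str) -> str:
        if status != "compliant":
            return DEFAULT_GROUP  # a non-compliant device never gets a full-access group
        return RULES.get((app_id, segment), DEFAULT_GROUP)

    def assign_address(self, segment: str) -> ipaddress.IPv4Address:
        # The first unused host in the segment's range becomes this connection's VPN tunnel endpoint.
        used = self.in_use.setdefault(segment, set())
        for host in SEGMENT_RANGES[segment].hosts():
            if host not in used:
                used.add(host)
                return host
        raise RuntimeError(f"address range for {segment} exhausted")

    def handle_request(self, resource: str, chars: DeviceCharacteristics) -> dict:
        segment = RESOURCE_TO_SEGMENT.get(resource)
        if segment is None:
            return {"decision": "deny", "reason": "no segment mapped for resource"}
        status = compliance_status(chars)
        group = self.security_group(status, chars.app_id, segment)
        return {"decision": "allow", "segment": segment, "status": status, "group": group,
                "tunnel_endpoint": str(self.assign_address(segment)),
                "scope": "restricted" if group == DEFAULT_GROUP else "full"}
```

A non-compliant device lands in the default group and reaches only the restricted portion, while a compliant device running an application the rule table does not know gets the same default treatment; exhausting the segment's address range is reported rather than silently reusing an endpoint.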
CPC classification titles:

- using filters or firewalls
- using delegated authorisation, e.g. open authorisation [OAuth] protocol
- using revocation of authorisation
- Entity profiles
- Service provisioning or reconfiguring