Associating service tags with remote data message flows based on remote device management attributes

The invention claimed is: 1. A non-transitory machine readable medium storing a program for processing mobile-device data messages entering a network, the program comprising sets of instructions for: receiving a data message sent by a remote device through a first tunnel that connects the remote device to the network; removing a first tunnel header of the first tunnel from the data message; identifying a set of remote device management (RDM) attributes associated with the received data message; based on the RDM attribute set, identifying a service tag to associate with the received data message; encapsulating the data message with a second tunnel header of a second tunnel to forward the data message along the second tunnel to a network element within the network; and inserting the identified service tag in the second tunnel header of the second tunnel, said service tag for allowing a set of network elements of the network to process the data message according to a set of policies of the network. 2. The non-transitory machine readable medium of claim 1 , wherein the service tag comprises a security descriptor that determines how at least one network element performs the service on the data message. 3. The non-transitory machine readable medium of claim 2 , wherein the service is one of a firewall operation, a load balancing operation, a logical network segmentation operation, and a destination network address translation operation on the data message. 4. The non-transitory machine readable medium of claim 2 , wherein the security descriptor specifies a trust level from a plurality of trust levels for the data message. 5. The non-transitory machine readable medium of claim 2 , wherein the security descriptor specifies whether the remote device is a trustworthy device. 6. The non-transitory machine readable medium of claim 2 , wherein the security descriptor specifies whether the remote device is a jail broken device. 7. The non-transitory machine readable medium of claim 1 , wherein the network is a network within a multi-tenant datacenter, the remote device is associated with a first tenant, the service tag associates the data message with a first set of users of the first tenant, which is different than a second set of users of the first tenant, and the service tag allows the data message to be processed according to a first set of policies defined for the first set of users and not a second set of policies defined for the second set of users. 8. The non-transitory machine readable medium of claim 7 , wherein the first set of policies require the data message to be processed by a first set of compute nodes that is for the first set of users, and not a second set of compute nodes that is for the second set of users. 9. The non-transitory machine readable medium of claim 7 , wherein the first and second sets of policies are different sets of service policies, the first set of service policies specifying a first group of services that should be performed on data messages from remote devices of the first set of users, while the second set of service policies specifies a second group of services that should be performed on data messages from remote devices of the second set of users. 10. The non-transitory machine readable medium of claim 9 , wherein each group of services includes at least one of a firewall service, a load balancing service, a logical network segmentation service, and a destination network address translation service on the data message. 11. The non-transitory machine readable medium of claim 1 , wherein the data message comprises a request for processing by a plurality of compute nodes comprising a first set of compute nodes and a second set of compute nodes, and the service tag directs the set of network elements to have a compute node in the first set of compute nodes process the data message's request instead of a compute node in the second set of compute nodes. 12. The non-transitory machine readable medium of claim 1 , wherein the service tag comprises a location descriptor that describes a location of the remote device and that determines how at least one network element performs at least one service on the data message. 13. The non-transitory machine readable medium of claim 1 , wherein the service tag is not a parameter in a header of the data message received from the remote device. 14. The non-transitory machine readable medium of claim 13 , wherein the service tag is also not an RDM attribute in the identified RDM attribute set. 15. The non-transitory machine readable medium of claim 1 , wherein the remote device supplies at least a subset of the RDM attribute set in a header of the first tunnel. 16. The non-transitory machine readable medium of claim 1 , wherein the set of instructions for identifying the RDM attribute set comprises a set of instructions for receiving at least a subset of the RDM attribute set from an RDM server that is used to authenticate a request from the remote device to establish a VPN session through the first tunnel. 17. The non-transitory machine readable medium of claim 16 , wherein the set of instructions for identifying the RDM attribute set further comprises a set of instructions for retrieving from a header of the first tunnel another subset of the RDM attribute set that is supplied by the remote device. 18. The non-transitory machine readable medium of claim 16 , wherein the set of instructions for receiving the RDM attribute subset comprises a set of instructions for receiving the RDM attribute subset as part of an authentication approval from the RDM server. 19. The non-transitory machine readable medium of claim 16 , wherein the program further comprises a set of instructions for receiving an authentication approval from the RDM server, wherein the set of instructions for receiving the RDM attribute subset comprises a set of instructions for receiving the RDM attribute subset in a communication from the RDM server that is separate from the authentication approval. 20. A method of processing remote-device data messages entering a network, the method comprising: receiving a data message sent by a remote device through a first tunnel that connects the remote device to the network; removing a first tunnel header of the first tunnel from the data message; identifying a set of remote device management (RDM) attributes associated with the received data message; based on the RDM attribute set, identifying a service tag to associate with the received data message; encapsulating the data message with a second tunnel header of a second tunnel to forward the data message along the second tunnel to a network element; and inserting the identified service tag in the second tunnel header of the second tunnel, said service tag for allowing a set of network elements of the network to process the data message according to a set of policies of the network. 21. The method of claim 20 , wherein the data message is received at a virtual private network (VPN) gateway that connects to the remote device through the first tunnel. 22. The method of claim 20 , wherein the service tag comprises a location descriptor that describes a location of the remote device and that determines how at least one network element performs at least one service on the data message. 23. The method of claim 20 , wherein the service tag is not a parameter in a header of the data message received from the remote device.