Manual Chapter : Access Policy Manager configuration tips

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Access Policy Manager configuration tips

The following table provides tips for setting up F5 Access for devices.
Feature
Information
Client endpoint checks
Client end-point checks are not currently supported.
Require Device Authentication
For devices with iOS 9 or later, F5 Access can require device authentication with one of the device locking methods, including biometric authentication (Touch ID), a PIN, or a passphrase. To enable device authentication for F5 Access, in the
Connectivity Profile
under
iOS Edge Client
, enable the options
Allow Password Caching
and
Require Device Authentication
.
Password caching policy
  • In the Connectivity profile, you can configure password caching by enabling the setting
    Allow Password Caching
    . When this setting is enabled, after a successful logon the submitted credentials are cached.
  • Specify a
    Save Password Method
    .
    • If you select
      disk
      , an encrypted password is cached on the device with no expiration time.
    • If you select
      memory
      , an encrypted password is cached on the device for the time specified in the
      Password Cache Expiration (minutes)
      field.
  • Credentials are not cleared if the user disconnects or restarts the device.
  • If credentials are cached and the
    Save Password Method
    is
    memory
    , then credentials are cached until one of the following events occurs:
    • The specified credential cache duration expires.
    • The server address of the configuration within the application changes.
    • The username of the configuration within the application changes.
    • The F5Access user switches between configurations.
  • To require the user to authenticate on the device before unlocking the cached credentials, select
    Require Device Authentication.
Enforce Logon Mode
You can enforce the logon mode for the iOS client. In the Connectivity Profile, select
iOS Edge Client
, and click
Enforce Logon Mode
. Select
Native
or
Web
and click
OK
. The logon mode will be enforced for all clients that use the connectivity profile.
Client certificates
Client certificate authentication is supported, either with a certificate alone or with a certificate secured with a user name and password.
On-Demand Cert Auth
If used, the
On-Demand Cert Auth
action must be placed after other authentication actions in the access policy.