Manual Chapter : Managing Devices for F5 Access

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.6, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Managing Devices for F5 Access

With an MDM, you manage devices by enrolling them. Refer to your MDM documentation to enroll devices. With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations.

Important: A user must enroll the device with the MDM in order for you to manage the device. However, you can deploy VPN configurations to the devices that aren’t under management. F5 Access must be installed on the device to deploy configurations. F5 Access can be installed either by the user, or deployed with the MDM solution.

Your MDM may not currently support F5 Access for iOS 3.x. The VPN MDM profile for previous versions of F5 Access is not compatible with F5 Access for iOS 3.x. If your MDM allows you to create custom configuration profiles, use these generic settings to configure the profile.

Important: Consult with your MDM vendor to determine support. Refer to your MDM documentation before making changes.

  1. Add a VPN profile.

  2. For the Connection Type, specify Custom.

  3. For the Identifier, specify com.f5.access.ios.

  4. Complete the rest of the configuration as required.

Your MDM may not currently support F5 Access for iOS 3.x. The VPN MDM profile for previous versions of F5 Access is not compatible with F5 Access for iOS 3.x. If your MDM allows you to create custom configuration profiles, use these generic settings to configure the profile.

Important: Consult with your MDM vendor to determine support. Refer to your MDM documentation before making changes.

  1. Add a VPN profile.

  2. For the Connection Type, specify Custom.

  3. For the Identifier, specify com.f5.access.ios.

  4. For the Provider Type, specify Packet Tunnel.

  5. Complete the rest of the configuration as required.

Before you assign a configuration profile to a device, that device must be enrolled with your MDM. Additionally, F5 Access must be installed on the device.

A configuration profile enables the per-app VPN feature on a managed device, and specifies which apps use the VPN.

  1. Create a configuration profile for the device.

    Configuration profiles are described at the Apple Configuration Profile Reference.

  2. Specify whether to use Managed User mode, and any settings for Managed User mode, by sending the ManagedUserConfigurationMode command, and specifying a custom message. This message can also be localized.

    To configure Managed User Mode in Intune:

    • In the Intune admin center, navigate to Apps > iOS/iPadOS > Configuration > Properties and create the keys:
      • ManagedUserConfigurationMode: Set to ‘True’ to enable, ‘False’ to disable.
      • ManagedUserConfigurationModeMessage_en: Enter your custom message. Use the language code suffix for localization (e.g., ManagedUserConfigurationModeMessage_fr).

  3. Specify a connection screen message, if required, by sending the ShowConnectionScreenMessage. This message can also be localized.

    To configure a connection screen message in Intune:

    • In the Intune admin center, navigate to Apps > iOS/iPadOS > Configuration > Properties and create the keys:
      • ShowConnectionScreenMessage: Set to ‘True’ to display the message, ‘False’ to hide it.
      • ConnectionScreenMessage_en: Enter your custom message. Use the language code suffix for localization (e.g., ConnectionScreenMessage_fr).

Configure Access Policy Manager® to provide the necessary support for per-app VPN features.

These are settings for identifying devices in an MDM profile.

Hardware manufacturers have phased out support for many methods of device identification, including UDID, wireless MAC, and others. To identify devices, you can use the device IDs assigned by the MDM.

Key Type Description
MdmAssignedId String The internal device ID assigned to the device by the MDM.
MdmInstanceId String An arbitrary string that identifies particular MDM instance.
MdmDeviceUniqueId String An assigned ID for the device.
MdmDeviceWifiMacAddress String The wireless MAC address of the device.
MdmDeviceSerialNumber String An assigned serial number for the device.

In this example, the commands are deployed in the VendorConfig document.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
...
    <key>VendorConfig</key>
    <dict>
       <key>MdmAssignedId</key>
       <string>MDM assigned ID here</string>
       <key>MdmInstanceId</key>
       <string>some MDM instance ID here</string>
       <key>MdmDeviceUniqueId</key>
       <string>device iOS UDID here</string>
       <key>MdmDeviceWifiMacAddress</key>
       <string>device wifi mac address here</string>
       <key>MdmDeviceSerialNumber</key>
       <string>device serial number here</string>
    </dict>
...

This setting configures Web Logon mode in an MDM profile.

In the MDM configuration profile, you can use the command WebLogon to specify whether Web Logon is enabled. Use the syntax <key>WebLogon</key><string>true|false</string>.

If you configure Enforce Logon Mode in the Connectivity Profile on Access Policy Manager, that setting overrides the Web Logon setting configured in the MDM profile or in a manual configuration. This setting is available on BIG-IP 12.1.3, 13.1.0, and 14.0.0. This setting is not available on 11.5.1, 11.5.7, or 11.6.3.

Note: Web Logon is not supported with Per-App VPN.

Settings for the device-wide VPN profiles in an MDM configuration.

Configure a device-wide VPN by specifying the VPN payload. For the PayloadType value, specify com.apple.vpn.managed. F5 Access 3.0 VPN configurations must define the following keys:

Key Type Description
PayloadType String com.apple.vpn.managed
VPNType String VPN
VPNSubType String com.f5.access.ios
OnDemandEnabled Int Optional key: 1 if the VPN connection should be brought up on demand, or else 0.
OnDemandRules Array of Dictionaries Optional key. Determines when and how an on-demand VPN should be used. See On Demand Rules Dictionary Keys for details.

This section includes a sample configuration profile for the device-wide VPN.

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>PayloadContent</key>
   <array>
      <dict>
         <key>IPv4</key>
         <dict>
            <key>OverridePrimary</key>
            <integer>0</integer>
         </dict>
         <key>PayloadDescription</key>
         <string>Configures VPN settings</string>
         <key>PayloadDisplayName</key>
         <string>VPN</string>
         <key>PayloadIdentifier</key>
         <string>com.apple.vpn.managed.E3C31113-0AC1-4085-BD77-6315F2ADA1EE</string>
         <!-- F5 COMMENT: PayloadType key: for System-Wide VPN
         the value is "com.apple.vpn.managed" -->
         <key>PayloadType</key>
         <string>com.apple.vpn.managed</string>
         <key>PayloadUUID</key>
         <string>E3C31113-0AC1-4085-BD77-6315F2ADA1EE</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
         <key>Proxies</key>
         <dict>
            <key>HTTPEnable</key>
            <integer>0</integer>
            <key>HTTPSEnable</key>
            <integer>0</integer>
         </dict>
         <key>UserDefinedName</key>
         <string>VPN Config</string>
         <key>VPN</key>
         <dict>
            <key>AuthName</key>
            <string>username</string>
            <key>AuthPassword</key>
            <string>password</string>
            <key>AuthenticationMethod</key>
            <string>Password</string>
            <key>RemoteAddress</key>
            <string>https://demo-na-bigip.com</string>
         </dict>
         <!-- F5 COMMENT: VPNSubType key: For F5 Access the value
         should be "com.f5.access.ios" -->
         <key>VPNSubType</key>
         <string>com.f5.access.ios</string>
         <!-- F5 COMMENT: VPNType key: Specifies VPN type,
         for F5 Access VPN should be "VPN" -->
         <key>VPNType</key>
         <string>VPN</string>
         <key>VendorConfig</key>
         <dict/>
      </dict>
   </array>
   <key>PayloadDisplayName</key>
   <string>SystemwideVPNDemo</string>
   <key>PayloadIdentifier</key>
   <string>XYZ-ML-00003638.DBCD844F-1B48-55AF-A262-82B10131000D</string>
   <key>PayloadRemovalDisallowed</key>
   <false/>
   <key>PayloadType</key>
   <string>Configuration</string>
   <key>PayloadUUID</key>
   <string>842BF859-9305-4E86-A73F-8C44E1E36D72</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
</dict>
</plist>

Settings for the per-app VPN profile in an MDM.

The per-app VPN payload supports all of the keys described in the Apple Configuration Profile Reference. These keys, specific to the per-app VPN payload, are described in that reference as well.

Key Type Description
PayloadType String com.apple.vpn.managed.applayer
VPNType String VPN
ProviderType String packet-tunnel
VPNSubType String com.f5.access.ios
VPNUUID String A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the per-app VPN service for all of their network communication.
OnDemandMatchAppEnabled (optional) Boolean If true, the per-app VPN connection starts automatically when apps linked to this per-app VPN service initiate network communication. If false, the per-app VPN connection will not start. If this key is not present, the value of the OnDemandEnabled key is used to determine the status of per-app VPN On Demand.
SafariDomains (optional) Array This key is a special case of App-to-Per App VPN Mapping. It sets up the app mapping for Safari with a specific identifier and a designated requirement. The array contains strings, each of which is a domain that triggers a VPN connection in Safari. Do not specify a full URI; rule matching works only with the domain name.

The SafariDomains rule matching behavior is as follows:

  • Before being matched against a host, all leading and trailing dots are stripped from the domain string. For example, if the domain string is .com the domain string used to match is com.
  • Each label in the domain string must match an entire label in the host string. For example, a domain of example.com matches “www.example.com”, but not old.badexample.com.
  • Domain strings with only one label must match the entire host string. For example, a domain of com matches com, not www.example.com.
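The following Python script is an added example, not F5's or Apple's code, that checks the VPN payloads of a profile against the key tables given above for the device-wide payload (com.apple.vpn.managed) and the per-app payload (com.apple.vpn.managed.applayer), implements the three SafariDomains matching rules, and applies the OnDemandMatchAppEnabled / OnDemandEnabled fallback. It uses only the standard plistlib module. The sample profile, its UUIDs and host names are constructed placeholders; the script also assumes that the WebLogon command lives in VendorConfig alongside the other MDM commands, so it can flag the unsupported combination of Web Logon with Per-App VPN.

```python
# Added example (not F5's or Apple's code): validate the VPN payloads of an
# MDM configuration profile against the keys this chapter lists, apply the
# SafariDomains matching rules, and flag a few risky settings.
import plistlib

PER_APP = "com.apple.vpn.managed.applayer"
# Values the chapter's key tables require for each payload type.
REQUIRED = {
    "com.apple.vpn.managed": {"VPNType": "VPN", "VPNSubType": "com.f5.access.ios"},
    PER_APP: {"VPNType": "VPN", "VPNSubType": "com.f5.access.ios"},
}


def safari_domain_matches(domain: str, host: str) -> bool:
    """Apply the three SafariDomains rules: strip leading/trailing dots,
    match whole labels only, and require a one-label domain to equal the host."""
    labels = domain.strip(".").lower().split(".")
    host_labels = host.lower().split(".")
    if len(labels) == 1:
        return host_labels == labels
    # Every label of the domain must match an entire trailing label of the host.
    return len(host_labels) >= len(labels) and host_labels[-len(labels):] == labels


def per_app_on_demand(payload: dict) -> bool:
    """OnDemandMatchAppEnabled decides if present; otherwise OnDemandEnabled does."""
    vpn = payload.get("VPN", {})
    if "OnDemandMatchAppEnabled" in vpn:
        return bool(vpn["OnDemandMatchAppEnabled"])
    return bool(vpn.get("OnDemandEnabled", 0))


def check_vpn_payload(payload: dict) -> list:
    """Return human-readable findings for one VPN payload dictionary."""
    findings = []
    ptype = payload.get("PayloadType")
    if ptype not in REQUIRED:
        return [f"unsupported PayloadType {ptype!r}"]
    for key, want in REQUIRED[ptype].items():
        if payload.get(key) != want:
            findings.append(f"{key} must be {want!r}, got {payload.get(key)!r}")
    vpn = payload.get("VPN", {})
    vendor = payload.get("VendorConfig", {})
    if ptype == PER_APP:
        if vpn.get("ProviderType") != "packet-tunnel":
            findings.append("per-app: VPN.ProviderType must be 'packet-tunnel'")
        if not payload.get("VPNUUID"):
            findings.append("per-app: VPNUUID is missing")
        for entry in payload.get("SafariDomains", []):
            if "://" in entry or "/" in entry:
                findings.append(f"SafariDomains entry {entry!r} is a URI, not a domain")
        # Assumption: WebLogon is carried in VendorConfig like the other commands.
        if str(vendor.get("WebLogon", "")).lower() == "true":
            findings.append("per-app: Web Logon is not supported with Per-App VPN")
    # A literal AuthPassword ships the secret to every enrolled device.
    if "AuthPassword" in vpn:
        findings.append("VPN.AuthPassword is embedded; prefer certificate authentication")
    return findings


def check_profile(plist_bytes: bytes) -> dict:
    """Parse a profile and check every VPN payload, keyed by PayloadUUID."""
    profile = plistlib.loads(plist_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        if str(payload.get("PayloadType", "")).startswith("com.apple.vpn.managed"):
            results[payload.get("PayloadUUID", "?")] = check_vpn_payload(payload)
    return results


# Constructed per-app sample: required keys are correct, but it embeds a
# password, lists a SafariDomains entry as a URI, and enables WebLogon.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PER_APP,
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",  # placeholder
        "VPNType": "VPN",
        "VPNSubType": "com.f5.access.ios",
        "VPNUUID": "00000000-0000-4000-8000-000000000002",  # placeholder
        "VPN": {"AuthName": "username", "AuthPassword": "password",
                "AuthenticationMethod": "Password",
                "ProviderType": "packet-tunnel",
                "OnDemandMatchAppEnabled": True,
                "RemoteAddress": "https://vpn.example.com"},  # constructed
        "VendorConfig": {"WebLogon": "true"},
        "SafariDomains": ["intranet.example.com", "https://portal.example.com/"],
    }],
})

if __name__ == "__main__":
    for uuid, findings in check_profile(SAMPLE_PROFILE).items():
        print(uuid, findings or ["OK"])
```

Run it against a real exported profile by replacing SAMPLE_PROFILE with the file's bytes; the three findings it reports for the constructed sample (URI in SafariDomains, Web Logon with Per-App VPN, embedded AuthPassword) are the mistakes this chapter's tables and notes warn about.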

This section includes a sample configuration profile for the per-app VPN.

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>PayloadContent</key>
   <array>
      <dict>
         <key>IPv4</key>
         <dict>
            <key>OverridePrimary</key>
            <integer>0</integer>
         </dict>
         <key>PayloadDescription</key>
         <string>Configures VPN settings</string>
         <key>PayloadDisplayName</key>
         <string>VPN</string>
         <key>PayloadIdentifier</key>
         <string>com.apple.vpn.managed.CF2C73E8-B7AD-442F-BF91-2682777023CC</string>
         <!-- F5 COMMENT: PayloadType key: for Per-App VPN the value
         is "com.apple.vpn.managed.applayer" -->
         <key>PayloadType</key>
         <string>com.apple.vpn.managed.applayer</string>
         <key>PayloadUUID</key>
         <string>CF2C73E8-B7AD-442F-BF91-2682777023CC</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
         <key>Proxies</key>
         <dict>
            <key>HTTPEnable</key>
            <integer>0</integer>
            <key>HTTPSEnable</key>
            <integer>0</integer>
         </dict>
         <key>UserDefinedName</key>
         <string>Per-App VPN Demo</string>
         <key>VPN</key>
         <dict>
            <key>AuthName</key>
            <string>username</string>
            <key>AuthPassword</key>
            <string>password</string>
            <key>AuthenticationMethod</key>
            <string>Password</string>
            <!-- F5 COMMENT: ProviderType key: F5 Access 3.x supports
            only "packet-tunnel" value for this key -->
            <key>ProviderType</key>
            <string>packet-tunnel</string>
            <key>OnDemandMatchAppEnabled</key>
            <true/>
            <key>RemoteAddress</key>
            <string>https://demo.siterequest.com</string>
         </dict>
          <!-- F5 COMMENT: VPNUUID key: A globally-unique identifier
          for the VPN configuration. This identifier is used to configure
          apps so that they use the Per-App VPN service for
          all of their network communication -->
         <key>VPNUUID</key>
         <string>17027186-61c3-470d-afaa-5a9e4d519da1</string>
         <!-- F5 COMMENT: VPNSubType key: For F5 Access the value
         is "com.f5.access.ios" -->
         <key>VPNSubType</key>
         <string>com.f5.access.ios</string>
         <!-- F5 COMMENT: VPNType key: Specifies VPN type,
         for F5 Access VPN is "VPN" -->
         <key>VPNType</key>
         <string>VPN</string>
         <key>VendorConfig</key>
         <dict/>
         <key>SafariDomains</key>
         <array>
            <string>test.siterequest.com</string>
         </array>
      </dict>
   </array>
   <key>PayloadDisplayName</key>
   <string>PerAppVPNDemo</string>
   <key>PayloadIdentifier</key>
   <string>XYZ-ML-00003638.C4B7F07B-9C1C-F3F2-BB80-A30390AD085F</string>
   <key>PayloadRemovalDisallowed</key>
   <false/>
   <key>PayloadType</key>
   <string>Configuration</string>
   <key>PayloadUUID</key>
   <string>BD56E80E-BFCE-4FD6-AEDB-543014C6ADE8</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
</dict>
</plist>