Manual Chapter : Overview: F5 Access for iOS

Applies To:


BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Introducing F5 Access 3.x

F5 Access for iOS 3.x is a new client, built on the latest Apple VPN architecture. Apple's new Network Extension architecture allows for some features that were not previously included in our iOS client, including the ability to use UDP apps with Per-App VPN. Apple has deprecated their previous VPN technology, which will not be supported in the future, so our previous clients based on older technology will eventually be deprecated as well.
This is not a one-to-one upgrade from the previous version (F5 Access 2.x). A number of incompatibilities, possible incompatibilities, and configuration changes are outlined in this document that may affect your migration to F5 Access for iOS 3.x. MDM support for this new client is still in development. Please check with your MDM vendor for more information.
There are access policy changes required to support this client. If you are planning to migrate users to the new client, please review all of the differences between the clients outlined in this document before you migrate your users. We expect to add features and support to this client in the future, and eventually we expect MDM vendors to support it at the same level as our existing client.
With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations.

Differences between F5 Access 3.x and F5 Access Legacy 2.1.x

There are a number of differences between F5 Access 3.x and F5 Access Legacy 2.1.x.

Configuration deployment changes

When deploying configurations, there are several differences between F5 Access 3.x and F5 Access Legacy 2.1.x.
Deployment differences

  • VPN type: Device-wide VPN
    Manually configured: The user has to accept a permission dialog to add the first VPN configuration.
    MDM configured: The key VPNSubType has changed.
      • In F5 Access Legacy 2.1.x: com.f5.F5-Edge-Client.vpnplugin
      • In F5 Access 3.x: com.f5.access.ios
  • VPN type: Per-App VPN
    Manually configured: No manual configuration.
    MDM configured:
      • The key VPNSubType has changed:
        • In F5 Access Legacy 2.1.x: com.f5.F5-Edge-Client.vpnplugin
        • In F5 Access 3.x: com.f5.access.ios
      • The key ProviderType must be set to packet-tunnel in F5 Access 3.x.
      • The key PerAppVpn is no longer required in the VendorConfig dictionary in F5 Access 3.x.
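The MDM-configured changes above can be checked mechanically before a profile is pushed to devices. The following Python is an added example, not F5's or Apple's code: it parses a .mobileconfig profile with the standard library's plistlib, flags a VPN payload that still carries the 2.1.x VPNSubType, lacks ProviderType packet-tunnel on a Per-App payload, or still sets PerAppVpn in VendorConfig, and produces the corrected payload. The payload types com.apple.vpn.managed (device-wide) and com.apple.vpn.managed.applayer (Per-App) are Apple's standard VPN payload types; the payload identifiers and the sample profile are constructed for the example.

```python
"""Lint a .mobileconfig VPN payload for the F5 Access 3.x deployment changes.

Added example, not F5 or Apple code. It checks only the three key changes
documented for MDM-configured profiles: VPNSubType, ProviderType (Per-App
VPN) and the obsolete PerAppVpn key in VendorConfig. The sample profile is
constructed for the example.
"""
from __future__ import annotations

import plistlib

LEGACY_SUBTYPE = "com.f5.F5-Edge-Client.vpnplugin"   # F5 Access Legacy 2.1.x
CURRENT_SUBTYPE = "com.f5.access.ios"                # F5 Access 3.x

# Apple payload types for device-wide and Per-App VPN payloads.
DEVICE_WIDE_VPN = "com.apple.vpn.managed"
PER_APP_VPN = "com.apple.vpn.managed.applayer"


def lint_vpn_payload(payload: dict) -> list[str]:
    """Return a list of findings for one VPN payload dictionary."""
    findings: list[str] = []
    ptype = payload.get("PayloadType")
    if ptype not in (DEVICE_WIDE_VPN, PER_APP_VPN):
        return findings  # not a VPN payload; nothing to check

    subtype = payload.get("VPNSubType")
    if subtype == LEGACY_SUBTYPE:
        findings.append(f"VPNSubType is the legacy value {LEGACY_SUBTYPE}; "
                        f"F5 Access 3.x expects {CURRENT_SUBTYPE}")
    elif subtype != CURRENT_SUBTYPE:
        findings.append(f"VPNSubType is {subtype!r}, not {CURRENT_SUBTYPE}")

    if ptype == PER_APP_VPN:
        if payload.get("ProviderType") != "packet-tunnel":
            findings.append("Per-App VPN payload must set ProviderType to packet-tunnel")
        if "PerAppVpn" in payload.get("VendorConfig", {}):
            findings.append("VendorConfig.PerAppVpn is no longer required in F5 Access 3.x")
    return findings


def lint_profile(profile_bytes: bytes) -> dict[str, list[str]]:
    """Parse a .mobileconfig (XML plist) and lint every payload in it."""
    profile = plistlib.loads(profile_bytes)
    results = {}
    for payload in profile.get("PayloadContent", []):
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        results[ident] = lint_vpn_payload(payload)
    return results


def migrate_payload(payload: dict) -> dict:
    """Apply the documented 3.x changes to a legacy payload; returns a copy."""
    fixed = dict(payload)
    fixed["VPNSubType"] = CURRENT_SUBTYPE
    if payload.get("PayloadType") == PER_APP_VPN:
        fixed["ProviderType"] = "packet-tunnel"
        vendor = dict(payload.get("VendorConfig", {}))
        vendor.pop("PerAppVpn", None)          # obsolete in 3.x
        fixed["VendorConfig"] = vendor
    return fixed


# Constructed sample: a Per-App VPN payload still carrying the 2.1.x settings.
LEGACY_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.profile",          # constructed
    "PayloadContent": [{
        "PayloadType": PER_APP_VPN,
        "PayloadIdentifier": "example.perapp.vpn",   # constructed
        "VPNSubType": LEGACY_SUBTYPE,
        "VendorConfig": {"PerAppVpn": "1"},
    }],
})


def sample_legacy_payload() -> dict:
    """The single VPN payload from the constructed legacy profile."""
    return plistlib.loads(LEGACY_PROFILE)["PayloadContent"][0]


if __name__ == "__main__":
    for ident, findings in lint_profile(LEGACY_PROFILE).items():
        print(ident, "->", findings or ["ok"])
    print("after migration ->", lint_vpn_payload(migrate_payload(sample_legacy_payload())) or ["ok"])
```

Run it against an exported profile with `lint_profile(open("profile.mobileconfig", "rb").read())`; a payload that passes with no findings still needs the rest of the profile (remote address, authentication method, On-Demand rules) reviewed by hand, since the linter only covers the three changes documented here.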

Device UDID change

Device UDID is no longer provided, due to iOS changes. With an MDM, the device can be assigned an ID. This is assigned with the MdmDeviceUniqueId or UDID attribute. This assigned value populates the session variables session.client.mdm_device_unique_id and session.client.unique_id. If neither attribute is provided, these session variables are not present. If either attribute is provided by the MDM, both session variables are present. An example value is RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR.

VPN establishment changes

When establishing VPNs, there are several differences between F5 Access 3.x and F5 Access Legacy 2.1.x.
VPN establishment changes

  • VPN type: Device-wide VPN
    Manual:
      • In F5 Access 3.x, notifications must be enabled for any user prompts or Web Logon interactions.
      • In F5 Access 3.x, the user is able to save the password when connecting in native logon mode if the Save Password Method option in the Access Policy Manager Connectivity Profile is set to disk.
    On-demand: In F5 Access 3.x, notifications must be enabled for any user prompts or Web Logon interactions. With notifications enabled, these prompts and features are supported:
      • Web Logon mode
      • Authentication prompts in native mode
      • Device authentication
  • VPN type: Per-App VPN
    Manual: No manual configuration.
    On-demand: A Per-App VPN connection cannot be established if user interaction is required. For F5 Access 3.x, configure the access policy so user interaction is not required to establish the VPN connection.

Access Policy Manager configuration changes

When configuring Access Policy Manager, there are several differences between F5 Access 3.x and F5 Access Legacy 2.1.x.
Enforcing logon mode

  • APM configuration item: Enforce Logon Mode
    Change: In the Connectivity Profile, the administrator can now enforce a specific logon mode, using the Enforce Logon Mode setting. The logon mode can be enforced as native or web.
  • APM configuration item: Web Logon mode in the F5 Access for iOS app
    Change: If Enforce Logon Mode is enabled in the Connectivity Profile, the user cannot change the Web Logon option.

APM Per-App VPN changes

  • Per-App VPN configuration item: Virtual Server
    Change: In the Virtual Server configuration, the Application Tunnels (Java & Per-App VPN) option is no longer required to be enabled.
  • Per-App VPN configuration item: Access policy
    Change: With F5 Access 3.x, Per-App VPN now uses an L3 tunnel. As such, the following items must be added to the applicable access policy branch:
      • Network Access resource
      • Webtop
  • Per-App VPN configuration item: iOS device
    Change: The iOS device enforces the applications that are allowed to access the VPN, according to the Per-App VPN configuration.

Apple App Transport Security (ATS) changes

App Transport Security (ATS), implemented in F5 Access 3.x, requires the following security changes for communications between F5 Access 3.x and the corresponding BIG-IP.
  • Plain-text HTTP connections are no longer allowed.
  • HTTPS requires the strongest TLS configuration (TLS 1.2 and PFS cipher suites).
  • Self-signed certificates are not supported unless the CA certificate is first trusted on the device.
These App Transport Security changes are also required for Web Logon connections with F5 Access Legacy 2.1.x.
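Whether a BIG-IP virtual server meets these three requirements can be verified from a workstation before the client is rolled out. The following Python is an added example, not F5 or Apple code: ats_compliant() classifies a negotiated protocol and cipher against the TLS 1.2 and forward-secrecy requirements, and probe() performs a verifying TLS handshake against a host you supply, so an untrusted (for example self-signed) certificate is reported rather than silently accepted. HOST and PORT are placeholders for your own virtual server; the assertion that all TLS 1.3 suites provide forward secrecy is a property of the protocol, not of F5's configuration.

```python
"""Check a BIG-IP virtual server's TLS settings against the ATS requirements
listed above: TLS 1.2 or later, a forward-secrecy (ECDHE/DHE) cipher suite
and a certificate chain the client can verify.

Added example, not F5 or Apple code. ats_compliant() classifies a negotiated
(protocol, cipher) pair offline; probe() performs a live handshake against a
host you supply. HOST and PORT are placeholders.
"""
from __future__ import annotations

import socket
import ssl

HOST = "apm.example.invalid"   # placeholder for your BIG-IP virtual server
PORT = 443

# TLS 1.3 suites are all forward-secret; for TLS 1.2 the key exchange has
# to be ephemeral (ECDHE or DHE) to count as a PFS suite.
_PFS_PREFIXES = ("ECDHE-", "DHE-", "TLS_AES_", "TLS_CHACHA20_")


def ats_compliant(protocol: str, cipher: str) -> tuple[bool, list[str]]:
    """Return (ok, reasons) for a negotiated protocol/cipher pair.

    protocol: as returned by SSLSocket.version(), e.g. 'TLSv1.2'.
    cipher:   OpenSSL cipher name as returned by SSLSocket.cipher()[0].
    """
    reasons: list[str] = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append(f"{protocol} is below TLS 1.2")
    if not cipher.startswith(_PFS_PREFIXES):
        reasons.append(f"{cipher} does not provide forward secrecy")
    return (not reasons, reasons)


def probe(host: str = HOST, port: int = PORT) -> dict:
    """Handshake with the server using the default, verifying trust settings."""
    ctx = ssl.create_default_context()           # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                proto, cipher = tls.version(), tls.cipher()[0]
                ok, reasons = ats_compliant(proto, cipher)
                return {"trusted": True, "protocol": proto, "cipher": cipher,
                        "ats_ok": ok, "reasons": reasons}
    except ssl.SSLCertVerificationError as exc:
        # A self-signed or private-CA certificate lands here unless the CA is
        # trusted by this machine; ATS on the device behaves the same way.
        return {"trusted": False, "ats_ok": False,
                "reasons": [f"certificate not trusted: {exc}"]}


if __name__ == "__main__":
    print(probe())
```

The classifier only looks at what the handshake actually negotiated; a server that also offers TLS 1.0 or non-PFS suites to other clients will still pass here, so pair it with a review of the client SSL profile's cipher string.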

Client Certificate authentication

Client Certificate Authentication is not supported in Web Logon mode on iOS 11. On iOS 12, Web Logon mode does support Client Certificate Authentication.

Client Certificates

Client certificates installed in F5 Access 2.1.x are not used by F5 Access 3.0.x. Client certificates must be reinstalled to be used with F5 Access 3.0.x.
On iOS 10.3 and later, certificates imported to an iOS device are not automatically trusted unless they are added with an MDM or with Apple Configurator. Manually imported certificates must be manually trusted.

F5 Access and mobile devices

F5 Access for mobile devices provides full network access through BIG-IP® Access Policy Manager®. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their mobile devices.
For information about how to use F5 Access on your device, refer to the F5 Access for iOS User Guide.
F5 Access features include:
  • N-factor authentication (at least two input fields, password and passcode) support
  • User name and password, client certificate, and RSA SecurID support
  • Multiple input field support
  • Credential caching support
  • Support for TouchID authentication, PIN, or a device password to make a connection, when using cached credentials
  • Support for DNS address space for split-tunneling configurations
  • Support for checking information from client devices
  • Support for automatically launching applications on client devices
  • Support for roaming between cellular and WiFi networks
  • Landing URI support
  • Logging support to report issues
  • Support for private-side internal proxy servers. Public-side proxy servers are not currently supported.
  • Per-app VPN support for TCP and UDP applications
  • Application notifications
  • Diagnostics
  • Traffic Graphs
  • Support for SAML 2.0 features in BIG-IP® Access Policy Manager®
  • iOS widget support
  • Support for VPN tunnel on IPv6 single stack
  • Support for APM VPN Proxy

About app notifications

F5 Access for iOS 3.x requires that notifications be enabled for most user configurations. This requires that the user start the app and accept notifications.
The user is prompted to enable notifications only the first time the app is started. If the user dismisses the notifications dialog, notifications must be enabled manually: in the Settings app, go to F5 Access > Notifications, and enable the Allow Notifications setting.
The only scenario in which notifications do not need to be enabled is a Per-App VPN scenario where no user intervention is required.

About SAML support

F5 Access for iOS devices provides the following SAML support:
  • Service provider-initiated access only, for example, APM acting as the service provider (SP)
  • Web Logon mode only
  • Single Log-Out (SLO): supported only when the logout action is initiated from the client
When you use F5 Access as a client performing the SP-initiated access, F5 Access first connects to BIG-IP® Access Policy Manager® (APM®). Because there is no assertion, APM redirects the client to the IdP. The IdP then authenticates the user and redirects F5 Access back to the SP with an assertion. APM then accepts the assertion and establishes a VPN connection. You can then access back-end resources through F5 Access.
You can configure a BIG-IP system by configuring APM as an SP. The access policy associated with the configuration assigns a SAML AAA resource followed by a Network Access Resource. For more information about SAML configurations, refer to the BIG-IP® Access Policy Manager®: SAML Configuration guide.

About supported authentication types

F5 Access for iOS 3.x supports these authentication and connection type combinations.
You can create a .mobileconfig file with Apple Configurator 2. Read the Apple Configurator 2 documentation for more information.

  • Authentication type: Username and password
    Connection type: Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for:
      • User-initiated connections, in native mode or Web Logon mode
      • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
    For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the device configuration provided by the MDM, or in the .mobileconfig file. Per-App VPN does not support Web Logon mode.
  • Authentication type: Client certificate
    Connection type:
      • User-initiated connections, in native mode only
      • Device-wide VPN On-Demand, in native mode only
      • Per-App VPN connections
  • Authentication type: Client certificate + username and password
    Connection type: Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for:
      • User-initiated connections, in native mode only
      • Device-wide VPN On-Demand connections, in native mode only
    For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the configuration. Per-App VPN does not support Web Logon mode.

About establishing VPN connections

The F5 Access application (app) for mobile devices provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality.
For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched.
For Per-App VPN, the following On-Demand considerations apply. These do not apply to On-Demand device-wide VPN connections.
  • When a Per-App VPN connection is initiated On-Demand, user intervention is not allowed. For example, if a password is needed for authentication but is not supplied in the configuration, the connection fails. Note that RSA authentication is not supported.
  • On-Demand Per-App VPN does not work with Web Logon.

About pre-logon checks supported for iOS devices

Access Policy Manager® can check unique identifying information from an iOS device. The supported session variables, which become populated with the iOS device information, are gathered automatically, and can easily be combined with an LDAP or AD query to implement white-listing in a custom action to improve access context. This information allows the Access Policy Manager to perform pre-logon sequence checks and operations based on information about the connecting device. Using such information, the Access Policy Manager can perform the following tasks:
  • Deny access if the iOS version is less than the required level.
  • Deny access if the app version is less than required.
This example displays an access policy with a custom action to check the app version.
Example of a custom action for checking the F5 Access app version
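The decision logic behind such a custom action, together with the MDM device-ID rule from the "Device UDID change" section, is modelled in the following Python. This is an added example, not APM code: a custom action is built in the access policy editor, not in Python. The session variable names session.client.mdm_device_unique_id and session.client.unique_id are the ones named on this page; the two version variables are placeholders for whatever your policy populates, the required versions and the allow-list (which in practice would come from the LDAP or AD query) are constructed, and the sample device ID reuses the example value given above. The one detail worth seeing in code is that version strings must be compared component by component, because a plain string comparison ranks "9.3" above "12.0".

```python
"""Model of the pre-logon decisions described above: deny if the iOS version
or the app version is below the required level, and allow-list the
MDM-assigned device ID against a list that would come from an LDAP/AD query.

Added example, not APM code. Session variable names for the device ID are
those on this page; the version variable names, required versions and the
allow-list are constructed placeholders.
"""
from __future__ import annotations

REQUIRED_IOS = "12.0"    # constructed minimum iOS version
REQUIRED_APP = "3.0.1"   # constructed minimum F5 Access version

# Device-ID variables come from this page; the version variables are placeholders.
VAR_DEVICE_ID = "session.client.mdm_device_unique_id"
VAR_UNIQUE_ID = "session.client.unique_id"
VAR_IOS_VERSION = "session.client.ios_version_PLACEHOLDER"
VAR_APP_VERSION = "session.client.app_version_PLACEHOLDER"


def version_tuple(v: str) -> tuple[int, ...]:
    """'12.1.3' -> (12, 1, 3), so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))


def version_at_least(actual: str, required: str) -> bool:
    """True if actual >= required; 12.1 and 12.1.0 compare equal."""
    a, r = version_tuple(actual), version_tuple(required)
    width = max(len(a), len(r))
    return a + (0,) * (width - len(a)) >= r + (0,) * (width - len(r))


def mdm_session_variables(mdm_attrs: dict) -> dict:
    """Derive the two device-ID session variables from the MDM-assigned
    MdmDeviceUniqueId or UDID attribute, following the rule on this page:
    neither present -> neither variable; either present -> both variables."""
    device_id = mdm_attrs.get("MdmDeviceUniqueId") or mdm_attrs.get("UDID")
    if not device_id:
        return {}
    return {VAR_DEVICE_ID: device_id, VAR_UNIQUE_ID: device_id}


def prelogon_check(session: dict, allowed_ids: set[str]) -> tuple[bool, str]:
    """Return (allow, reason) for a session's client variables."""
    ios = session.get(VAR_IOS_VERSION)
    if not ios or not version_at_least(ios, REQUIRED_IOS):
        return False, f"iOS version {ios!r} below required {REQUIRED_IOS}"
    app = session.get(VAR_APP_VERSION)
    if not app or not version_at_least(app, REQUIRED_APP):
        return False, f"app version {app!r} below required {REQUIRED_APP}"
    device_id = session.get(VAR_DEVICE_ID)
    if device_id not in allowed_ids:
        # Also covers a device without MDM: the variable is absent, so deny.
        return False, "device ID missing or not on the allow-list"
    return True, "allowed"


# Constructed allow-list; the ID is the example value quoted on this page.
ALLOWED_IDS = {"RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR"}


def sample_session(ios: str, app: str, mdm_attrs: dict) -> dict:
    """Build a constructed session-variable dictionary for the checks above."""
    session = {VAR_IOS_VERSION: ios, VAR_APP_VERSION: app}
    session.update(mdm_session_variables(mdm_attrs))
    return session


if __name__ == "__main__":
    managed = {"UDID": "RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR"}
    print(prelogon_check(sample_session("12.1", "3.0.2", managed), ALLOWED_IDS))
    print(prelogon_check(sample_session("9.3", "3.0.2", managed), ALLOWED_IDS))
    print(prelogon_check(sample_session("12.1", "3.0.2", {}), ALLOWED_IDS))
```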

About automatically launching applications from mobile devices

You can configure F5 Access to launch an app with a registered URL scheme after a VPN connection is established.

Auto-launching applications from F5 Access

You can configure applications to automatically start on F5 Access once a connection is initiated.
  1. On the Main tab, click Access > Connectivity / VPN > Network Access (VPN) > Network Access Lists.
  2. Click the name of your network access resource on the list.
  3. Click the Launch Applications tab.
  4. Click Add.
  5. In the Application Path field, type in your application path in the form of a URL scheme, for example, skype://14082734800?call.
  6. Type any required parameters in the Parameters field.
  7. From the Operating System list, select iOS.
  8. Click Finished.
    On the device, a warning is issued before the local application executes.

About network integration on iOS devices

Access Policy Manager® provides web application-level security to prevent malware attacks. As an administrator, you can enforce all web access through a secured gateway, as well as bypass secure gateways for internal resources. This is especially helpful, for example, when you have clients using corporate tablets, smartphones, or other mobile devices to browse the web.

Setting up network access

You can force traffic through a tunnel on F5 Access.
Even if you disable Allow local subnet access while enabling Force all traffic through tunnel, the client still permits local subnet traffic to travel outside of the tunnel. This is a limitation of iOS and not of F5 Access.
  1. On the Main tab, click Access Policy > Network Access > Network Access List.
    The Network Access List screen opens.
  2. Click the name to select a network access resource on the Resource List.
    The Network Access editing screen opens.
  3. To configure the network settings for the network access resource, click Network Settings on the menu bar.
  4. To optionally force all traffic through the tunnel, next to Traffic Options, enable Force all traffic through tunnel.
    If you enable Use split tunneling for traffic, you must also specify either a DNS suffix or a DNS Address Space pattern to use the VPN DNS servers. If the DNS Suffix and DNS Address Space fields are both left blank, F5 Access does not use the VPN DNS servers and sends all DNS traffic to public DNS servers.
  5. To allow local subnet traffic to bypass the tunnel, select the Enable check box for Allow Local Subnet. This traffic bypasses the tunnel.
  6. Click Update.
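The DNS consequence of step 4 is easy to get wrong: with split tunneling on and both DNS fields blank, every query, including those for internal names, leaves through the public resolver. The following Python is an added example, not F5 code, that models the documented rule so a planned configuration can be checked against a list of names before it is deployed. Suffix matching is done on DNS labels, so a suffix of corp.example does not match evilcorp.example; shell-style "*" wildcards for DNS Address Space patterns are an assumption about the pattern syntax, and the configuration and query names are constructed.

```python
"""Model of the split-tunnel DNS behaviour described in step 4: a query goes
to the VPN DNS servers only when the name matches a configured DNS Suffix or
a DNS Address Space pattern; with both lists empty every query goes public.

Added example, not F5 code. Wildcard handling for DNS Address Space patterns
is assumed to be shell-style. Configuration and query names are constructed.
"""
from __future__ import annotations

import fnmatch


def _labels(name: str) -> list[str]:
    """Normalise a DNS name into lower-case labels without a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches_suffix(name: str, suffix: str) -> bool:
    """True if name equals suffix or is a subdomain of it. Matching is on
    whole labels, so 'evilcorp.example' does not match suffix 'corp.example'."""
    n, s = _labels(name), _labels(suffix.lstrip("."))
    return len(n) >= len(s) and n[-len(s):] == s


def resolver_for(name: str, dns_suffixes: list[str], address_space: list[str]) -> str:
    """Return 'vpn' or 'public' for a DNS query name."""
    if any(matches_suffix(name, s) for s in dns_suffixes):
        return "vpn"
    normalised = name.rstrip(".").lower()
    if any(fnmatch.fnmatch(normalised, p.lower()) for p in address_space):
        return "vpn"
    return "public"


def plan(names: list[str], dns_suffixes: list[str], address_space: list[str]) -> dict[str, str]:
    """Map every query name to the resolver it would reach."""
    return {n: resolver_for(n, dns_suffixes, address_space) for n in names}


# Constructed configuration and sample queries.
SUFFIXES = ["corp.example"]
PATTERNS = ["*.intranet.example"]
QUERIES = ["mail.corp.example", "corp.example", "evilcorp.example",
           "wiki.intranet.example", "www.example.org"]

if __name__ == "__main__":
    print(plan(QUERIES, SUFFIXES, PATTERNS))
    print(plan(QUERIES, [], []))   # both fields blank: everything goes public
```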

About IPv6 single stack support

F5 Access supports VPN tunnel on IPv6 single stack devices.

Supported APM deployment scenario

F5 Access running on devices with an IPv6 single stack can establish a VPN connection with a BIG-IP APM that communicates over IPv4. However, this requires a NAT64 translator to perform the required IPv6 to IPv4 protocol conversion. Refer to the APM supported configuration section for more information.
The F5 Access client supports the specified deployment scenario as long as the NAT64 conversion device is used between the client and BIG-IP APM.
The following block diagram illustrates the supported deployment scenario:
APM supported configuration:
Basic IPv4 APM network access configuration with IPv4 lease pool.

Map IPv6 to IPv4 protocol conversion through NAT64

For the BIG-IP system, Network Address Translation (NAT64) functions as a translator that maps F5 Access client IPv6 private addresses to BIG-IP IPv4 internet public addresses. NAT64 translates the client IPv6 addresses to the BIG-IP IPv4 addresses and allows Internet traffic from an IPv6 client to reach a public IPv4 server.
When an IPv6 client initiates a request to the IPv4 server, the NAT64 translates the IPv6 packet into IPv4 and sends the translated packet to the IPv4 server. After receiving the IPv4 server's response packet, the NAT64 translates the IPv4 packet into IPv6 and sends the response to the client.
Note: In real-world deployments, the ISP may possess the NAT64 capabilities required for IPv6 to IPv4 protocol conversion and vice-versa.
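The address arithmetic a NAT64 translator relies on is standardised in RFC 6052: the IPv4 address of the server (here, the BIG-IP) is embedded in the low 32 bits of an IPv6 address under the NAT64 prefix, and the translator recovers it when it rewrites the packet. The following Python is an added example, not F5 code; it shows the mapping with the well-known prefix 64:ff9b::/96 and does not model packet translation or BIG-IP configuration. The IPv4 address used is from the RFC 5737 documentation range and is constructed for the example.

```python
"""RFC 6052 address mapping used by NAT64: embed an IPv4 address under a /96
NAT64 prefix (here the well-known prefix 64:ff9b::/96) and extract it again.

Added example, not F5 code; it shows the address arithmetic only, not the
packet translation or the BIG-IP configuration. Addresses are constructed.
"""
from __future__ import annotations

import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example handles /96 prefixes only")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str | None:
    """Recover the IPv4 address from a NAT64-synthesized IPv6 address, or
    return None when the address is not under the NAT64 prefix (native IPv6)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


if __name__ == "__main__":
    v6 = synthesize("198.51.100.10")   # RFC 5737 documentation address, constructed
    print(v6, "->", extract(v6))
    print("2001:db8::1 ->", extract("2001:db8::1"))
```

When debugging a NAT64 deployment, comparing the destination address the client actually uses against synthesize() of the BIG-IP's IPv4 address quickly tells you whether the ISP's or your own NAT64 prefix is in play.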

Prerequisites for configuring F5 Access

Before configuring F5 Access for iOS devices, you must complete the following requirements:
  • Set up BIG-IP® Access Policy Manager®.
  • Run the Network Access Setup Wizard.
Additional information about network access and connectivity profiles can be found in the BIG-IP® Access Policy Manager®: Network Access Configuration guide.