Manual Chapter :
Managing Devices for F5 Access
Applies To:
Show Versions
BIG-IP APM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Managing Devices for F5 Access
About managing devices
With an MDM, you manage devices by enrolling them. Refer to your MDM documentation to enroll
devices. With this release, your MDM vendor may not include built-in support. We provide general
guidance for your MDM configuration, if it supports custom configurations.
A user must enroll the device with the MDM in order for you to manage the
device. However, you can deploy VPN configurations to the devices that aren't under management.
F5 Access must be installed on the device to deploy configurations. F5 Access can be installed
either by the user, or deployed with the MDM solution.
Creating a configuration profile for the managed device
A configuration profile enables the per-app VPN feature on a managed device, and
specifies which apps use the VPN.
- Create a configuration profile for the device.Configuration profiles are described at the Apple Configuration Profile Reference.
Configure Access Policy Manager® to provide the necessary
support for per-app VPN features.
Device identification configuration profile settings
These are settings for identifying devices in an MDM profile.
Device identification settings
Hardware manufacturers have phased out support for many methods of device
identification, including UDID, wireless MAC, and others. To identify devices, you
can use the device IDs assigned by the MDM.
Key |
Type |
Description |
|---|---|---|
MdmAssignedId |
String |
The internal device ID assigned to the device by the MDM. |
MdmInstanceId |
String |
An arbitrary string that identifies particular MDM instance. |
MdmDeviceUniqueId |
String |
An assigned ID for the device. |
MdmDeviceWifiMacAddress |
String |
The wireless MAC address of the device. |
MdmDeviceSerialNumber |
String |
An assigned serial number for the device. |
Device ID example for macOS
macOS
In this example, the commands are deployed in the VendorConfig document.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> ... <key>VendorConfig</key> <dict> <key>MdmAssignedId</key> <string>MDM assigned ID here</string> <key>MdmInstanceId</key> <string>some MDM instance ID here</string> <key>MdmDeviceUniqueId</key> <string>device macOS UDID here</string> <key>MdmDeviceWifiMacAddress</key> <string>device wifi mac address here</string> <key>MdmDeviceSerialNumber</key> <string>device serial number here</string> </dict> ...
Always On VPN setting
This setting configures Always On mode in an MDM profile.
Always On configuration
In the MDM configuration profile, you can
enable Always On VPN by setting an On Demand rule with the key URLStringProbe. This
allows the On Demand VPN to start as soon as the "probed" URL is contacted.
<key>OnDemandRules</key> <array> <dict> <key>Action</key> <string>Connect</string> <key>URLStringProbe</key> <array> <string>https://on.example.com</string> </array> </dict> </array>
Example Always On VPN configuration profile
Includes a sample configuration profile for an Always On VPN profile.
Always On VPN configuration example profile
The following example uses sample data only. For your own configuration, items like the
PayloadDisplayName
, PayloadUUID
,
UserDefinedName
, and the user name, password and certificate information
must be customized to your network and installation.<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>IPv4</key> <dict> <key>OverridePrimary</key> <integer>0</integer> </dict> <key>PayloadDescription</key> <string>Configures VPN settings, including authentication.</string> <key>PayloadDisplayName</key> <string>Always on VPN (URL probe)</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.profile</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>com.apple.vpn.managed</string> <key>PayloadUUID</key> <string>3A0ED411-E55C-4551-AE35-950CE54B08D5</string> <key>PayloadVersion</key> <integer>1</integer> <key>Proxies</key> <dict/> <key>UserDefinedName</key> <string>OnDemandAlwaysOnConfig</string> <key>VPN</key> <dict> <key>AuthName</key> <string>username</string> <key>AuthPassword</key> <string>password</string> <key>AuthenticationMethod</key> <string>Password</string> <key>RemoteAddress</key> <string>https://vpn.example.com</string> <key>ProviderType</key> <string>packet-tunnel</string> <key>ProviderBundleIdentifier</key> <string>com.f5.access.macos.PacketTunnel</string> </dict> <key>VPNSubType</key> <string>com.f5.access.macos</string> <key>VPNType</key> <string>VPN</string> <key>VendorConfig</key> <dict/> <key>OnDemandEnabled</key> <integer>1</integer> <key>OnDemandRules</key> <array> <dict> <key>Action</key> <string>Connect</string> <key>URLStringProbe</key> <array> <string>https://vpn.example.com</string> </array> </dict> </array> </dict> </array> <key>PayloadDescription</key> <string>F5Access test</string> <key>PayloadDisplayName</key> <string>OnDemandRuleURLProbeTest</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.profile</string> <key>PayloadOrganization</key> <string></string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>A6F83919-B570-41FE-A84F-52DAC24838E8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
Device-wide VPN configuration profile settings
Settings for the device-wide VPN profiles in an MDM configuration.
Device-wide VPN settings
Configure a device-wide VPN by specifyng the VPN payload.
For the
F5 Access PayloadType
value, specify
com.apple.vpn.managed
. 2.0
VPN configurations must define
the following keys: Key |
Type |
Description |
|---|---|---|
PayloadType |
String |
com.apple.vpn.managed |
VPNType |
String |
VPN |
VPNSubType |
String |
com.f5.access.macos |
ProviderBundleIdentifier |
String |
Optional key: com.f5.access.macos.PacketTunnel |
OnDemandEnabled |
Int |
Optional key: 1 if the VPN connection should be brought up on demand, or else
0 . |
OnDemandRules |
Array of Dictionaries |
Optional key. Determines when and how an on-demand VPN should be used. See On Demand Rules Dictionary Keys for details. |
Example device-wide VPN configuration profile
Includes a sample configuration profile for the device-wide VPN configuration
profile.
Device-wide VPN configuration example profile
The following example uses sample data only. For your own configuration, items like the
PayloadDisplayName
, PayloadUUID
,
UserDefinedName
, and the user name, password and certificate information
must be customized to your network and installation.<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>IPv4</key> <dict> <key>OverridePrimary</key> <integer>0</integer> </dict> <key>PayloadDescription</key> <string>Configures VPN settings, including authentication.</string> <key>PayloadDisplayName</key> <string>VPN (Client Certificate)</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.profile</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>com.apple.vpn.managed</string> <key>PayloadUUID</key> <string>3A0ED411-E55C-4551-AE35-650CE54B08D5</string> <key>PayloadVersion</key> <integer>1</integer> <key>Proxies</key> <dict/> <key>UserDefinedName</key> <string>vpn_test</string> <key>VPN</key> <dict> <key>AuthName</key> <string>user_name</string> <key>AuthPassword</key> <string>user_password</string> <key>AuthenticationMethod</key> <string>Password+Certificate</string> <key>PayloadCertificateUUID</key> <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string> <key>RemoteAddress</key> <string>https://test.lab.example.com</string> <key>ProviderType</key> <string>packet-tunnel</string> <key>ProviderBundleIdentifier</key> <string>com.f5.access.macos.PacketTunnel</string> </dict> <key>VPNSubType</key> <string>com.f5.access.macos</string> <key>VPNType</key> <string>VPN</string> <key>VendorConfig</key> <dict/> </dict> <dict> <key>Password</key> <string>123456</string> <key>PayloadCertificateFileName</key> <string>identity.p12</string> <key>PayloadContent</key> <data> MIIJCQIBAzCCCM8GCSqGSIb3DQEHAaCCCMAEggi8MIIIuDCCA28GCSqGSIb3DQEHBqCCA2AwggNcAgEA MIIDVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIzdOkMx7b/skCAggAgIIDKNjtUzTS2/diyoiU ... 1Ez4mnbrWzElMCMGCSqGSIb3DQEJFTEWBBQAFBOqYFJlbkBoqPfCMK5F1BXODDAxMCEwCQYFKw4DAhoF AAQUqF+54GDMxB3FcOmVKmAOIMKzxl8ECAKbcibSFUHZAgIIAA== </data> <key>PayloadDescription</key> <string>Provides device authentication (certificate or identity).</string> <key>PayloadDisplayName</key> <string>identity.p12</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.credential</string> <key>PayloadOrganization</key> <string/> <key>PayloadType</key> <string>com.apple.security.pkcs12</string> <key>PayloadUUID</key> <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string>f5 mac tunnel test</string> <key>PayloadDisplayName</key> <string>mac_vpn_mdm_profile</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.profile</string> <key>PayloadOrganization</key> <string></string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>A6F83919-B570-41FE-A84F-52DAC24838D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
Per-App VPN configuration profile settings
Settings for the per-app VPN profile in an MDM.
Per-App VPN settings
The per-app VPN payload supports all of the keys described in the Apple Configuration Profile Reference. These keys,
specific to the per-app VPN payload, are described in that reference as well.
Key |
Type |
Description |
|---|---|---|
PayloadType |
String |
com.apple.vpn.managed.applayer |
VPNType |
String |
VPN |
ProviderType |
String |
packet-tunnel |
VPNSubType |
String |
com.f5.access.macos |
ProviderBundleIdentifier |
String |
Optional key: com.f5.access.macos.PacketTunnel |
VPNUUID |
String |
A globally-unique identifier for this VPN configuration. This identifier is used to
configure apps so that they use the per-app VPN service for all of their network
communication. |
OnDemandMatchAppEnabled (optional) |
Boolean |
If true , the per-app VPN connection starts automatically when apps
linked to this per-app VPN service initiate network communication.If false , the per-app VPN connection will not start.If this key is not present, the value of the OnDemandEnabled key is used to determine the
status of per-app VPN On Demand. |
SafariDomains (optional) |
Array |
This key is a special case of App-to-Per App VPN Mapping. It sets up the app mapping for Safari
with a specific identifier and a designated requirement. The array contains strings, each of which is a domain that triggers a VPN connection in
Safari. Do not specify a full URI; rule matching works only with the domain name. The rule
matching behavior is as follows:
|
Example per-app VPN configuration profile
Includes a sample configuration profile for the per-app VPN configuration
profile.
Per-App VPN configuration example profile
The following example uses sample data only. For your own configuration, items like the
PayloadDisplayName
, PayloadUUID
,
UserDefinedName
, and the user name, password and certificate information
must be customized to your network and installation.<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>IPv4</key> <dict> <key>OverridePrimary</key> <integer>0</integer> </dict> <key>PayloadDescription</key> <string>Configures VPN settings, including authentication.</string> <key>PayloadDisplayName</key> <string>VPN (Per-App VPN Test)</string> <key>PayloadIdentifier</key> <string>com.f5.mdm.perapp.vpn.vpn</string> <key>PayloadOrganization</key> <string/> <key>PayloadType</key> <string>com.apple.vpn.managed.applayer</string> <key>PayloadUUID</key> <string>5A015006-D559-4C5C-B197-737CF4DCFA96</string> <key>PayloadVersion</key> <integer>1</integer> <key>Proxies</key> <dict/> <key>UserDefinedName</key> <string>Per-App VPN Test</string> <key>VPN</key> <dict> <key>AuthName</key> <string>test</string> <key>AuthPassword</key> <string>test</string> <key>AuthenticationMethod</key> <string>Certificate</string> <key>PayloadCertificateUUID</key> <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string> <key>RemoteAddress</key> <string>https://portal.example.com</string> <key>OnDemandMatchAppEnabled</key> <true/> <key>ProviderType</key> <string>packet-tunnel</string> <key>ProviderBundleIdentifier</key> <string>com.f5.access.macos.PacketTunnel</string> </dict> <key>VPNSubType</key> <string>com.f5.access.macos</string> <key>VPNType</key> <string>VPN</string> <key>VendorConfig</key> <dict/> <key>SafariDomains</key> <array> <string>example.com</string> <string>main.example.com</string> </array> <key>VPNUUID</key> <string>FEC8510C-3F8A-4C51-8EFC-21A21D485C3C</string> </dict> <dict> <key>Password</key> <string>123456</string> <key>PayloadCertificateFileName</key> <string>identity.p12</string> <key>PayloadContent</key> <data> MIIL2QIBAzCCC58GCSqGSIb3DQEHAaCCC5AEgguMMIILiDCCBj8G CSqGSIb3DQEHBqCCBjAwggYsAgEAMIIGJQYJKoZIhvcNAQcBMBwG ... BBQAFBOqYFJlbkBoqPfCMK5F1BXODDAxMCEwCQYFKw4DAhoFAAQU hxd6YPi7JKB/24dSls9gKO/DHVoECHap2RUyKvQTAgIIAA== </data> <key>PayloadDescription</key> <string>Provides device authentication (certificate or identity).</string> <key>PayloadDisplayName</key> <string>identity.p12</string> <key>PayloadIdentifier</key> <string>com.f5.mdm.perapp.vpn.credential</string> <key>PayloadOrganization</key> <string/> <key>PayloadType</key> <string>com.apple.security.pkcs12</string> <key>PayloadUUID</key> <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string>PerApp VPN Payload Test</string> <key>PayloadDisplayName</key> <string>MDM - Per-App VPN</string> <key>PayloadIdentifier</key> <string>com.f5.mdm.perapp.vpn</string> <key>PayloadOrganization</key> <string/> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>06A850CC-BC81-43FB-AA16-42BE472D2421</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
App to Per-App VPN mapping
Settings for mapping an app to Per-App VPN.
App to Per-App VPN mapping
If you want applications to use Per-App VPN service for all of their network communication,
add a payload dictionary with the following keys to the configuration profile.
Key |
Type |
Value |
|---|---|---|
PayloadType |
String |
com.apple.vpn.managed.appmapping |
AppLayerVPNMapping |
Array of dictionaries |
An array of mapping dictionaries. |
Key |
Type |
Value |
|---|---|---|
Identifier |
String |
The app's bundle ID. For example, for Google Chrome:
Identifier: com.google.Chrome Identifier: org.mozilla.firefox |
VPNUUID |
String |
The VPNUUID of the Per-App VPN defined in a Per-App VPN payload |
DesignatedRequirement |
String |
The code signature designated requirement of the app that will use the Per-App
VPN. |
SigningIdentifier |
String |
The code signature signing identifier of the app that will use the Per-App
VPN. |
Example app to Per-App VPN mapping profile
Includes a sample configuration profile for app to per-app VPN mapping.
App to Per-App VPN configuration example profile
The following example uses sample data only. For your own configuration, items like the
PayloadDisplayName
, PayloadUUID
,
UserDefinedName
, and the user name, password and certificate information
must be customized to your network and installation.<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>PayloadDescription</key> <string>Configures VPN app mapping settings</string> <key>PayloadDisplayName</key> <string>VPN (Per-App VPN TCP App Mapping)</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.perapp.vpn.appmapping</string> <key>PayloadOrganization</key> <string/> <key>PayloadType</key> <string>com.apple.vpn.managed.appmapping</string> <key>PayloadUUID</key> <string>6B015006-D559-4C5C-B197-737CF4DCFA96</string> <key>PayloadVersion</key> <integer>1</integer> <key>AppLayerVPNMapping</key> <array> <dict> <key>Identifier</key> <string>com.google.Chrome</string> <key>VPNUUID</key> <string>6A015006-D559-4C5C-B197-737CF4DCFA96</string> <key>SigningIdentifier</key> <string>com.google.Chrome</string> <key>DesignatedRequirement</key> <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")</string> </dict> <dict> <key>Identifier</key> <string>org.mozilla.firefox</string> <key>VPNUUID</key> <string>6A015006-D559-4C5C-B197-737CF4DCFA96</string> <key>SigningIdentifier</key> <string>org.mozilla.firefox</string> <key>DesignatedRequirement</key> <string>anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"</string> </dict> </array> </dict> <dict> <key>PayloadType</key> <string>com.apple.vpn.managed.applayer</string> <key>PayloadDescription</key> <string>Configures VPN settings, including authentication.</string> <key>PayloadDisplayName</key> <string>VPN (Per-App VPN App Mapping)</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.perapp.vpn.vpn</string> <key>PayloadOrganization</key> <string/> <key>PayloadUUID</key> <string>5A015006-D559-4C5C-B197-737CF4DCFA96</string> <key>PayloadVersion</key> <integer>1</integer> <key>Proxies</key> <dict/> <key>UserDefinedName</key> <string>App Mapping</string> <key>VPN</key> <dict> <key>AuthName</key> <string>test</string> <key>AuthPassword</key> <string>test</string> <key>AuthenticationMethod</key> <string>Password</string> <key>RemoteAddress</key> <string>https://portal.example.com</string> <key>OnDemandMatchAppEnabled</key> <true/> <key>ProviderType</key> <string>packet-tunnel</string> <key>ProviderBundleIdentifier</key> <string>com.f5.access.macos.PacketTunnel</string> </dict> <key>VPNSubType</key> <string>com.f5.access.macos</string> <key>VPNType</key> <string>VPN</string> <key>VendorConfig</key> <dict/> <key>VPNUUID</key> <string>6A015006-D559-4C5C-B197-737CF4DCFA96</string> </dict> </array> <key>PayloadDescription</key> <string>PerApp VPN Payload TCP Test</string> <key>PayloadDisplayName</key> <string>MDM - Per-App VPN TCP</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.perapp.vpn</string> <key>PayloadOrganization</key> <string/> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>06A850CC-BC81-43FB-AA16-42BE472D2421</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>
