Manual Chapter : Managing Devices for F5 Access

Applies To:

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About managing devices

With an MDM, you manage devices by enrolling them. Refer to your MDM documentation to enroll devices. With this release, your MDM vendor may not include built-in support for F5 Access; we provide general guidance for your MDM configuration if it supports custom configurations.
A user must enroll the device with the MDM in order for you to manage the device. However, you can also deploy VPN configurations to devices that are not under management. F5 Access must be installed on the device before a configuration can be deployed to it. F5 Access can be installed either by the user or deployed with the MDM solution.

Creating a configuration profile for the managed device

A configuration profile enables the per-app VPN feature on a managed device, and specifies which apps use the VPN.
  1. Create a configuration profile for the device.
     Configuration profiles are described in the Apple Configuration Profile Reference.
  2. Configure Access Policy Manager® to provide the necessary support for per-app VPN features.

Device identification configuration profile settings

These are settings for identifying devices in an MDM profile.

Device identification settings

Hardware manufacturers have phased out support for many methods of device identification, including UDID, wireless MAC, and others. To identify devices, you can use the device IDs assigned by the MDM.
Device identification commands

Key                       Type    Description
MdmAssignedId             String  The internal device ID assigned to the device by the MDM.
MdmInstanceId             String  An arbitrary string that identifies a particular MDM instance.
MdmDeviceUniqueId         String  An assigned ID for the device.
MdmDeviceWifiMacAddress   String  The wireless MAC address of the device.
MdmDeviceSerialNumber     String  An assigned serial number for the device.

Device ID example for macOS

In this example, the device identification keys are placed in the VendorConfig dictionary of the VPN payload. The values shown are placeholders to be replaced with the IDs your MDM assigns.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    ...
    <key>VendorConfig</key>
    <dict>
        <key>MdmAssignedId</key>
        <string>MDM assigned ID here</string>
        <key>MdmInstanceId</key>
        <string>some MDM instance ID here</string>
        <key>MdmDeviceUniqueId</key>
        <string>device macOS UDID here</string>
        <key>MdmDeviceWifiMacAddress</key>
        <string>device wifi mac address here</string>
        <key>MdmDeviceSerialNumber</key>
        <string>device serial number here</string>
    </dict>
    ...

Always On VPN setting

This setting configures Always On mode in an MDM profile.

Always On configuration

In the MDM configuration profile, you can enable Always On VPN by setting an On Demand rule with the key URLStringProbe. This causes the On Demand VPN to start as soon as the "probed" URL is contacted.
The rule is configured as follows:

<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>Connect</string>
        <key>URLStringProbe</key>
        <array>
            <string>https://on.example.com</string>
        </array>
    </dict>
</array>
Example Always On VPN configuration profile
Includes a sample configuration profile for an Always On VPN profile.

Always On VPN configuration example profile

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings, including authentication.</string>
            <key>PayloadDisplayName</key>
            <string>Always on VPN (URL probe)</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.access.macos.vpn.profile</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>3A0ED411-E55C-4551-AE35-950CE54B08D5</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict/>
            <key>UserDefinedName</key>
            <string>OnDemandAlwaysOnConfig</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>username</string>
                <key>AuthPassword</key>
                <string>password</string>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>RemoteAddress</key>
                <string>https://vpn.example.com</string>
                <key>ProviderType</key>
                <string>packet-tunnel</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.f5.access.macos.PacketTunnel</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.f5.access.macos</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict/>
            <key>OnDemandEnabled</key>
            <integer>1</integer>
            <key>OnDemandRules</key>
            <array>
                <dict>
                    <key>Action</key>
                    <string>Connect</string>
                    <key>URLStringProbe</key>
                    <array>
                        <string>https://vpn.example.com</string>
                    </array>
                </dict>
            </array>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>F5Access test</string>
    <key>PayloadDisplayName</key>
    <string>OnDemandRuleURLProbeTest</string>
    <key>PayloadIdentifier</key>
    <string>com.f5.access.macos.vpn.profile</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A6F83919-B570-41FE-A84F-52DAC24838E8</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Device-wide VPN configuration profile settings

Settings for the device-wide VPN profiles in an MDM configuration.

Device-wide VPN settings

Configure a device-wide VPN by specifying the VPN payload. For the PayloadType value, specify com.apple.vpn.managed.
F5 Access 2.0 VPN configurations must define the following keys:
System-Wide VPN specific keys

Key                        Type                   Description
PayloadType                String                 com.apple.vpn.managed
VPNType                    String                 VPN
VPNSubType                 String                 com.f5.access.macos
ProviderBundleIdentifier   String                 Optional key: com.f5.access.macos.PacketTunnel
OnDemandEnabled            Int                    Optional key: 1 if the VPN connection should be brought up on demand, or else 0.
OnDemandRules              Array of Dictionaries  Optional key. Determines when and how an on-demand VPN should be used. See On Demand Rules Dictionary Keys for details.
Example device-wide VPN configuration profile
Includes a sample configuration profile for the device-wide VPN configuration profile.

Device-wide VPN configuration example profile

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings, including authentication.</string>
            <key>PayloadDisplayName</key>
            <string>VPN (Client Certificate)</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.access.macos.vpn.profile</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadUUID</key>
            <string>3A0ED411-E55C-4551-AE35-650CE54B08D5</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict/>
            <key>UserDefinedName</key>
            <string>vpn_test</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>user_name</string>
                <key>AuthPassword</key>
                <string>user_password</string>
                <key>AuthenticationMethod</key>
                <string>Password+Certificate</string>
                <key>PayloadCertificateUUID</key>
                <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>
                <key>RemoteAddress</key>
                <string>https://test.lab.example.com</string>
                <key>ProviderType</key>
                <string>packet-tunnel</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.f5.access.macos.PacketTunnel</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.f5.access.macos</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict/>
        </dict>
        <dict>
            <key>Password</key>
            <string>123456</string>
            <key>PayloadCertificateFileName</key>
            <string>identity.p12</string>
            <key>PayloadContent</key>
            <data>
            MIIJCQIBAzCCCM8GCSqGSIb3DQEHAaCCCMAEggi8MIIIuDCCA28GCSqGSIb3DQEHBqCCA2AwggNcAgEA
            MIIDVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIzdOkMx7b/skCAggAgIIDKNjtUzTS2/diyoiU
            ...
            1Ez4mnbrWzElMCMGCSqGSIb3DQEJFTEWBBQAFBOqYFJlbkBoqPfCMK5F1BXODDAxMCEwCQYFKw4DAhoF
            AAQUqF+54GDMxB3FcOmVKmAOIMKzxl8ECAKbcibSFUHZAgIIAA==
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>identity.p12</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.access.macos.vpn.credential</string>
            <key>PayloadOrganization</key>
            <string/>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>f5 mac tunnel test</string>
    <key>PayloadDisplayName</key>
    <string>mac_vpn_mdm_profile</string>
    <key>PayloadIdentifier</key>
    <string>com.f5.access.macos.vpn.profile</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A6F83919-B570-41FE-A84F-52DAC24838D8</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

Per-App VPN configuration profile settings

Settings for the per-app VPN profile in an MDM.

Per-App VPN settings

The per-app VPN payload supports all of the keys described in the Apple Configuration Profile Reference. These keys, specific to the per-app VPN payload, are described in that reference as well.
Per-App VPN keys

Key                        Type     Description
PayloadType                String   com.apple.vpn.managed.applayer
VPNType                    String   VPN
ProviderType               String   packet-tunnel
VPNSubType                 String   com.f5.access.macos
ProviderBundleIdentifier   String   Optional key: com.f5.access.macos.PacketTunnel
VPNUUID                    String   A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the per-app VPN service for all of their network communication.
OnDemandMatchAppEnabled    Boolean  Optional. If true, the per-app VPN connection starts automatically when apps linked to this per-app VPN service initiate network communication. If false, the per-app VPN connection will not start. If this key is not present, the value of the OnDemandEnabled key is used to determine the status of per-app VPN On Demand.
SafariDomains              Array    Optional. This key is a special case of App-to-Per-App VPN mapping: it sets up the app mapping for Safari with a specific identifier and a designated requirement. The array contains strings, each of which is a domain that triggers a VPN connection in Safari. Do not specify a full URI; rule matching works only with the domain name.

The SafariDomains rule matching behavior is as follows:
  • Before being matched against a host, all leading and trailing dots are stripped from the domain string. For example, if the domain string is .com, the domain string used to match is com.
  • Each label in the domain string must match an entire label in the host string. For example, a domain of example.com matches www.example.com, but not old.badexample.com.
  • Domain strings with only one label must match the entire host string. For example, a domain of com matches com, not www.example.com.
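As an added worked example (not code from the F5 manual), the SafariDomains matching rules above implemented as a small Python checker, so that a profile author can see which hosts a given domain list would route through the per-app VPN before deploying it. It assumes the rules mean that the domain's labels must match the trailing labels of the host, as the examples in the rules imply; the test hosts are constructed.

```python
def normalize_domain(domain: str) -> str:
    """Strip leading and trailing dots, as the rule matching does ('.com' -> 'com')."""
    return domain.strip(".").lower()


def domain_matches_host(domain: str, host: str) -> bool:
    """Return True if a SafariDomains entry matches a host name.

    Each label of the domain must match an entire label of the host, aligned to
    the end of the host, so 'example.com' matches 'www.example.com' but not
    'old.badexample.com'. A single-label domain must match the whole host.
    """
    d_labels = normalize_domain(domain).split(".")
    h_labels = host.strip(".").lower().split(".")
    if d_labels == [""]:            # empty or dots-only entry never matches
        return False
    if len(d_labels) == 1:          # single label: whole-host match only
        return h_labels == d_labels
    if len(d_labels) > len(h_labels):
        return False
    return h_labels[-len(d_labels):] == d_labels


def hosts_routed_via_vpn(safari_domains, hosts):
    """Map each host to the first SafariDomains entry that matches it (None if no match)."""
    return {h: next((d for d in safari_domains if domain_matches_host(d, h)), None)
            for h in hosts}


if __name__ == "__main__":
    # Domains from the chapter's per-app VPN example; the hosts are constructed test input.
    domains = ["example.com", "main.example.com"]
    routed = hosts_routed_via_vpn(domains, ["www.example.com", "main.example.com",
                                            "old.badexample.com", "com"])
    for host, rule in routed.items():
        print(f"{host:22} -> {'VPN via ' + rule if rule else 'not routed via VPN'}")
```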
Example per-app VPN configuration profile
Includes a sample configuration profile for the per-app VPN configuration profile.

Per-App VPN configuration example profile

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>IPv4</key>
            <dict>
                <key>OverridePrimary</key>
                <integer>0</integer>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures VPN settings, including authentication.</string>
            <key>PayloadDisplayName</key>
            <string>VPN (Per-App VPN Test)</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.mdm.perapp.vpn.vpn</string>
            <key>PayloadOrganization</key>
            <string/>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.applayer</string>
            <key>PayloadUUID</key>
            <string>5A015006-D559-4C5C-B197-737CF4DCFA96</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict/>
            <key>UserDefinedName</key>
            <string>Per-App VPN Test</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>test</string>
                <key>AuthPassword</key>
                <string>test</string>
                <key>AuthenticationMethod</key>
                <string>Certificate</string>
                <key>PayloadCertificateUUID</key>
                <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>
                <key>RemoteAddress</key>
                <string>https://portal.example.com</string>
                <key>OnDemandMatchAppEnabled</key>
                <true/>
                <key>ProviderType</key>
                <string>packet-tunnel</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.f5.access.macos.PacketTunnel</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.f5.access.macos</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict/>
            <key>SafariDomains</key>
            <array>
                <string>example.com</string>
                <string>main.example.com</string>
            </array>
            <key>VPNUUID</key>
            <string>FEC8510C-3F8A-4C51-8EFC-21A21D485C3C</string>
        </dict>
        <dict>
            <key>Password</key>
            <string>123456</string>
            <key>PayloadCertificateFileName</key>
            <string>identity.p12</string>
            <key>PayloadContent</key>
            <data>
            MIIL2QIBAzCCC58GCSqGSIb3DQEHAaCCC5AEgguMMIILiDCCBj8G
            CSqGSIb3DQEHBqCCBjAwggYsAgEAMIIGJQYJKoZIhvcNAQcBMBwG
            ...
            BBQAFBOqYFJlbkBoqPfCMK5F1BXODDAxMCEwCQYFKw4DAhoFAAQU
            hxd6YPi7JKB/24dSls9gKO/DHVoECHap2RUyKvQTAgIIAA==
            </data>
            <key>PayloadDescription</key>
            <string>Provides device authentication (certificate or identity).</string>
            <key>PayloadDisplayName</key>
            <string>identity.p12</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.mdm.perapp.vpn.credential</string>
            <key>PayloadOrganization</key>
            <string/>
            <key>PayloadType</key>
            <string>com.apple.security.pkcs12</string>
            <key>PayloadUUID</key>
            <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>PerApp VPN Payload Test</string>
    <key>PayloadDisplayName</key>
    <string>MDM - Per-App VPN</string>
    <key>PayloadIdentifier</key>
    <string>com.f5.mdm.perapp.vpn</string>
    <key>PayloadOrganization</key>
    <string/>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>06A850CC-BC81-43FB-AA16-42BE472D2421</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

App to Per-App VPN mapping

Settings for mapping an app to Per-App VPN.

App to Per-App VPN mapping

If you want applications to use the Per-App VPN service for all of their network communication, add a payload dictionary with the following keys to the configuration profile.
App to Per-App VPN payload dictionary keys

Key                  Type                   Value
PayloadType          String                 com.apple.vpn.managed.appmapping
AppLayerVPNMapping   Array of dictionaries  An array of mapping dictionaries.

AppLayerVPNMapping dictionary entry array keys

Key                     Type    Value
Identifier              String  The app's bundle ID. For example, com.google.Chrome for Google Chrome, or org.mozilla.firefox for Firefox.
VPNUUID                 String  The VPNUUID of the Per-App VPN defined in a Per-App VPN payload.
DesignatedRequirement   String  The code signature designated requirement of the app that will use the Per-App VPN.
SigningIdentifier       String  The code signature signing identifier of the app that will use the Per-App VPN.
Example app to Per-App VPN mapping profile
Includes a sample configuration profile for app to per-app VPN mapping.

App to Per-App VPN configuration example profile

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures VPN app mapping settings</string>
            <key>PayloadDisplayName</key>
            <string>VPN (Per-App VPN TCP App Mapping)</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.access.macos.perapp.vpn.appmapping</string>
            <key>PayloadOrganization</key>
            <string/>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.appmapping</string>
            <key>PayloadUUID</key>
            <string>6B015006-D559-4C5C-B197-737CF4DCFA96</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>AppLayerVPNMapping</key>
            <array>
                <dict>
                    <key>Identifier</key>
                    <string>com.google.Chrome</string>
                    <key>VPNUUID</key>
                    <string>6A015006-D559-4C5C-B197-737CF4DCFA96</string>
                    <key>SigningIdentifier</key>
                    <string>com.google.Chrome</string>
                    <key>DesignatedRequirement</key>
                    <string>(identifier "com.google.Chrome" or identifier "com.google.Chrome.beta" or identifier "com.google.Chrome.dev" or identifier "com.google.Chrome.canary") and (certificate leaf = H"85cee8254216185620ddc8851c7a9fc4dfe120ef" or certificate leaf = H"c9a99324ca3fcb23dbcc36bd5fd4f9753305130a")</string>
                </dict>
                <dict>
                    <key>Identifier</key>
                    <string>org.mozilla.firefox</string>
                    <key>VPNUUID</key>
                    <string>6A015006-D559-4C5C-B197-737CF4DCFA96</string>
                    <key>SigningIdentifier</key>
                    <string>org.mozilla.firefox</string>
                    <key>DesignatedRequirement</key>
                    <string>anchor apple generic and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "43AQ936H96"</string>
                </dict>
            </array>
        </dict>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed.applayer</string>
            <key>PayloadDescription</key>
            <string>Configures VPN settings, including authentication.</string>
            <key>PayloadDisplayName</key>
            <string>VPN (Per-App VPN App Mapping)</string>
            <key>PayloadIdentifier</key>
            <string>com.f5.access.macos.perapp.vpn.vpn</string>
            <key>PayloadOrganization</key>
            <string/>
            <key>PayloadUUID</key>
            <string>5A015006-D559-4C5C-B197-737CF4DCFA96</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>Proxies</key>
            <dict/>
            <key>UserDefinedName</key>
            <string>App Mapping</string>
            <key>VPN</key>
            <dict>
                <key>AuthName</key>
                <string>test</string>
                <key>AuthPassword</key>
                <string>test</string>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>RemoteAddress</key>
                <string>https://portal.example.com</string>
                <key>OnDemandMatchAppEnabled</key>
                <true/>
                <key>ProviderType</key>
                <string>packet-tunnel</string>
                <key>ProviderBundleIdentifier</key>
                <string>com.f5.access.macos.PacketTunnel</string>
            </dict>
            <key>VPNSubType</key>
            <string>com.f5.access.macos</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VendorConfig</key>
            <dict/>
            <key>VPNUUID</key>
            <string>6A015006-D559-4C5C-B197-737CF4DCFA96</string>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>PerApp VPN Payload TCP Test</string>
    <key>PayloadDisplayName</key>
    <string>MDM - Per-App VPN TCP</string>
    <key>PayloadIdentifier</key>
    <string>com.f5.access.macos.perapp.vpn</string>
    <key>PayloadOrganization</key>
    <string/>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>06A850CC-BC81-43FB-AA16-42BE472D2421</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
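An added Python check (not code from the F5 manual or from F5 Access) that parses a configuration profile with plistlib and verifies the keys the device-wide VPN, per-app VPN and app-mapping tables in this chapter require, including that every AppLayerVPNMapping entry references a VPNUUID that a per-app VPN payload in the same profile actually defines, and it flags an AuthPassword carried in the profile in clear text. The embedded profile is a constructed minimal sample with placeholder UUIDs; the expected F5 values are taken from the tables above.

```python
import plistlib

F5_SUBTYPE = "com.f5.access.macos"
F5_PROVIDER = "com.f5.access.macos.PacketTunnel"
VPN_TYPES = {"com.apple.vpn.managed", "com.apple.vpn.managed.applayer"}

# Constructed minimal profile with placeholder UUIDs (not one of the manual's samples):
# one per-app VPN payload and one app-mapping payload whose second entry points at a
# VPNUUID that no per-app VPN payload defines.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.vpn.managed.applayer</string>
  <key>PayloadDisplayName</key><string>PerApp</string>
  <key>VPNType</key><string>VPN</string>
  <key>VPNSubType</key><string>com.f5.access.macos</string>
  <key>VPNUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>VPN</key><dict><key>ProviderType</key><string>packet-tunnel</string>
   <key>ProviderBundleIdentifier</key><string>com.f5.access.macos.PacketTunnel</string>
   <key>AuthenticationMethod</key><string>Certificate</string></dict></dict>
 <dict><key>PayloadType</key><string>com.apple.vpn.managed.appmapping</string>
  <key>AppLayerVPNMapping</key><array>
   <dict><key>Identifier</key><string>com.google.Chrome</string>
    <key>VPNUUID</key><string>00000000-0000-4000-8000-000000000001</string></dict>
   <dict><key>Identifier</key><string>org.mozilla.firefox</string>
    <key>VPNUUID</key><string>00000000-0000-4000-8000-0000000000FF</string></dict>
  </array></dict>
</array></dict></plist>"""


def check_profile(profile_xml: bytes) -> list:
    """Return findings for an F5 Access MDM profile; an empty list means it passed."""
    findings = []
    payloads = plistlib.loads(profile_xml).get("PayloadContent", [])
    defined_vpn_uuids = set()
    for p in payloads:
        ptype = p.get("PayloadType", "")
        name = p.get("PayloadDisplayName", ptype)
        if ptype not in VPN_TYPES:
            continue
        vpn = p.get("VPN", {})
        if p.get("VPNType") != "VPN":
            findings.append(f"{name}: VPNType must be VPN")
        if p.get("VPNSubType") != F5_SUBTYPE:
            findings.append(f"{name}: VPNSubType must be {F5_SUBTYPE}")
        if vpn.get("ProviderBundleIdentifier", F5_PROVIDER) != F5_PROVIDER:
            findings.append(f"{name}: ProviderBundleIdentifier must be {F5_PROVIDER}")
        if vpn.get("AuthPassword"):
            findings.append(f"{name}: AuthPassword is stored in the profile in clear text")
        if ptype.endswith(".applayer"):
            if vpn.get("ProviderType") != "packet-tunnel":
                findings.append(f"{name}: per-app VPN needs ProviderType packet-tunnel")
            if p.get("VPNUUID"):
                defined_vpn_uuids.add(p["VPNUUID"])
            else:
                findings.append(f"{name}: per-app VPN payload has no VPNUUID")
    # Every app mapping must reference a VPNUUID defined by a per-app VPN payload.
    for p in payloads:
        if p.get("PayloadType") == "com.apple.vpn.managed.appmapping":
            for entry in p.get("AppLayerVPNMapping", []):
                if entry.get("VPNUUID") not in defined_vpn_uuids:
                    findings.append(f"mapping {entry.get('Identifier')}: VPNUUID "
                                    f"{entry.get('VPNUUID')} is not defined by any per-app VPN payload")
    return findings
```

Run `check_profile` over the chapter's own example profiles (read as bytes) and it reports the AuthPassword values they embed; the sample above produces exactly one finding, the dangling Firefox mapping.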