Manual Chapter :
Configuring Per-App VPN with APM and F5 Access
Applies To:
BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
What is a per-app VPN?
Apple's VPN framework supports layer-3 tunneling for TCP and UDP connections.
Apps can be configured to connect to a VPN automatically when they are started. Safari can be
configured for per-app VPN on a per-URL basis with a configuration profile, and this does not
require an MDM.
An access policy for Per-App VPN on macOS is similar to a
device-wide VPN access policy, except that items that require Web Logon, such as multi-factor
authentication, are not supported.
A per-app VPN configuration requires two configuration components.
- A device under MDM management or a configuration profile installed manually. For more information, see macOS Sierra: Use configuration profiles.
- F5 Access for macOS installed on the device.
Per-app VPN is currently not supported for Android apps on Chrome OS.
About deploying MDM apps over VPNs
The per-app VPN framework allows the administrator to limit VPN access to explicitly listed apps only.
Specifically, it binds each such app to one F5 Access configuration (VPN connection).
If that F5 Access configuration is not connected when the app starts, all
traffic from the app is blocked.
In practice, some applications may be associated with one F5 Access configuration, and other
applications may be associated with other F5 Access configurations.
Once an app is associated with an F5 Access configuration by the MDM, it
must use that VPN only.
In such a deployment, where App 1 is bound to one F5 Access configuration and App 2 to another,
only App 1 or App 2 can have a working VPN at any one time, because on macOS you can activate
only one device-wide or per-app VPN configuration at a time.
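The two components above (a configuration profile delivered by MDM or installed manually, plus F5 Access) and the one-app-to-one-configuration binding can be made concrete with a generated profile. The following is an added example, not code from F5 or Apple: it builds a macOS per-app VPN configuration profile with two F5 Access configurations, maps App 1 to one and App 2 to the other, adds a Safari per-URL domain, and checks the profile for the mistakes that leave an app with no working VPN. The payload keys follow Apple's Configuration Profile Reference (`com.apple.vpn.managed` and `com.apple.vpn.managed.applayer`); the `VPNSubType` value, host names, app bundle identifiers and UUIDs are assumptions chosen for illustration, and the identity certificate payload referenced by `PayloadCertificateUUID` is assumed to be delivered separately.

```python
import plistlib
import uuid

# Assumption: bundle identifier of F5 Access for macOS, used as VPNSubType/provider.
F5_ACCESS_BUNDLE_ID = "com.f5.access.macos"

# Constructed identifiers for the sample profile built by example_profile().
VPN_A_UUID = "5A6F2F1E-0E0B-4D7C-9C1D-1A2B3C4D5E01"
VPN_B_UUID = "5A6F2F1E-0E0B-4D7C-9C1D-1A2B3C4D5E02"
CERT_PAYLOAD_UUID = "5A6F2F1E-0E0B-4D7C-9C1D-1A2B3C4D5EFF"  # identity cert payload (assumed)


def vpn_payload(name, vpn_uuid, remote_address, safari_domains=()):
    """One F5 Access configuration (com.apple.vpn.managed payload).

    OnDemandMatchAppEnabled makes it eligible for app-layer mapping and
    SafariDomains routes matching Safari URLs through it per-URL.
    """
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.vpn.{vpn_uuid}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "VPN",
        "VPNSubType": F5_ACCESS_BUNDLE_ID,
        "VPNUUID": vpn_uuid,
        "OnDemandMatchAppEnabled": True,
        "VPN": {
            "RemoteAddress": remote_address,
            "ProviderType": "packet-tunnel",  # layer-3 tunnel for TCP and UDP
            "ProviderBundleIdentifier": F5_ACCESS_BUNDLE_ID,
            # Certificate auth pairs with the Client Cert Inspection or
            # On-Demand Cert Auth item in the access policy (no Web Logon).
            "AuthenticationMethod": "Certificate",
            "PayloadCertificateUUID": CERT_PAYLOAD_UUID,
        },
    }
    if safari_domains:
        payload["SafariDomains"] = list(safari_domains)
    return payload


def app_mapping_payload(app_to_vpn):
    """Bind each app bundle identifier to exactly one VPNUUID."""
    return {
        "PayloadType": "com.apple.vpn.managed.applayer",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.vpn.applayer",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Per-App VPN mapping",
        "AppLayerVPNMapping": [{"Identifier": a, "VPNUUID": v} for a, v in app_to_vpn.items()],
    }


def build_profile(payloads):
    """Wrap payloads in a top-level Configuration profile, serialised as an XML plist."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.perapp-vpn",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Per-App VPN (F5 Access)",
        "PayloadContent": list(payloads),
    })


def parse_profile(data):
    """Parse profile bytes back into a dict for inspection or checking."""
    return plistlib.loads(data)


def check_profile(profile):
    """Return problems that would leave an app with no working VPN.

    Accepts profile bytes or a parsed dict. Every mapped VPNUUID must name a
    VPN payload in this profile, an app may be bound only once, and a mapped
    VPN must have OnDemandMatchAppEnabled set.
    """
    if isinstance(profile, (bytes, bytearray)):
        profile = parse_profile(profile)
    content = profile["PayloadContent"]
    vpns = {p["VPNUUID"]: p for p in content if p["PayloadType"] == "com.apple.vpn.managed"}
    problems = []
    for p in content:
        if p["PayloadType"] != "com.apple.vpn.managed.applayer":
            continue
        seen = set()
        for entry in p["AppLayerVPNMapping"]:
            app, vpn_uuid = entry["Identifier"], entry["VPNUUID"]
            if app in seen:
                problems.append(f"{app} is bound to more than one VPN")
            seen.add(app)
            if vpn_uuid not in vpns:
                problems.append(f"{app} references unknown VPNUUID {vpn_uuid}")
            elif not vpns[vpn_uuid].get("OnDemandMatchAppEnabled"):
                problems.append(f"{app}: VPN {vpn_uuid} lacks OnDemandMatchAppEnabled")
    return problems


def example_profile():
    """Constructed sample: App 1 on configuration A (plus Safari per-URL), App 2 on B."""
    vpn_a = vpn_payload("Corp VPN A", VPN_A_UUID, "vpn-a.example.com",
                        safari_domains=["intranet.example.com"])
    vpn_b = vpn_payload("Corp VPN B", VPN_B_UUID, "vpn-b.example.com")
    mapping = app_mapping_payload({"com.example.app1": VPN_A_UUID,
                                   "com.example.app2": VPN_B_UUID})
    return build_profile([vpn_a, vpn_b, mapping])
```

Writing `example_profile()` to a `.mobileconfig` file gives a profile that can be installed manually on macOS or pushed by an MDM; `check_profile` is the kind of pre-deployment check worth running, since an app mapped to a VPNUUID that does not exist in the profile is blocked from the network rather than falling back to the device-wide path.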
About access policies for per-app VPN
For per-app VPN, an access policy requires a specific configuration. The per-app VPN process does allow prompts for information, such as a logon name and password, during logon.
However, Web Logon is not supported.
Creating an access profile
You create an access profile to provide the
secured connection between the per-app VPN and the virtual server.
- On the Main tab, navigate to the Access Profiles List. The Access Profiles List screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a name for the access profile.
- In the Language Settings area, add and remove accepted languages, and set the default language. A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
- Click Finished.
The access profile appears in the Access
Profiles List.
Adding a client certificate check to the access policy
A Client Cert Inspection or On-Demand Cert Auth item authenticates the device to the access
policy with a client certificate, which is how a per-app VPN identifies the device without Web Logon.
- Open the Access Profiles List.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor. The visual policy editor opens the access policy in a separate screen.
- Click the (+) sign anywhere in the access policy to add a new action item. An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Click the Authentication tab.
- Select the Client Cert Inspection item or the On-Demand Cert Auth item, and click Add Item. The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays.
- Click Save.
- On the Successful branch following the Client Cert Inspection or On-Demand Cert Auth item, click the Deny ending.
- Change the Deny ending to Allow, and click Save.
- Click Apply Access Policy to save your configuration.
The access profile appears in the Access Profiles List.
Configure the virtual server to include this access profile, and make sure a Client SSL
profile is attached to the virtual server. If you used Client Cert Inspection, that Client SSL
profile must be set to request or require a client certificate and must trust the issuing CA,
because the item only examines the certificate already presented during the TLS handshake;
On-Demand Cert Auth instead requests the certificate when the policy reaches that item.