Manual Chapter : Configuring Per-App VPN with APM and F5 Access

Applies To:



  • 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

What is a per-app VPN?

Apple's VPN framework supports layer-3 tunneling for TCP and UDP connections. Apps can be configured to connect to a VPN automatically when they start. Safari can be configured for per-app VPN with a configuration profile, without an MDM, on a per-URL (domain) basis.
An access policy for per-app VPN on macOS is similar to a device-wide VPN access policy, except that items that require Web Logon, such as multi-factor authentication, are not supported.
A per-app VPN configuration requires two configuration components: an F5 Access configuration, deployed by the MDM, that names the apps allowed to use the tunnel, and an access profile with an access policy on the BIG-IP system that authenticates those connections.
Per-app VPN is currently not supported for Android apps on Chrome OS.

About deploying MDM apps over VPNs

The per-app VPN framework lets the administrator limit VPN access to explicitly listed apps only. Specifically, it lets an application use one F5 Access configuration (one VPN connection).
If the F5 Access configuration that an app is bound to is not connected when the app starts, all traffic from that app is blocked; the app does not fall back to the device's unprotected network path.
In practice, some applications may be associated with one F5 Access configuration, and other applications with other F5 Access configurations.
Once an app is associated with an F5 Access configuration by the MDM, it must use that VPN only.
Figure: Apps associated with different VPN configurations. In this example, App 1 and App 2 are bound to different F5 Access configurations, so only App 1 or App 2 can be active at one time.
On macOS, you can activate only one device-wide or per-app VPN configuration at a time.

About access policies for per-app VPN

For per-app VPN, an access policy requires a specific configuration. Per-app VPN does allow the access policy to prompt for information (such as a logon name and password) during logon. However, Web Logon, and any policy item that depends on it, is not supported.

Creating an access profile

You create an access profile to provide the secured connection between the per-app VPN and the virtual server.
  1. On the Main tab, click Access Policy > Access Profiles.
    The Access Profiles List screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
  4. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  5. Click Finished.
The access profile appears in the Access Profiles List.

Adding a client certificate check to the access policy

A client certificate check (Client Cert Inspection) or an On-Demand Cert Auth check authenticates the device to the access policy using the device's client certificate, a method that does not depend on Web Logon.
  1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).
  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure to launch the visual policy editor.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) sign anywhere in the access policy to add a new action item.
    An Add Item screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Click the Authentication tab.
  5. Select the Client Cert Inspection item or the On-Demand Cert Auth item, and click Add Item.
    The screen is not active while the visual policy editor creates the action. The screen closes and a Properties screen displays.
  6. Click Save.
  7. On the Successful branch following the Client Cert Inspection or On-Demand Cert Auth item, click the Deny ending.
  8. Change the Deny ending to Allow, and click Save.
    Leave the fallback branch ending as Deny, so that a device that presents no valid certificate gets no tunnel.
  9. Click Apply Access Policy to save your configuration.
The access profile appears in the Access Profiles List.
Configure the virtual server to include this access policy, and make sure a Client SSL profile is enabled on the virtual server. That Client SSL profile must list the CA that issues the device certificates under Trusted Certificate Authorities. For Client Cert Inspection, its Client Certificate setting must be request (or require) so that the certificate is collected during the TLS handshake; On-Demand Cert Auth instead triggers its own renegotiation to request the certificate when the policy reaches that item.