Manual Chapter : Overview: F5 Access for macOS Devices

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Overview: F5 Access for macOS Devices

F5 Access for macOS general information

General F5 Access Information

F5 Access for macOS provides Layer 3 network access for the BIG-IP APM module. The F5 Access for macOS SSL VPN application complements the existing Edge Client VPN product line, addressing similar use-case and deployment scenarios.
F5 Access for macOS incorporates Apple's new Network Extension Framework. This change creates some major architectural shifts in the new F5 Access VPN application. As a result, there are currently feature differences between F5 Access and Edge Client for macOS.
Users can install and use both F5 Access and Edge Client for macOS on the same system.
Self-signed BIG-IP certificates are not supported unless the CA certificate is first Trusted on the device. Set the system keychain settings to
Always Trust
.
F5 Access for macOS is hosted in the Apple App Store, instead of on a BIG-IP system.
F5 Access for macOS has two components:
  • App Extension
    : built on the Network Extension framework to provide traffic tunneling.
  • F5 Access Container App
    : handles configuration management and state monitoring.

Supported Authentication Modes

Native
Native authentication mode is the default mode that the administrator can use to set the user logon by using username and password, optional client certificate, or both. Interactive authentication, including SAML and external logon pages, are not supported in this mode. Native mode does not require user interaction if all the credentials are previously saved.
Web (Web Logon)
Web-based Authentication is supported in this version. In web authentication mode, the administrator can specify interactive Web-based multi-factor authentication in the access policy. Web authentication mode can be used to support an external logon page, SAML authentication, 2-factor logon with a one-time passcode, or other interactive methods. A user can specify Web logon mode when creating a configuration. All Web logon feature are supported.
Client certificate required mode
In this version, client certificate required mode is supported.

About the F5 Access for macOS container app

Container app interface

After F5 Access for macOS is installed, the container app is available from the macOS menu bar.
The following functions and status items can be viewed and accessed from the container app:
  • Connection status
    : Shows the status of F5 Access, and the status of configured connections.
  • Connect to
    : This menu item allows you to connect to a VPN from the list of VPN configurations.
    Connect to
    defaults to the most recently used configuration.
  • List of VPN configurations
    : Shows the current configured VPN connections. The user can click a configuration to connect. Clicking another VPN configuration when connected causes the connection to switch VPN configurations.
  • Manage VPN Configurations
    : Allows the user to add, edit, and remove VPN configurations. Note that configurations managed by a Mobile Device Manager (MDM) cannot be removed by the user.
  • Open Network Preferences
    : Opens the network settings in the System Preferences app.
  • View Details
    : Displays the connection details window.
  • View Logs
    : Views the F5 Access logs. This can be useful for troubleshooting.
  • About F5 Access
    : Shows information about the installed version of F5 Access
  • Quit
    : Quits the container app. Note that this does not terminate the VPN connection.

Creating a VPN configuration from Container app

You create a configuration to establish a VPN connection to access network resources.
  1. From the F5 Container App click
    Manage VPN Configurations
    .
  2. Click
    +
    to add a configuration.
  3. In the
    VPN Name
    field, type a VPN name.
  4. In the
    Server
    field, type the server address.
  5. In the
    Username
    field, type the username.
  6. In the
    Password
    field, type the password.
  7. In the
    Client Certificate
    field, select a common name for the client certificate.
  8. To use a web page for logon, click
    Web Logon
    .
  9. To show the VPN Configuration in the F5 Container App menu, click
    Show VPN Configuration in Menu
    .
  10. Click
    Apply
    .
The VPN configuration is created. Start the VPN connection by selecting the configuration name from the F5 Container App menu.
Creating the Configuration in the Container App menu

Editing a VPN configuration from Container app

You can edit or delete a configuration from the Container app after you have created it.
  1. From the F5 Container App click
    Manage VPN Configurations
    .
  2. Click the name of a VPN configuration.
  3. To edit the configuration, click the pencil icon.
  4. To delete the configuration, click the minus icon.

Creating a VPN configuration from a plist file

You create a configuration to establish a VPN connection to access network resources.
You cannot edit or delete a VPN configuration created with a plist file from the VPN configurations dialog, though you can modify the username and password.
  1. Double-click a plist
    .mobileconfig
    file to install the VPN.
The VPN configuration is created. Start the VPN connection by selecting the configuration name from the F5 Container App menu.

Example plist mobileconfig VPN configuration file

This is a sample plist .mobileconfig file for VPN configuration.

VPN configuration with plist file example

The following example uses sample data only. For your own configuration, items like the
PayloadDisplayName
,
Payload UUID
, username, password and certificate information must be customized to your network and installation.
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>PayloadContent</key> <array> <dict> <key>IPv4</key> <dict> <key>OverridePrimary</key> <integer>0</integer> </dict> <key>PayloadDescription</key> <string>Configures VPN settings, including authentication.</string> <key>PayloadDisplayName</key> <string>VPN (test_vpn_config)</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.profile</string> <key>PayloadOrganization</key> <string></string> <key>PayloadType</key> <string>com.apple.vpn.managed</string> <key>PayloadUUID</key> <string>3A0ED411-G45D-4551-AE35-650CE54B08D5</string> <key>PayloadVersion</key> <integer>1</integer> <key>Proxies</key> <dict/> <key>UserDefinedName</key> <string>test_vpn_config</string> <key>VPN</key> <dict> <key>AuthName</key> <string>username</string> <key>AuthPassword</key> <string>password</string> <key>AuthenticationMethod</key> <string>Password+Certificate</string> <key>PayloadCertificateUUID</key> <string>CF12345D-E819-4521-88DE-2AEB6E1DC3D8</string> <key>RemoteAddress</key> <string>https://selfip.example.com</string> <key>ProviderType</key> <string>packet-tunnel</string> <key>ProviderBundleIdentifier</key> <string>com.f5.access.macos.PacketTunnel</string> </dict> <key>VPNSubType</key> <string>com.f5.access.macos</string> <key>VPNType</key> <string>VPN</string> <key>VendorConfig</key> <dict/> </dict> <dict> <key>Password</key> <string>123456</string> <key>PayloadCertificateFileName</key> <string>identity.p12</string> <key>PayloadContent</key> <data> MIIJCQIBAzCCCM8GCSqGSIb3DQEHAaCCCMAEggi8MIIIuDCCA28GCSqGSIb3DQEHBqCCA2AwggNcAgEA MIIDVQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIzdOkMx7b/skCAggAgIIDKNjtUzTS2/diyoiU ArGTs6vaAcb6PW7bjR/5gObmwV+NHT4BVqGVfm9L+F7zkhgtSx/gTVISOLphruYjSdpiqVN8IVcL6uVR ... (etc...) </data> <key>PayloadDescription</key> <string>Provides device authentication (certificate or identity).</string> <key>PayloadDisplayName</key> <string>identity.p12</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.credential</string> <key>PayloadOrganization</key> <string/> <key>PayloadType</key> <string>com.apple.security.pkcs12</string> <key>PayloadUUID</key> <string>C9BF4927-E819-4521-88DE-2AEB6E1DC3D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </array> <key>PayloadDescription</key> <string>f5 mac tunnel test</string> <key>PayloadDisplayName</key> <string>mac_vpn_mdm_profile</string> <key>PayloadIdentifier</key> <string>com.f5.access.macos.vpn.profile</string> <key>PayloadOrganization</key> <string></string> <key>PayloadRemovalDisallowed</key> <false/> <key>PayloadType</key> <string>Configuration</string> <key>PayloadUUID</key> <string>A6F83919-B570-41FE-A84F-52DAC24838D8</string> <key>PayloadVersion</key> <integer>1</integer> </dict> </plist>

Starting a connection manually

Starting a connection on F5 Access for macOS requires a configured BIG-IP Network Access access policy to which you can connect. All configurations created from the Container app are also available in the
System Preference > Network
panel.
You start a connection to access network resources.
  1. Log in to the macOS device and launch the F5 Access application from the Finder or the Launch Pad.
  2. Start a connection by selecting an exisiting connection from the list.
  3. You can also start a connection from the
    System Preference > Network
    panel.