Manual Chapter : F5 Access Apps

Applies To:

  • BIG-IP APM

    21.0.0, 17.5.1, 17.5.0, 17.1.3, 17.1.2, 17.1.1, 17.1.0

back-action Defining Connectivity Options

Updated Date: 04/01/2026

F5 Access Apps

F5 Access for Android, F5 Access for iOS, F5 Access for Chrome OS, and F5 Access for macOS enable secure network access for supported mobile clients. Previously, the Android and iOS products were called BIG-IP Edge Client® for Android and BIG-IP Edge Client for iOS. For the clients to connect, you need a Network Access configuration on BIG-IP Access Policy Manager. The Network Access Wizard creates a Network Access configuration with authentication, an access policy, and a virtual server with connectivity and access profiles.

You might need to update the connectivity profile or the network access resource to complete the configuration on APM®. Optionally, you can also configure SSO and ACLs, and add items to the access policy to enable SSO and enforce ACLs.

  1. Running the Network Access Setup wizard

  2. Configuring a connectivity profile for F5 Access for iOS

  3. Configuring a connectivity profile for F5 Access for Android

  4. Configuring a connectivity profile for F5 Access for Chrome OS

  5. Configuring a connectivity profile for F5 Access for macOS

Your DNS server must be configured to resolve internal addresses with DNS.

Configure Access Policy Manager to provide users with full network access when they use F5 Access for iOS or F5 Access for Android.

Important: You must specify either the DNS Default Domain Suffix or the DNS Address Space in the Network Access configuration. Otherwise, the system cannot resolve internal DNS addresses.

  1. On the Main tab, click Wizards > Device Wizards.

    The Device Wizards screen opens.

  2. Select Network Access Setup Wizard for Remote Access, and then click Next.

    Tip: Follow the instructions in the wizard to create your access policy and virtual server.

  3. To ensure that the apps can connect from supported mobile devices, for Client Side Checks, clear the Enable Antivirus Check in Access Policy check box.

    Tip: Follow the instructions in the wizard to create your access policy and virtual server.

  4. To specify the DNS Address Space setting, on the Network Access screen perform these substeps:

    1. From Traffic Options, select Force Use split tunneling for traffic.

      Additional settings display.

    2. In the DNS Address Space setting, for each address space, type the address in the form site.siterequest.com or *.siterequest.com , and click Add.

  5. On the DNS Hosts screen, you can type a value in the DNS Default Domain Suffix field.

  6. After you complete the wizard screens and create the configuration, on the Setup Summary screen click Finished.

You now have a network access configuration that supports F5 Access apps for mobile devices. All configuration object names are prefixed with the policy name that you entered in the wizard.

A connectivity profile automatically contains default settings for F5 Access for iOS. You should configure the connectivity profile settings to fit your needs.

  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click Edit Profile.

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. From Mobile Client Settings in the left pane, select iOS Edge Client.

    Settings for the iOS Edge Client display in the right pane.

  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.

    The additional fields in the area become available.

  5. To enable device authentication on the client, select Require Device Authentication.

    This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.

  6. For Save Password Method, specify how to perform password caching:

    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user’s device for a configurable period of time, select memory. If you select memory, the Password Cache Expiration (minutes) field becomes available.

  7. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.

  8. In the On Demand Disconnect Timeout (minutes) field, retain the default 2, or type a different number of minutes before VPN on demand times out.

  9. To force the app to use a selected logon mode and prevent users from changing it:

    1. Select the Enforce Logon Mode check box.

    2. From the Logon Method list, select web or native.

    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.

  10. Click OK.

    The popup screen closes, and the Connectivity Profile List displays.

You have now configured the security settings for F5 Access for iOS.

To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

A connectivity profile automatically contains settings for F5 Access for Android. You should configure the settings to fit your situation.

  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click Edit Profile.

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. From Mobile Client Settings in the left pane, select Android Edge Client.

    Settings for the Android Edge Client display in the right pane.

  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.

    The additional fields in the area become available.

  5. To enable device authentication on the client, select Require Device Authentication.

    This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.

  6. For Save Password Method, specify how to perform password caching:

    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user’s device for a configurable period of time, select memory. If you select memory, the Password Cache Expiration (minutes) field becomes available.

  7. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.

  8. To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box).

    This check box is selected by default. Edge Portal and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.

  9. For Device Lock Method, select the specific device locking method. Default is numeric. Available options are alphabetic, alphanumeric, any, and numeric. The following rules are applicable for the selected device locking method:

    • alphabetic: Password should contain alphabets only.
    • alphanumeric: Password should contain the combination of alphabets and numbers.
    • any: Password can include both alphabets and numbers without any restriction.
    • numeric: Password should contain numerical PIN only.

  10. For Minimum Passcode Length, retain the default 4, or type a different passcode length.

  11. For Device Lock Complexity, select the specific device locking complexity type. This option allows you to configure new password policies for devices running Android 10 or higher and using F5 Access 3.0.8 or later. You can continue to use the older method that enforced device lock on devices running on Android 9 and lower.

    Note: This device lock complexity criteria is controlled and subjected to be changed by Google and Android. Refer to Android New Password Complexity for updates.

    Available options in the Device Lock Complexity option are high, low, medium, and none. The following password rules are applicable for the selected device lock complexity:

    • high: Password should meet one of the following rules:

      alphabetic: Minimum length of six characters.

      alphanumeric: Minimum length of six characters.

      numeric: Minimum length of eight characters without repetition or ordered sequences.

    • medium: Password should meet one of the following rules:

      alphabetic: Minimum length of four characters.

      alphanumeric: Minimum length of four characters.

      numeric: Minimum length of four characters without repetition or ordered sequences.

    • low: Password can be a Pattern or a PIN with repeating numbers or ordered sequences.

    • none:: Password is not required. Note: You cannot enforce the presence of alphabets in device locks. This limitation is from Android, as none of the device complexity levels (None, Low, Medium, or High) enforces the use of alphabets. For details, refer to the Android New Password Complexity.

    The following table displays the password policy features supported with BIG-IP and Android device versions:

BIG-IP Version

F5 Access Android Version

Android OS Version

Behavior and Password Policy Features

Upcoming BIG-IP maintenance releases having the Device Lock Complexity option

3.0.8 or above

10 or later

The following password policy features are supported:

  • Max. Inactivity Time (minutes)
  • Device Lock Complexity

For all BIG-IP versions except versions specified in the first row

3.0.8 or above

10 or later

The following password policy features are supported for BIG-IP releases not having the Device Lock Complexity option:

  • Max. Inactivity Time (minutes) Device Lock Complexity is fixed to Medium by default. - Users having their device lock less than four digits (not meeting the medium complexity criteria) are asked to update their device password.
  • For users having their device lock more complex than medium, the administrator cannot enforce the device lock password length to be more than four digits. Users can, however, still set up their passwords with a length of more than four digits. This issue is resolved by upgrading the BIG-IP system to versions having the Device Lock Complexity option and setting the Device Lock Complexity to High.

For all BIG-IP versions

3.0.8 or above

9 or below

The behavior remains same as existing with the following password policy features supported:

  • Device Lock Method
  • Min. Passcode Length
  • Max. Inactivity Time (minutes)

For all BIG-IP versions

3.0.7 or below

All

The following password policy features are supported:

  • Device Lock Method
  • Min. Passcode Length
  • Max. Inactivity Time (minutes)
12. For **Maximum Inactivity Time \(minutes\)**, retain the default `5`, or type a different number of minutes.

  1. To force the app to use a selected logon mode and prevent users from changing it:

    1. Select the Enforce Logon Mode check box.

    2. From the Logon Method list, select web or native.

    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.

  2. Click OK.

    The popup screen closes, and the Connectivity Profile List displays.

You have now configured the security settings for F5 Access for Android.

A connectivity profile automatically contains default settings for F5 Access for Chrome. You should configure the connectivity profile settings to fit your needs.

  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click Edit Profile.

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. Click F5 Access for Chrome OS in the left pane.

    Settings for the F5 Access for Chrome OS display in the right pane.

  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.

    The additional fields in the area become available.

  5. For Save Password Method, specify how to perform password caching:

    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user’s device for a configurable period of time, select memory. If you select memory, the Password Cache Expiration (minutes) field becomes available.

  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.

  7. To force the app to use a selected logon mode and prevent users from changing it:

    1. Select the Enforce Logon Mode check box.

    2. From the Logon Method list, select web or native.

      The password caching is only supported with Native logon mode. In Web authentication mode, user will be prompted to enter username/password on the Web page.

  8. Click OK.

    The popup screen closes, and the Connectivity Profile List displays.

You have now configured the security settings for F5 Access for Chrome.

To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

A connectivity profile automatically contains default settings for F5 Access for macOS. You should configure the connectivity profile settings to fit your needs.

  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click Edit Profile.

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. Click F5 Access for Mac OS in the left pane.

    Settings for the F5 Access for macOS display in the right pane.

  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.

    The additional fields in the area become available.

  5. For Save Password Method, specify how to perform password caching:

    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user’s device for a configurable period of time, select memory. If you select memory, the Password Cache Expiration (minutes) field becomes available.

  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.

  7. To force the app to use a selected logon mode and prevent users from changing it:

    1. Select the Enforce Logon Mode check box.

    2. From the Logon Method list, select web or native.

      The password caching is only supported with Native logon mode. In Web authentication mode, user will be prompted to enter username/password on the Web page.

  8. Click OK.

    The popup screen closes, and the Connectivity Profile List displays.

You have now configured the security settings for F5 Access for macOS.

To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

BIG-IP Edge Portal® for Android and BIG-IP Edge Portal for iOS streamline access to portal access web sites and applications that reside behind BIG-IP Access Policy Manager (APM®). To support the clients, you need a Portal Access configuration on APM. The Portal Access Wizard creates a configuration with authentication, an access policy, and a virtual server with connectivity and access profiles.

You might need to update the connectivity profile or the access policy to complete the configuration on APM.

  1. Running the Portal Access wizard

  2. Configuring an access policy to support Edge Portal app

  3. Assigning ACLs to your access policy

  4. Disabling the Home Tab

  5. Configuring a connectivity profile for Edge Portal for Android

  6. Configuring connectivity profiles for Edge Portal for iOS

Run the Portal Access Setup Wizard to quickly set up an access policy and a virtual server for your users.

  1. On the Main tab, click Wizards > Device Wizards.

    The Device Wizards screen opens.

  2. Select Portal Access Setup Wizard and click Next.

  3. On the Basic Properties screen in the Policy Name field, type a name for the access policy.

    Note: The name you type here prepends the name of the objects (for example, the virtual server) that the wizard creates for this configuration.

  4. To ensure that the apps can connect from supported mobile devices, for Client Side Checks, clear the Enable Antivirus Check in Access Policy check box.

    Tip: Follow the instructions in the wizard to create your access policy and virtual server.

  5. Click Finished.

You have created the configuration objects that are required for a Portal Access configuration to support BIG-IP Edge Portal mobile apps.

Configure an access policy to process access correctly for various client types, including the Edge Portal app.

  1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).

    The Access Profiles (Per-Session Policies) screen displays.

  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.

    The visual policy editor opens the access policy in a separate screen.

  3. Click Add New Macro.

  4. In the Select macro template: select Client Classification and Prelogon checks from the drop-down list.

    The macro inserts an antivirus check for those clients that can support it, and provides the appropriate terminal for each type of client.

  5. Click Save.

  6. Click the plus [+] sign that appears before the Logon Page action.

  7. In the Macrocalls area, click the Client Classification and Prelogon checks button.

  8. Click Add item.

    The Client Classification and Prelogon checks action appears in the access policy sequence.

  9. Click the underlined word Deny in the ending field.

  10. In the Select Ending area, click Allow.

  11. Click Save.

Assign ACLs to limit access to resources.

  1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).

    The Access Profiles (Per-Session Policies) screen displays.

  2. In the Per-Session Policy column, click the Edit link for the access profile you want to configure.

    The visual policy editor opens the access policy in a separate screen.

  3. Click the Resource Assign agent in the access policy branch.

    The Properties screen opens.

  4. Click the Add/Delete Resources link.

    A popup screen with a tab for each resource type displays.

  5. Select the tab, select the ACLs to add to the access policy, and click Update when finished.

  6. Click Apply Access Policy.

Disabling the Home Tab ensures that the BIG-IP Edge Portal app renders properly.

Note: The Home Tab property exists for each portal access resource item.

  1. On the Main tab, click Access > Connectivity / VPN > Portal Access > Portal Access Lists.

    The Portal Access List screen opens.

  2. Click the name of a resource item for the portal access resource that you created.

    The properties screen for that resource item opens.

  3. In the Resource Items Properties area, select Advanced and for Home Tab, make sure the Enabled check box is cleared.

  4. Click Update.

Repeat this task for each portal access resource item.

A connectivity profile automatically contains settings for BIG-IP Edge Portal for Android clients. You should configure the settings to fit your situation.

  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click Edit Profile.

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. From Mobile Client Settings in the left pane, select Android Edge Portal.

    Settings for the Android Edge Portal display in the right pane.

  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.

    The additional fields in the area become available.

  5. For Save Password Method, specify how to perform password caching:

    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user’s device for a configurable period of time, select memory. If you select memory, the Password Cache Expiration (minutes) field becomes available.

  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.

  7. To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box).

    This check box is selected by default. Edge Portal and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.

  8. For Device Lock Method, select the specific device locking method. Default is numeric. Available options are alphabetic, alphanumeric, any, and numeric. The following rules are applicable for the selected device locking method:

    • alphabetic: Password should contain alphabets only.
    • alphanumeric: Password should contain the combination of alphabets and numbers.
    • any: Password can include both alphabets and numbers without any restriction.
    • numeric: Password should contain numerical PIN only.

  9. For Minimum Passcode Length, retain the default 4, or type a different passcode length.

  10. For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.

  11. To force the app to use a selected logon mode and prevent users from changing it:

    1. Select the Enforce Logon Mode check box.

    2. From the Logon Method list, select web or native.

    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.

  12. Click OK.

    The popup screen closes, and the Connectivity Profile List displays.

You have now configured the security settings for BIG-IP Edge Portal for Android clients.

A connectivity profile automatically contains settings for BIG-IP Edge Portal for iOS. You should configure the settings to fit your situation.

  1. On the Main tab, click Access > Connectivity / VPN > Connectivity > Profiles.

    A list of connectivity profiles displays.

  2. Select the connectivity profile that you want to update and click Edit Profile.

    The Edit Connectivity Profile popup screen opens and displays General Settings.

  3. From Mobile Client Settings in the left pane, select iOS Edge Portal.

    Settings for the iOS Edge Portal display in the right pane.

  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box.

    The additional fields in the area become available.

  5. For Save Password Method, specify how to perform password caching:

    • To allow the user to save the encrypted password on the device without a time limit, select disk.
    • To specify that the user password is cached in the application on the user’s device for a configurable period of time, select memory. If you select memory, the Password Cache Expiration (minutes) field becomes available.

  6. If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.

  7. Specify security by keeping Enforce PIN Lock set to Yes.

    Edge Portal supports PIN locking, but does not support pattern locking.

  8. For Maximum Grace Period (minutes), retain the default 2, or type a different number of minutes.

  9. To force the app to use a selected logon mode and prevent users from changing it:

    1. Select the Enforce Logon Mode check box.

    2. From the Logon Method list, select web or native.

    Note: This feature is supported with F5 Access for iOS and F5 Access for Android.

  10. Click OK.

    The popup screen closes, and the Connectivity Profile List displays.

You have now configured the security settings for BIG-IP Edge Portal for iOS.