Manual Chapter: Configuring Access Policy Manager for MDM applications
Applies To: BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Configuring APM for device posture checks with endpoint management systems
MDM solutions are responsible for managing user devices: a user enrolls a device (or devices), and compliance policies are set that dictate whether a device is compliant or non-compliant. The endpoint management system determines whether APM recognizes the device before the access policy allows access. An endpoint management system also controls the corporate data on mobile devices. Edge Client establishes a VPN connection with APM, and an endpoint management system (Airwatch, MaaS360, or Intune) manages the device and sends its details to APM.
To reduce the number of queries to the MDM server, the Database Synchronization Manager lists all the compliant devices (for Airwatch and MaaS360) or all the non-compliant devices (for Microsoft Intune) and stores the information in a local cache. The synchronization interval is configurable to fit your situation; by default the cache is refreshed every 4 hours to get a new list of devices. When a device tries to connect through the F5 Access client, the local cache is queried for the device ID. If the device ID is not found, the device is verified by the MDM server. If the device is found compliant, its device ID is added to the local cache after the user logs in.
Supported Devices
Only iOS and Android devices with VPN access to APM from specific mobile device apps that are managed by MDM (F5 Access client apps) are supported. For example, if you connect to an APM webtop from a browser on a device, APM does not get a device ID and cannot check for device compliance.
F5 Access for macOS and Windows is currently not supported.
For devices with iOS 12 and later, the F5 Access client cannot retrieve the device ID from iOS because of constraints imposed by Apple, so the compliance check fails. Microsoft's Network Access Control (NAC) integration with Intune instead provides a temporary NAC ID to identify the device. This ID is pushed to the F5 Access client through the F5 Access profile in Intune. For iOS devices, the device is always verified by the MDM server, because the NAC ID is not stored in the local cache.
To use NAC on iOS devices, the Enable network access control (NAC) option must be selected when configuring the VPN profile for F5 Access in Microsoft Intune.
Creating an endpoint management system connector with Airwatch
You must create a Server SSL profile on a BIG-IP system and have access to an Airwatch system.
An endpoint management system on BIG-IP Access
Policy Manager (APM) is an object that stores information about the device management
server, such as IP addresses and API credentials. You can configure more than one
endpoint management system on the same BIG-IP system. APM polls devices connected to the
configured endpoint management systems.
- Log in to the Airwatch console using the administrator user name and password.
- On the left panel, click Accounts. The View Role screen displays.
- For the Categories setting, click .
- Enable API access for the administrator.
- On the left panel on the main screen, click Groups & Settings. The Settings popup screen opens.
- Under the System tab, click . The System/Advanced/API/REST popup screen opens.
- On the System/Advanced/API/REST screen, select the General tab.
- Select the Override setting.
- Select Enable API Access.
- Copy the API key displayed next to API key.
- Click Save.
- On the BIG-IP system, on the Main tab, click . The Endpoint Management Systems screen opens.
- Click Create.
- In the Name field, type a name for the endpoint management system.
- In the Type list, select Airwatch for the endpoint management system.
- In the FQDN field, type a fully qualified domain name.
- In the Port field, type 443.
- From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager.
- In the Update Interval (minutes) field, type a number in minutes that represents how often APM updates the device database.
- In the Username field, type the Airwatch administrator user name.
- In the Password field, type the Airwatch administrator password.
- In the API Token field, type or paste the API key copied from the Airwatch screen.
- Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system. The Airwatch interface might change.
Creating an endpoint management system connector with MaaS360
You must create a Server SSL profile on a BIG-IP system and have access to a MaaS360 system.
An endpoint management system on BIG-IP Access
Policy Manager (APM) is an object that stores information about the device management
server, such as IP addresses and API credentials. You can configure more than one
endpoint management system on the same BIG-IP system. APM polls devices connected to the
configured endpoint management systems.
- Contact MaaS360 to obtain the information needed to access the API. The information required includes the following data:
  - Application ID
  - Platform version
  - Version number
  - Access key
  - Service URL
- Log in to the MaaS360 console using the administrator user name and password.
- At the bottom of the screen, copy the Account ID.
- On the BIG-IP system, on the Main tab, click . The Endpoint Management Systems screen opens.
- Click Create. The New endpoint management system screen opens.
- In the Name field, type a name for the endpoint management system.
- In the Type list, select MaaS360 for the endpoint management system. The Network location and API Credentials sections display.
- In the FQDN field, type the service URL provided by MaaS360.
- In the Port field, type 443.
- From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager.
- In the Update Interval (minutes) field, type a number in minutes that represents how often APM updates the device database.
- In the Username field, type the MaaS360 administrator user name.
- In the Password field, type the MaaS360 administrator password.
- In the Billing Id field, type or paste the billing ID copied from the MaaS360 screen.
- In the Application Id field, type the application ID provided by MaaS360.
- In the Access Key field, type the access key provided by MaaS360.
- In the Platform field, type the platform version of the MaaS360 console.
- In the App Version field, type the current version number of the application that is linked to the account.
- Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system. The MaaS360 interface might change.
Creating an Azure web application with Microsoft Intune for APM
Before you can configure a web application, contact Microsoft to purchase a Microsoft Intune subscription.
BIG-IP APM integrates with Microsoft Intune through a client web application that you configure on the Microsoft Azure portal. This topic describes how to create that web application to obtain a client ID and a client secret.
- On Microsoft Azure, on the main tab, click Azure Active Directory. The Azure Active Directory screen opens.
- Click App registration. The App registrations screen opens.
- Click New registration. The Register an application screen opens.
- In the Name field, type a name for the new web application.
- From the Application type dropdown menu, select Web app / API.
- In the Sign-on URL field, type a URL. This can be any URL, such as https://localhost.
- Click Register. The newly created application's page displays the registration details.
- Copy the Application ID to your records. You use this ID as the client ID when configuring an EMS object on the BIG-IP system.
- In the Manage section, click Certificates & secrets. The Certificates & secrets screen opens.
- Under Client secrets, click New Client Secret to create a secret key.
- In the Description field, enter any description for this secret key.
- In the Expires section, select Never.
- Click Add. A new key displays in the Certificates & secrets screen. Copy the key to the administrator records; you use this key as the client secret when configuring an EMS object on the BIG-IP system.
- Click Overview to navigate to the app screen with registration details. In the Manage section, click API permissions. The API permissions screen opens.
- Click Add a permission. The Request API permissions screen opens.
- Select Intune from the list of Microsoft APIs, and then select Application Permissions.
- From the Permissions list, select Get device state and compliance information from Microsoft Intune.
- Click Add permissions. A list of added permissions displays.
- Click Add a Permission again.
- Select Microsoft Graph from the list of Microsoft APIs, and then select Application Permissions.
- Select one of the following under the Application dropdown:
  - Application.Read.All (required for Microsoft Graph)
  - Application.ReadWrite.All
  - Application.OwnedBy
  - Directory.Read.All
- Click Add Permissions. A list of added permissions displays.
- On the API permissions screen, click the Grant admin consent for button. When asked to confirm granting consent for all accounts in the Azure domain, click Yes.
You now have a tenant ID, client ID, and client secret.
Note: In June 2020, Microsoft announced the deprecation of the Azure Active Directory (AD) Graph API. Microsoft Graph replaces Azure AD Graph, offering improved security and resilience, starting June 30, 2022. When adding a new API permission, the Azure Active Directory Graph option is greyed out and not available, because Microsoft recommends using Microsoft Graph APIs for new permission requests. If you still want to add Azure Active Directory Graph permissions, click and grant legacy permissions as your requirements dictate.
Creating an endpoint management system connector with Microsoft Intune
You must create a Server SSL profile on a BIG-IP system and have access to a Microsoft Intune system.
An endpoint management system on BIG-IP Access
Policy Manager (APM) is an object that stores information about the device management
server, such as IP addresses and API credentials. You can configure more than one
endpoint management system on the same BIG-IP system. APM polls devices connected to the
configured endpoint management systems.
- On the BIG-IP system, on the Main tab, click . The Endpoint Management Systems screen opens.
- Click Create. The New endpoint management system screen opens.
- In the Name field, type a name for the endpoint management system.
- In the Type list, select Microsoft Intune for the endpoint management system. The Network location and API Credentials sections display.
- From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager.
- From the DNS Resolver list, select a previously created DNS Resolver in BIG-IP Local Traffic Manager. Create a DNS Resolver the same way you create a Server SSL profile.
- In the Update Interval (minutes) field, type a number in minutes that represents how often APM updates the device database.
- In the Tenant Id field, type the tenant ID that comes with a Microsoft Intune subscription.
- In the Client Id field, type the client ID that becomes available after creating the web application.
- In the Client Secret field, type the client secret that becomes available after creating the web application.
- Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.
Editing an endpoint management system configuration
You can create an endpoint management system on BIG-IP APM with either Airwatch, MaaS360, or Intune. You can edit an endpoint management system.
- On the BIG-IP system, on the Main tab, click . The Endpoint Management Systems screen opens with a list of endpoint management systems.
- In the Name column, click the name of the endpoint management system you want to edit. The properties screen for that endpoint management system opens.
- Edit one or more fields. The status of the endpoint management system updates during each sync interval. If you edit the Username, FQDN, or Port fields, the Status field displays the same status as the actual configuration status. If you edit other property fields, the Status field might differ from the actual configuration status; the correct status appears when the next sync interval begins.
- Click Update.
You have updated an endpoint management system.
Create an access profile
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
- On the Main tab, click . The Access Profiles (Per-Session Policies) screen opens.
- Click Create. The New Profile screen opens.
- In the Name field, type a unique name for the access profile.
- From the Profile Type list, select one of these options:
  - ALL: Select to support LTM-APM and SSL-VPN access types.
  - LTM-APM: Select for a web access management configuration.
  - OAuth-Resource Server: For configuring APM to act as an OAuth resource server that provides an OAuth authorization layer in front of an API gateway.
  - RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
  - SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
  - SSO: Select to configure matching virtual servers for Single Sign-On (SSO). No access policy is associated with this type of access profile.
  - SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
  - SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
  - System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
  - Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile. You can edit Identity Service profile properties.
  Depending on licensing, you might not see all of these profile types. Additional settings display.
- From the Profile Scope list, select one of these options to define user scope:
  - Profile: Access to resources behind the profile.
  - Virtual Server: Access to resources behind the virtual server.
  - Global: Access to resources behind any access profile with global scope.
  - Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
  - Public: Access to resources that are behind the same access profile when the Named scope has configured the session and is checked based on the value and string configured in the Named scope field.
- For the Customization Type, use the default value Modern.
- In the Language Settings area, add and remove accepted languages, and set the default language. If no browser language matches one in the accepted languages list, the browser uses the default language.
- Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.
Configuring an access policy to include endpoint management integration
You can configure an access policy to perform compliance checks for connected devices. The Managed Endpoint Status action determines whether APM recognizes a device by its device ID. The Managed Endpoint Notification action sends a push notification message to a device. You can create access policy checks that use session variables and device posture information to allow or deny access.
- On the Main tab, click . The Access Profiles (Per-Session Policies) screen opens.
- In the Access Policy column, click the Edit link for the endpoint management type access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the (+) icon anywhere in the access policy to add a new item. Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type. A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
- Add a Managed Endpoint Status action:
  - From the Endpoint Security (Server-Side) list, select Managed Endpoint Status and click Add Item. A popup Properties screen opens.
  - In the Name field, type a name for the access policy action.
  - For the Endpoint Management System, select the endpoint management system that you previously created.
  - Click Save.
  The visual policy editor screen displays.
- In both the compliant branch and the not compliant branch of the Managed Device Status action, click the (+) icon anywhere in the access policy to add a new action item. For example, as shown in the Access policy with endpoint management integration image, the Managed Device Status action performs the compliance checks on the device before allowing network access and sends notification messages to the non-compliant device.
- To add a Managed Endpoint Notification action, perform the following steps:
  - From the Endpoint Security (Server-Side) list, select Managed Endpoint Notification. A popup Properties screen opens.
  - In the Name field, type a name for the access policy action.
  - From the endpoint management system list, select the endpoint management system that you previously created. The Intune endpoint management system does not support the Endpoint Notification agent.
  - In the Message field, type the message that displays on the device.
  - Click Save.
  The visual policy editor screen displays.
You have an access policy that provides endpoint management integration with VPN access.
Creating a virtual server
- On the Main tab, click . The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Configuration list, select Advanced.
- In the Destination Address field, type the IP address for the virtual server. When you type the IP address for a single host, it is not necessary to append a prefix to the address.
- In the Service Port field, type the port number.
- From the SSL Profile (Client) list, select clientssl.
- From the Source Address Translation list, select Auto Map.
- Click Finished.
- From the Access Profile list, select the access profile that you previously created.
- From the Connectivity Profile list, select the connectivity profile that you previously created.
Your access policy is now associated with the newly created virtual server.