Configuring Access Policy Manager for MDM applications
Overview: Configuring APM for device posture checks with endpoint
management systems
MDM solutions enable administrators to monitor, manage, and secure mobile
devices within an organization. The user enrolls a device (or devices), and the administrator
manages access by setting compliance policies that dictate whether a device is compliant or
non-compliant. An endpoint management system also controls the corporate data on mobile devices.
F5 Access and Edge Client establishes a VPN connection with APM, and an endpoint management
system (Airwatch, MaaS360, or Intune) manages and sends device details to APM.
To reduce the number of queries to the MDM server, the Database
Synchronization Manager lists all the compliant devices in the case of Airwatch and MaaS360 &
non-compliant devices in the case of Microsoft Intune and stores the information in the local
cache. The synchronization interval on BIG-IP is configurable to fit your situation and is
refreshed after every 4 hours by default to get a new list of devices. The local cache is queried
for the device ID when a device tries to connect through the F5 Access client. The MDM server
verifies the device when the device ID is not found. When the device status is received, the
device ID and the device status are added to the local cache after the user logs in.
For Microsoft Intune, the Database Synchronization Manager syncs
non-compliant devices using Microsoft's Intune NAC API and queries for the device and compliance
status. Currently, there are two ways for getting the device compliance status using Microsoft's
Network Access Control (NAC) API.
Device ID based compliance
check
: Information such as the IMEI, Wi-Fi MAC address, and device ID is placed
inside the VPN profile and pushed to the device by Intune when the device is enrolled. This
information is available to the F5 Access client, which then sends device details to APM.
In June 2021, Microsoft released the
Compliance Retrieval service. This service will replace the Intune NAC service, offering
improved security and reliability. This means Microsoft is moving away from the device ID based
compliance check towards Intune ID in the certificate based compliance check. For details,
click New Microsoft Intune service for network
access control.
Intune ID in certificate
based compliance check
: The Device ID is not provided in the VPN profile. Instead,
a device certificate with the Intune device ID is pushed to the device during the enrollment
process. The F5 Access client presents this certificate to the APM during the SSL handshake. APM
uses the Intune device ID obtained from the certificate to get the compliance status of the
device. In Intune, there is a static interval of 4 hours to sync devices from the non-compliance
endpoint for the new compliance retrieval service.
To support Intune ID in
certificate based compliance check, refer to the
Configuring
settings for Intune ID in certificate based compliance check
section in this guide for
details.
Supported
Devices
For mobile device apps:
iOS and Android devices with VPN access to APM from specific mobile device apps
managed by MDM (F5 Access Client Apps) are supported. For example, if you connect to APM WebTop
from a browser in a device, then APM will not get a device ID and cannot check for device
compliance.
For devices with iOS 12 and later, the F5 Access client could not retrieve
device ID from iOS due to Apple imposed constraints, and failure in a compliance check.
To use NAC on iOS devices, the
Enable network access control (NAC)
option must be selected when configuring the VPN profile for F5 Access in Microsoft Intune.
For desktop apps:
F5 Access for Windows is supported when the
Client Certificate
is set to
ignore
, and the On Demand Cert Auth agent is
configured.
Creating an endpoint management system connector with Airwatch
You must create a Server SSL profile on a BIG-IP system and
have access to an Airwatch system.
An endpoint management system on BIG-IP Access
Policy Manager (APM) is an object that stores information about the device management
server, such as IP addresses and API credentials. You can configure more than one
endpoint management system on the same BIG-IP system. APM polls devices connected to the
configured endpoint management systems.
Log in to the Airwatch console using the administrator user name and
password.
On the left panel, click
Accounts
.
The View Role screen displays.
For the
Categories
setting, click
API
REST
.
Enable API access for the administrator.
On the left panel on the main screen, click
Groups &
Settings
.
The Settings popup screen opens.
Under the System tab, click
API
REST API
The System/Advanced/API/REST popup screen opens.
On the System/Advanced/API/REST screen, select the
General
tab.
Select the
Override
setting.
Select
Enable API Access
.
Copy the API key displayed next to
API key
.
Click
Save
.
On the BIG-IP system, on the Main tab, click
Access Policy
Authentication
Endpoint Management Systems
.
The Endpoint Management Systems screen opens.
Click
Create
.
In the
Name
field, type a name for the endpoint
management system.
In the
Type
list, select
Airwatch
for the endpoint management system.
In the
FQDN
field, type a fully qualified domain
name.
In the
Port
field, type
443
.
From the
Server SSL Profile
list, select a previously
created Server SSL profile in BIG-IP Local Traffic
Manager.
In
Update Interval (minutes)
field, type a
number in minutes that represents how often APM updates the device
database.
In the
Username
field, type the Airwatch administrator
user name.
In the
Password
field, type the Airwatch administrator
password.
In the
API Token
field, type or paste the API key
copied from the Airwatch screen.
Click
Finished
.
You have created an endpoint management system. APM tests the connection to the
device management server, and prints a test status in the
Status
field. If the status displays
OK
, APM starts the device database
synchronization for the created endpoint management system.
The Airwatch interface might change.
Creating an endpoint management system connector with MaaS360
You must create a Server SSL profile on a BIG-IP system and
have access to an MaaS360 system.
An endpoint management system on BIG-IP Access
Policy Manager (APM) is an object that stores information about the device management
server, such as IP addresses and API credentials. You can configure more than one
endpoint management system on the same BIG-IP system. APM polls devices connected to the
configured endpoint management systems.
Contact MaaS360 to obtain information needed to access the API.
The information required includes the following data:
Application ID
Platform version
Version number
Access key
Service URL
Log in to the MaaS360 console using the administrator user name and
password.
At the bottom of the screen, copy the Account ID.
On the BIG-IP system, on the Main tab, click
Access
Authentication
Endpoint Management Systems
.
The Endpoint Management Systems screen opens.
Click
Create
.
The New endpoint management system screen opens.
In the
Name
field, type a name for the endpoint
management system.
In the
Type
list, select
MaaS360
for the endpoint management system.
The Network location and API Credentials sections display.
In the
FQDN
field, type the service URL provided by
MaaS360.
In the
Port
field, type
443
.
From the
Server SSL Profile
list, select a previously
created Server SSL profile in BIG-IP Local Traffic
Manager.
In
Update Interval (minutes)
field, type a number in
minutes that represent how often APM updates the device database.
In the
Username
field, type the MaaS360 administrator
user name.
In the
Password
field, type the MaaS360 administrator
password.
In the
Billing Id
field, type or paste the billing ID
copied from the MaaS360 screen.
In the
Application Id
field, type the application ID
provided by MaaS360.
In the
Access Key
field, type the access key provided by
MaaS360.
In the
Platform
field, type the platform version of the
MaaS360 console.
In the
App Version
field, type the current version
number of the application that is linked to the account.
Click
Finished
.
You have created an endpoint management system. APM tests the connection to the
device management server, and prints a test status in the
Status
field. If the status displays
OK
, APM starts the device database
synchronization for the created endpoint management system.
The MaaS360 interface might change.
Creating an Azure web application with Microsoft Intune for
APM
Before you can configure a web application,
contact Microsoft to purchase a Microsoft Intune subscription.
BIG-IP APM integrates Microsoft Intune by
configuring a Microsoft Azure Client web application on the Microsoft Azure portal. This
topic describes how to create a web application to obtain a client ID and a client
secret.
On Microsoft Azure, on the main tab, click
Azure Active
Directory
.
The Azure Active Directory
screen opens.
Click
App registration
.
The App registrations screen
opens.
Click
New registration
.
The Register an application
screen opens.
In the
Name
field, type a name for
the new web application.
From the
Application
type dropdown
menu, select
Web app /
API
.
In the
Sign-on URL
field, type a
URL.
This can be any URL, such as
https://localhost
.
Click
Register
.
A newly-created application's
page displays the registration details.
Copy the Application ID to your records.
You use this ID as a client id when
configuring an EMS object on the BIG-IP system.
In the
Manage
section,
click
Certificates &
secrets
.
The
Certificates & secrets
screen opens.
Under Client secrets, click
New Client Secret
to create a
secret key.
In the
Description
field,
enter any description for this secret key.
In the
Expires
section, select
Never
.
Click
Add
.
You should copy the key to the
administrator records. You use this key as a client secret when configuring an
EMS object on the BIG-IP system.
A new key displays in the
Certificates &
secrets
screen.
Click
Overview
to navigate
to the app screen with registration details. In the
Manage
section, click
API permissions
.
The API permissions screen
opens.
Click
Add a permission
.
The Request API permissions screen opens.
Select
Intune
from the list
of Microsoft APIs, and then select
Application
Permissions
.
From the
Permissions
list, select
Get device state and
compliance information from Microsoft Intune
button. When asked to confirm grant consent for all accounts in the Azure
domain, click
Yes
.
You now have a tenant ID, client ID, and client
secret.
Note:
In June 2020, Microsoft announced the deprecation
of the Azure Active Directory (AD) Graph API. The Microsoft Graph will replace the
Azure AD Graph, offering improved security and resilience, starting June 30, 2022.
When adding new API permission, the Azure Active Directory Graph option is greyed
out and is not available as Microsoft recommends using Microsoft Graph APIs for new
permission requests. If you still want to continue adding Azure Active Directory
Graph permission, click
Add a Permission
APIs my organization
users
Search for "Windows Azure Active
Directory"
and grant legacy permissions as per your requirement.
Creating an endpoint management system
connector with Microsoft Intune
You must create a Server SSL profile
on a BIG-IP system and have access to a Microsoft Intune
system.
An endpoint management system on BIG-IP Access
Policy Manager (APM) is an object that stores information about the device management
server, such as IP addresses and API credentials. You can configure more than one
endpoint management system on the same BIG-IP system. APM polls devices connected to the
configured endpoint management systems.
On the BIG-IP system, on the Main tab, click
Access
Authentication
Endpoint Management Systems
.
The Endpoint Management Systems screen opens.
Click
Create
.
The New endpoint management system screen opens.
In the
Name
field, type a name for the endpoint
management system.
In the
Type
list, select
Microsoft
Intune
for the endpoint management system.
The Network location and API Credentials sections display.
From the
Server SSL Profile
list, select a previously
created Server SSL profile in BIG-IP Local Traffic
Manager.
From the
DNS Resolver
list, select a previously created DNS Resolver in BIG-IP Local Traffic
Manager.
Create a DNS Resolver the same way you create a Server SSL profile.
In
Update Interval (minutes)
field, type a number in
minutes that represent how often APM updates the device database.
In the
Tenant Id
field, type the tenant ID that comes
with a Microsoft Intune subscription.
In the
Client Id
field, type the client ID that becomes
available after creating a web application.
In the
Client Secret
field, type the client secret that
becomes available after creating a web application.
Click
Finished
.
You have created an endpoint
management system. APM tests the connection to the device management server, and prints
a test status in the
Status
field. If the status displays
OK
, APM starts the device database synchronization for the created
endpoint management system.
Configuring settings for Intune ID in certificate based compliance
check
When a device is enrolled, Intune pushes a device certificate with the Intune device ID to the
devices. The F5 Access client presents this certificate to the APM during the SSL handshake. APM
uses the Intune device ID obtained from the certificate to get the compliance status of the
device. To support Intune ID in certificate based compliance check, you need to configure some
settings on the BIG-IP system and the Microsoft Endpoint Manager. The following sections describe
creating Client SSL profile configurations and the different certificates required on Intune.
The Client SSL profile configurations differ based on where the device ID is
located. This allows the BIG-IP system to negotiate secure client connections based on the
client's preference. Let us consider the following use cases:
All devices have Intune device ID in the device certificate.
Not all devices have Intune device ID in the device certificate. Some
devices have Intune device IDs in the device certificate, and others have internal device IDs
such as IMEI, serial number in the VPN profile.
Configuring access policy when all devices have Intune ID in the
certificate
Creating a Client
SSL profile
This topic describes creating a Client SSL profile when all client
devices have Intune ID in the device certificate. The settings below enable the
client SSL profile to demand client authentication during SSL handshake. The client
then presents the device certificate containing the Intune ID to the APM.
On the BIG-IP system, on the Main tab, click
Local Traffic
Profiles
SSL
Client
.
The Client profile list
screen opens.
Click
Create
.
The New Client SSL Profile
screen opens.
From the
Parent Profile
list, select
clientssl
.
Using the
Certificate Key
Chain
setting, specify one or more server certificate key
chains.
From the
Client Certificate
list,
select
require
.
From the
Trusted Certificate
Authorities
list, upload the CA cert generated from the
certificate authority server. This will be used to trust the device certificate
sent by the F5 Access client.
Configure all other profile settings as needed.
Click
Finished
.
You can see the custom Client SSL profile in
the list of Client SSL profiles on the system.
Connection diagram
The process flow when the
Client Certificate
is set to
require
is depicted in this diagram.
Connection diagram - client certificate set to require
Creating an access policy
An example access policy for this use case is shown below. In this use case,
let us consider that all devices have device ID in the authentication certificate.
With the
Client
Certificate
set to
require
in the client SSL profile, the BIG-IP virtual server
demands a client certificate for all devices.
The
Managed Endpoint Status
action checks for device compliance
against the configured Endpoint Management System (EMS).
The
Advanced Resource Assign
action enables the assignment of
resources to the access policy.
Example access policy
Configuring access policy when not all devices have Intune device
ID in device certificate
Creating a Client SSL
profile
This topic describes creating a Client SSL profile when not all
client devices have Intune device ID in the device certificate. The use case here could
be that some devices have Intune device ID in the device certificate and others have
device ID in the VPN profile. The settings below for client SSL profile and On Demand
Cert Auth agent allow APM to renegotiate SSL connection with F5 Access client and
enforce client authentication during SSL handshake. It enables APM to receive device
certificate from all devices which have Intune device ID.
On the BIG-IP system, on the Main tab, click
Local Traffic
Profiles
SSL
Client
.
The Client profile list
screen opens.
Click
Create
.
The New Client SSL Profile
screen opens.
From the
Parent Profile
list, select
clientssl
.
Using the
Certificate Key Chain
setting, specify one or more server certificate key chains.
From the
Client Certificate
list,
select
ignore
.
From the
Trusted Certificate
Authorities
list, upload the CA cert generated from the
certificate authority server. This will be used to trust the device certificate
sent by the F5 Access client.
Configure all other profile settings as
needed.
Click
Finished
.
You can see the custom Client SSL profile in
the list of Client SSL profiles on the system.
Connection diagram
The process flow when the
Client Certificate
is set to
ignore
is depicted in this diagram.
Connection diagram - client certificate set to ignore
Creating an access policy
An example access policy for this use case is shown below. In this use case, let us consider that
the iOS devices have device ID in the VPN profile, and the Android devices have
device ID in the authentication certificate. With the
Client
Certificate
set to
ignore
in the client SSL
profile, the access policy ignores and does not request a client certificate for iOS
devices but demands a client certificate for Android devices.
The
Managed Endpoint Status
action checks for device
compliance against the configured Endpoint Management System (EMS).
The
Advanced Resource Assign
action enables the
assignment of resources to the access policy.
Set the
On
Demand Cert Auth
action to
Require
to override the
Client SSL settings and re-negotiate the SSL connection with the client. A
certificate request is sent to the Android user. After the user provides a
valid certificate, the On-Demand Cert Auth agent verifies the value of the
session variable
session.ssl.cert.valid
to determine whether authentication
was a success. If the client does not provide a valid certificate, the
connection terminates, and the F5 Access client stops responding.
Example access policy
Configuring the Variable Assign action
Intune device ID identifier in the SAN field in Intune
When you use a custom identifier prefix for Intune device ID in the
Subject alternative name
in Intune, you need to
create a session variable
session.mdm.intune.id_prefix
using Variable assignment agent and assign the custom
identifier prefix to it. This agent derives the value of the identifier prefix and assigns it to
the session variable
session.mdm.intune.id_prefix
.
If the value of the identifier prefix in Intune is
customIntuneDeviceId://
then the assignment in
the Variable Assign action would be
An example access policy with the variable assignment action is shown below.
Example access policy
If you use the Microsoft recommended default identifier
IntuneDeviceId://
in Intune, then the
Variable Assign action is not required in the access policy.
Intune device ID not in the SAN field in Intune
If provided in the SAN field of the certificate, Intune device ID is
available on APM in session variable value of the
session.ssl.cert.x509extension
. By default, the MDM agent searches for Intune
device ID in this session variable to query the device status.
Suppose you are not providing Intune device ID in the SAN field of the
certificate but are making it available to APM through other means or through a different
session variable. In that case, you can create a session variable
session.mdm.intune.id
using the Variable
assignment agent or by using iRules and assign the extracted Intune device ID value to this
session variable.
An example of iRule usage is shown below. Here, the Intune device ID is
present in the SAN field and is available in the session variable value of the
session.ssl.cert.x509extension
. You can extract
the Intune Device ID from this variable and assign it to
session.mdm.intune.id
, which will be used to
query the device status. Different scenarios can be authored in iRule using the same logic.
Session variable assignment in iRule
Configuring Trusted certificate profile with Microsoft
Intune
You must create a CA authority server and have
access to a Microsoft Intune system.
Create and deploy a trusted certificate
profile before you create a PKCS profile. You must create a separate trusted certificate
profile for each device platform you want to support. This topic describes creating a
Trusted certificate profile with Microsoft Intune. The profile should be created for
devices having device IDs in their authentication certificates.
Sign in to the Microsoft Endpoint Manager admin
center.
Navigate to
Devices
Configuration
profiles
Create profile
.
In
Create a profile
,
specify the following properties:
Platform
: Select the platform of the devices
that will receive this profile.
Profile type
: Select
Trusted
certificate
.
Click
Create
.
In
Basic
, specify the following properties:
Name
: Enter a descriptive name for the
profile.
Description
: Enter a
description for the profile. This setting is optional.
In
Configuration settings
, specify the .cer file for the
trusted Root CA Certificate.
Select
Next
.
In
Assignments
, select the user or groups that will receive your
profile. This certificate profile should be deployed to the same groups that
receive the PKCS certificate profile.
In
Review + create
, review your settings.
When you select Create, your changes are saved,
and the profile is assigned. The policy is also shown in the profiles list.
Next, configure a PKCS certificate profile on
Intune.
Configuring PKCS certificate profile with Microsoft Intune
You must create a CA authority server and have
access to a Microsoft Intune system.
This topic describes creating a PKCS
certificate profile with Microsoft Intune and adding it to an Intune device
configuration profile. The profile should be created for devices having device IDs in
their authentication certificates.
Sign in to the Microsoft Endpoint Manager admin
center.
Navigate to
Devices
Configuration
profiles
Create profile
.
In
Create a profile
, specify the following properties:
Platform
: Select the
platform of the devices that will receive this profile.
Profile type
: Select
PKCS
certificate
.
Click
Create
.
In
Basic
, specify the following properties:
Name
: Enter a
descriptive name for the profile.
Description
: Enter a
description for the profile. This setting is optional.
In
Configuration settings
, specify the following properties:
Certificate
authority
: Enter a fully qualified domain name (FQDN) of
your Enterprise CA.
Certificate authority
name
: Enter the name of your Enterprise CA.
Certificate template
: Enter the name of your
certificate template.
Certificate type
: Select
Device
.
Root certificate
:
Select a root CA certificate profile. Root certificate field is
available only for Android platform. This option is not available for
iOS devices.
Subject name format
: Enter
CN={{AAD_Device_ID}}
for iOS or Android
devices.
Subject alternative name
: For
Attribute
, select
URI
and enter the corresponding
Value
. If you are
using the default value
https://intunedeviceid/{{DeviceId}}
, then the
Variable Assign
action is not required while
creating an access policy in Visual Policy Editor (VPE). If you are
using a custom identifier, then you must add a
Variable
Assign
action to the access policy on VPE. The
{{DeviceId}} in the value field is the Intune device ID. Refer to the
Configuring the Variable Assign action
section above
for details.
Select
Next
.
In
Assignments
, select the user or groups that will receive your
profile. This certificate profile should be deployed to the same groups that
receive the trusted certificate profile.
In
Review + create
, review your settings.
When you select Create, your changes are saved,
and the profile is assigned. The policy is also shown in the profiles list.
Next, configure a VPN profile on Intune.
Configuring SCEP certificate profile with Microsoft Intune
You must create a CA
authority server and have access to a Microsoft Intune system.
You can create a
SCEP certificate profile with Microsoft Intune and assign SCEP certificate profiles to
users and devices in Intune.
You must create a CA authority server and have
access to a Microsoft Intune system.
This topic describes creating a VPN profile
with Microsoft Intune. The VPN profiles in Microsoft Intune assign VPN settings to users
and devices. The profile should be created for devices having device IDs in their
authentication certificates.
Sign in to the Microsoft Endpoint Manager admin
center.
Navigate to
Devices
Configuration
profiles
Create profile
.
In
Create a profile
, specify the following properties:
Platform
: Select the
platform of the devices that will receive this profile.
Profile type
: Select
VPN
.
Click
Create
.
In
Basic
, specify the following properties:
Name
: Enter a
descriptive name for the profile.
Description
: Enter a
description for the profile. This setting is optional.
In
Configuration settings
, specify the following properties:
Connection type
:
Enter
F5 Access
.
Connection name
:
Enter the name of your connection. End users see this name when they
browse their device for a list of available VPN connections.
VPN server address
:
Enter the IP address or fully qualified domain name (FQDN) of the
virtual server that devices connect with.
Authentication
method
: Select
Certificates
.
Authentication
certificate
: Select an existing PKCS certificate profile
to authenticate the connection.
Select
Next
.
In
Assignments
, select the user or groups that will receive your
profile. This certificate profile should be deployed to the same groups that
receive the trusted certificate profile.
In
Review + create
, review your settings.
When you select Create, your changes are saved,
and the profile is assigned. The policy is also shown in the profiles list.
To sync changes to the device, navigate to
Devices
All devices
.
In the list of devices, select the device to sync and get the latest policies
and actions with Intune.
In the Overview screen, click
Sync
.
To confirm, click
Yes
.
Editing an endpoint
management system configuration
You can create an endpoint management system on BIG-IP APM with either Airwatch,
MaaS360 or Intune.
You can edit an endpoint management
system.
On the BIG-IP system, on the Main tab, click
Access
Authentication
Endpoint Management Systems
.
The Endpoint Management Systems screen with a list of endpoint
management systems opens.
In the Name column, click the name of the endpoint management system you want
to edit.
The properties screen for that endpoint management system
opens.
Edit one or more fields.
The status of the endpoint management system updates during each sync
interval. If you edit the
Username
,
FQDN
, or
Port
fields, the
Status
field displays the same status as the actual
configuration status. If you edit other property fields, the
Status
field might be different than the actual
configuration status. The correct status appears when the next sync interval
begins
Click
Update
.
You have updated an endpoint management system.
Create an access profile
You create an access profile to provide the access policy configuration for a
virtual server that establishes a secured session.
On the Main tab, click
Access
Profiles /
Policies
Access Profiles (Per-Session Policies)
.
The Access Profiles
(Per-Session Policies) screen displays.
Click
Create
.
The New Profile screen
displays.
In the
Name
field, type a unique name for
the access profile.
From the
Profile Type
list, select one
these options:
ALL
: Select to support
LTM-APM and SSL-VPN access types.
LTM-APM
: Select for a web
access management configuration.
OAuth-Resource
Server
: For configuring APM to act as an OAuth resource
server that provides an OAuth authorization layer into an API
gateway.
RDG-RAP
: Select to
validate connections to hosts behind APM when APM acts as a gateway for RDP
clients.
SSL-VPN
: Select to
configure network access, portal access, or application access. (Most access
policy items are available for this type.)
SSO
: Select to configure
matching virtual servers for Single Sign-On (SSO).
No access policy is associated with this type of
access profile
SWG - Transparent
: Select
to configure access using Secure Web Gateway transparent forward
proxy.
SWG - Explicit
: Select to
configure access using Secure Web Gateway explicit forward proxy.
System Authentication
:
Select to configure administrator access to the BIG-IP system (when using
APM as a pluggable authentication module).
Identity Service
: Used
internally to provide identity service for a supported integration. Only APM
creates this type of profile.
You can edit Identity Service profile
properties.
Depending on licensing, you might not see all of these
profile types.
Additional settings display.
From the
Profile Scope
list, select one these
options to define user scope:
Profile
: Access to
resources behind the profile.
Virtual Server
:
Access to resources behind the virtual
server.
Global
: Access to
resources behind any access profile with global
scope.
Named
: Access for
SSL Orchestrator users to resources behind any
access profile with global scope.
Public
: Access to
resources that are behind the same access profile
when the Named scope has configured the session
and is checked based on the value and string
configured in the Named scope field.
For the
Customization
Type
, use the default value
Modern
.
In the Language Settings area, add and remove
accepted languages, and set the default language.
If any browser language does not match
with the accepted languages list, the browser uses the default language.
Click
Finished
.
The access
profile displays in the Access Profiles List. Default-log-setting is assigned to the
access profile.
Configuring an access policy to include endpoint management
integration
You can configure an access policy to perform
compliance checks for connected devices. The Managed Endpoint Status action determines
whether APM recognizes a device with a device ID. The Managed Endpoint Notification
action sends a push notification message to a device. You can create access policy
checks using session variables and device posture information to allow or deny access.
On the Main tab, click
Access
Profiles /
Policies
Access Profiles (Per-Session Policies)
.
The Access Profiles
(Per-Session Policies) screen displays.
In the Access Policy column, click the
Edit
link for the endpoint
management type access profile you want to configure.
The visual policy editor
opens the access policy in a separate screen.
Click the
(+)
icon anywhere in the
access policy to add a new item.
Only an applicable subset of access policy items is
available for selection in the visual policy editor for any access profile
type.
A popup screen opens, listing
predefined actions on tabs such as General Purpose, Authentication, and so
on.
Add a Managed Endpoint Status action:
From the Endpoint Security (Server-Side)
list, select
Managed
Endpoint Status
and click
Add Item
.
A popup Properties
screen opens.
In the
Name
field, type a
name for the access policy action.
For the
Endpoint Management
System
, select the endpoint management system that you
previously created.
Click
Save
.
The visual policy editor
screen displays.
In both the compliant branch and not compliant
branch of the Managed Device Status action, click the
(+)
icon anywhere in the
access policy to add a new action item.
For example, as shown in the
Access policy with endpoint management
integration
image below, the Managed Device Status action performs the
compliance checks on the device for allowing network access and sends
notification messages to the non-compliant device.
To add a Managed Endpoint Notification action,
perform the following steps:
From the Endpoint Security (Server-Side)
list, select
Managed
Endpoint Notification
.
A popup Properties
screen opens.
In the
Name
field, type a
name for the access policy action.
From the endpoint management system list,
select the endpoint management system that you previously created.
The Intune endpoint management system does not
support Endpoint Notification agent.
In the
Message
field, type a
message that displays on a device.
Click
Save
.
The visual policy editor
screen displays.
You have an access policy that presents
endpoint management integration with VPN access.
Example of Access policy with endpoint management
integration
Creating a virtual server
On the Main tab, click
Local Traffic
Virtual Servers
.
The Virtual Server List
screen opens.
Click
Create
.
The New Virtual Server screen
opens.
In the
Name
field, type a unique
name for the virtual server.
From the
Configuration
list, select
Advanced
.
In the
Destination Address
field,
type the IP address for the Virtual Server.
When you type the IP address for a single
host, it is not necessary to append a prefix to the address.
In the
Service Port
field, type the
port number.
From the
SSL Profile (Client)
list,
select
clientssl
.
From the
Source Address Translation
list, select
Auto
Map
.
Click
Finished
.
From the Access Profile list, select the access
profile that you previously created.
From the Connectivity Profile list, select the
connectivity profile that you previously created.
Your access policy is now associated with the
newly created virtual server.
