Manual Chapter : F5 Access Apps

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

F5 Access Apps

Overview: Configuring APM for F5 Access Apps

F5 Access for Android, F5 Access for iOS, F5 Access for Chrome OS, and F5 Access for macOS enable secure network access for supported mobile clients. Previously, the Android and iOS products were called BIG-IP Edge Client® for Android and BIG-IP Edge Client for iOS. For the clients to connect, you need a Network Access configuration on BIG-IP Access Policy Manager. The Network Access Wizard creates a Network Access configuration with authentication, an access policy, and a virtual server with connectivity and access profiles.
You might need to update the connectivity profile or the network access resource to complete the configuration on APM®. Optionally, you can also configure SSO and ACLs, and add items to the access policy to enable SSO and enforce ACLs.

Running the Network Access Setup wizard

Your DNS server must be configured to resolve internal addresses with DNS.
Configure Access Policy Manager to provide users with full network access when they use F5 Access for iOS or F5 Access for Android.
You must specify either the DNS Default Domain Suffix or the DNS Address Space in the Network Access configuration. Otherwise, the system cannot resolve internal DNS addresses.
  1. On the Main tab, click
    Wizards
    Device Wizards
    .
    The Device Wizards screen opens.
  2. Select
    Network Access Setup Wizard for Remote Access
    , and then click
    Next
    .
    Follow the instructions in the wizard to create your access policy and virtual server.
  3. To ensure that the apps can connect from supported mobile devices, for
    Client Side Checks
    , clear the
    Enable Antivirus Check in Access Policy
    check box.
    Follow the instructions in the wizard to create your access policy and virtual server.
  4. To specify the
    DNS Address Space
    setting, on the Network Access screen perform these substeps:
    1. From
      Traffic Options
      , select
      Force Use split tunneling for traffic
      .
      Additional settings display.
    2. In the
      DNS Address Space
      setting, for each address space, type the address in the form
      site.siterequest.com
      or
      *.siterequest.com
      , and click
      Add
      .
  5. On the DNS Hosts screen, you can type a value in the
    DNS Default Domain Suffix
    field.
  6. After you complete the wizard screens and create the configuration, on the Setup Summary screen click
    Finished
    .
You now have a network access configuration that supports F5 Access apps for mobile devices. All configuration object names are prefixed with the policy name that you entered in the wizard.

Configuring a connectivity profile for F5 Access for iOS

A connectivity profile automatically contains default settings for F5 Access for iOS. You should configure the connectivity profile settings to fit your needs.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select
    iOS Edge Client
    .
    Settings for the iOS Edge Client display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the
    Allow Password Caching
    check box.
    The additional fields in the area become available.
  5. To enable device authentication on the client, select
    Require Device Authentication
    .
    This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
  6. For
    Save Password Method
    , specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select
      disk
      .
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select
      memory
      .
    If you select
    memory
    , the
    Password Cache Expiration (minutes)
    field becomes available.
  7. If the
    Password Cache Expiration (minutes)
    field displays, type the number of minutes you want the password to be cached in memory.
  8. In the
    On Demand Disconnect Timeout (minutes)
    field, retain the default
    2
    , or type a different number of minutes before VPN on demand times out.
  9. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the
      Enforce Logon Mode
      check box.
    2. From the
      Logon Method
      list, select
      web
      or
      native
      .
    This feature is supported with F5 Access for iOS and F5 Access for Android.
  10. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for F5 Access for iOS.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Configuring a connectivity profile for F5 Access for Android

A connectivity profile automatically contains settings for F5 Access for Android. You should configure the settings to fit your situation.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select
    Android Edge Client
    .
    Settings for the Android Edge Client display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the
    Allow Password Caching
    check box.
    The additional fields in the area become available.
  5. To enable device authentication on the client, select
    Require Device Authentication
    .
    This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
  6. For
    Save Password Method
    , specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select
      disk
      .
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select
      memory
      .
    If you select
    memory
    , the
    Password Cache Expiration (minutes)
    field becomes available.
  7. If the
    Password Cache Expiration (minutes)
    field displays, type the number of minutes you want the password to be cached in memory.
  8. To enhance security on the client, retain the selection of the
    Enforce Device Lock
    check box (or clear the check box).
    This check box is selected by default. Edge Portal and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
  9. For
    Device Lock Method
    , select the specific device locking method. Default is numeric. Available options are alphabetic, alphanumeric, any, and numeric. The following rules are applicable for the selected device locking method:
    • alphabetic
      : Password should contain alphabets only.
    • alphanumeric
      : Password should contain the combination of alphabets and numbers.
    • any
      : Password can include both alphabets and numbers without any restriction.
    • numeric
      : Password should contain numerical PIN only.
  10. For
    Minimum Passcode Length
    , retain the default
    4
    , or type a different passcode length.
  11. For
    Device Lock Complexity
    , select the specific device locking complexity type. This option allows you to configure new password policies for devices running Android 10 or higher and using F5 Access 3.0.8 or later. You can continue to use the older method that enforced device lock on devices running on Android 9 and lower.
    This device lock complexity criteria is controlled and subjected to be changed by Google and Android. Refer to Android New Password Complexity for updates.
    Available options in the
    Device Lock Complexity
    option are high, low, medium, and none. The following password rules are applicable for the selected device lock complexity:
    • high
      : Password should meet one of the following rules:
      alphabetic: Minimum length of six characters.
      alphanumeric: Minimum length of six characters.
      numeric: Minimum length of eight characters without repetition or ordered sequences.
    • medium
      : Password should meet one of the following rules:
      alphabetic: Minimum length of four characters.
      alphanumeric: Minimum length of four characters.
      numeric: Minimum length of four characters without repetition or ordered sequences.
    • low
      : Password can be a Pattern or a PIN with repeating numbers or ordered sequences.
    • none:
      : Password is not required.
    You cannot enforce the presence of alphabets in device locks. This limitation is from Android, as none of the device complexity levels (None, Low, Medium, or High) enforces the use of alphabets. For details, refer to the Android New Password Complexity.
    The following table displays the password policy features supported with BIG-IP and Android device versions:
    BIG-IP Version
    F5 Access Android Version
    Android OS Version
    Behavior and Password Policy Features
    Upcoming BIG-IP maintenance releases having the
    Device Lock Complexity
    option
    3.0.8 or above
    10 or later
    The following password policy features are supported:
    • Max. Inactivity Time (minutes)
    • Device Lock Complexity
    For all BIG-IP versions except versions specified in the first row
    3.0.8 or above
    10 or later
    The following password policy features are supported for BIG-IP releases not having the
    Device Lock Complexity
    option:
    • Max. Inactivity Time (minutes)
    Device Lock Complexity is fixed to
    Medium
    by default.
    • Users having their device lock less than four digits (not meeting the medium complexity criteria) are asked to update their device password.
    • For users having their device lock more complex than medium, the administrator cannot enforce the device lock password length to be more than four digits. Users can, however, still set up their passwords with a length of more than four digits. This issue is resolved by upgrading the BIG-IP system to versions having the Device Lock Complexity option and setting the Device Lock Complexity to
      High
      .
    For all BIG-IP versions
    3.0.8 or above
    9 or below
    The behavior remains same as existing with the following password policy features supported:
    • Device Lock Method
    • Min. Passcode Length
    • Max. Inactivity Time (minutes)
    For all BIG-IP versions
    3.0.7 or below
    All
    The following password policy features are supported:
    • Device Lock Method
    • Min. Passcode Length
    • Max. Inactivity Time (minutes)
  12. For
    Maximum Inactivity Time (minutes)
    , retain the default
    5
    , or type a different number of minutes.
  13. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the
      Enforce Logon Mode
      check box.
    2. From the
      Logon Method
      list, select
      web
      or
      native
      .
    This feature is supported with F5 Access for iOS and F5 Access for Android.
  14. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for F5 Access for Android.

Configuring a connectivity profile for F5 Access for Chrome OS

A connectivity profile automatically contains default settings for F5 Access for Chrome. You should configure the connectivity profile settings to fit your needs.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. Click
    F5 Access for Chrome OS
    in the left pane.
    Settings for the F5 Access for Chrome OS display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the
    Allow Password Caching
    check box.
    The additional fields in the area become available.
  5. For
    Save Password Method
    , specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select
      disk
      .
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select
      memory
      .
    If you select
    memory
    , the
    Password Cache Expiration (minutes)
    field becomes available.
  6. If the
    Password Cache Expiration (minutes)
    field displays, type the number of minutes you want the password to be cached in memory.
  7. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the
      Enforce Logon Mode
      check box.
    2. From the
      Logon Method
      list, select
      web
      or
      native
      .
      The password caching is only supported with Native logon mode. In Web authentication mode, user will be prompted to enter username/password on the Web page.
  8. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for F5 Access for Chrome.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Configuring a connectivity profile for F5 Access for macOS

A connectivity profile automatically contains default settings for F5 Access for macOS. You should configure the connectivity profile settings to fit your needs.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. Click
    F5 Access for Mac OS
    in the left pane.
    Settings for the F5 Access for macOS display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the
    Allow Password Caching
    check box.
    The additional fields in the area become available.
  5. For
    Save Password Method
    , specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select
      disk
      .
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select
      memory
      .
    If you select
    memory
    , the
    Password Cache Expiration (minutes)
    field becomes available.
  6. If the
    Password Cache Expiration (minutes)
    field displays, type the number of minutes you want the password to be cached in memory.
  7. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the
      Enforce Logon Mode
      check box.
    2. From the
      Logon Method
      list, select
      web
      or
      native
      .
      The password caching is only supported with Native logon mode. In Web authentication mode, user will be prompted to enter username/password on the Web page.
  8. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for F5 Access for macOS.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.

Overview: Configuring APM for Edge Portal Mobile Apps

BIG-IP Edge Portal® for Android and BIG-IP Edge Portal for iOS streamline access to portal access web sites and applications that reside behind BIG-IP Access Policy Manager (APM®). To support the clients, you need a Portal Access configuration on APM. The Portal Access Wizard creates a configuration with authentication, an access policy, and a virtual server with connectivity and access profiles.
You might need to update the connectivity profile or the access policy to complete the configuration on APM.

Running the Portal Access wizard

Run the Portal Access Setup Wizard to quickly set up an access policy and a virtual server for your users.
  1. On the Main tab, click
    Wizards
    Device Wizards
    .
    The Device Wizards screen opens.
  2. Select
    Portal Access Setup Wizard
    and click
    Next
    .
  3. On the Basic Properties screen in the
    Policy Name
    field, type a name for the access policy.
    The name you type here prepends the name of the objects (for example, the virtual server) that the wizard creates for this configuration.
  4. To ensure that the apps can connect from supported mobile devices, for
    Client Side Checks
    , clear the
    Enable Antivirus Check in Access Policy
    check box.
    Follow the instructions in the wizard to create your access policy and virtual server.
  5. Click
    Finished
    .
You have created the configuration objects that are required for a Portal Access configuration to support BIG-IP Edge Portal mobile apps.

Configuring an access policy to support Edge Portal app

Configure an access policy to process access correctly for various client types, including the Edge Portal app.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click
    Add New Macro
    .
  4. In the
    Select macro template:
    select Client Classification and Prelogon checks from the drop-down list.
    The macro inserts an antivirus check for those clients that can support it, and provides the appropriate terminal for each type of client.
  5. Click
    Save
    .
  6. Click the plus [+] sign that appears before the Logon Page action.
  7. In the Macrocalls area, click the
    Client Classification and Prelogon checks
    button.
  8. Click
    Add item
    .
    The Client Classification and Prelogon checks action appears in the access policy sequence.
  9. Click the underlined word
    Deny
    in the ending field.
  10. In the Select Ending area, click
    Allow
    .
  11. Click
    Save
    .

Assigning ACLs to your access policy

Assign ACLs to limit access to resources.
  1. On the Main tab, click
    Access
    Profiles / Policies
    .
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Per-Session Policy column, click the
    Edit
    link for the access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the
    Resource Assign
    agent in the access policy branch.
    The Properties screen opens.
  4. Click the
    Add/Delete Resources
    link.
    A popup screen with a tab for each resource type displays.
  5. Select the tab, select the ACLs to add to the access policy, and click
    Update
    when finished.
  6. Click
    Apply Access Policy
    .

Disabling the Home Tab

Disabling the Home Tab ensures that the BIG-IP Edge Portal app renders properly.
The Home Tab property exists for each portal access resource item.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Portal Access
    Portal Access Lists
    .
    The Portal Access List screen opens.
  2. Click the name of a resource item for the portal access resource that you created.
    The properties screen for that resource item opens.
  3. In the Resource Items Properties area, select
    Advanced
    and for
    Home Tab
    , make sure the
    Enabled
    check box is cleared.
  4. Click
    Update
    .
Repeat this task for each portal access resource item.

Configuring a connectivity profile for Edge Portal for Android

A connectivity profile automatically contains settings for BIG-IP Edge Portal for Android clients. You should configure the settings to fit your situation.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select
    Android Edge Portal
    .
    Settings for the Android Edge Portal display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the
    Allow Password Caching
    check box.
    The additional fields in the area become available.
  5. For
    Save Password Method
    , specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select
      disk
      .
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select
      memory
      .
    If you select
    memory
    , the
    Password Cache Expiration (minutes)
    field becomes available.
  6. If the
    Password Cache Expiration (minutes)
    field displays, type the number of minutes you want the password to be cached in memory.
  7. To enhance security on the client, retain the selection of the
    Enforce Device Lock
    check box (or clear the check box).
    This check box is selected by default. Edge Portal and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
  8. For
    Device Lock Method
    , select the specific device locking method. Default is numeric. Available options are alphabetic, alphanumeric, any, and numeric. The following rules are applicable for the selected device locking method:
    • alphabetic
      : Password should contain alphabets only.
    • alphanumeric
      : Password should contain the combination of alphabets and numbers.
    • any
      : Password can include both alphabets and numbers without any restriction.
    • numeric
      : Password should contain numerical PIN only.
  9. For
    Minimum Passcode Length
    , retain the default
    4
    , or type a different passcode length.
  10. For
    Maximum Inactivity Time (minutes)
    , retain the default
    5
    , or type a different number of minutes.
  11. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the
      Enforce Logon Mode
      check box.
    2. From the
      Logon Method
      list, select
      web
      or
      native
      .
    This feature is supported with F5 Access for iOS and F5 Access for Android.
  12. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Portal for Android clients.

Configuring connectivity profiles for Edge Portal for iOS

A connectivity profile automatically contains settings for BIG-IP Edge Portal for iOS. You should configure the settings to fit your situation.
  1. On the Main tab, click
    Access
    Connectivity / VPN
    Connectivity
    Profiles
    .
    A list of connectivity profiles displays.
  2. Select the connectivity profile that you want to update and click
    Edit Profile
    .
    The Edit Connectivity Profile popup screen opens and displays General Settings.
  3. From Mobile Client Settings in the left pane, select
    iOS Edge Portal
    .
    Settings for the iOS Edge Portal display in the right pane.
  4. To enable users to save their passwords for reconnection purposes within a specified time period, select the
    Allow Password Caching
    check box.
    The additional fields in the area become available.
  5. For
    Save Password Method
    , specify how to perform password caching:
    • To allow the user to save the encrypted password on the device without a time limit, select
      disk
      .
    • To specify that the user password is cached in the application on the user's device for a configurable period of time, select
      memory
      .
    If you select
    memory
    , the
    Password Cache Expiration (minutes)
    field becomes available.
  6. If the
    Password Cache Expiration (minutes)
    field displays, type the number of minutes you want the password to be cached in memory.
  7. Specify security by keeping
    Enforce PIN Lock
    set to
    Yes
    .
    Edge Portal supports PIN locking, but does not support pattern locking.
  8. For
    Maximum Grace Period (minutes)
    , retain the default
    2
    , or type a different number of minutes.
  9. To force the app to use a selected logon mode and prevent users from changing it:
    1. Select the
      Enforce Logon Mode
      check box.
    2. From the
      Logon Method
      list, select
      web
      or
      native
      .
    This feature is supported with F5 Access for iOS and F5 Access for Android.
  10. Click
    OK
    .
    The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Portal for iOS.