Manual Chapter : Configuring Access Policy Manager for MDM applications

Applies To:

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

Overview: Configuring APM for device posture checks with endpoint management systems

MDM solutions enable administrators to monitor, manage, and secure mobile devices within an organization. The user enrolls a device (or devices), and the administrator manages access by setting compliance policies that dictate whether a device is compliant or non-compliant. An endpoint management system also controls the corporate data on mobile devices. F5 Access and Edge Client establish a VPN connection with APM, and an endpoint management system (Airwatch, MaaS360, or Intune) manages the devices and sends device details to APM.
To reduce the number of queries to the MDM server, the Database Synchronization Manager retrieves a device list from the MDM server (all compliant devices for Airwatch and MaaS360, all non-compliant devices for Microsoft Intune) and stores it in the local cache. The synchronization interval on BIG-IP is configurable to fit your situation; by default the list is refreshed every 4 hours. When a device tries to connect through the F5 Access client, the local cache is queried for the device ID. If the device ID is not found in the cache, APM asks the MDM server to verify the device. When the device status is received, the device ID and the device status are added to the local cache after the user logs in.
For Microsoft Intune, the Database Synchronization Manager syncs non-compliant devices using Microsoft's Intune NAC API and queries it for the device and compliance status. Currently, there are two ways to get the device compliance status using Microsoft's Network Access Control (NAC) API.
  • Device ID based compliance check: Information such as the IMEI, Wi-Fi MAC address, and device ID is placed inside the VPN profile and pushed to the device by Intune when the device is enrolled. This information is available to the F5 Access client, which then sends the device details to APM.
    In June 2021, Microsoft released the Compliance Retrieval service. This service will replace the Intune NAC service, offering improved security and reliability. This means Microsoft is moving away from the device ID based compliance check towards the Intune ID in certificate based compliance check. For details, see New Microsoft Intune service for network access control.
  • Intune ID in certificate based compliance check: The device ID is not provided in the VPN profile. Instead, a device certificate containing the Intune device ID is pushed to the device during the enrollment process. The F5 Access client presents this certificate to APM during the SSL handshake, and APM uses the Intune device ID obtained from the certificate to get the compliance status of the device. For the new Compliance Retrieval service, Intune uses a static interval of 4 hours to sync devices from the non-compliance endpoint.
    To support the Intune ID in certificate based compliance check, refer to the Configuring settings for Intune ID in certificate based compliance check section in this guide.
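The sync-and-cache behaviour described above, as an added example that is not part of the F5 documentation or the APM code: a small Python model in which the bulk sync returns compliant devices for Airwatch/MaaS360 and non-compliant devices for Intune, a cache miss triggers a per-device query whose answer is then cached, and the whole list is refreshed once the sync interval (4 hours by default) has elapsed. The FakeMDM class, the function names, and the choice to treat a device unknown to the MDM as non-compliant are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Assumed default: the doc says the device list is refreshed every 4 hours.
DEFAULT_SYNC_INTERVAL = 4 * 60 * 60  # seconds


class FakeMDM:
    """Constructed stand-in for an MDM server (not a real Airwatch/MaaS360/Intune API)."""

    def __init__(self, compliant: Set[str], enrolled: Set[str]):
        self.compliant = set(compliant)
        self.enrolled = set(enrolled) | set(compliant)
        self.queries = 0  # counts per-device lookups, to show the cache working

    def compliant_devices(self) -> Set[str]:       # what an Airwatch/MaaS360 sync returns
        return set(self.compliant)

    def non_compliant_devices(self) -> Set[str]:   # what an Intune sync returns
        return self.enrolled - self.compliant

    def device_status(self, device_id: str) -> Optional[bool]:
        """Per-device query: True = compliant, False = non-compliant, None = not enrolled."""
        self.queries += 1
        if device_id not in self.enrolled:
            return None
        return device_id in self.compliant


@dataclass
class ComplianceCache:
    """Model of the Database Synchronization Manager's local cache."""
    ems_type: str                                   # "airwatch", "maas360" or "intune"
    list_devices: Callable[[], Set[str]]            # bulk sync call
    query_device: Callable[[str], Optional[bool]]   # per-device lookup on a cache miss
    sync_interval: float = DEFAULT_SYNC_INTERVAL
    clock: Callable[[], float] = time.time          # injectable so tests can move time forward
    _listed: Set[str] = field(default_factory=set)
    _per_device: Dict[str, bool] = field(default_factory=dict)
    _last_sync: float = float("-inf")

    def _list_means_compliant(self) -> bool:
        # Airwatch and MaaS360 syncs list compliant devices; Intune lists non-compliant ones.
        return self.ems_type in ("airwatch", "maas360")

    def sync(self) -> None:
        """Refresh the bulk list and drop per-device answers learned since the last sync."""
        self._listed = set(self.list_devices())
        self._per_device.clear()
        self._last_sync = self.clock()

    def is_compliant(self, device_id: str) -> bool:
        if self.clock() - self._last_sync >= self.sync_interval:
            self.sync()
        if device_id in self._listed:
            return self._list_means_compliant()
        if device_id in self._per_device:           # answered by an earlier server query
            return self._per_device[device_id]
        status = self.query_device(device_id)       # cache miss: ask the MDM server
        if status is None:
            return False                            # unknown to the MDM: fail closed, do not cache
        self._per_device[device_id] = status        # remember the verified status
        return status
```

The per-device answers are discarded on every refresh rather than aged individually; that keeps a device that became non-compliant between syncs from being served a stale "compliant" answer for longer than one interval, which is the same bound the bulk list gives.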
Supported Devices
For mobile device apps:
iOS and Android devices with VPN access to APM from specific mobile device apps managed by MDM (the F5 Access client apps) are supported. For example, if you connect to an APM webtop from a browser on a device, APM does not get a device ID and cannot check for device compliance.
On devices with iOS 12 and later, the F5 Access client cannot retrieve the device ID from iOS because of constraints imposed by Apple, so the compliance check fails.
To use NAC on iOS devices, the Enable network access control (NAC) option must be selected when configuring the VPN profile for F5 Access in Microsoft Intune.
For desktop apps:
F5 Access for Windows is supported when Client Certificate is set to ignore and the On Demand Cert Auth agent is configured.
F5 Access for macOS is supported with the NAC API. To install and enroll your macOS device, refer to the Microsoft documentation Enroll your macOS device using the Company Portal app.

Creating an endpoint management system connector with Airwatch

You must create a Server SSL profile on a BIG-IP system and have access to an Airwatch system.
An endpoint management system on BIG-IP Access Policy Manager (APM) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system on the same BIG-IP system. APM polls devices connected to the configured endpoint management systems.
  1. Log in to the Airwatch console using the administrator user name and password.
  2. On the left panel, click Accounts.
    The View Role screen displays.
  3. For the Categories setting, click API > REST.
  4. Enable API access for the administrator.
  5. On the left panel on the main screen, click Groups & Settings.
    The Settings popup screen opens.
  6. Under the System tab, click API > REST API.
    The System/Advanced/API/REST popup screen opens.
  7. On the System/Advanced/API/REST screen, select the General tab.
  8. Select the Override setting.
  9. Select Enable API Access.
  10. Copy the API key displayed next to API key.
  11. Click Save.
  12. On the BIG-IP system, on the Main tab, click Access Policy > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens.
  13. Click Create.
  14. In the Name field, type a name for the endpoint management system.
  15. In the Type list, select Airwatch for the endpoint management system.
  16. In the FQDN field, type a fully qualified domain name.
  17. In the Port field, type 443.
  18. From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager.
  19. In the Update Interval (minutes) field, type a number in minutes that represents how often APM updates the device database.
  20. In the Username field, type the Airwatch administrator user name.
  21. In the Password field, type the Airwatch administrator password.
  22. In the API Token field, type or paste the API key copied from the Airwatch screen.
  23. Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.
The Airwatch interface might change.

Creating an endpoint management system connector with MaaS360

You must create a Server SSL profile on a BIG-IP system and have access to a MaaS360 system.
An endpoint management system on BIG-IP Access Policy Manager (APM) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system on the same BIG-IP system. APM polls devices connected to the configured endpoint management systems.
  1. Contact MaaS360 to obtain the information needed to access the API.
    The information required includes the following data:
    • Application ID
    • Platform version
    • Version number
    • Access key
    • Service URL
  2. Log in to the MaaS360 console using the administrator user name and password.
  3. At the bottom of the screen, copy the Account ID.
  4. On the BIG-IP system, on the Main tab, click Access > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens.
  5. Click Create.
    The New endpoint management system screen opens.
  6. In the Name field, type a name for the endpoint management system.
  7. In the Type list, select MaaS360 for the endpoint management system.
    The Network location and API Credentials sections display.
  8. In the FQDN field, type the service URL provided by MaaS360.
  9. In the Port field, type 443.
  10. From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager.
  11. In the Update Interval (minutes) field, type a number in minutes that represents how often APM updates the device database.
  12. In the Username field, type the MaaS360 administrator user name.
  13. In the Password field, type the MaaS360 administrator password.
  14. In the Billing Id field, type or paste the billing ID copied from the MaaS360 screen.
  15. In the Application Id field, type the application ID provided by MaaS360.
  16. In the Access Key field, type the access key provided by MaaS360.
  17. In the Platform field, type the platform version of the MaaS360 console.
  18. In the App Version field, type the current version number of the application that is linked to the account.
  19. Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.
The MaaS360 interface might change.

Creating an Azure web application with Microsoft Intune for APM

Before you can configure a web application, contact Microsoft to purchase a Microsoft Intune subscription.
BIG-IP APM integrates with Microsoft Intune through a client web application that you configure on the Microsoft Azure portal. This topic describes how to create the web application to obtain a client ID and a client secret.
  1. On Microsoft Azure, on the main tab, click Azure Active Directory.
    The Azure Active Directory screen opens.
  2. Click App registrations.
    The App registrations screen opens.
  3. Click New registration.
    The Register an application screen opens.
  4. In the Name field, type a name for the new web application.
  5. From the Application type dropdown menu, select Web app / API.
  6. In the Sign-on URL field, type a URL.
    This can be any URL, such as https://localhost.
  7. Click Register.
    The newly created application's page displays the registration details.
  8. Copy the Application ID to your records.
    You use this ID as the client ID when configuring an EMS object on the BIG-IP system.
  9. In the Manage section, click Certificates & secrets.
    The Certificates & secrets screen opens.
  10. Under Client secrets, click New Client Secret to create a secret key.
  11. In the Description field, enter any description for this secret key.
  12. In the Expires section, select Never.
  13. Click Add.
    A new key displays in the Certificates & secrets screen. Copy the key to the administrator records; you use this key as the client secret when configuring an EMS object on the BIG-IP system.
  14. Click Overview to navigate to the app screen with the registration details. In the Manage section, click API permissions for the registered application.
    The API permissions screen opens.
  15. Click Add a permission.
    The Request API permissions screen opens.
  16. Select Intune from the list of Microsoft APIs, and then select Application Permissions.
  17. From the Permissions list, select Get device state and compliance information from Microsoft Intune.
  18. Click Add permissions.
    A list of added permissions displays.
  19. Click Add a permission again.
  20. Select Microsoft Graph from the list of Microsoft APIs, and then select Application Permissions.
  21. Select one of the following under the Application dropdown:
    • Application.Read.All (this is required for Microsoft Graph)
    • Application.ReadWrite.All
    • Application.OwnedBy
    • Directory.Read.All
    Click Add permissions.
    A list of added permissions displays.
  22. On the API permissions screen, click the Grant admin consent button for your tenant. When asked to confirm granting consent for all accounts in the Azure domain, click Yes.
You now have a tenant ID, client ID, and client secret.
Note: In June 2020, Microsoft announced the deprecation of the Azure Active Directory (AD) Graph API. Microsoft Graph will replace Azure AD Graph, offering improved security and resilience, starting June 30, 2022. When adding a new API permission, the Azure Active Directory Graph option is greyed out and not available, because Microsoft recommends using Microsoft Graph APIs for new permission requests. If you still want to add Azure Active Directory Graph permissions, click Add a permission > APIs my organization uses, search for "Windows Azure Active Directory", and grant legacy permissions as per your requirement.

Creating an endpoint management system connector with Microsoft Intune

You must create a Server SSL profile on a BIG-IP system and have access to a Microsoft Intune system.
An endpoint management system on BIG-IP Access Policy Manager (APM) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system on the same BIG-IP system. APM polls devices connected to the configured endpoint management systems.
  1. On the BIG-IP system, on the Main tab, click Access > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens.
  2. Click Create.
    The New endpoint management system screen opens.
  3. In the Name field, type a name for the endpoint management system.
  4. In the Type list, select Microsoft Intune for the endpoint management system.
    The Network location and API Credentials sections display.
  5. From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager.
  6. From the DNS Resolver list, select a previously created DNS Resolver in BIG-IP Local Traffic Manager.
    Create a DNS Resolver the same way you create a Server SSL profile.
  7. In the Update Interval (minutes) field, type a number in minutes that represents how often APM updates the device database.
  8. In the Tenant Id field, type the tenant ID that comes with a Microsoft Intune subscription.
  9. In the Client Id field, type the client ID that becomes available after creating a web application.
  10. In the Client Secret field, type the client secret that becomes available after creating a web application.
  11. Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.

Configuring settings for Intune ID in a certificate based compliance check

When a device is enrolled, Intune pushes a device certificate containing the Intune device ID to the device. The F5 Access client presents this certificate to APM during the SSL handshake, and APM uses the Intune device ID obtained from the certificate to get the compliance status of the device. To support the Intune ID in certificate based compliance check, you need to configure some settings on the BIG-IP system and in the Microsoft Endpoint Manager admin center. The following sections describe the Client SSL profile configurations and the different certificate profiles required on Intune.
The Client SSL profile configuration differs based on where the device ID is located. This allows the BIG-IP system to negotiate secure client connections based on the client's preference. Consider the following use cases:
  1. All devices have the Intune device ID in the device certificate.
  2. Not all devices have the Intune device ID in the device certificate. For example, some devices have the Intune device ID in the device certificate, and others have internal device IDs such as the IMEI or serial number in the VPN profile.

Configuring access policy when all devices have Intune ID in the certificate

Creating a Client SSL profile
This topic describes creating a Client SSL profile when all client devices have the Intune ID in the device certificate. The settings below make the Client SSL profile demand client authentication during the SSL handshake; the client then presents the device certificate containing the Intune ID to APM.
  1. On the BIG-IP system, on the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. From the Parent Profile list, select clientssl.
  4. Using the Certificate Key Chain setting, specify one or more server certificate key chains.
  5. From the Client Certificate list, select require.
  6. From the Trusted Certificate Authorities list, upload the CA cert generated from the certificate authority server. This is used to trust the device certificate sent by the F5 Access client.
  7. Configure all other profile settings as needed.
  8. Click Finished.
You can see the custom Client SSL profile in the list of Client SSL profiles on the system.
Connection diagram
The process flow when Client Certificate is set to require is depicted in this diagram.
Figure: Connection diagram - client certificate set to require
Creating an access policy
An example access policy for this use case is shown below. In this use case, all devices have the device ID in the authentication certificate. With Client Certificate set to require in the Client SSL profile, the BIG-IP virtual server demands a client certificate from all devices.
  • The Managed Endpoint Status action checks for device compliance against the configured Endpoint Management System (EMS).
  • The Advanced Resource Assign action enables the assignment of resources to the access policy.
Figure: Example access policy

Configuring access policy when not all devices have Intune device ID in the device certificate

Creating a Client SSL profile
This topic describes creating a Client SSL profile when not all client devices have the Intune device ID in the device certificate. The use case here is that some devices have the Intune device ID in the device certificate and others have the device ID in the VPN profile. The settings below for the Client SSL profile and the On Demand Cert Auth agent allow APM to renegotiate the SSL connection with the F5 Access client and enforce client authentication during the SSL handshake. This enables APM to receive the device certificate from every device that has an Intune device ID.
  1. On the BIG-IP system, on the Main tab, click Local Traffic > Profiles > SSL > Client.
    The Client profile list screen opens.
  2. Click Create.
    The New Client SSL Profile screen opens.
  3. From the Parent Profile list, select clientssl.
  4. Using the Certificate Key Chain setting, specify one or more server certificate key chains.
  5. From the Client Certificate list, select ignore.
  6. From the Trusted Certificate Authorities list, upload the CA cert generated from the certificate authority server. This is used to trust the device certificate sent by the F5 Access client.
  7. Configure all other profile settings as needed.
  8. Click Finished.
You can see the custom Client SSL profile in the list of Client SSL profiles on the system.
Connection diagram
The process flow when Client Certificate is set to ignore is depicted in this diagram.
Figure: Connection diagram - client certificate set to ignore
Creating an access policy
An example access policy for this use case is shown below. In this use case, the iOS devices have the device ID in the VPN profile, and the Android devices have the device ID in the authentication certificate. With Client Certificate set to ignore in the Client SSL profile, the access policy does not request a client certificate from iOS devices but demands a client certificate from Android devices.
  • The Managed Endpoint Status action checks for device compliance against the configured Endpoint Management System (EMS).
  • The Advanced Resource Assign action enables the assignment of resources to the access policy.
  • Set the On Demand Cert Auth action to Require to override the Client SSL settings and renegotiate the SSL connection with the client. A certificate request is sent to the Android user. After the user provides a valid certificate, the On-Demand Cert Auth agent verifies the value of the session variable session.ssl.cert.valid to determine whether authentication was a success. If the client does not provide a valid certificate, the connection terminates, and the F5 Access client stops responding.
Figure: Example access policy

Configuring the Variable Assign action

Intune device ID identifier in the SAN field in Intune

When you use a custom identifier prefix for the Intune device ID in the Subject alternative name in Intune, you need to create a session variable session.mdm.intune.id_prefix using the Variable Assign agent and assign the custom identifier prefix to it. The agent derives the value of the identifier prefix and assigns it to the session variable session.mdm.intune.id_prefix.
If the value of the identifier prefix in Intune is customIntuneDeviceId://, then the assignment in the Variable Assign action would be session.mdm.intune.id_prefix = customIntuneDeviceId://.
Figure: Session variable assignment in Variable Assign action
Some examples of session variable assignments are as follows:
session.mdm.intune.id_prefix = Text customIntuneDeviceId://
session.mdm.intune.id_prefix = return {customIntuneDeviceId://}
An example access policy with the Variable Assign action is shown below.
Figure: Example access policy
If you use the Microsoft recommended default identifier IntuneDeviceId:// in Intune, then the Variable Assign action is not required in the access policy.

Intune device ID not in the SAN field in Intune

If provided in the SAN field of the certificate, the Intune device ID is available on APM in the session variable session.ssl.cert.x509extension. By default, the MDM agent searches for the Intune device ID in this session variable to query the device status.
Suppose you are not providing the Intune device ID in the SAN field of the certificate but are making it available to APM through other means or in a different session variable. In that case, you can create a session variable session.mdm.intune.id using the Variable Assign agent or an iRule, and assign the extracted Intune device ID value to this session variable.
An example of iRule usage is shown below. Here, the Intune device ID is present in the SAN field and is available in the session variable session.ssl.cert.x509extension. You can extract the Intune device ID from this variable and assign it to session.mdm.intune.id, which is then used to query the device status. Different scenarios can be authored in an iRule using the same logic.
Figure: Session variable assignment in iRule
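The lookup that the two sections above describe, together with the session.ssl.cert.valid check from the On Demand Cert Auth step in the preceding access policy, as an added Python example that is not from the F5 documentation and is not an iRule: it reads the Intune device ID from the SAN URI held in session.ssl.cert.x509extension, honours a custom prefix in session.mdm.intune.id_prefix (default IntuneDeviceId://), and lets an explicitly assigned session.mdm.intune.id take precedence. Assumptions made for the example: the x509extension variable is modelled as an OpenSSL-style text dump of the certificate extensions (the sample below is constructed), session.ssl.cert.valid holds 0 for a successfully validated certificate (the OpenSSL X509_V_OK convention the On Demand Cert Auth branch rule checks), and Intune device IDs are GUIDs, which the code enforces so that a malformed SAN value is never used in a compliance lookup.

```python
import re
from typing import Dict, List, Optional

DEFAULT_ID_PREFIX = "IntuneDeviceId://"   # Microsoft's recommended SAN URI prefix

# Constructed sample of what session.ssl.cert.x509extension is assumed to contain:
# an OpenSSL-style text dump of the client certificate's extensions.
SAMPLE_X509EXTENSION = (
    "X509v3 Subject Alternative Name: \n"
    "    URI:IntuneDeviceId://0f3c9a6e-2b1d-4c8a-9e77-1a2b3c4d5e6f, DNS:device01.example.test\n"
    "X509v3 Key Usage: critical\n"
    "    Digital Signature, Key Encipherment\n"
    "X509v3 Extended Key Usage: \n"
    "    TLS Web Client Authentication"
)

# The SAN block runs from its header up to the next extension header (a line that
# starts in column 0) or the end of the dump.
_SAN_BLOCK = re.compile(r"Subject Alternative Name:\s*(.*?)(?=\n\S|\Z)", re.S)
# Intune device IDs are GUIDs (assumption); anything else is rejected.
_GUID = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def san_uris(x509extension: str) -> List[str]:
    """Return the URI: entries of the SAN block, in order."""
    m = _SAN_BLOCK.search(x509extension)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e[len("URI:"):] for e in entries if e.startswith("URI:")]


def intune_device_id(x509extension: str, id_prefix: str = DEFAULT_ID_PREFIX) -> Optional[str]:
    """Strip the identifier prefix from the first matching SAN URI. The match is exact and
    case-sensitive, because the prefix is configured verbatim in session.mdm.intune.id_prefix."""
    for uri in san_uris(x509extension):
        rest = uri[len(id_prefix):].strip()
        if uri.startswith(id_prefix) and rest:
            return rest
    return None


def resolve_intune_id(session: Dict[str, str]) -> Optional[str]:
    """Pick the Intune device ID the way the access policy does (session values are strings):
    1. an explicit session.mdm.intune.id (set by Variable Assign or an iRule) wins;
    2. otherwise the certificate is used only if On Demand Cert Auth validated it
       (session.ssl.cert.valid == 0), and the ID is read from its SAN URI.
    Returns None when no well-formed ID is available, so the caller fails closed."""
    candidate = session.get("session.mdm.intune.id")
    if not candidate:
        if session.get("session.ssl.cert.valid") != "0":
            return None   # certificate absent or failed validation: do not trust its contents
        prefix = session.get("session.mdm.intune.id_prefix") or DEFAULT_ID_PREFIX
        candidate = intune_device_id(session.get("session.ssl.cert.x509extension", ""), prefix)
    if candidate and _GUID.match(candidate):
        return candidate
    return None
```

The order of checks matters: the certificate's SAN is parsed only after session.ssl.cert.valid says the certificate chained to a trusted CA, so a self-signed certificate carrying someone else's device GUID in its SAN never reaches the compliance query.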

Configuring Trusted certificate profile with Microsoft Intune

You must create a certificate authority (CA) server and have access to a Microsoft Intune system.
Create and deploy a trusted certificate profile before you create a PKCS profile. You must create a separate trusted certificate profile for each device platform you want to support. This topic describes creating a Trusted certificate profile with Microsoft Intune. The profile should be created for devices having device IDs in their authentication certificates.
Refer to the Microsoft documentation Create trusted certificate profiles in Microsoft Intune for latest instructions.
  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Navigate to Devices > Configuration profiles > Create profile.
  3. In Create a profile, specify the following properties:
    1. Platform: Select the platform of the devices that will receive this profile.
    2. Profile type: Select Trusted certificate.
  4. Click Create.
  5. In Basic, specify the following properties:
    1. Name: Enter a descriptive name for the profile.
    2. Description: Enter a description for the profile. This setting is optional.
  6. In Configuration settings, specify the .cer file for the trusted root CA certificate and choose a destination store.
  7. Select Next.
  8. In Assignments, select the users or groups that will receive your profile. This certificate profile should be deployed to the same groups that receive the PKCS certificate profile.
  9. In Review + create, review your settings.
When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Configuring PKCS certificate profile with Microsoft Intune

You must create a certificate authority (CA) server and have access to a Microsoft Intune system.
This topic describes creating a PKCS certificate profile with Microsoft Intune and adding it to an Intune device configuration profile. The profile should be created for devices having device IDs in their authentication certificates.
Refer to the Microsoft documentation Create a PKCS certificate profile for latest instructions.
  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Navigate to Devices > Configuration profiles > Create profile.
  3. In Create a profile, specify the following properties:
    1. Platform: Select the platform of the devices that will receive this profile.
    2. Profile type: Select PKCS certificate.
  4. Click Create.
  5. In Basic, specify the following properties:
    1. Name: Enter a descriptive name for the profile.
    2. Description: Enter a description for the profile. This setting is optional.
  6. In Configuration settings, specify the following properties:
    1. Certificate authority: Enter the fully qualified domain name (FQDN) of your Enterprise CA.
    2. Certificate authority name: Enter the name of your Enterprise CA.
    3. Certificate template: Enter the name of your certificate template.
    4. Certificate type: Select Device.
    5. Root certificate: Select a root CA certificate profile. The Root certificate field is available only for the Android platform; this option is not available for iOS devices.
    6. Subject name format: Enter CN={{AAD_Device_ID}} for iOS or Android devices.
    7. Subject alternative name: For Attribute, select URI and enter the corresponding Value. If you are using the default value IntuneDeviceId://{{DeviceId}}, then the Variable Assign action is not required when creating an access policy in the Visual Policy Editor (VPE). If you are using a custom identifier, then you must add a Variable Assign action to the access policy in the VPE. The {{DeviceId}} in the value field is the Intune device ID. Refer to the Configuring the Variable Assign action section above for details.
  7. Select Next.
  8. In Assignments, select the users or groups that will receive your profile. This certificate profile should be deployed to the same groups that receive the trusted certificate profile.
  9. In Review + create, review your settings.
When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

Configuring SCEP certificate profile with Microsoft Intune

You must create a certificate authority (CA) server and have access to a Microsoft Intune system.
You can create a SCEP certificate profile with Microsoft Intune and assign SCEP certificate profiles to users and devices in Intune.
Refer to the Microsoft documentation Create and assign SCEP certificate profiles in Intune for the latest instructions on creating the certificate profile.

Configuring VPN profile with Microsoft Intune

You must create a certificate authority (CA) server and have access to a Microsoft Intune system.
This topic describes creating a VPN profile with Microsoft Intune. The VPN profiles in Microsoft Intune assign VPN settings to users and devices. The profile should be created for devices having device IDs in their authentication certificates.
Refer to the Microsoft documentation Create VPN profiles to connect to VPN servers in Intune for latest instructions.
  1. Sign in to the Microsoft Endpoint Manager admin center.
  2. Navigate to
    Devices
    Configuration profiles
    Create profile
    .
  3. In
    Create a profile
    , specify the following properties:
    1. Platform
      : Select the platform of the devices that will receive this profile.
    2. Profile type
      : Select
      VPN
      .
  4. Click Create.
  5. In Basic, specify the following properties:
    1. Name: Enter a descriptive name for the profile.
    2. Description: Enter a description for the profile. This setting is optional.
  6. In Configuration settings, specify the following properties:
    1. Connection type: Select F5 Access. For F5 Access for macOS, select Custom VPN.
    2. Connection name: Enter the name of your connection. End users see this name when they browse their device for a list of available VPN connections.
    3. VPN server address: Enter the IP address or fully qualified domain name (FQDN) of the virtual server that devices connect to.
    4. Authentication method: Select Certificates.
    5. Authentication certificate: Select an existing PKCS certificate profile to authenticate the connection.
    6. VPN Identifier: For F5 Access for macOS, enter com.f5.access.macos.
    7. Custom XML: For the F5 Access client on Windows 10 desktop, enter custom XML commands that configure the VPN connection. For example, to prevent F5 Access from prompting for credentials, enter the following:
      <f5-vpn-conf>
        <prompt-for-credentials>false</prompt-for-credentials>
        <client-certificate>
          <issuer>auto-AUTODC-CA</issuer>
        </client-certificate>
        <log-level>debug</log-level>
      </f5-vpn-conf>
  7. Select Next.
  8. In Assignments, select the users or groups that will receive your profile. This profile should be deployed to the same groups that receive the trusted certificate profile.
  9. In Review + create, review your settings.
    When you select Create, your changes are saved and the profile is assigned. The policy is also shown in the profiles list.
  10. To sync changes to the device, navigate to Devices > All devices.
  11. In the list of devices, select the device to sync and get the latest policies and actions from Intune.
  12. In the Overview screen, click Sync.
  13. To confirm, click Yes.

Editing an endpoint management system configuration

You can create an endpoint management system on BIG-IP APM with Airwatch, MaaS360, or Intune, and you can edit it afterwards.
  1. On the BIG-IP system, on the Main tab, click Access > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens with a list of endpoint management systems.
  2. In the Name column, click the name of the endpoint management system you want to edit.
    The properties screen for that endpoint management system opens.
  3. Edit one or more fields.
    The status of the endpoint management system updates during each sync interval. If you edit the Username, FQDN, or Port fields, the Status field displays the same status as the actual configuration status. If you edit other property fields, the Status field might differ from the actual configuration status. The correct status appears when the next sync interval begins.
  4. Click Update.
You have updated an endpoint management system.

Create an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).
    The Access Profiles (Per-Session Policies) screen displays.
  2. Click Create.
    The New Profile screen displays.
  3. In the Name field, type a unique name for the access profile.
  4. From the Profile Type list, select one of these options:
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • LTM-APM: Select for a web access management configuration.
    • OAuth-Resource Server: For configuring APM to act as an OAuth resource server that provides an OAuth authorization layer in front of an API gateway.
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO). No access policy is associated with this type of access profile.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide an identity service for a supported integration. Only APM creates this type of profile. You can edit Identity Service profile properties.
    Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. From the Profile Scope list, select one of these options to define user scope:
    • Profile: Access to resources behind the profile.
    • Virtual Server: Access to resources behind the virtual server.
    • Global: Access to resources behind any access profile with global scope.
    • Named: Access for SSL Orchestrator users to resources behind any access profile with global scope.
    • Public: Access to resources behind the same access profile once the Named scope has established the session; the check is based on the value and string configured in the Named scope field.
  6. For the Customization Type, use the default value Modern.
  7. In the Language Settings area, add and remove accepted languages, and set the default language.
    If the browser language does not match any language in the accepted languages list, the browser uses the default language.
  8. Click Finished.
The access profile displays in the Access Profiles List. Default-log-setting is assigned to the access profile.

Configuring an access policy to include endpoint management integration

You can configure an access policy to perform compliance checks for connected devices. The Managed Endpoint Status action determines whether APM recognizes a device with a device ID. The Managed Endpoint Notification action sends a push notification message to a device. You can create access policy checks using session variables and device posture information to allow or deny access.
  1. On the Main tab, click Access > Profiles / Policies > Access Profiles (Per-Session Policies).
    The Access Profiles (Per-Session Policies) screen displays.
  2. In the Access Policy column, click the Edit link for the endpoint management type access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Add a Managed Endpoint Status action:
    1. From the Endpoint Security (Server-Side) list, select Managed Endpoint Status and click Add Item.
      A popup Properties screen opens.
    2. In the Name field, type a name for the access policy action.
    3. For the Endpoint Management System, select the endpoint management system that you previously created.
    4. Click Save.
    The visual policy editor screen displays.
  5. In both the compliant branch and the not compliant branch of the Managed Device Status action, click the (+) icon anywhere in the access policy to add a new action item.
    For example, as shown in the Access policy with endpoint management integration image below, the Managed Device Status action performs the compliance checks on the device before allowing network access and sends notification messages to a non-compliant device.
  6. To add a Managed Endpoint Notification action, perform the following steps:
    1. From the Endpoint Security (Server-Side) list, select Managed Endpoint Notification.
      A popup Properties screen opens.
    2. In the Name field, type a name for the access policy action.
    3. From the endpoint management system list, select the endpoint management system that you previously created.
      The Intune endpoint management system does not support the Endpoint Notification agent.
    4. In the Message field, type the message that is displayed on the device.
    5. Click Save.
    The visual policy editor screen displays.
You now have an access policy that provides endpoint management integration with VPN access.
Figure: Example of an access policy with endpoint management integration (access policy with Managed Device Status for Edge Client and Managed Device Notification).

Creating a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click Create.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Configuration list, select Advanced.
  5. In the Destination Address field, type the IP address for the virtual server.
    When you type the IP address for a single host, it is not necessary to append a prefix to the address.
  6. In the Service Port field, type the port number.
  7. From the SSL Profile (Client) list, select clientssl.
  8. From the Source Address Translation list, select Auto Map.
  9. Click Finished.
  10. From the Access Profile list, select the access profile that you previously created.
  11. From the Connectivity Profile list, select the connectivity profile that you previously created.
Your access policy is now associated with the newly created virtual server.