Manual Chapter: F5 Access Apps
Applies To:
BIG-IP APM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Overview: Configuring APM for F5 Access Apps
F5 Access for Android, F5 Access for iOS, F5 Access for Chrome OS, and F5
Access for macOS enable secure network access for supported mobile clients. Previously, the
Android and iOS products were called BIG-IP Edge Client® for Android and BIG-IP Edge Client for iOS.
For the clients to connect, you need a Network Access configuration on BIG-IP Access Policy
Manager. The Network Access Wizard creates a Network Access configuration with authentication, an
access policy, and a virtual server with connectivity and access profiles.
You might need to update the connectivity profile or the network access resource to complete
the configuration on APM®. Optionally, you can also configure SSO and ACLs,
and add items to the access policy to enable SSO and enforce ACLs.
Running the Network Access Setup wizard
Your DNS server must be configured to resolve internal addresses with DNS.
Configure Access Policy Manager to provide users
with full network access when they use F5 Access for iOS or F5 Access for Android.
You must specify either the DNS Default Domain Suffix or the
DNS Address Space in the Network Access configuration. Otherwise, the system cannot
resolve internal DNS addresses.
- On the Main tab, click. The Device Wizards screen opens.
- Select Network Access Setup Wizard for Remote Access, and then click Next. Follow the instructions in the wizard to create your access policy and virtual server.
- To ensure that the apps can connect from supported mobile devices, for Client Side Checks, clear the Enable Antivirus Check in Access Policy check box. Follow the instructions in the wizard to create your access policy and virtual server.
- To specify the DNS Address Space setting, on the Network Access screen perform these substeps:
  - From Traffic Options, select Force Use split tunneling for traffic. Additional settings display.
  - In the DNS Address Space setting, for each address space, type the address in the form site.siterequest.com or *.siterequest.com, and click Add.
- On the DNS Hosts screen, you can type a value in the DNS Default Domain Suffix field.
- After you complete the wizard screens and create the configuration, on the Setup Summary screen click Finished.
You now have a network access configuration
that supports F5 Access apps for mobile devices. All configuration object names are
prefixed with the policy name that you entered in the wizard.
Configuring a connectivity profile for F5 Access for iOS
A connectivity profile automatically contains
default settings for F5 Access for iOS. You should configure the connectivity profile
settings to fit your needs.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- From Mobile Client Settings in the left pane, select iOS Edge Client. Settings for the iOS Edge Client display in the right pane.
- To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box. The additional fields in the area become available.
- To enable device authentication on the client, select Require Device Authentication. This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
- For Save Password Method, specify how to perform password caching:
  - To allow the user to save the encrypted password on the device without a time limit, select disk.
  - To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
  If you select memory, the Password Cache Expiration (minutes) field becomes available.
- If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
- In the On Demand Disconnect Timeout (minutes) field, retain the default 2, or type a different number of minutes before VPN on demand times out.
- To force the app to use a selected logon mode and prevent users from changing it:
  - Select the Enforce Logon Mode check box.
  - From the Logon Method list, select web or native.
  This feature is supported with F5 Access for iOS and F5 Access for Android.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings
for F5 Access for iOS.
To provide functionality with a connectivity profile, you must add the connectivity profile and an access profile to a virtual server.
Configuring a connectivity profile for F5 Access for Android
A connectivity profile automatically contains
settings for F5 Access for Android. You should configure the settings to fit your
situation.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- From Mobile Client Settings in the left pane, select Android Edge Client. Settings for the Android Edge Client display in the right pane.
- To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box. The additional fields in the area become available.
- To enable device authentication on the client, select Require Device Authentication. This option links the option to use a saved password to a device authentication method. Supported device authentication methods include PIN, passphrase, and biometric (fingerprint) authentication on iOS and Android. Android devices also support pattern unlocking.
- For Save Password Method, specify how to perform password caching:
  - To allow the user to save the encrypted password on the device without a time limit, select disk.
  - To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
  If you select memory, the Password Cache Expiration (minutes) field becomes available.
- If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
- To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box). This check box is selected by default. Edge Portal and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
- For Device Lock Method, select the specific device locking method. Default is numeric. Available options are alphabetic, alphanumeric, any, and numeric. The following rules are applicable for the selected device locking method:
  - alphabetic: Password should contain alphabets only.
  - alphanumeric: Password should contain the combination of alphabets and numbers.
  - any: Password can include both alphabets and numbers without any restriction.
  - numeric: Password should contain numerical PIN only.
- For Minimum Passcode Length, retain the default 4, or type a different passcode length.
- For Device Lock Complexity, select the specific device locking complexity type. This option allows you to configure new password policies for devices running Android 10 or higher and using F5 Access 3.0.8 or later. You can continue to use the older method that enforced device lock on devices running on Android 9 and lower.
  These device lock complexity criteria are controlled by, and subject to change by, Google and Android. Refer to Android New Password Complexity for updates.
  Available options in the Device Lock Complexity option are high, low, medium, and none. The following password rules are applicable for the selected device lock complexity:
  - high: Password should meet one of the following rules:
    - alphabetic: Minimum length of six characters.
    - alphanumeric: Minimum length of six characters.
    - numeric: Minimum length of eight characters without repetition or ordered sequences.
  - medium: Password should meet one of the following rules:
    - alphabetic: Minimum length of four characters.
    - alphanumeric: Minimum length of four characters.
    - numeric: Minimum length of four characters without repetition or ordered sequences.
  - low: Password can be a Pattern or a PIN with repeating numbers or ordered sequences.
  - none: Password is not required.
  You cannot enforce the presence of alphabets in device locks. This limitation is from Android, as none of the device complexity levels (None, Low, Medium, or High) enforces the use of alphabets. For details, refer to the Android New Password Complexity.

  The following table displays the password policy features supported with BIG-IP and Android device versions:

  BIG-IP Version: Upcoming BIG-IP maintenance releases having the Device Lock Complexity option
  F5 Access Android Version: 3.0.8 or above
  Android OS Version: 10 or later
  Behavior and Password Policy Features: The following password policy features are supported:
  - Max. Inactivity Time (minutes)
  - Device Lock Complexity

  BIG-IP Version: For all BIG-IP versions except versions specified in the first row
  F5 Access Android Version: 3.0.8 or above
  Android OS Version: 10 or later
  Behavior and Password Policy Features: The following password policy features are supported for BIG-IP releases not having the Device Lock Complexity option:
  - Max. Inactivity Time (minutes)
  Medium by default.
  - Users having their device lock less than four digits (not meeting the medium complexity criteria) are asked to update their device password.
  - For users having their device lock more complex than medium, the administrator cannot enforce the device lock password length to be more than four digits. Users can, however, still set up their passwords with a length of more than four digits. This issue is resolved by upgrading the BIG-IP system to versions having the Device Lock Complexity option and setting the Device Lock Complexity to High.

  BIG-IP Version: For all BIG-IP versions
  F5 Access Android Version: 3.0.8 or above
  Android OS Version: 9 or below
  Behavior and Password Policy Features: The behavior remains the same as before, with the following password policy features supported:
  - Device Lock Method
  - Min. Passcode Length
  - Max. Inactivity Time (minutes)

  BIG-IP Version: For all BIG-IP versions
  F5 Access Android Version: 3.0.7 or below
  Android OS Version: All
  Behavior and Password Policy Features: The following password policy features are supported:
  - Device Lock Method
  - Min. Passcode Length
  - Max. Inactivity Time (minutes)
- For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.
- To force the app to use a selected logon mode and prevent users from changing it:
  - Select the Enforce Logon Mode check box.
  - From the Logon Method list, select web or native.
  This feature is supported with F5 Access for iOS and F5 Access for Android.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings
for F5 Access for Android.
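The Device Lock Complexity rules in the procedure above, written as a checker that reports which level a given passcode reaches. This is an added example, not F5 or Android code: the function names are hypothetical, and it assumes that "repetition or ordered sequences" means a run of four or more digits with a constant step (4444, 1234, 2468), that passcodes contain only ASCII letters and digits, and that any non-empty passcode below medium counts as low.

```python
import string

LEVELS = ["none", "low", "medium", "high"]  # weakest to strongest
SEQ_LIMIT = 4  # assumption: a constant-step run of 4+ digits is a "sequence"
ALLOWED = set(string.ascii_letters + string.digits)


def longest_constant_step_run(digits: str) -> int:
    """Longest run in which consecutive digits differ by the same step.

    Step 0 is repetition (4444); a non-zero step is an ordered
    sequence (1234, 4321, 2468).
    """
    if len(digits) < 2:
        return len(digits)
    best, run, prev_step = 2, 1, None
    for a, b in zip(digits, digits[1:]):
        step = int(b) - int(a)
        run = run + 1 if step == prev_step else 2
        prev_step = step
        best = max(best, run)
    return best


def passcode_kind(passcode: str) -> str:
    """Return 'numeric', 'alphabetic' or 'alphanumeric' (the page's three kinds)."""
    if not passcode or not set(passcode) <= ALLOWED:
        raise ValueError("only non-empty ASCII letter/digit passcodes are modelled")
    if passcode.isdigit():
        return "numeric"
    return "alphabetic" if passcode.isalpha() else "alphanumeric"


def complexity(passcode: str) -> str:
    """Highest Device Lock Complexity level the passcode satisfies."""
    if not passcode:
        return "none"  # no device lock set
    if passcode_kind(passcode) == "numeric":
        # A PIN with repetition or an ordered sequence never rises above low.
        if longest_constant_step_run(passcode) >= SEQ_LIMIT:
            return "low"
        high_len, medium_len = 8, 4
    else:
        high_len, medium_len = 6, 4
    if len(passcode) >= high_len:
        return "high"
    if len(passcode) >= medium_len:
        return "medium"
    return "low"  # assumption: any shorter passcode still counts as low


def meets(passcode: str, required: str) -> bool:
    """True if the passcode satisfies the level configured in the profile."""
    return LEVELS.index(complexity(passcode)) >= LEVELS.index(required)


if __name__ == "__main__":
    # Constructed sample passcodes, not taken from any real device.
    for sample in ["", "4444", "2468", "1397", "19283746", "abcd", "ab12cd"]:
        print(f"{sample!r:12} -> {complexity(sample)}")
    # A digits-only PIN can reach "high", so no level forces letters.
    print(meets("19283746", "high"))
```

The last call shows the limitation the page notes: an eight-digit PIN with no repetition or sequence satisfies high, so no complexity level can require letters.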
Configuring a connectivity profile for F5 Access for Chrome OS
A connectivity profile automatically contains
default settings for F5 Access for Chrome. You should configure the connectivity profile
settings to fit your needs.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- Click F5 Access for Chrome OS in the left pane. Settings for the F5 Access for Chrome OS display in the right pane.
- To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box. The additional fields in the area become available.
- For Save Password Method, specify how to perform password caching:
  - To allow the user to save the encrypted password on the device without a time limit, select disk.
  - To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
  If you select memory, the Password Cache Expiration (minutes) field becomes available.
- If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
- To force the app to use a selected logon mode and prevent users from changing it:
  - Select the Enforce Logon Mode check box.
  - From the Logon Method list, select web or native. Password caching is supported only with Native logon mode. In Web authentication mode, the user is prompted to enter the username and password on the web page.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings
for F5 Access for Chrome.
To provide functionality with a connectivity
profile, you must add the connectivity profile and an access profile to a virtual
server.
Configuring a connectivity profile for F5 Access for macOS
A connectivity profile automatically contains
default settings for F5 Access for macOS. You should configure the connectivity profile
settings to fit your needs.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- Click F5 Access for Mac OS in the left pane. Settings for the F5 Access for macOS display in the right pane.
- To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box. The additional fields in the area become available.
- For Save Password Method, specify how to perform password caching:
  - To allow the user to save the encrypted password on the device without a time limit, select disk.
  - To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
  If you select memory, the Password Cache Expiration (minutes) field becomes available.
- If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
- To force the app to use a selected logon mode and prevent users from changing it:
  - Select the Enforce Logon Mode check box.
  - From the Logon Method list, select web or native. Password caching is supported only with Native logon mode. In Web authentication mode, the user is prompted to enter the username and password on the web page.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings
for F5 Access for macOS.
To provide functionality with a connectivity
profile, you must add the connectivity profile and an access profile to a virtual
server.
Overview: Configuring APM for Edge Portal Mobile Apps
BIG-IP Edge Portal® for Android and BIG-IP Edge Portal for iOS streamline access to
portal access web sites and applications that reside behind BIG-IP Access Policy Manager (APM®). To support the clients, you need a Portal Access
configuration on APM. The Portal Access Wizard creates a configuration with authentication, an
access policy, and a virtual server with connectivity and access profiles.
You might need to update the connectivity profile or the access policy to complete the
configuration on APM.
Running the Portal Access wizard
Run the Portal Access Setup Wizard to quickly set up an access policy and a virtual
server for your users.
- On the Main tab, click. The Device Wizards screen opens.
- Select Portal Access Setup Wizard and click Next.
- On the Basic Properties screen in the Policy Name field, type a name for the access policy. The name you type here prepends the name of the objects (for example, the virtual server) that the wizard creates for this configuration.
- To ensure that the apps can connect from supported mobile devices, for Client Side Checks, clear the Enable Antivirus Check in Access Policy check box. Follow the instructions in the wizard to create your access policy and virtual server.
- Click Finished.
You have created the configuration objects that are required for a Portal Access
configuration to support BIG-IP Edge Portal mobile apps.
Configuring an access policy to support Edge Portal app
Configure an access policy to process access
correctly for various client types, including the Edge Portal app.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen displays.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click Add New Macro.
- In Select macro template, select Client Classification and Prelogon checks from the drop-down list. The macro inserts an antivirus check for those clients that can support it, and provides the appropriate terminal for each type of client.
- Click Save.
- Click the plus [+] sign that appears before the Logon Page action.
- In the Macrocalls area, click the Client Classification and Prelogon checks button.
- Click Add item. The Client Classification and Prelogon checks action appears in the access policy sequence.
- Click the underlined word Deny in the ending field.
- In the Select Ending area, click Allow.
- Click Save.
Assigning ACLs to your access policy
Assign ACLs to limit access to resources.
- On the Main tab, click. The Access Profiles (Per-Session Policies) screen displays.
- In the Per-Session Policy column, click the Edit link for the access profile you want to configure. The visual policy editor opens the access policy in a separate screen.
- Click the Resource Assign agent in the access policy branch. The Properties screen opens.
- Click the Add/Delete Resources link. A popup screen with a tab for each resource type displays.
- Select the tab, select the ACLs to add to the access policy, and click Update when finished.
- Click Apply Access Policy.
Disabling the Home Tab
Disabling the Home Tab ensures that the BIG-IP Edge Portal app renders properly.
The Home Tab property exists for each portal access resource item.
- On the Main tab, click. The Portal Access List screen opens.
- Click the name of a resource item for the portal access resource that you created. The properties screen for that resource item opens.
- In the Resource Items Properties area, select Advanced and for Home Tab, make sure the Enabled check box is cleared.
- Click Update.
Repeat this task for each portal access resource item.
Configuring a connectivity profile for Edge Portal for Android
A connectivity profile automatically contains
settings for BIG-IP Edge Portal for Android clients. You should configure the settings
to fit your situation.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- From Mobile Client Settings in the left pane, select Android Edge Portal. Settings for the Android Edge Portal display in the right pane.
- To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box. The additional fields in the area become available.
- For Save Password Method, specify how to perform password caching:
  - To allow the user to save the encrypted password on the device without a time limit, select disk.
  - To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
  If you select memory, the Password Cache Expiration (minutes) field becomes available.
- If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
- To enhance security on the client, retain the selection of the Enforce Device Lock check box (or clear the check box). This check box is selected by default. Edge Portal and Edge Client support password locking, but do not support pattern locking. If you clear this check box, the remaining settings in the area become unavailable.
- For Device Lock Method, select the specific device locking method. Default is numeric. Available options are alphabetic, alphanumeric, any, and numeric. The following rules are applicable for the selected device locking method:
  - alphabetic: Password should contain alphabets only.
  - alphanumeric: Password should contain the combination of alphabets and numbers.
  - any: Password can include both alphabets and numbers without any restriction.
  - numeric: Password should contain numerical PIN only.
- For Minimum Passcode Length, retain the default 4, or type a different passcode length.
- For Maximum Inactivity Time (minutes), retain the default 5, or type a different number of minutes.
- To force the app to use a selected logon mode and prevent users from changing it:
  - Select the Enforce Logon Mode check box.
  - From the Logon Method list, select web or native.
  This feature is supported with F5 Access for iOS and F5 Access for Android.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Portal for Android
clients.
Configuring connectivity profiles for Edge Portal for iOS
A connectivity profile automatically contains
settings for BIG-IP Edge Portal for iOS. You should configure the settings to fit your
situation.
- On the Main tab, click. A list of connectivity profiles displays.
- Select the connectivity profile that you want to update and click Edit Profile. The Edit Connectivity Profile popup screen opens and displays General Settings.
- From Mobile Client Settings in the left pane, select iOS Edge Portal. Settings for the iOS Edge Portal display in the right pane.
- To enable users to save their passwords for reconnection purposes within a specified time period, select the Allow Password Caching check box. The additional fields in the area become available.
- For Save Password Method, specify how to perform password caching:
  - To allow the user to save the encrypted password on the device without a time limit, select disk.
  - To specify that the user password is cached in the application on the user's device for a configurable period of time, select memory.
  If you select memory, the Password Cache Expiration (minutes) field becomes available.
- If the Password Cache Expiration (minutes) field displays, type the number of minutes you want the password to be cached in memory.
- Specify security by keeping Enforce PIN Lock set to Yes. Edge Portal supports PIN locking, but does not support pattern locking.
- For Maximum Grace Period (minutes), retain the default 2, or type a different number of minutes.
- To force the app to use a selected logon mode and prevent users from changing it:
  - Select the Enforce Logon Mode check box.
  - From the Logon Method list, select web or native.
  This feature is supported with F5 Access for iOS and F5 Access for Android.
- Click OK. The popup screen closes, and the Connectivity Profile List displays.
You have now configured the security settings for BIG-IP Edge Portal for iOS.