Manual Chapter : Configuring Per-App VPN with APM and F5 Access

Applies To:

Show Versions Show Versions


  • 15.0.0, 14.1.0, 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 12.1.2, 12.1.1, 12.1.0, 11.6.3, 11.5.7, 11.5.1
Manual Chapter

Configuring Per-App VPN with APM and F5 Access

What is per-app VPN?

With Android 5.0, Google enhanced their VPN framework to support application level layer-3 tunneling. Users must first connect with F5 Access manually, then start the app on the device with traffic that is required to go through the VPN tunnel. Admin users can configure a list of allowed apps or disallowed apps; traffic from the "allowed apps" list are able to pass through the VPN tunnel while traffic from the "disallowed apps" list are unable to pass through. Use the allowed apps or disallowed apps URL scheme parameters if the device is not a managed device using a Mobile Device Manager (MDM) solution.

Users can have multiple configurations, but can choose only one at a time. Per-app VPN gives IT granular control over corporate network access, and ensures that data transmitted by managed apps travels only through a separate VPN tunnel and are isolated in the workspace. Meanwhile, other data, like an employee's personal web browsing activity, does not use the VPN. Per-app VPN also works with the mobile browser on a per-app basis on Android 5.0 and later versions. Users with Android for Work should use the same configuration as per-app VPN with Android F5 Access.

A per-app VPN configuration requires four configuration components.

  • A device under MDM management.
  • A managed app installed on the device, or the mobile browser.
  • F5 Access for Android installed on the managed device. For Android for Work, F5 Access should be installed within the Android for Work container.
  • A related F5 Access configuration (VPN). This is configured with an MDM command that associates the app with an F5 Access configuration.
Note: Per-app VPN is currently not supported for Android apps on Chrome OS.