Applies To: 14.0.0, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.3, 11.6.3, 11.5.7
Additional Access Policy Manager Configuration Information
F5 Access for iOS session variables
The following table lists the session variables and their attributes.

| Session variable | Description |
|---|---|
| session.client.type | Indicates the client type, for example Standalone. |
| session.client.platform | Indicates the platform type, such as iOS. |
| session.client.app_id | The app ID for the client. For F5 Access for iOS this is com.f5.Edge-Client. |
| session.client.app_version | The app version for the client. For F5 Access 2018 this is 3.0.0. |
| session.user.agent | Indicates the browser, device type, and operating system version of the client, as well as the version of F5 Access. |
| session.client.model | Indicates the model name of the mobile device, for example iPhone. |
| session.client.platform_version | Indicates the platform version of the mobile device, for example 11.1. |
| session.client.jailbreak | Indicates the jailbreak status of the device. 0 indicates the device is not jailbroken, 1 indicates the device is jailbroken, and an empty value indicates that the status of the device is unknown. |
| session.client.biometric_fingerprint | Indicates whether the device supports biometric fingerprint authentication. 1 indicates that a fingerprint is configured; 0 indicates that a fingerprint is not configured or that the device does not support fingerprint authentication. |
| session.client.vpn_scope | Indicates the scope of the VPN tunnel. The value is device for a device-wide VPN connection and per-app for a per-app VPN. |
| session.client.vpn_tunnel_type | Indicates the type of VPN tunnel. For F5 Access for iOS, this is L3. |
| session.client.vpn_start_type | Indicates how the VPN connection was initiated. |
| session.client.version | Indicates the client protocol version. For iOS, the value is always 2.0. |
| session.client.device_passcode_set | Indicates whether the user has a device unlock passcode, PIN, or biometric authentication configured. The value is 1 if a device lock is configured and 0 if it is not. |
| session.client.browscap_info | Specifies the browser information presented, for example uimode=7&ctype=Standalone&cversion=2.0&cjs=0&cactivex=0&cplugin=0&cplatform=iOS&cpu=ARM |
| session.client.hostname | The device host name (for example, SandysiPhone). |
| session.client.js | Indicates whether the device used Web Logon mode to log on. The value is 1 if Web Logon mode was used and 0 if it was not. |
| session.client.mdm_device_unique_id, session.client.unique_id | This value is provided by an MDM in the MdmDeviceUniqueId or UDID attribute. If both attributes are provided, MdmDeviceUniqueId takes preference. If neither is provided, these session variables are not present; if either is provided, both session variables are present. An example value is RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR. |
| session.client.mdm_assigned_id | This value is provided by the MDM in the MdmAssignedId attribute. If this attribute is not provided, the session variable is not present. |
| session.client.mdm_instance_id | This value is provided by the MDM in the MdmInstanceId attribute. If this attribute is not provided, the session variable is not present. |
| session.client.mdm_device_wifi_mac_address | This value is provided by the MDM in the MdmDeviceWifiMacAddress or WiFiMAC attribute. If both attributes are provided, MdmDeviceWifiMacAddress takes preference. If neither attribute is provided, the session variable is not present. |
| session.client.mdm_device_serial_number | This value is provided by the MDM in the MdmDeviceSerialNumber or SerialNumber attribute. If both attributes are provided, MdmDeviceSerialNumber takes preference. If neither attribute is provided, the session variable is not present. |
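The precedence rules for the MDM-supplied variables and the three-valued jailbreak status are easy to get wrong in a policy. The following is an added example, not F5 code, that derives the MDM session variables from a payload according to the rules in the table and then evaluates an illustrative posture policy over the result. The MDM payload format (a flat dict of attribute name to string) and the allow/deny rules are this example's assumptions, not anything the page specifies.

```python
"""Added example, not F5 code: derive APM session variables from the
attributes an MDM supplies, following the precedence rules in the table
above, then evaluate an illustrative posture policy over the result.

Assumptions (not from the page): the MDM payload is a plain dict of
attribute name -> string, and the allow/deny rules are this example's own.
"""
from urllib.parse import parse_qs

# Each session variable with the MDM attributes that may populate it, in
# order of preference: the first attribute present wins.
MDM_ATTRIBUTE_MAP = [
    ("session.client.mdm_device_unique_id", ("MdmDeviceUniqueId", "UDID")),
    ("session.client.mdm_assigned_id", ("MdmAssignedId",)),
    ("session.client.mdm_instance_id", ("MdmInstanceId",)),
    ("session.client.mdm_device_wifi_mac_address", ("MdmDeviceWifiMacAddress", "WiFiMAC")),
    ("session.client.mdm_device_serial_number", ("MdmDeviceSerialNumber", "SerialNumber")),
]


def mdm_session_vars(mdm_attrs):
    """Return the session variables an MDM payload yields. An attribute the
    MDM did not send produces no variable at all, not an empty string."""
    session = {}
    for var, candidates in MDM_ATTRIBUTE_MAP:
        for attr in candidates:
            if attr in mdm_attrs:
                session[var] = mdm_attrs[attr]
                break
    # unique_id mirrors mdm_device_unique_id whenever either source attribute is present.
    if "session.client.mdm_device_unique_id" in session:
        session["session.client.unique_id"] = session["session.client.mdm_device_unique_id"]
    return session


def parse_browscap(browscap_info):
    """Split session.client.browscap_info (k=v&k=v) into a dict."""
    return {k: v[0] for k, v in parse_qs(browscap_info, keep_blank_values=True).items()}


def evaluate_policy(session):
    """Illustrative branch logic; returns (branch, reason).

    The empty jailbreak value is deliberately its own branch: the client
    could not determine the status, which is not the same as "not jailbroken".
    """
    jailbreak = session.get("session.client.jailbreak", "")
    if jailbreak == "1":
        return ("deny", "device reports jailbroken")
    if jailbreak == "":
        return ("fallback", "jailbreak status unknown")
    if session.get("session.client.device_passcode_set") != "1":
        return ("deny", "no device lock configured")
    if (session.get("session.client.vpn_scope") == "device"
            and "session.client.mdm_device_unique_id" not in session):
        return ("deny", "device-wide VPN requires an MDM-enrolled device")
    return ("allow", "posture checks passed")


# Constructed sample: an MDM payload and the client-reported variables.
SAMPLE_MDM = {"UDID": "EXAMPLEUDID0001", "MdmDeviceUniqueId": "EXAMPLEMDMID0001",
              "SerialNumber": "EXAMPLESERIAL01"}
SAMPLE_CLIENT = {
    "session.client.type": "Standalone",
    "session.client.platform": "iOS",
    "session.client.jailbreak": "0",
    "session.client.device_passcode_set": "1",
    "session.client.vpn_scope": "device",
    "session.client.browscap_info": "uimode=7&ctype=Standalone&cversion=2.0&cjs=0"
                                    "&cactivex=0&cplugin=0&cplatform=iOS&cpu=ARM",
}


def sample_decision():
    """Merge client-reported and MDM-derived variables and evaluate them."""
    session = {**SAMPLE_CLIENT, **mdm_session_vars(SAMPLE_MDM)}
    return evaluate_policy(session)


if __name__ == "__main__":
    print(sample_decision())
```

The point of the separate fallback branch is that an absent or empty jailbreak value must never be read as "0": a policy that tests only for "1" silently allows a device whose client could not report its status.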
Access Policy Manager configuration tips
The following table provides tips for setting up F5 Access for devices.

| Setting | Tip |
|---|---|
| Client endpoint checks | Client endpoint checks are not currently supported. |
| Require Device Authentication | For devices with iOS 9 or later, F5 Access can require device authentication with one of the device locking methods, including biometric authentication (Touch ID), a PIN, or a passphrase. To enable device authentication for F5 Access, in the Connectivity Profile under iOS Edge Client, enable the options Allow Password Caching and Require Device Authentication. |
| Password caching policy | |
| Enforce Logon Mode | You can enforce the logon mode for the iOS client. In the Connectivity Profile, select iOS Edge Client, and click Enforce Logon Mode. Select Native or Web and click OK. The logon mode is enforced for all clients that use the connectivity profile. |
| Client certificates | Client certificate authentication is supported, either with a certificate alone or with a certificate secured with a user name and password. However, client certificates can be installed only by an MDM with a profile, or with a .mobileconfig file. |
| On-Demand Cert Auth | If used, the On-Demand Cert Auth action must be placed after other authentication actions in the access policy. |
About starting the client from a URL scheme
You can start F5 Access connections for users from a URL. You can then provide these URLs to users, so they can start the VPN connection without having to manually start the application. If there is already an active connection, a prompt appears to warn the user that the existing connection must be stopped before the new connection can start. The connection uses a client certificate if it is specified in the existing configuration.
URL connections use the following parameters. The values shown in this section are examples; you must supply your own parameter values.
The parameters for starting a connection from a URL are as follows.
- start: Starts a connection. The start command requires either the name or the server parameter to be present in the URL. If the name parameter is specified, F5 Access looks for the name in the list of existing configuration entries. If the server parameter is specified, the name parameter is set to the same value as the server parameter. A new configuration is created if a configuration with that name does not exist. If the specified configuration already exists, the other parameters specified in the URL are merged with the existing configuration. The merged configuration is used only for the current, active connection and does not persist. If a name is specified together with other parameters, such as server, username, or password, those parameters override what is specified in the configuration.
- username: A parameter used to specify the user name with which to start the connection. When the username is specified without a password, an authentication prompt is displayed.
- password: A parameter used to specify the password with which to start the connection. When the password parameter is specified, it is used as a one-time password and is not saved in the configuration.
- postlaunch_url: A parameter used to specify the URL that is opened after the connection starts.
- logon_mode: An optional parameter that specifies whether the logon mode is the standard logon (native) or web logon (web). The default logon mode is native.
Examples of starting a client from a URL
The following examples illustrate how to start F5 Access connections for users from a URL.
Connecting to an existing configuration called MYVPN: f5access://start?name=MYVPN
Connecting to an existing configuration called MYVPN and including the server URL myvpn.siterequest.com: f5access://start?name=MYVPN&server=myvpn.siterequest.com
Connecting to a specific server called myvpn.siterequest.com: f5access://start?server=myvpn.siterequest.com
Connecting to a specific server called myvpn.siterequest.com with web logon enabled: f5access://start?server=myvpn.siterequest.com&logon_mode=web
Connecting to an existing configuration called MYVPN and including the username smith and the password passw0rd: f5access://start?name=MYVPN&username=smith&password=passw0rd
Starting a connection to a configuration called MYVPN and specifying the post-launch URL jump://?host=10.10.1.10&username=smith: f5access://start?name=MYVPN&postlaunch_url=jump%3A%2F%2F%3Fhost%3D10.10.1.10%26username%3Dsmith
Stopping a connection: f5access://stop
About defining a server from a URL
You can add BIG-IP® server definitions to F5 Access from a URL. You can provide these URLs to users, so they can create and/or start VPN connections without having to manually start the application.
Use the following parameters to define a server from a URL; the examples that follow show the full syntax.
- The server address, either a DNS name or an IP address.
- An optional description of the server.
- An optional parameter used to specify the user name with which to start the connection. When the username is specified without a password, an authentication prompt is displayed. If no username is specified during server creation, the user is prompted for it at session initiation, if required.
- An optional parameter used to specify the password with which to start the server connection. When the password parameter is specified, it is used as a one-time password and is not saved in the configuration.
- An optional parameter that specifies whether the logon mode is the standard logon (native) or web logon (web). The default logon mode is native.
- An optional, comma-separated list of match patterns for the Never Connect domain list, for iOS devices only.
- An optional, comma-separated list of match patterns for the Connect If Needed domain list, for iOS devices only.
Examples of defining a server from a URL
The following examples illustrate how to define servers for F5 Access connections from a URL.
Create a server at edgeportal.siterequest.com: f5access://create?server=edgeportal.siterequest.com
Create a server named EdgePortal with the server URL edgeportal.siterequest.com: f5access://create?name=EdgePortal&server=edgeportal.siterequest.com
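Both the start URLs and the create URLs above share one shape, and the one detail that regularly breaks in practice is the percent-encoding of a nested post-launch URL. The following is an added example, not F5 code, that builds and parses f5access:// URLs for the start, create, and stop actions. The action and parameter names (name, server, username, password, postlaunch_url, logon_mode) are taken from the examples on this page; the validation rules and the duplicate-parameter check are this example's own reading of the text, not F5 Access's actual parser.

```python
"""Added example, not F5 code: build and parse f5access:// URLs of the kind
shown in the start and create examples above. The action and parameter
names (start, create, stop, name, server, username, password,
postlaunch_url, logon_mode) are taken from the page's examples; the
validation rules are this example's reading of the text, not F5's parser.
"""
from urllib.parse import parse_qs, quote, urlencode, urlsplit

SCHEME = "f5access"
ACTIONS = {"start", "create", "stop"}
LOGON_MODES = {"native", "web"}


def build_url(action, **params):
    """Assemble f5access://<action>?k=v&... with every value percent-encoded,
    so a nested URL in postlaunch_url travels as one parameter."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if action == "stop":
        if params:
            raise ValueError("stop takes no parameters")
        return f"{SCHEME}://stop"
    if not (params.get("name") or params.get("server")):
        raise ValueError(f"{action} requires a name or server parameter")
    if "logon_mode" in params and params["logon_mode"] not in LOGON_MODES:
        raise ValueError("logon_mode must be native or web")
    # quote with safe="" also encodes ':' '/' '?' '=' '&', which yields the
    # jump%3A%2F%2F%3Fhost%3D... form shown on the page.
    return f"{SCHEME}://{action}?{urlencode(params, quote_via=quote, safe='')}"


def parse_url(url):
    """Split an f5access:// URL into (action, params) and apply the same
    checks as build_url; parameter values are percent-decoded once."""
    parts = urlsplit(url)
    if parts.scheme != SCHEME:
        raise ValueError(f"not an {SCHEME} URL")
    action = parts.netloc
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    raw = parse_qs(parts.query, keep_blank_values=True)
    dupes = [k for k, v in raw.items() if len(v) > 1]
    if dupes:
        raise ValueError(f"repeated parameters: {dupes}")
    params = {k: v[0] for k, v in raw.items()}
    if action == "stop" and params:
        raise ValueError("stop takes no parameters")
    if action != "stop" and not (params.get("name") or params.get("server")):
        raise ValueError(f"{action} requires a name or server parameter")
    if params.get("logon_mode", "native") not in LOGON_MODES:
        raise ValueError("logon_mode must be native or web")
    return action, params


def carries_password(url):
    """True if the URL embeds a password parameter. The page says such a
    value is used once and not saved, but the URL itself can still sit in
    link history or logs, so links handed to users are worth checking."""
    _, params = parse_url(url)
    return "password" in params


# Constructed sample matching the post-launch URL example on the page.
SAMPLE_START = build_url("start", name="MYVPN",
                         postlaunch_url="jump://?host=10.10.1.10&username=smith")

if __name__ == "__main__":
    print(SAMPLE_START)
    print(parse_url(SAMPLE_START))
```

Round-tripping a URL through parse_url(build_url(...)) is a quick way to confirm that a link you intend to distribute decodes to the configuration you meant, in particular that the post-launch URL arrives as a single parameter rather than being split at its own ampersand.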