Manual Chapter : Managing Devices for F5 Access

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 15.0.1, 15.0.0, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0, 12.1.5, 12.1.3, 11.6.4, 11.6.3, 11.5.7
Manual Chapter

Managing Devices for F5 Access

About managing devices

With an MDM, you manage devices by enrolling them. Refer to your MDM documentation to enroll devices. With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations.

Important: A user must enroll the device with the MDM in order for you to manage the device. However, you can deploy VPN configurations to the devices that aren't under management. F5 Access must be installed on the device to deploy configurations. F5 Access can be installed either by the user, or deployed with the MDM solution.

Creating a custom device-wide VPN MDM profile

Your MDM may not currently support F5 Access for iOS 3.x. The VPN MDM profile for previous versions of F5 Access is not compatibile with F5 Access for iOS 3.x. If your MDM allows you to create custom configuration profiles, use these generic settings to configure the profile.
Important: Consult with your MDM vendor to determine support. Refer to your MDM documentation before making changes.
  1. Add a VPN profile.
  2. For the Connection Type, specify Custom.
  3. For the Identifier, specify com.f5.access.ios.
  4. Complete the rest of the configuration as required.

Creating a custom Per-App VPN MDM profile

Your MDM may not currently support F5 Access for iOS 3.x. The VPN MDM profile for previous versions of F5 Access is not compatibile with F5 Access for iOS 3.x. If your MDM allows you to create custom configuration profiles, use these generic settings to configure the profile.
Important: Consult with your MDM vendor to determine support. Refer to your MDM documentation before making changes.
  1. Add a VPN profile.
  2. For the Connection Type, specify Custom.
  3. For the Identifier, specify com.f5.access.ios.
  4. For the Provider Type, specify Packet Tunnel.
  5. Complete the rest of the configuration as required.

Creating a configuration profile for the managed device

Before you assign a configuration profile to a device, that device must be enrolled with your MDM. Additionally, F5 Access must be installed on the device.
A configuration profile enables the per-app VPN feature on a managed device, and specifies which apps use the VPN.
Create a configuration profile for the device.
Configuration profiles are described at the Apple Configuration Profile Reference.
Configure Access Policy Manager® to provide the necessary support for per-app VPN features.

Device identification configuration profile settings

These are settings for identifying devices in an MDM profile.

Device identification settings

Hardware manufacturers have phased out support for many methods of device identification, including UDID, wireless MAC, and others. To identify devices, you can use the device IDs assigned by the MDM.

Table 1. Device identification commands
Key Type Description
MdmAssignedId String The internal device ID assigned to the device by the MDM.
MdmInstanceId String An arbitrary string that identifies particular MDM instance.
MdmDeviceUniqueId String An assigned ID for the device.
MdmDeviceWifiMacAddress String The wireless MAC address of the device.
MdmDeviceSerialNumber String An assigned serial number for the device.
Device ID example for iOS macOS

In this example, the commands are deployed in the VendorConfig document.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
...
    <key>VendorConfig</key>
    <dict>
     
       <key>MdmAssignedId</key>
       <string>MDM assigned ID here</string>
       <key>MdmInstanceId</key>
       <string>some MDM instance ID here</string>
       <key>MdmDeviceUniqueId</key>
       <string>device iOS UDID here</string>
       <key>MdmDeviceWifiMacAddress</key>
       <string>device wifi mac address here</string>
       <key>MdmDeviceSerialNumber</key>
       <string>device serial number here</string>
    </dict>
...
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
...
    <key>VendorConfig</key>
    <dict>
     
       <key>MdmAssignedId</key>
       <string>MDM assigned ID here</string>
       <key>MdmInstanceId</key>
       <string>some MDM instance ID here</string>
       <key>MdmDeviceUniqueId</key>
       <string>device macOS UDID here</string>
       <key>MdmDeviceWifiMacAddress</key>
       <string>device wifi mac address here</string>
       <key>MdmDeviceSerialNumber</key>
       <string>device serial number here</string>
    </dict>
...

Web Logon setting

This setting configures Web Logon mode in an MDM profile.

Web Logon configuration

In the MDM configuration profile, you can use the command WebLogon to specify whether Web Logon is enabled. Use the syntax <key>WebLogon</key><string>true|false</string>.

If you configure Enforce Logon Mode in the Connectivity Profile on Access Policy Manager, that setting overrides the Web Logon setting configured in the MDM profile, or in a manual configuration. This setting is available on BIG-IP 12.1.3, 13.1.0, and 14.0.0. This setting is note available on 11.5.1, 11.5.7, or 11.6.3.

Note: Web Logon is not supported with Per-App VPN.

Device-wide VPN configuration profile settings

Settings for the device-wide VPN profiles in an MDM configuration.

Device-wide VPN settings

Configure a device-wide VPN by specifyng the VPN payload. For the PayloadType value, specify com.apple.vpn.managed. For the PayloadType value, specify com.apple.vpn.managed. F5 Access 3.0 2.0 VPN configurations must define the following keys:

Table 2. System-Wide VPN specific keys
Key Type Description
PayloadType String com.apple.vpn.managed
PayloadType String com.apple.vpn.managed
VPNType String VPN
VPNSubType String com.f5.access.ios
VPNSubType String com.f5.access.macos
ProviderBundleIdentifier String Optional key: com.f5.access.macos.PacketTunnel
OnDemandEnabled Int Optional key: 1 if the VPN connection should be brought up on demand, or else 0.
OnDemandRules Array of Dictionaries Optional key. Determines when and how an on-demand VPN should be used. See On Demand Rules Dictionary Keys for details.
Example device-wide VPN configuration profile

Includes a sample configuration profile for the device-wide VPN configuration profile.

Device-wide VPN configuration example profile

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>PayloadContent</key>
   <array>
      <dict>
         <key>IPv4</key>
         <dict>
            <key>OverridePrimary</key>
            <integer>0</integer>
         </dict>
         <key>PayloadDescription</key>
         <string>Configures VPN settings</string>
         <key>PayloadDisplayName</key>
         <string>VPN</string>
         <key>PayloadIdentifier</key>
         <string>com.apple.vpn.managed.E3C31113-0AC1-4085-BD77-6315F2ADA1EE</string>
         <!-- F5 COMMENT: PayloadType key: for System-Wide VPN 
         the value is "com.apple.vpn.managed" -->
         <key>PayloadType</key>
         <string>com.apple.vpn.managed</string>
         <key>PayloadUUID</key>
         <string>E3C31113-0AC1-4085-BD77-6315F2ADA1EE</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
         <key>Proxies</key>
         <dict>
            <key>HTTPEnable</key>
            <integer>0</integer>
            <key>HTTPSEnable</key>
            <integer>0</integer>
         </dict>
         <key>UserDefinedName</key>
         <string>VPN Config</string>
         <key>VPN</key>
         <dict>
            <key>AuthName</key>
            <string>username</string>
            <key>AuthPassword</key>
            <string>password</string>
            <key>AuthenticationMethod</key>
            <string>Password</string>
            <key>RemoteAddress</key>
            <string>https://demo-na-bigip.com</string>
         </dict>
         <!-- F5 COMMENT: VPNSubType key: For F5 Access the value 
         should be "com.f5.access.ios" -->
         <key>VPNSubType</key>
         <string>com.f5.access.ios</string>
         <!-- F5 COMMENT: VPNType key: Specifies VPN type, 
         for F5 Access VPN should be "VPN" -->
         <key>VPNType</key>
         <string>VPN</string>
         <key>VendorConfig</key>
         <dict/>
      </dict>
   </array>
   <key>PayloadDisplayName</key>
   <string>SystemwideVPNDemo</string>
   <key>PayloadIdentifier</key>
   <string>XYZ-ML-00003638.DBCD844F-1B48-55AF-A262-82B10131000D</string>
   <key>PayloadRemovalDisallowed</key>
   <false/>
   <key>PayloadType</key>
   <string>Configuration</string>
   <key>PayloadUUID</key>
   <string>842BF859-9305-4E86-A73F-8C44E1E36D72</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
</dict>
</plist>

Per-App VPN configuration profile settings

Settings for the per-app VPN profile in an MDM.

Per-App VPN settings

The per-app VPN payload supports all of the keys described in the Apple Configuration Profile Reference. These keys, specific to the per-app VPN payload, are described in that reference as well.

Table 3. Per-App VPN keys
Key Type Description
PayloadType String com.apple.vpn.managed.applayer
VPNType String VPN
ProviderType String packet-tunnel
VPNSubType String com.f5.access.ios
VPNSubType String com.f5.access.macos
ProviderBundleIdentifier String Optional key: com.f5.access.macos.PacketTunnel
VPNUUID String A globally-unique identifier for this VPN configuration. This identifier is used to configure apps so that they use the per-app VPN service for all of their network communication.
OnDemandMatchAppEnabled (optional) Boolean

If true, the per-app VPN connection starts automatically when apps linked to this per-app VPN service initiate network communication.

If false, the per-app VPN connection will not start.

If this key is not present, the value of the OnDemandEnabled key is used to determine the status of per-app VPN On Demand.

SafariDomains (optional) Array

This key is a special case of App-to-Per App VPN Mapping. It sets up the app mapping for Safari with a specific identifier and a designated requirement.

The array contains strings, each of which is a domain that triggers a VPN connection in Safari. Do not specify a full URI; rule matching works only with the domain name. The rule matching behavior is as follows:

  • Before being matched against a host, all leading and trailing dots are stripped from the domain string. For example, if the domain string is .com the domain string used to match is com.
  • Each label in the domain string must match an entire label in the host string. For example, a domain of example.com matches "www.example.com", but not old.badexample.com.
  • Domain strings with only one label must match the entire host string. For example, a domain of com matches com, not www.example.com.
Example per-app VPN configuration profile

Includes a sample configuration profile for the per-app VPN configuration profile.

Per-App VPN configuration example profile

The following example uses sample data only. For your own configuration, items like the PayloadDisplayName, PayloadUUID, UserDefinedName, and the user name, password and certificate information must be customized to your network and installation.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
   <key>PayloadContent</key>
   <array>
      <dict>
         <key>IPv4</key>
         <dict>
            <key>OverridePrimary</key>
            <integer>0</integer>
         </dict>
         <key>PayloadDescription</key>
         <string>Configures VPN settings</string>
         <key>PayloadDisplayName</key>
         <string>VPN</string>
         <key>PayloadIdentifier</key>
         <string>com.apple.vpn.managed.CF2C73E8-B7AD-442F-BF91-2682777023CC</string>
         <!-- F5 COMMENT: PayloadType key: for Per-App VPN the value 
         is "com.apple.vpn.managed.applayer" -->
         <key>PayloadType</key>
         <string>com.apple.vpn.managed.applayer</string>
         <key>PayloadUUID</key>
         <string>CF2C73E8-B7AD-442F-BF91-2682777023CC</string>
         <key>PayloadVersion</key>
         <integer>1</integer>
         <key>Proxies</key>
         <dict>
            <key>HTTPEnable</key>
            <integer>0</integer>
            <key>HTTPSEnable</key>
            <integer>0</integer>
         </dict>
         <key>UserDefinedName</key>
         <string>Per-App VPN Demo</string>
         <key>VPN</key>
         <dict>
            <key>AuthName</key>
            <string>username</string>
            <key>AuthPassword</key>
            <string>password</string>
            <key>AuthenticationMethod</key>
            <string>Password</string>
            <!-- F5 COMMENT: ProviderType key: F5 Access 3.x supports 
            only "packet-tunnel" value for this key -->
            <key>ProviderType</key>
            <string>packet-tunnel</string>
            <key>OnDemandMatchAppEnabled</key>
            <true/>
            <key>RemoteAddress</key>
            <string>https://demo.siterequest.com</string>
         </dict>
          <!-- F5 COMMENT: VPNUUID key: A globally-unique identitifer 
          for the VPN configuration. This identifier is used to configure 
          apps so that they use the Per-App VPN service for 
          all of their network communication -->
         <key>VPNUUID</key>
         <string>17027186-61c3-470d-afaa-5a9e4d519da1</string>
         <!-- F5 COMMENT: VPNSubType key: For F5 Access the value 
         is "com.f5.access.ios" -->
         <key>VPNSubType</key>
         <string>com.f5.access.ios</string>
         <!-- F5 COMMENT: VPNType key: Specifies VPN type, 
         for F5 Access VPN is "VPN" -->
         <key>VPNType</key>
         <string>VPN</string>
         <key>VendorConfig</key>
         <dict/>
         <key>SafariDomains</key>
         <array>
            <string>test.siterequest.com</string>
         </array>
      </dict>
   </array>
   <key>PayloadDisplayName</key>
   <string>PerAppVPNDemo</string>
   <key>PayloadIdentifier</key>
   <string>XYZ-ML-00003638.C4B7F07B-9C1C-F3F2-BB80-A30390AD085F</string>
   <key>PayloadRemovalDisallowed</key>
   <false/>
   <key>PayloadType</key>
   <string>Configuration</string>
   <key>PayloadUUID</key>
   <string>BD56E80E-BFCE-4FD6-AEDB-543014C6ADE8</string>
   <key>PayloadVersion</key>
   <integer>1</integer>
</dict>
</plist>