Release Notes : F5 Access for macOS 2.0.1

Applies To:

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Release Notes
Original Publication Date: 09/27/2019 Updated Date: 08/30/2023

Summary:

In August 2019, Apple posted the release of F5 Access for macOS version 2.0.1. Users should download this new version from the macOS app store.

Requirements for F5 Access for macOS

F5 Access for macOS 2.0.1 has the following minimum software requirements:

  • Mac OS X 10.3 or later
  • BIG-IP v13.0 or later

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to BIG-IP Access Policy Manager Documentation.

Features and enhancements in 2.0.1

There are no features and enhancements in 2.0.1.

Fixed issues in F5 Access 2.0.1

The following issues have been fixed in this release.

ID number Description
713640 Previously, for BIG-IP configured with a DTLS server, F5 Access for macOS failed to reconnect in some cases after the Mac went to sleep and was then woken up, for example, when the laptop lid was closed and reopened, or the device was put to sleep using the power button or the menu option. Now, this issue is fixed, and F5 Access for macOS reconnects successfully.
720093-1 Previously, F5 Access did not support opening links for the App Store app during authentication with Web Logon. When the user selected the link, an error message "Unsupported URL" was displayed. Now, with this release, the App Store opens without any issues. The Web Logon also stays open, and the user can get back by switching to F5 Access.
725682 Previously, with the Ethernet cable plugged in, when the Wi-Fi connection was lost over a network access tunnel using DTLS or TLS, F5 Access was stuck in a reasserting state. Now, this issue is fixed, and the tunnel reconnects over Ethernet successfully.
738442-1 Previously, under certain circumstances, per-app VPN sessions could intermittently close with APM log Session deleted (network_error; code - 4) or new sessions could be established while current sessions were still active. This issue is fixed.
741849-1 Previously, when an F5 Access connection was redirected from one virtual server to another, the VPN connection would fail to establish. Now, the VPN is established, and this issue is fixed.
742270-1 Previously, F5 Access failed to recognize a SAML HTTP POST request and wrongly treated it as an external redirect before restarting the Web Logon. With this release, the issue is resolved, and the Web Logon does not restart.
742285-1 Previously, F5 Access did not pass the VHOST cookie to the controller, causing a connection failure when accessing a web application that contains a landing URI. Now, the cookie is set, and this issue is resolved.
745614-1 Previously, when the Access Profile was configured with a Domain Cookie on BIG-IP, F5 Access in Web Logon mode failed to connect. Now, this issue is resolved, and the VPN connection is established.
751187-1 Previously, F5 Access displayed DNS error notifications when the device was not able to resolve the FQDN for F5 Access Server, and the on-demand VPN connection attempt failed. These error messages were displayed on the device until the VPN on-demand connection was restored. Now, there are no DNS error notifications for on-demand triggered connections, and this issue has been fixed.
757704-1 Previously, F5 Access failed to resolve the iOS DNS requests for root servers, causing a delay in establishing the VPN tunnel (60+ seconds). This issue has been fixed, and now the F5 Access VPN tunnel establishment process connects and reconnects immediately.

Known issues in F5 Access 2.0.1

The following are known issues that affect the user experience when F5 Access is used on a macOS device. These issues may be addressed in the future by F5 or Apple.

ID number Description
712947 In the Web Logon mode, you are shown a prompt to install the browser plugin when the client-side EPS checks are running, instead of using the fallback branch for client-side checks. In the native mode, the fallback branch is chosen on all client-side checks without any prompt.

As a workaround, in the Web Logon mode, click the Click here link, in the Continue without installing software section of the prompt, to be routed to the fallback branch.

Alternatively, you can configure an access policy that uses the Detect F5 Access macro to detect F5 Access for Mac and the Access Policy macro for logon and authorization.

How it works

In the Detect F5 Access macro:
  • Use the combination of Client OS and Client Type endpoint security (server-side) actions to detect the client. Use the MacOS branch for Client OS and then the F5 Access branch for Client Type check.
  • When the Client Type agent successfully detects F5 Access for Mac, the request is sent directly to the Access Policy macro for logon and authorization, skipping the client-side EPS checks. When the Client Type agent fails to detect F5 Access for Mac, the request is sent to the fallback branch Other which runs an antivirus check on the client-side.
  • When the Antivirus agent successfully validates the antivirus check, the request is sent to the Access Policy macro for logon and authorization.

The Access Policy macro is the actual policy using the combination of Logon Page and any required authentication actions to authenticate users directly against a local user database. It may use either an Advanced Resource Assign action or a Webtop and Links Assign action to add webtop or webtop links.

713854-2 When APM reaches the concurrent session limit, it does not allow newer APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials on the client connects to APM, the VPN fails to establish. The credentials are assumed to be invalid and deleted. As a workaround, use the following iRule:

    #
    # A simple rule to send reset when F5 Access sends a request with an errorcode=14
    #
    # Ref: https://devcentral.f5.com/articles/http-event-order-access-policy-manager
    #
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } {
            log local0. "DEBUG LOG: [HTTP::uri] => rejecting"
            # simply reject
            reject
        }
    }

714132 When a VPN configuration is installed by an MDM or configured from a .mobileconfig file, and authentication fails, the VPN connection switches to Disconnected mode without displaying an "Authentication failed" error message.
714426 In this release, compression for inbound traffic works correctly. However, on the Details statistics screen, the Received Compression percentage is always displayed as 0.0.
714635 When the On-Demand Cert Auth is set to Require in the access policy, and there is no certificate, the wrong certificate, or if Web Logon mode is used to connect, F5 Access switches to Disconnected state with no error message.
715985 If a per-app VPN configuration does not have SafariDomains specified, it is detected as an Enterprise (device-wide) VPN.
715989 The OnDemandRule action EvaluateConnection does not work with per-app VPN connections. It does work for device-wide VPN connections on macOS 10.13.4 with Safari. This is the expected behavior. Only the Disconnect action works with per-app VPN.
716909 When you create a VPN configuration with a certificate with Web Logon enabled, and then connect to the VPN configuration for the first time, several prompts are displayed. For most of the prompts, you can select "Always Allow" and proceed. Some prompts may require you to acknowledge them each time they appear.
717157 Password cannot be entered for a new configuration if the password field has been disabled while editing another configuration that was reverted later. As a workaround, close the F5 Access Configuration window to resolve the issue. When the user goes to Manage VPN Configurations again, the password field can be populated successfully.
718122 On macOS 10.12, the client proxy exclusion list does not work correctly for wildcard IP addresses (for example, 172.29.68.*, 172.*.197). Such traffic still routes through the proxy and does not bypass the proxy. The exclusion list does work correctly for names, names with wildcards, and IP addresses without wildcards.
718843 In Web Logon mode, with the client certificate set to require in the clientssl profile, the session is not deleted from the BIG-IP when the user disconnects. Native logon mode is not affected.
722550 When the Network Access is configured for split tunneling, and the DNS address space is not set to the wildcard *, then the client proxy settings are not used by Chrome or Firefox and the traffic bypasses the proxy. Safari uses client proxy settings correctly in this scenario.

Workaround: Chrome and Firefox successfully use client proxy settings when the Network Access is configured to force all traffic through the tunnel, or it is configured for split tunneling, with the DNS Address Space set to *.

724230 When you enable per-app VPN with Chrome as a managed application and reboot or wake up the Mac, there are multiple log-in prompts. This issue is currently reported to Apple and tracked through 41166852.
725804 On F5 Access for macOS, when a client certificate is requested, Web Logon mode is specified, and the user chooses Always Allow when presented with the prompt "com.apple.Webkit.Networking wants to sign using key...", a network tunnel cannot be established.
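
A pre-deployment check for known issue 715985 above, as an added example that is not F5's or Apple's code: it parses an unsigned .mobileconfig and lists per-app VPN payloads that have no SafariDomains entries, which would be detected as device-wide VPN. The payload type and key names follow Apple's configuration profile format; the function name, the sample profile and its values are constructed, and treating an empty SafariDomains array like a missing key is an assumption.

```python
import plistlib

# Apple's payload type for per-app (app-layer) VPN configurations.
PER_APP_VPN_TYPE = "com.apple.vpn.managed.applayer"


def per_app_payloads_without_safari_domains(profile_bytes):
    """Return display names of per-app VPN payloads lacking SafariDomains.

    Expects an unsigned profile (XML or binary plist). A signed profile is
    CMS-wrapped and must be unwrapped first; plistlib will reject it.
    """
    profile = plistlib.loads(profile_bytes)
    flagged = []
    for payload in profile.get("PayloadContent", []):
        if not isinstance(payload, dict):
            continue
        if payload.get("PayloadType") != PER_APP_VPN_TYPE:
            continue
        domains = payload.get("SafariDomains")
        # Assumption: an empty array is treated the same as a missing key.
        if not isinstance(domains, list) or not domains:
            flagged.append(
                payload.get("UserDefinedName")
                or payload.get("PayloadIdentifier", "<unnamed payload>")
            )
    return flagged


# Constructed sample profile: two per-app VPN payloads and one device-wide one.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.vpn-profile",
    "PayloadContent": [
        {"PayloadType": PER_APP_VPN_TYPE, "UserDefinedName": "Per-app with domains",
         "VPNUUID": "11111111-1111-1111-1111-111111111111",
         "SafariDomains": ["intranet.example.com"]},
        {"PayloadType": PER_APP_VPN_TYPE, "UserDefinedName": "Per-app without domains",
         "VPNUUID": "22222222-2222-2222-2222-222222222222"},
        {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "Device-wide"},
    ],
})

if __name__ == "__main__":
    for name in per_app_payloads_without_safari_domains(SAMPLE_PROFILE):
        print("per-app VPN payload will be detected as device-wide:", name)
```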

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5 Knowledge Base

https://support.f5.com/csp/home

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://devcentral.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.