Applies To:
Show Versions
BIG-IP APM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Updated Date: 06/25/2024
Summary:
F5 Access version 2.1.0 for macOS devices is now available. Users should install this new version from the macOS App Store. This release note contains information about the changes made for the current version only. Refer to the prior release note versions for additional information. The build number for F5 Access version 2.1.0 for macOS is 2024.06100237.372.
Contents:
- Requirements for F5 Access for macOS
- User documentation for this release
- Contacting F5
- Legal notices
Requirements for F5 Access for macOS
F5 Access for macOS 2.1.0 has the following minimum software requirements:
- Mac OS X 12.0 or later
- BIG-IP v15.1 or later
User documentation for this release
For a comprehensive list of documentation that is relevant to this release, refer to the following pages:
Features and enhancements
Fixed issues
The following issues have been fixed in this release.
| ID number | Description |
|---|---|
| 1352429-4 | Fixed the issue where APM clients did not follow best practices when establishing a VPN connection. For more details, refer to the BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125 (f5.com) article. |
| 1493793 | Previously, the F5 Access application required the sudo command to launch and failed to start from the Applications folder on the macOS 14.2.1 Sonoma. This issue has been fixed, and now the F5 Access application is launched from the Applications folder. |
| 1580981 | F5 Access for macOS Sonoma v14.4 or later version failed to establish the VPN connection when configured BIG-IP APM to authenticate users using the client certificate. This issue is fixed, and now the user can set the Client Certificate Authentication in the affected Client SSL profile to ignore and remove the Client Cert Inspection agent from the access policy. For more details, refer to the K000139715 article. |
Known issues
The following are known issues that affect the user experience when F5 Access is used on a macOS device. These issues may be addressed in the future by F5 or Apple.
| ID number | Description |
|---|---|
| 712947 | In the Web Logon mode, you are shown a prompt to install the browser plugin when the client-side EPS checks are running, instead of using the fallback branch for client-side checks. In the native mode, the fallback branch is chosen on all client-side checks without any prompt. As a workaround, in the Web Logon mode, click the Click here link, in the Continue without installing software section of the prompt, to be routed to the fallback branch. Alternatively, you can configure an access policy configuration that uses Detect F5 Access macro for detecting F5 Access for Mac and the Access Policy macro for logon and authorization. How it works In the Detect F5 Access macro:
The Access Policy macro is the actual policy using the combination of Logon Page and any required authentication actions to authenticate users directly against a local user database. It may use either an Advanced Resource Assign action or a Webtop and Links Assign action to add webtop or webtop links. |
| 713854-2 | When APM reaches the concurrent session limit, it does not allow newer APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials on the client connects to APM, the VPN fails to establish. The credentials are assumed to be invalid and deleted. As a workaround, use the following iRule:# # A simple rule to send reset when F5 Access sends a request with an errorcode=14 # # # Ref: https://devcentral.f5.com/articles/http-event-order-access-policy-manager # when CLIENT_ACCEPTED { ACCESS::restrict_irule_events disable } when HTTP_REQUEST { if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } { log local0. "DEBUG LOG: [HTTP::uri] => rejecting" # simply reject reject } } |
| 714132 | When a VPN configuration is installed by an MDM or configured from a .mobileconfig file, and authentication fails, the VPN connection switches to Disconnected mode without displaying an "Authentication failed" error message. |
| 714426 | In this release, compression for inbound traffic works correctly. However, on the Details statistics screen, the Received Compression percentage is always displayed as 0.0. |
| 714635 | When the On-Demand Cert Auth is set to Require in the access policy, and there is no certificate, the wrong certificate, or if Web Logon mode is used to connect, F5 Access switches to Disconnected state with no error message. |
| 715985 | If a per-app VPN configuration does not have SafariDomains specified, it is detected as an Enterprise (device-wide) VPN. |
| 715989 | The OnDemandRule action EvaluateConnection does not work with per-app VPN connections. It does work for device-wide VPN connections on macOS 10.13.4 with Safari. This is the expected behavior. Only the Disconnect action works with per-app VPN. |
| 716909 | When you create a VPN configuration with a certificate with Web Logon enabled, and then connect to the VPN configuration for the first time, several prompts are displayed. For most of the prompts, you can select "Always Allow" and proceed. Some prompts may require you to acknowledge them each time they appear. |
| 717157 | Password cannot be entered for a new configuration if the password field has been disabled while editing another configuration that was reverted later. As a workaround, close the F5 Access Configuration window to resolve the issue. When the user goes to Manage VPN Configurations again, the password field can be populated successfully. |
| 718122 | On macOS 10.12, the client proxy exclusion list does not work correctly for wildcard IP addresses (for example, 172.29.68.*, 172.*.197). Such traffic still routes through the proxy and does not bypass the proxy. The exclusion list does work correctly for names, names with wildcards, and IP addresses without wildcards. |
| 718843 | In Web Logon mode, with the client certificate set to require in the clientssl profile, the session is not deleted from the BIG-IP when the user disconnects. Native logon mode is not affected. |
| 722550 | When the Network Access is configured for split tunneling, and the DNS address space is not set to the wildcard *, then the client proxy settings are not used by Chrome or Firefox and the traffic bypasses the proxy. Safari uses client proxy settings correctly in this scenario. Workaround: Chrome and Firefox successfully use client proxy settings when the Network Access is configured to force all traffic through the tunnel, or it is configured for split tunneling, with the DNS Address Space set to *. |
| 724230 | When you enable per-app VPN with Chrome as a managed application and reboot or wakeup Mac, there are multiple log-in prompts. This issue is currently reported to Apple and tracked through 41166852. |
| 725804 | On F5 Access for macOS, when a client certificate is requested, Web Logon mode is specified, and the user chooses Always Allow when presented with the prompt com.apple.Webkit.Networking wants to sign using key...", a network tunnel cannot be established. |
| 1352397-5 | F5 Access client may send VPN traffic outside tunnel on vulnerable networks. Please refer to KB Article https://my.f5.com/manage/s/article/K000136907 for more details. |
Contacting F5
| North America | 1-888-882-7535 or (206) 272-6500 |
| Outside North America, Universal Toll-Free | +800 11 ASK 4 F5 or (800 11275 435) |
| Additional phone numbers | Regional Offices |
| Web | http://www.f5.com |
| support@f5.com |
How to Contact F5 Support or the Anti-Fraud SOC
- By phone in the U.S. (accessible 24x7): 888-88askf5 (888-882-7535).
- International contact numbers: http://www.f5.com/training-support/customer-support/contact/.
- The Support Coordinator can contact the SOC as needed.
You can manage service requests and other web-based support online at F5 My Support (registration required). To register email CSP@F5.com with your F5 hardware serial numbers and contact information.
You can contact the Anti-Fraud SOC as follows:
- By phone in the U.S. (accessible 24x7): 866-329-4253 (Option #3 for Anti-Fraud)
- International contact numbers: https://f5.com/products/platforms/silverline/f5-silverline-ddos-protection
Additional resources
You can find additional support resources and technical documentation through a variety of sources.
| F5 Support | Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology. |
| MyF5 Knowledge Base | The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, MyF5 is your source. |
| BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer | BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration. |
| F5 DevCentral | Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more. |
| Communications Preference Center | Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products. |
