Release Notes : F5 Access for macOS 2.1.0

Applies To:


BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
Release Notes
Software Release Date: 06/24/2024
Updated Date: 06/25/2024

Summary:

F5 Access version 2.1.0 for macOS devices is now available. Users should install this new version from the macOS App Store. This release note contains information about the changes made for the current version only. Refer to the prior release note versions for additional information. The build number for F5 Access version 2.1.0 for macOS is 2024.06100237.372.

Requirements for F5 Access for macOS

F5 Access for macOS 2.1.0 has the following minimum software requirements:

  • Mac OS X 12.0 or later
  • BIG-IP v15.1 or later

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to the following pages:

 

Features and enhancements

Apple has developed Apple Silicon processors based on the ARM architecture and is promoting these processors with their new device models. Previously, F5 Access was supported on these devices using Rosetta emulation. With this release, F5 has natively built F5 Access for Apple Silicon processors and F5 Access will run natively on Apple Silicon processors without emulation.

Fixed issues

The following issues have been fixed in this release.

ID number Description
1352429-4 Fixed the issue where APM clients did not follow best practices when establishing a VPN connection. For more details, refer to the BIG-IP APM Clients TunnelCrack vulnerability CVE-2023-43125 (f5.com) article.
1493793 Previously, the F5 Access application required the sudo command to launch and failed to start from the Applications folder on macOS 14.2.1 Sonoma. This issue has been fixed, and the F5 Access application now launches from the Applications folder.
1580981 F5 Access on macOS Sonoma v14.4 or later failed to establish the VPN connection when BIG-IP APM was configured to authenticate users using the client certificate. This issue is fixed, and now the user can set the Client Certificate Authentication in the affected Client SSL profile to ignore and remove the Client Cert Inspection agent from the access policy. For more details, refer to the K000139715 article.

Known issues

The following are known issues that affect the user experience when F5 Access is used on a macOS device. These issues may be addressed in the future by F5 or Apple.

ID number Description
712947 In the Web Logon mode, you are shown a prompt to install the browser plugin when the client-side EPS checks are running, instead of using the fallback branch for client-side checks. In the native mode, the fallback branch is chosen on all client-side checks without any prompt.

As a workaround, in the Web Logon mode, click the Click here link, in the Continue without installing software section of the prompt, to be routed to the fallback branch.

Alternatively, you can configure an access policy that uses the Detect F5 Access macro to detect F5 Access for Mac and the Access Policy macro for logon and authorization.

How it works

In the Detect F5 Access macro:
  • Use the combination of Client OS and Client Type endpoint security (server-side) actions to detect the client. Use the MacOS branch for Client OS and then the F5 Access branch for Client Type check.
  • When the Client Type agent successfully detects F5 Access for Mac, the request is sent directly to the Access Policy macro for logon and authorization, skipping the client-side EPS checks. When the Client Type agent fails to detect F5 Access for Mac, the request is sent to the fallback branch Other which runs an antivirus check on the client-side.
  • When the Antivirus agent successfully validates the antivirus check, the request is sent to the Access Policy macro for logon and authorization.

The Access Policy macro is the actual policy using the combination of Logon Page and any required authentication actions to authenticate users directly against a local user database. It may use either an Advanced Resource Assign action or a Webtop and Links Assign action to add webtop or webtop links.

713854-2 When APM reaches the concurrent session limit, it does not allow newer APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials on the client connects to APM, the VPN fails to establish. The credentials are assumed to be invalid and deleted. As a workaround, use the following iRule:

    #
    # A simple rule to send reset when F5 Access sends a request with an errorcode=14
    #
    #
    # Ref: https://devcentral.f5.com/articles/http-event-order-access-policy-manager
    #
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } {
            log local0. "DEBUG LOG: [HTTP::uri] => rejecting"
            # simply reject
            reject
        }
    }

714132 When a VPN configuration is installed by an MDM or configured from a .mobileconfig file, and authentication fails, the VPN connection switches to Disconnected mode without displaying an "Authentication failed" error message.
714426 In this release, compression for inbound traffic works correctly. However, on the Details statistics screen, the Received Compression percentage is always displayed as 0.0.
714635 When the On-Demand Cert Auth is set to Require in the access policy, and there is no certificate, the wrong certificate, or if Web Logon mode is used to connect, F5 Access switches to Disconnected state with no error message.
715985 If a per-app VPN configuration does not have SafariDomains specified, it is detected as an Enterprise (device-wide) VPN.
715989 The OnDemandRule action EvaluateConnection does not work with per-app VPN connections. It does work for device-wide VPN connections on macOS 10.13.4 with Safari. This is the expected behavior. Only the Disconnect action works with per-app VPN.
716909 When you create a VPN configuration with a certificate with Web Logon enabled, and then connect to the VPN configuration for the first time, several prompts are displayed. For most of the prompts, you can select "Always Allow" and proceed. Some prompts may require you to acknowledge them each time they appear.
717157 Password cannot be entered for a new configuration if the password field has been disabled while editing another configuration that was reverted later. As a workaround, close the F5 Access Configuration window to resolve the issue. When the user goes to Manage VPN Configurations again, the password field can be populated successfully.
718122 On macOS 10.12, the client proxy exclusion list does not work correctly for wildcard IP addresses (for example, 172.29.68.*, 172.*.197). Such traffic still routes through the proxy and does not bypass the proxy. The exclusion list does work correctly for names, names with wildcards, and IP addresses without wildcards.
718843 In Web Logon mode, with the client certificate set to require in the clientssl profile, the session is not deleted from the BIG-IP when the user disconnects. Native logon mode is not affected.
722550 When the Network Access is configured for split tunneling, and the DNS address space is not set to the wildcard *, then the client proxy settings are not used by Chrome or Firefox and the traffic bypasses the proxy. Safari uses client proxy settings correctly in this scenario.

Workaround: Chrome and Firefox successfully use client proxy settings when the Network Access is configured to force all traffic through the tunnel, or it is configured for split tunneling, with the DNS Address Space set to *.

724230 When you enable per-app VPN with Chrome as a managed application and reboot or wake up the Mac, there are multiple login prompts. This issue has been reported to Apple and is tracked through 41166852.
725804 On F5 Access for macOS, when a client certificate is requested, Web Logon mode is specified, and the user chooses Always Allow when presented with the prompt "com.apple.Webkit.Networking wants to sign using key...", a network tunnel cannot be established.
1352397-5 F5 Access client may send VPN traffic outside tunnel on vulnerable networks. Please refer to KB Article https://my.f5.com/manage/s/article/K000136907 for more details.
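
An added example (not part of the F5 release notes): the workaround iRule for 713854-2 logs a line every time it rejects a client, so counting those lines per time window shows when APM is sitting at its concurrent session limit. The /var/log/ltm line layout, the rule name /Common/reject_errorcode14, the sample log lines and the threshold are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed /var/log/ltm layout for output of the iRule's `log local0.` call:
#   <syslog time> <host> <level> tmm[pid]: Rule <name> <EVENT>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+ tmm\d*\[\d+\]: "
    r"Rule (?P<rule>\S+) <HTTP_REQUEST>: "
    r"DEBUG LOG: (?P<uri>\S*my\.logout\.php3\?errorcode=14\S*) => rejecting$"
)

# Constructed sample lines; the rule names and host name are hypothetical.
SAMPLE_LTM_LOG = """\
Jun 24 10:01:12 bigip1 info tmm[11012]: Rule /Common/reject_errorcode14 <HTTP_REQUEST>: DEBUG LOG: /my.logout.php3?errorcode=14 => rejecting
Jun 24 10:02:40 bigip1 info tmm1[11012]: Rule /Common/reject_errorcode14 <HTTP_REQUEST>: DEBUG LOG: /my.logout.php3?errorcode=14 => rejecting
Jun 24 10:03:00 bigip1 info tmm[11012]: Rule /Common/other_rule <HTTP_REQUEST>: DEBUG LOG: /index.html => allowed
Jun 24 10:04:59 bigip1 info tmm[11012]: Rule /Common/reject_errorcode14 <HTTP_REQUEST>: DEBUG LOG: /my.logout.php3?errorcode=14 => rejecting
Jun 24 10:07:03 bigip1 info tmm[11012]: Rule /Common/reject_errorcode14 <HTTP_REQUEST>: DEBUG LOG: /my.logout.php3?errorcode=14 => rejecting
"""


def rejections_per_window(lines, year, window_minutes=5):
    """Count the iRule's rejections per time window.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    buckets = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        start = ts.replace(minute=ts.minute - ts.minute % window_minutes, second=0)
        buckets[start] += 1
    return buckets


def saturated_windows(buckets, threshold):
    """Return window start times with at least `threshold` rejections."""
    return sorted(start for start, count in buckets.items() if count >= threshold)


if __name__ == "__main__":
    counts = rejections_per_window(SAMPLE_LTM_LOG.splitlines(), year=2024)
    for start in saturated_windows(counts, threshold=3):
        print(f"{start:%Y-%m-%d %H:%M} session-limit rejections: {counts[start]}")
```
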

Contacting F5

North America 1-888-882-7535 or (206) 272-6500
Outside North America, Universal Toll-Free +800 11 ASK 4 F5 or (800 11275 435)
Additional phone numbers Regional Offices
Web http://www.f5.com
Email support@f5.com

How to Contact F5 Support or the Anti-Fraud SOC

You can contact a Network Support Center as follows:

You can manage service requests and other web-based support online at F5 My Support (registration required). To register, email CSP@F5.com with your F5 hardware serial numbers and contact information.

You can contact the Anti-Fraud SOC as follows:

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Support

https://f5.com/support :: Self-solve Options

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

MyF5 Knowledge Base

https://my.f5.com/manage/s/

The storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, MyF5 is your source.

BIG-IP iHealth Diagnostics and BIG-IP iHealth Viewer

https://f5.com/support/tools/ihealth

BIG-IP iHealth Diagnostics identifies issues, including common configuration problems and known software issues. It also provides solutions and links to more information. With BIG-IP iHealth Viewer, you can see the status of your system at-a-glance, drill down for details, and view your network configuration.

F5 DevCentral

https://community.f5.com/

Collaborate and share innovations including code samples, new techniques, and other tips, with more than 300,000 F5 users worldwide. DevCentral is the place to ask questions, find solutions, learn to harness the power of F5’s powerful scripting language, iRules, and much more.

Communications Preference Center

https://interact.f5.com/F5-Preference-Center.html

Here, you can subscribe to a number of communications from F5. For information about the types of notifications F5 provides, see K9970: Subscribing to email notifications regarding F5 products.