BIG-IP APM and F5 Access for iOS
2018
Version 3.0.0
Table of Contents

Overview: F5 Access for iOS ........ 5
    Introducing F5 Access 2018 ........ 5
        Differences between F5 Access 2018 and F5 Access 2.1.x ........ 5
    F5 Access and mobile devices ........ 7
        About app notifications ........ 8
        About SAML support ........ 8
        About supported authentication types ........ 8
        About establishing VPN connections ........ 9
        About pre-logon checks supported for iOS devices ........ 9
        About automatically launching applications from mobile devices ........ 10
        About network integration on iOS devices ........ 11
        Setting up network access ........ 11
    Prerequisites for configuring F5 Access ........ 12
    Access Policy Manager configuration for F5 Access for iOS devices ........ 13
    Running the Network Access Setup wizard ........ 13
        Customizing client proxy settings for macOS ........ 13
    Customizing an access policy to support F5 Access on Access Policy Manager ........ 14
Overview: Access Policies for F5 Access ........ 15
    About access policy branches for F5 Access ........ 15
        Example of basic access policy that supports F5 Access ........ 15
Configuring Per-App VPN with APM and F5 Access ........ 17
    What is per-app VPN? ........ 17
    About deploying MDM apps over VPNs ........ 17
        Creating an access profile ........ 18
    About setting up Access Policy Manager for per-app VPN ........ 20
        Configuring a virtual server for per-app VPN ........ 20
Managing Devices for F5 Access ........ 23
    About managing devices ........ 23
        Creating a custom device-wide VPN MDM profile ........ 23
        Creating a custom Per-App VPN MDM profile ........ 23
        Creating a configuration profile for the managed device ........ 24
Additional Access Policy Manager Configuration Information ........ 31
    F5 Access for iOS session variables ........ 31
    Access Policy Manager configuration tips ........ 32
    About starting the client from a URL scheme ........ 33
        Examples of starting a client from a URL ........ 34
    About defining a server from a URL ........ 35
        Examples of defining a server from a URL ........ 35
Overview: F5 Access for iOS
Introducing F5 Access 2018
F5 Access for iOS 2018 is a new client, built on the latest Apple VPN architecture. Apple's new Network Extension architecture allows for some features that were not previously included in our iOS client, including the ability to use UDP apps with Per-App VPN. Apple has deprecated their previous VPN technology, which will not be supported in the future, so our previous clients based on older technology will eventually be deprecated as well.

This is not a one-to-one upgrade from the previous version (F5 Access 2.x). A number of incompatibilities, possible incompatibilities, and configuration changes are outlined in this document that may affect your migration to F5 Access for iOS 2018. MDM support for this new client is still in development. Please check with your MDM vendor for more information.

There are access policy changes required to support this client. If you are planning to migrate users to the new client, please review all of the differences between the clients outlined in this document before you migrate your users. We expect to add features and support to this client in the future, and eventually we expect the same level of support from MDM vendors as with our existing client.

Note: With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations.
Differences between F5 Access 2018 and F5 Access 2.1.x
There are a number of differences between F5 Access 2018 and F5 Access 2.1.x.

Configuration deployment changes

When deploying configurations, there are several differences between F5 Access 2.1.x and F5 Access 2018.

Table 1: Deployment differences

Device-wide VPN
  Manually configured: No user-side Client Certificate import. The user has to accept a permission dialog to add the first VPN configuration.
  MDM configured: The key VPNSubType has changed.
    • In F5 Access 2.1.x: com.f5.F5-Edge-Client.vpnplugin
    • In F5 Access 2018: com.f5.access.ios

Per-App VPN
  Manually configured: No manual configuration.
  MDM configured:
    • The key VPNSubType has changed:
      In F5 Access 2.1.x: com.f5.F5-Edge-Client.vpnplugin
      In F5 Access 2018: com.f5.access.ios
    • The key ProviderType must be set to packet-tunnel in F5 Access 2018.
    • The key PerAppVpn is no longer required in the VendorConfig dictionary in F5 Access 2018.
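As an added example (not F5's tooling and not code from this guide), the following Python script lints the VPN payloads of a .mobileconfig against the Table 1 changes: it flags the F5 Access 2.1.x VPNSubType, a Per-App payload whose ProviderType is not packet-tunnel, and a leftover PerAppVpn key in VendorConfig. The Apple payload type identifiers and the placement of ProviderType inside the nested VPN dictionary are assumptions based on Apple's VPN payload format, and the sample profile is constructed.

```python
import plistlib

# Key values from Table 1 of this guide.
OLD_SUBTYPE = "com.f5.F5-Edge-Client.vpnplugin"  # F5 Access 2.1.x
NEW_SUBTYPE = "com.f5.access.ios"                 # F5 Access 2018
PER_APP_TYPE = "com.apple.vpn.managed.applayer"   # assumption: Apple Per-App VPN payload type
VPN_PAYLOAD_TYPES = {"com.apple.vpn.managed", PER_APP_TYPE}


def lint_vpn_payload(payload):
    """Return migration findings for one VPN payload dictionary (empty list = OK)."""
    findings = []
    subtype = payload.get("VPNSubType")
    if subtype == OLD_SUBTYPE:
        findings.append("VPNSubType is the 2.1.x value; set it to " + NEW_SUBTYPE)
    elif subtype != NEW_SUBTYPE:
        findings.append("VPNSubType missing or unknown: %r" % (subtype,))
    if payload.get("PayloadType") == PER_APP_TYPE:
        # Assumption: ProviderType sits in the nested VPN dictionary of the payload.
        provider = payload.get("VPN", {}).get("ProviderType")
        if provider != "packet-tunnel":
            findings.append("Per-App VPN needs ProviderType packet-tunnel, got %r" % (provider,))
        if "PerAppVpn" in payload.get("VendorConfig", {}):
            findings.append("VendorConfig.PerAppVpn is no longer required; remove it")
    return findings


def lint_mobileconfig(data):
    """Lint every VPN payload in a .mobileconfig (plist bytes); results keyed by PayloadIdentifier."""
    profile = plistlib.loads(data)
    return {
        payload.get("PayloadIdentifier", "?"): lint_vpn_payload(payload)
        for payload in profile.get("PayloadContent", [])
        if payload.get("PayloadType") in VPN_PAYLOAD_TYPES
    }


# Constructed sample: a Per-App VPN payload still written for F5 Access 2.1.x.
LEGACY_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": PER_APP_TYPE,
        "PayloadIdentifier": "example.perapp.legacy",
        "VPNType": "VPN",
        "VPNSubType": OLD_SUBTYPE,
        "VPN": {"RemoteAddress": "vpn.example.com"},
        "VendorConfig": {"PerAppVpn": "true"},
    }],
})

if __name__ == "__main__":
    for ident, findings in lint_mobileconfig(LEGACY_PROFILE).items():
        print(ident, *findings, sep="\n  ")
```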
Device UDID change

Device UDID is no longer provided, due to iOS changes. With an MDM, the device can be assigned an ID. This is assigned with the MdmDeviceUniqueId or UDID attribute. This assigned value populates the session variables session.client.mdm_device_unique_id and session.client.unique_id. If neither is provided, these session variables are not present. If either field is provided by the MDM, both session variables are present. An example value is RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR.
VPN establishment changes

When establishing VPNs, there are several differences between F5 Access 2.1.x and F5 Access 2018.

Table 2: VPN establishment changes

Device-wide VPN
  Manual:
    • In F5 Access 2018, notifications must be enabled for any user prompts or Web Logon interactions.
    • In F5 Access 2018, the user is able to save the password when connecting in native logon mode if the Save Password Method option in the Access Policy Manager Connectivity Profile is set to disk.
  On-demand: In F5 Access 2018, notifications must be enabled for any user prompts or Web Logon interactions. With notifications enabled, these prompts and features are supported:
    • Web Logon mode
    • Authentication prompts in native mode
    • Device authentication

Per-App VPN
  Manual: No manual configuration.
  On-demand: A Per-App VPN connection cannot be established if user interaction is required. For F5 Access 2018, configure the access policy so user interaction is not required to establish the VPN connection.
Access Policy Manager configuration changes

When configuring Access Policy Manager, there are several differences between F5 Access 2.1.x and F5 Access 2018.

Table 3: Enforcing logon mode

Enforce Logon Mode: In the Connectivity Profile, the administrator can now enforce a specific logon mode, using the setting Enforce Logon Mode. The logon mode can be enforced as native or web.

Web Logon mode in the F5 Access for iOS app: If Enforce Logon Mode is enabled in the Connectivity Profile, the user cannot change the Web Logon option.
Table 4: APM Per-App VPN changes

Virtual Server: In the Virtual Server configuration, the option Application Tunnels (Java & Per-App VPN) is no longer required to be enabled.

Access policy: With F5 Access 2018, Per-App VPN now uses an L3 tunnel. As such, the following items must be added to the applicable access policy branch:
  • Network Access resource
  • Webtop

iOS device: The iOS device enforces the applications that are allowed to access the VPN, according to the Per-App VPN configuration.
Apple App Transport Security (ATS) changes

App Transport Security (ATS), implemented in F5 Access 2018, requires the following security changes for communications between F5 Access 2018 and the corresponding BIG-IP.
• Plaintext HTTP connections are no longer allowed.
• HTTPS requires the strongest TLS configuration (TLS 1.2 and PFS cipher suites).
• Self-signed certificates are not supported unless the CA certificate is first trusted on the device.

Client Certificate authentication

Client Certificate Authentication is not supported in Web Logon mode.
F5 Access and mobile devices
F5 Access for mobile devices provides full network access through BIG-IP® Access Policy Manager®. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their mobile devices.

For information about how to use F5 Access on your device, refer to the F5 Access for iOS User Guide.

F5 Access features include:
• N-factor authentication (at least two input fields, password and passcode) support
• Username and password, client certificate, and RSA SecurID support
• Multiple input field support
• Credential caching support
• Support for Touch ID authentication, PIN, or a device password to make a connection, when using cached credentials
• Support for DNS address space for split-tunneling configurations
• Support for checking information from client devices
• Support for automatically launching applications on client devices
• Support for roaming between cellular and WiFi networks
• Landing URI support
• Logging support to report issues
• Support for private-side internal proxy servers. Public-side proxy servers are not currently supported.
• Per-app VPN support for TCP and UDP applications
• Application notifications
• Diagnostics
• Traffic Graphs
• Support for SAML 2.0 features in BIG-IP® Access Policy Manager®
• iOS widget support
About app notifications
F5 Access for iOS 2018 requires that notifications be enabled for most user configurations. This requires that the app be started by the user and that the user accept notifications.

Important: The user is prompted to enable notifications only the first time the app is started. If the user dismisses that dialog, notifications must be enabled manually: in the Settings app, go to F5 Access > Notifications, and enable the Allow Notifications setting.

Note: The only scenario in which notifications are not required to be enabled is a Per-App VPN scenario where no user intervention is required.
About SAML support
F5 Access for iOS devices provides the following SAML support:
• Service provider-initiated access only, for example, APM acting as the service provider (SP)
• Web Logon mode only
• Single Log-Out (SLO): supported only when the logout action is initiated from the client

When you use F5 Access as a client performing SP-initiated access, F5 Access first connects to BIG-IP® Access Policy Manager® (APM®). Because there is no assertion, APM redirects the client to the IdP. The IdP then authenticates the user and redirects F5 Access back to the SP with the assertion. APM then accepts the assertion and establishes a VPN connection. You can then access back-end resources through F5 Access.

You can configure a BIG-IP system by configuring APM as an SP. The access policy that is associated with the configuration assigns a SAML AAA resource followed by a Network Access Resource. For more information about SAML configurations, refer to the BIG-IP® Access Policy Manager®: Authentication and Single Sign-On guide.
About supported authentication types
F5 Access for iOS 2018 supports these authentication and connection type combinations.

Tip: You can create a .mobileconfig file with Apple Configurator 2. Read the Apple Configurator 2 documentation for more information.

Username and password
  Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for:
  • User-initiated connections, in native mode or Web Logon mode
  • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
  For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the device configuration specified by the MDM, or in the .mobileconfig file. Per-App VPN does not support Web Logon mode.

Client certificate
  • User-initiated connections, in native mode only
  • Device-wide VPN On-Demand, in native mode only
  • Per-App VPN connections
  Note: A client certificate can only be installed by an MDM, or with a .mobileconfig file.

Client certificate + username and password
  Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for:
  • User-initiated connections, in native mode only.
  • Device-wide VPN On-Demand connections, in native mode only.
  For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the configuration. Per-App VPN does not support Web Logon mode.
  Note: A client certificate can only be installed by an MDM, or with a .mobileconfig file.
About establishing VPN connections
The F5 Access application (app) for mobile devices provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality.

For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched.

For Per-App VPN, the following On-Demand considerations apply. These do not apply to On-Demand device-wide VPN connections.
• When a Per-App VPN connection is initiated On-Demand, user intervention is not allowed. For example, if a password is needed for authentication, but is not supplied in the configuration, the connection fails. Note that RSA authentication is not supported.
• On-Demand Per-App VPN does not work with Web Logon.
About pre-logon checks supported for iOS devices
Access Policy Manager® can check unique identifying information from an iOS client device. The supported session variables, which become populated with the iOS client device information, are gathered automatically, and can easily be combined with an LDAP or AD query to implement white-listing in a custom action to improve access context. This information allows Access Policy Manager to perform pre-logon sequence checks and actions based on information about the connecting device. Using such information, Access Policy Manager can perform the following tasks:
• Deny access if the iOS version is less than the required level.
• Deny access if the app version is less than required.

This example displays an access policy with a custom action to check the app version.

Figure 1: Example of a custom action for checking the F5 Access app version
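The version checks above, as an added Python example that is not part of this guide and is not APM's own branch-rule syntax (APM evaluates Tcl expressions against session variables; this models the same decision so it can be run and tested offline). The session variable names session.client.platform_version and session.client.app_version, the minimum versions, and the sample sessions are assumptions; the allowed-id set stands in for the LDAP/AD white-list lookup, and the device identifier is the example value quoted in this guide.

```python
# Models the pre-logon device checks as a testable function.
# Assumed session variable names and minimum versions; adjust to your policy.
MIN_IOS_VERSION = (11, 0)
MIN_APP_VERSION = (3, 0, 0)


def parse_version(text):
    """'11.4.1' -> (11, 4, 1); non-numeric fragments count as 0, missing text as (0,)."""
    parts = []
    for piece in str(text or "0").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual, required):
    """Numeric comparison, so '9.3' is correctly below (11, 0); a string compare says otherwise."""
    a, r = parse_version(actual), tuple(required)
    width = max(len(a), len(r))
    return a + (0,) * (width - len(a)) >= r + (0,) * (width - len(r))


def pre_logon_check(session, allowed_device_ids=None):
    """Return ('Allow' | 'Deny', reason) for a dict of APM session variables.

    allowed_device_ids stands in for the LDAP/AD white-list query the guide mentions.
    """
    if session.get("session.client.platform") != "iOS":  # assumed variable and value
        return "Deny", "not an iOS client"
    if not version_at_least(session.get("session.client.platform_version"), MIN_IOS_VERSION):
        return "Deny", "iOS version below the required level"
    if not version_at_least(session.get("session.client.app_version"), MIN_APP_VERSION):
        return "Deny", "F5 Access app version below the required level"
    if allowed_device_ids is not None:
        # Either MDM attribute (MdmDeviceUniqueId or UDID) populates both session
        # variables, so checking mdm_device_unique_id alone is sufficient.
        device_id = session.get("session.client.mdm_device_unique_id")
        if device_id not in allowed_device_ids:
            return "Deny", "device identifier not on the white-list"
    return "Allow", "device meets pre-logon requirements"


# Constructed sample sessions; the device id is the example value quoted in this guide.
OK_SESSION = {
    "session.client.platform": "iOS",
    "session.client.platform_version": "11.4.1",
    "session.client.app_version": "3.0.0",
    "session.client.mdm_device_unique_id": "RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR",
}
OLD_IOS_SESSION = dict(OK_SESSION, **{"session.client.platform_version": "9.3"})
```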
About automatically launching applications from mobile devices
You can configure F5 Access to launch an app with a registered URL scheme after a VPN connection is established.

Auto-launching applications from F5 Access

You can configure applications to automatically start on F5 Access once a connection is initiated.

1. On the Main tab, click Access > Connectivity/VPN > Network Access (VPN) > Network Access Lists.
2. Click the name of your network access resource on the list.
3. Click the Launch Applications tab.
4. Click Add.
5. In the Application Path field, type in your application path in the form of a URL scheme, for example, skype://14082734800?call.
6. Type any required parameters in the Parameters field.
7. From the Operating System list, select iOS.
8. Click Finished.

On the device, a warning is issued before the local application executes.