BIG-IP® APM and F5 Access for iOS 2018
Version 3.0.0

Table of Contents

Overview: F5 Access for iOS ... 5
    Introducing F5 Access 2018 ... 5
        Differences between F5 Access 2018 and F5 Access 2.1.x ... 5
    F5 Access and mobile devices ... 7
        About app notifications ... 8
        About SAML support ... 8
        About supported authentication types ... 8
        About establishing VPN connections ... 9
        About pre-logon checks supported for iOS devices ... 9
        About automatically launching applications from mobile devices ... 10
        About network integration on iOS devices ... 11
        Setting up network access ... 11
    Prerequisites for configuring F5 Access ... 12
Access Policy Manager configuration for F5 Access for iOS devices ... 13
    Running the Network Access Setup wizard ... 13
        Customizing client proxy settings for macOS ... 13
    Customizing an access policy to support F5 Access on Access Policy Manager ... 14
Overview: Access Policies for F5 Access ... 15
    About access policy branches for F5 Access ... 15
        Example of basic access policy that supports F5 Access ... 15
Configuring Per-App VPN with APM and F5 Access ... 17
    What is per-app VPN? ... 17
    About deploying MDM apps over VPNs ... 17
        Creating an access profile ... 18
    About setting up Access Policy Manager for per-app VPN ... 20
        Configuring a virtual server for per-app VPN ... 20
Managing Devices for F5 Access ... 23
    About managing devices ... 23
        Creating a custom device-wide VPN MDM profile ... 23
        Creating a custom Per-App VPN MDM profile ... 23
        Creating a configuration profile for the managed device ... 24
Additional Access Policy Manager Configuration Information ... 31
    F5 Access for iOS session variables ... 31
    Access Policy Manager configuration tips ... 32
    About starting the client from a URL scheme ... 33
        Examples of starting a client from a URL ... 34
    About defining a server from a URL ... 35
        Examples of defining a server from a URL ... 35

Overview: F5 Access for iOS

Introducing F5 Access 2018

F5 Access for iOS 2018 is a new client, built on the latest Apple VPN architecture. Apple's new Network Extension architecture allows for some features that were not previously included in our iOS client, including the ability to use UDP apps with Per-App VPN. Apple has deprecated their previous VPN technology, which will not be supported in the future, so our previous clients based on older technology will eventually be deprecated as well.

This is not a one-to-one upgrade from the previous version (F5 Access 2.x). A number of incompatibilities, possible incompatibilities, and configuration changes that may affect your migration to F5 Access for iOS 2018 are outlined in this document. MDM support for this new client is still in development. Please check with your MDM vendor for more information.

There are access policy changes required to support this client. If you are planning to migrate users to the new client, please review all of the differences between the clients outlined in this document before you migrate your users. We expect to add features and support to this client in the future, and eventually we expect the same level of support from MDM vendors as with our existing client.

Note: With this release, your MDM vendor may not include built-in support. We provide general guidance for your MDM configuration, if it supports custom configurations.

Differences between F5 Access 2018 and F5 Access 2.1.x

There are a number of differences between F5 Access 2018 and F5 Access 2.1.x.

Configuration deployment changes

When deploying configurations, there are several differences between F5 Access 2.1.x and F5 Access 2018.

Table 1: Deployment differences

Device-wide VPN
    Manually configured: No user-side Client Certificate import. The user has to accept a permission dialog to add the first VPN configuration.
    MDM configured: The key VPNSubType has changed.
        • In F5 Access 2.1.x: com.f5.F5-Edge-Client.vpnplugin
        • In F5 Access 2018: com.f5.access.ios

Per-App VPN
    Manually configured: No manual configuration.
    MDM configured:
        • The key VPNSubType has changed:
            • In F5 Access 2.1.x: com.f5.F5-Edge-Client.vpnplugin
            • In F5 Access 2018: com.f5.access.ios
        • The key ProviderType must be set to packet-tunnel in F5 Access 2018.
        • The key PerAppVpn is no longer required in the VendorConfig dictionary in F5 Access 2018.

Device UDID change

Device UDID is no longer provided, due to iOS changes. With an MDM, the device can be assigned an ID. This is assigned with the MdmDeviceUniqueId or UDID attribute. This assigned value populates the session variables session.client.mdm_device_unique_id and session.client.unique_id. If neither is provided, these session variables are not present. If either field is provided by the MDM, both session variables are present. An example value is RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR.

VPN establishment changes

When establishing VPNs, there are several differences between F5 Access 2.1.x and F5 Access 2018.

Table 2: VPN establishment changes

Device-wide VPN
    Manual:
        • In F5 Access 2018, notifications must be enabled for any user prompts or Web Logon interactions.
        • In F5 Access 2018, the user is able to save the password when connecting in native logon mode if the Save Password Method option in the Access Policy Manager Connectivity Profile is set to disk.
    On-demand: In F5 Access 2018, notifications must be enabled for any user prompts or Web Logon interactions. With notifications enabled, these prompts and features are supported:
        • Web Logon mode
        • Authentication prompts in native mode
        • Device authentication

Per-App VPN
    Manual: No manual configuration.
    On-demand: A Per-App VPN connection cannot be established if user interaction is required. For F5 Access 2018, configure the access policy so user interaction is not required to establish the VPN connection.

Access Policy Manager configuration changes

When configuring Access Policy Manager, there are several differences between F5 Access 2.1.x and F5 Access 2018.
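Before the APM-side tables, the MDM-side differences in Table 1 and the device-ID rule can be checked mechanically. The following Python script is an added example and is not code from F5 or Apple: it builds a Per-App VPN payload with the F5 Access 2018 keys named on this page (VPNSubType, ProviderType, PerAppVpn, VendorConfig, MdmDeviceUniqueId, UDID), flags a payload that still carries the 2.1.x values, and models which session variables the BIG-IP will see. The surrounding plist layout (PayloadType, the nested VPN dictionary, the placeholder identifiers) and the placement of MdmDeviceUniqueId inside VendorConfig are assumptions of the example, not statements from this guide.

```python
"""Added example (not F5 or Apple code): build and sanity-check the VPN
payload an MDM or .mobileconfig file carries for F5 Access for iOS 2018.

Certain from the page: VPNSubType, ProviderType, PerAppVpn, VendorConfig,
MdmDeviceUniqueId, UDID and the two session variable names.  The plist
layout around them follows Apple's VPN payload format as I understand it
and is an assumption, as is placing MdmDeviceUniqueId in VendorConfig.
"""
import plistlib
from typing import Dict, List, Optional

LEGACY_SUBTYPE = "com.f5.F5-Edge-Client.vpnplugin"   # F5 Access 2.1.x
NEW_SUBTYPE = "com.f5.access.ios"                    # F5 Access 2018


def per_app_vpn_payload(remote_address: str, mdm_device_id: Optional[str] = None) -> Dict:
    """Return a Per-App VPN payload dictionary using the F5 Access 2018 keys."""
    payload = {
        "PayloadType": "com.apple.vpn.managed",                  # assumed Apple layout
        "PayloadIdentifier": "example.f5access.perapp",          # constructed placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",   # constructed placeholder
        "PayloadVersion": 1,
        "UserDefinedName": "Example Per-App VPN",
        "VPNType": "VPN",
        "VPNSubType": NEW_SUBTYPE,
        "VPN": {
            "RemoteAddress": remote_address,
            "ProviderType": "packet-tunnel",        # required for F5 Access 2018
            "AuthenticationMethod": "Certificate",  # Per-App VPN allows no runtime prompts
        },
        "VendorConfig": {},
    }
    if mdm_device_id is not None:
        # Where the MDM places this attribute is an assumption of this example.
        payload["VendorConfig"]["MdmDeviceUniqueId"] = mdm_device_id
    return payload


def check_payload(payload: Dict) -> List[str]:
    """Return the problems that would stop an F5 Access 2018 profile from working."""
    problems = []
    subtype = payload.get("VPNSubType")
    if subtype == LEGACY_SUBTYPE:
        problems.append("VPNSubType still names the 2.1.x plugin; use " + NEW_SUBTYPE)
    elif subtype != NEW_SUBTYPE:
        problems.append("VPNSubType is not " + NEW_SUBTYPE)
    if payload.get("VPN", {}).get("ProviderType") != "packet-tunnel":
        problems.append("VPN.ProviderType must be packet-tunnel")
    if "PerAppVpn" in payload.get("VendorConfig", {}):
        problems.append("VendorConfig.PerAppVpn is no longer required; remove it")
    return problems


def session_vars_from_vendor_config(vendor_config: Dict) -> Dict[str, str]:
    """Model the page's device-ID rule: if the MDM supplies either
    MdmDeviceUniqueId or UDID, both session variables carry that value;
    if it supplies neither, neither variable exists in the session."""
    value = vendor_config.get("MdmDeviceUniqueId") or vendor_config.get("UDID")
    if value is None:
        return {}
    return {
        "session.client.mdm_device_unique_id": value,
        "session.client.unique_id": value,
    }


def to_mobileconfig_bytes(payload: Dict) -> bytes:
    """Serialise the payload as an XML plist, as a .mobileconfig file carries it."""
    return plistlib.dumps(payload)


if __name__ == "__main__":
    # The example ID below is the one quoted on the page; the host is a placeholder.
    good = per_app_vpn_payload("vpn.example.com", "RC1KQLCJFOJEEM0XIOB3P52OMUQ3UN9Y3SDA5RWR")
    print("problems in 2018-style payload:", check_payload(good))
    print("session variables:", session_vars_from_vendor_config(good["VendorConfig"]))
    legacy = per_app_vpn_payload("vpn.example.com")
    legacy["VPNSubType"] = LEGACY_SUBTYPE
    legacy["VendorConfig"]["PerAppVpn"] = True
    del legacy["VPN"]["ProviderType"]
    print("problems in 2.1.x-style payload:", check_payload(legacy))
    print(to_mobileconfig_bytes(good).decode()[:160], "...")
```

Run the script to see a clean 2018-style payload pass and a 2.1.x-style payload produce three findings; the same `check_payload` can be pointed at a payload dictionary loaded with `plistlib.load` from an existing .mobileconfig file.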
Table 3: Enforcing logon mode

Enforce Logon Mode
    In the Connectivity Profile, the administrator can now enforce a specific logon mode, using the setting Enforce Logon Mode. The logon mode can be enforced as native or web.

Web Logon mode in the F5 Access for iOS app
    If Enforce Logon Mode is enabled in the Connectivity Profile, the user cannot change the Web Logon option.

Table 4: APM Per-App VPN changes

Virtual Server
    In the Virtual Server configuration, the option Application Tunnels (Java & Per-App VPN) is no longer required to be enabled.

Access policy
    With F5 Access 2018, Per-App VPN now uses an L3 tunnel. As such, the following items must be added to the applicable access policy branch:
        • Network Access resource
        • Webtop

iOS device
    The iOS device enforces the applications that are allowed to access the VPN, according to the Per-App VPN configuration.

Apple App Transport Security (ATS) changes

App Transport Security (ATS), implemented in F5 Access 2018, requires the following security changes for communications between F5 Access 2018 and the corresponding BIG-IP.

• Plaintext HTTP connections are no longer allowed.
• HTTPS requires the strongest TLS configuration (TLS 1.2 and PFS cipher suites).
• Self-signed certificates are not supported unless the CA certificate is first trusted on the device.

Client Certificate authentication

Client Certificate Authentication is not supported in Web Logon mode.

F5 Access and mobile devices

F5 Access for mobile devices provides full network access through BIG-IP® Access Policy Manager®. With network access, users can run applications such as RDP, SSH, Citrix, VMware View, and other enterprise applications on their mobile devices.

For information about how to use F5 Access on your device, refer to the F5 Access for iOS User Guide.
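Returning to the ATS changes listed above: an administrator will usually want to confirm that a BIG-IP virtual server meets that floor before migrating users. The following Python probe is an added example, not F5's or Apple's code. It applies the three constraints the page names (no plaintext HTTP, TLS 1.2 as the minimum, forward-secret ECDHE cipher suites only, and a private CA trusted only when its certificate is supplied explicitly) from a client's point of view. The host names are placeholders.

```python
"""Added example (not F5's code): a client-side probe that applies the same
constraints this page lists for App Transport Security, so a BIG-IP virtual
server can be checked before F5 Access 2018 is pointed at it.
"""
import socket
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse


def ats_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Build an SSL context with the ATS-style floor described on the page.

    ca_file is the CA certificate that signed a private (otherwise self-signed)
    server certificate; without it, only system-trusted CAs are accepted.
    """
    ctx = ssl.create_default_context(cafile=ca_file)  # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Offer only ECDHE suites for TLS 1.2 so a server without PFS suites cannot
    # negotiate; TLS 1.3 suites are always forward secret and stay enabled.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def offers_pfs_only(ctx: ssl.SSLContext) -> bool:
    """True when every TLS 1.2 suite the context would offer uses ECDHE."""
    return all("ECDHE" in c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def url_allowed(url: str) -> Tuple[bool, str]:
    """ATS rejects plaintext HTTP; only https URLs may be used for the BIG-IP."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "https":
        return True, ""
    return False, "scheme %r is not allowed under ATS; use https" % scheme


def probe(host: str, port: int = 443, ca_file: Optional[str] = None,
          timeout: float = 5.0) -> Tuple[str, str]:
    """Connect with the ATS-style context and report (protocol, cipher name).

    ssl.SSLError is raised when the server cannot meet the floor (too-old TLS,
    no PFS suite in common, or an untrusted certificate); that failure is the
    finding the administrator is looking for.
    """
    ctx = ats_client_context(ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(url_allowed("http://bigip.example.com/"))      # placeholder host, rejected
    print(url_allowed("https://bigip.example.com/"))     # placeholder host, allowed
    print("TLS 1.2 offer is PFS-only:", offers_pfs_only(ats_client_context()))
    # probe("bigip.example.com") runs the live check against a real host.
```

`probe` is deliberately strict on the client side rather than lenient: if it raises, the same server will also fail for F5 Access 2018 users, which is the condition the migration needs to find ahead of time.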
F5 Access features include:

• N-factor authentication (at least two input fields, password and passcode) support
• Username and password, client certificate, and RSA SecurID support
• Multiple input field support
• Credential caching support
• Support for Touch ID authentication, PIN, or a device password to make a connection, when using cached credentials
• Support for DNS address space for split-tunneling configurations
• Support for checking information from client devices
• Support for automatically launching applications on client devices
• Support for roaming between cellular and WiFi networks
• Landing URI support
• Logging support to report issues
• Support for private-side internal proxy servers. Public-side proxy servers are not currently supported.
• Per-app VPN support for TCP and UDP applications
• Application notifications
• Diagnostics
• Traffic Graphs
• Support for SAML 2.0 features in BIG-IP® Access Policy Manager®
• iOS widget support

About app notifications

F5 Access for iOS 2018 requires that notifications be enabled for most user configurations. This requires that the app be started by the user and that the user accept notifications.

Important: The user is prompted to enable notifications only the first time the app is started. If the user dismisses that notifications dialog, notifications must be enabled manually afterwards. To enable notifications, in the Settings app, go to F5 Access > Notifications, and enable the Allow Notifications setting.

Note: The only scenario in which notifications are not required is a Per-App VPN scenario where no user intervention is required.
About SAML support

F5 Access for iOS devices provides the following SAML support:

• Service provider-initiated access only, for example, APM acting as the service provider (SP)
• Web Logon mode only
• Single Log-Out (SLO): supported only when the logout action is initiated from the client

When you use F5 Access as a client performing SP-initiated access, F5 Access first connects to BIG-IP® Access Policy Manager® (APM®). Because there is no assertion, APM redirects the client to the IdP. The IdP then authenticates the user and redirects F5 Access back to the SP with an assertion. APM then accepts the assertion and establishes a VPN connection. You can then access back-end resources through F5 Access.

You can configure a BIG-IP system by configuring APM as an SP. The access policy that is associated with the configuration assigns a SAML AAA resource followed by a Network Access Resource. For more information about SAML configurations, refer to the BIG-IP® Access Policy Manager®: Authentication and Single Sign-On guide.

About supported authentication types

F5 Access for iOS 2018 supports these authentication and connection type combinations.

Tip: You can create a .mobileconfig file with Apple Configurator 2. Read the Apple Configurator 2 documentation for more information.

Username and password
    Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for:
        • User-initiated connections, in native mode or Web Logon mode
        • Device-wide VPN On-Demand connections, in native mode or Web Logon mode
    For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the device configuration specified by the MDM, or in the .mobileconfig file. Per-App VPN does not support Web Logon mode.

Client certificate
    • User-initiated connections, in native mode only
    • Device-wide VPN On-Demand, in native mode only
    • Per-App VPN connections
    Note: A client certificate can only be installed by an MDM, or with a .mobileconfig file.

Client certificate + username and password
    Runtime prompts (login dialogs, device authentication, and other user input prompts) are allowed for:
        • User-initiated connections, in native mode only.
        • Device-wide VPN On-Demand connections, in native mode only.
    For a Per-App VPN connection, runtime prompts are not supported, so the username and password must be specified in the configuration. Per-App VPN does not support Web Logon mode.
    Note: A client certificate can only be installed by an MDM, or with a .mobileconfig file.

About establishing VPN connections

The F5 Access application (app) for mobile devices provides users with two options to establish a VPN tunnel connection. A user can start a tunnel connection explicitly with the F5 Access application, or implicitly through the VPN On-Demand functionality. For example, a connection can be configured to automatically trigger whenever a certain domain or host name pattern is matched.

For Per-App VPN, the following on-demand considerations apply. These do not apply to On-Demand device-wide VPN connections.

• When a Per-App VPN connection is initiated On-Demand, user intervention is not allowed. For example, if a password is needed for authentication, but is not supplied in the configuration, the connection fails. Note that RSA authentication is not supported.
• On-Demand Per-App VPN does not work with Web Logon.

About pre-logon checks supported for iOS devices

Access Policy Manager® can check unique identifying information from an iOS client device. The supported session variables, which become populated with the iOS client device information, are gathered automatically, and can easily be combined with an LDAP or AD query to implement white-listing in a custom action to improve access context. This information allows Access Policy Manager to perform pre-logon sequence checks and actions based on information about the connecting device. Using such information, Access Policy Manager can perform the following tasks:

• Deny access if the iOS version is less than the required level.
• Deny access if the app version is less than required.

This example displays an access policy with a custom action to check the app version.

Figure 1: Example of a custom action for checking the F5 Access app version

About automatically launching applications from mobile devices

You can configure F5 Access to launch an app with a registered URL scheme after a VPN connection is established.
Auto-launching applications from F5 Access

You can configure applications to automatically start on F5 Access once a connection is initiated.

1. On the Main tab, click Access > Connectivity/VPN > Network Access (VPN) > Network Access Lists.
2. Click the name of your network access resource on the list.
3. Click the Launch Applications tab.
4. Click Add.
5. In the Application Path field, type in your application path in the form of a URL scheme, for example, skype://14082734800?call.
6. Type any required parameters in the Parameters field.
7. From the Operating System list, select iOS.
8. Click Finished.

On the device, a warning is issued before the local application executes.
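The pre-logon checks described earlier ("deny access if the iOS version is less than the required level" and "deny access if the app version is less than required") hinge on one detail that is easy to get wrong in a custom action: version strings must be compared component by component, not as text, or "11.10" sorts below "11.2". The following Python is an added example, not F5's code and not the custom action shown in Figure 1; it models the same deny/allow decision over a dictionary of session variables. The variable names session.client.platform_version and session.client.app_version are assumptions of this example; take the real names from the F5 Access for iOS session variables section of this guide.

```python
"""Added example (not F5's code): the version comparison behind the two
pre-logon checks listed on this page, modelled in Python over a dictionary
of session variables.  The two version variable names are assumptions.
"""
import re
from typing import Dict, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "11.2.1" (or "iOS 11.2.1") into (11, 2, 1) so components compare
    as integers; comparing the raw strings would rank "11.2" above "11.10"."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no numeric version in %r" % text)
    return tuple(int(p) for p in parts)


def version_at_least(actual: str, required: str) -> bool:
    """True if actual >= required; the shorter tuple is padded with zeros so
    "12" and "12.0.0" compare equal."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))
    a += (0,) * (width - len(a))
    r += (0,) * (width - len(r))
    return a >= r


def pre_logon_decision(session: Dict[str, str], min_ios: str, min_app: str) -> Tuple[str, str]:
    """Return ("allow", "") or ("deny", reason) for one session's variables."""
    ios = session.get("session.client.platform_version")   # assumed variable name
    app = session.get("session.client.app_version")        # assumed variable name
    if ios is None or app is None:
        # A missing value is treated as a failed check: the information the
        # policy relies on was not gathered, so nothing is proven about the device.
        return "deny", "client did not report a platform or app version"
    if not version_at_least(ios, min_ios):
        return "deny", "iOS %s is below the required %s" % (ios, min_ios)
    if not version_at_least(app, min_app):
        return "deny", "F5 Access %s is below the required %s" % (app, min_app)
    return "allow", ""


if __name__ == "__main__":
    # Constructed sample sessions, not captured from a real BIG-IP.
    samples = [
        {"session.client.platform_version": "11.4.1", "session.client.app_version": "3.0.0"},
        {"session.client.platform_version": "11.10", "session.client.app_version": "3.0.0"},
        {"session.client.platform_version": "11.2", "session.client.app_version": "3.0.0"},
        {"session.client.platform_version": "11.4", "session.client.app_version": "2.1.3"},
        {},
    ]
    for s in samples:
        print(s, "->", pre_logon_decision(s, min_ios="11.4", min_app="3.0.0"))
```

Treating an absent version as a deny rather than an allow is the choice to carry over into the real custom action: a client that does not populate the variable has not passed the check, it has simply not been checked.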