Manual Chapter : Configuring Access Policy Manager for MDM applications

Applies To:


BIG-IP APM

  • 13.1.0

Overview: Configuring APM for device posture checks with endpoint management systems

You can configure BIG-IP Access Policy Manager (APM) to verify the posture of a mobile device, as reported by your endpoint management system, before the access policy allows the device onto the corporate network. The endpoint management system provides the posture verification, and it also controls the corporate data on the mobile device. Edge Client establishes a VPN connection with APM®, and an endpoint management system (Airwatch, MaaS360, or Intune) manages the device and sends its details to APM.

Task summary

Creating an endpoint management system connector with Airwatch

You must create a Server SSL profile on a BIG-IP® system and have access to an Airwatch system.
An endpoint management system on BIG-IP Access Policy Manager® (APM) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system on the same BIG-IP system. APM® polls devices connected to configured endpoint management systems.
  1. Log in to the Airwatch console using the administrator user name and password.
  2. On the left panel, click Accounts.
    The View Role screen displays.
  3. For the Categories setting, click API > REST.
  4. Enable API access for the administrator.
  5. On the left panel on the main screen, click Groups & Settings.
    The Settings popup screen opens.
  6. Under the System tab, click API > REST API.
    The System/Advanced/API/REST popup screen opens.
  7. On the System/Advanced/API/REST screen, select the General tab.
  8. Select the Override setting.
  9. Select Enable API Access.
  10. Copy the API key displayed next to API key.
  11. Click Save.
  12. On the BIG-IP system, on the Main tab, click Access Policy > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens.
  13. Click Create.
  14. In the Name field, type a name for the endpoint management system.
  15. In the Type list, select Airwatch for the endpoint management system.
  16. In the FQDN field, type a fully qualified domain name.
  17. In the Port field, type 443.
  18. From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager™.
  19. In the Update Interval (minutes) field, type the number of minutes that represents how often APM updates the device database.
  20. In the Username field, type the Airwatch administrator user name.
  21. In the Password field, type the Airwatch administrator password.
  22. In the API Token field, type or paste the API key copied from the Airwatch screen.
  23. Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server, and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.
Note: The Airwatch interface might change.

Creating an endpoint management system connector with MaaS360

You must create a Server SSL profile on a BIG-IP® system and have access to a MaaS360 system.
An endpoint management system on BIG-IP® Access Policy Manager® (APM) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system on the same BIG-IP system. APM® polls devices connected to configured endpoint management systems.
  1. Contact MaaS360 to obtain information needed to access the API.
    The information required includes the following data:
    • Application ID
    • Platform version
    • Version number
    • Access key
    • Service URL
  2. Log in to the MaaS360 console using the administrator user name and password.
  3. At the bottom of the screen, copy the Account ID.
  4. On the BIG-IP system, on the Main tab, click Access > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens.
  5. Click Create.
    The New endpoint management system screen opens.
  6. In the Name field, type a name for the endpoint management system.
  7. In the Type list, select MaaS360 for the endpoint management system.
    The Network location and API Credentials sections display.
  8. In the FQDN field, type the service URL provided by MaaS360.
  9. In the Port field, type 443.
  10. From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager™.
  11. In the Update Interval (minutes) field, type the number of minutes that represents how often APM updates the device database.
  12. In the Username field, type the MaaS360 administrator user name.
  13. In the Password field, type the MaaS360 administrator password.
  14. In the Billing Id field, type or paste the billing ID copied from the MaaS360 screen.
  15. In the Application Id field, type the application ID provided by MaaS360.
  16. In the Access Key field, type the access key provided by MaaS360.
  17. In the Platform field, type the platform version of the MaaS360 console.
  18. In the App Version field, type the current version number of the application that is linked to the account.
  19. Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server, and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.
Note: The MaaS360 interface might change.

Creating an Azure web application for Microsoft Intune on APM

Before you can configure a web application, contact Microsoft to purchase a Microsoft Intune subscription.
BIG-IP APM integrates Microsoft Intune by configuring a Microsoft Azure Client web application on the Microsoft Azure portal. This topic describes how to create a web application to obtain a client ID and a client secret.
  1. On Microsoft Azure, on the main tab, click Azure Active Directory.
    The Azure Active Directory screen opens.
  2. Click App registrations.
    The App registrations screen opens.
  3. Click New application registration.
    A new Create screen opens.
  4. In the Name field, type a name for the new web application.
  5. From the Application type dropdown menu, select Web app / API.
  6. In the Sign-on URL field, type a URL.
    This can be any URL, such as https://localhost.
  7. Click Register.
    A newly-created application's page displays the registration details.
  8. Copy the Application ID to your records.
    You use this ID as the client ID when configuring the EMS object on the BIG-IP system.
  9. In the Manage section, click Certificates & secrets.
    The Certificates & secrets screen opens.
  10. Under Client secrets, click New Client Secret to create a secret key.
  11. In the Description field, enter any description for this secret key.
  12. In the Expires section, select Never.
  13. Click Add.
    A new key displays in the Certificates & secrets screen.
    Copy the key to the administrator records. You use this key as the client secret when configuring the EMS object on a BIG-IP system.
  14. Click Overview to navigate to the app screen with registration details. In the Manage section, click API permissions.
    The API permissions screen opens.
  15. Click Add a permission.
    The Request API permissions screen opens.
  16. Select Intune from the list of Microsoft APIs, and then select Application Permissions.
  17. From the Permissions list, select Get device state and compliance information from Microsoft Intune.
  18. Click Add permissions.
    A list of added permissions displays.
  19. Click Add a Permission again.
  20. Select Microsoft Graph from the list of Microsoft APIs, and then select Application Permissions.
  21. Select one of the following Microsoft Graph permissions under Application dropdown:
    - Application.Read.All (preferred)
    - Application.ReadWrite.All
    - Application.OwnedBy
    - Directory.Read.All
  22. Click Add Permissions.
    A list of added permissions displays.
  23. On the API permissions screen, click the Grant admin consent for button. When asked to confirm grant consent for all accounts in the Azure domain, click Yes.
You now have a tenant ID, client ID, and client secret.
From your BIG-IP system, create an Endpoint Management System for Microsoft Intune.
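As an added check before you configure the EMS object (example code, not from the F5 manual or from Microsoft): the tenant ID, client ID and client secret produced by the steps above are exactly the inputs of an OAuth 2.0 client-credentials request, and the `roles` claim of the access token that comes back shows whether the admin-consent step actually granted the Intune application permission. The token endpoint, the Intune API scope and the `get_device_compliance` role value are assumptions; the tokens below are constructed samples so the script runs offline.

```python
import base64
import json
from urllib.parse import urlencode

# Assumed (not from the F5 page): Azure AD v2.0 client-credentials token endpoint and
# the Intune service API resource used as the scope.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
INTUNE_SCOPE = "https://api.manage.microsoft.com/.default"
# Assumed app-role value behind "Get device state and compliance information from Microsoft Intune".
REQUIRED_ROLE = "get_device_compliance"


def build_token_request(tenant_id, client_id, client_secret, scope=INTUNE_SCOPE):
    """Return (url, form_body) for a client-credentials grant built from the three
    values the procedure yields: tenant ID, client ID and client secret."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def _b64url_decode(part):
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token):
    """Decode the payload of an access token without verifying its signature.
    Enough to inspect what was granted to our own app; never use it for authorization."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def missing_roles(token, required=(REQUIRED_ROLE,)):
    """Return the application permissions (roles claim) that admin consent has not granted yet."""
    granted = set(jwt_claims(token).get("roles", []))
    return sorted(set(required) - granted)


def _constructed_token(claims):
    # Constructed sample token for offline use: unsigned, so the signature segment is empty.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), ""])


SAMPLE_TID = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
SAMPLE_CONSENTED = _constructed_token({"tid": SAMPLE_TID, "roles": ["get_device_compliance"]})
SAMPLE_NOT_CONSENTED = _constructed_token({"tid": SAMPLE_TID})  # consent skipped: no roles claim

if __name__ == "__main__":
    print(missing_roles(SAMPLE_CONSENTED), missing_roles(SAMPLE_NOT_CONSENTED))
```

With a real token, an empty list from `missing_roles` means the permission is consented and APM's status check should pass; a non-empty list points back at step 23.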

Creating an endpoint management system connector with Microsoft Intune

You must create a Server SSL profile on a BIG-IP® system and have access to a Microsoft Intune system.
An endpoint management system on BIG-IP® Access Policy Manager® (APM) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system on the same BIG-IP system. APM® polls devices connected to configured endpoint management systems.
  1. On the BIG-IP system, on the Main tab, click Access > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen opens.
  2. Click Create.
    The New endpoint management system screen opens.
  3. In the Name field, type a name for the endpoint management system.
  4. In the Type list, select Microsoft Intune for the endpoint management system.
    The Network location and API Credentials sections display.
  5. From the Server SSL Profile list, select a previously created Server SSL profile in BIG-IP Local Traffic Manager™.
  6. From the DNS Resolver list, select a previously created DNS Resolver in BIG-IP Local Traffic Manager™.
    Create a DNS Resolver the same way you create a Server SSL profile.
  7. In the Update Interval (minutes) field, type the number of minutes that represents how often APM updates the device database.
  8. In the Tenant Id field, type the tenant ID that comes with a Microsoft Intune subscription.
  9. In the Client Id field, type the client ID that becomes available after creating a web application.
  10. In the Client Secret field, type the client secret that becomes available after creating a web application.
  11. Click Finished.
You have created an endpoint management system. APM tests the connection to the device management server, and prints a test status in the Status field. If the status displays OK, APM starts the device database synchronization for the created endpoint management system.

Editing an endpoint management system profile

You can create an endpoint management system on BIG-IP APM with either Airwatch or MaaS360.
An endpoint management system connector object on BIG-IP® Access Policy Manager® (APM®) is an object that stores information about the device management server, such as IP addresses and API credentials. You can configure more than one endpoint management system profile on the same BIG-IP system. APM polls devices connected to configured endpoint management systems.
  1. On the BIG-IP system, on the Main tab, click Access > Authentication > Endpoint Management Systems.
    The Endpoint Management Systems screen with a list of endpoint management systems opens.
  2. In the Name column, click the name of the endpoint management system you want to edit.
    The properties screen for that endpoint management system opens.
  3. Edit one or more fields.
    The status of the endpoint management system updates during each sync interval. If you edit the Username, FQDN, or Port fields, the Status field displays the same status as the actual configuration status. If you edit other property fields, the Status field might be different from the actual configuration status. The correct status appears when the next sync interval begins.
  4. Click Update.
You have updated an endpoint management system.

Creating an access profile

You create an access profile to provide the access policy configuration for a virtual server that establishes a secured session.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. Click Create.
    The New Profile screen opens.
  3. In the Name field, type a name for the access profile.
    Note: An access profile name must be unique among all access profile names and per-request policy names.
  4. From the Profile Type list, select one of these options:
    • LTM-APM: Select for a web access management configuration.
    • SSL-VPN: Select to configure network access, portal access, or application access. (Most access policy items are available for this type.)
    • ALL: Select to support LTM-APM and SSL-VPN access types.
    • SSO: Select to configure matching virtual servers for Single Sign-On (SSO).
      Note: No access policy is associated with this type of access profile.
    • RDG-RAP: Select to validate connections to hosts behind APM when APM acts as a gateway for RDP clients.
    • SWG - Explicit: Select to configure access using Secure Web Gateway explicit forward proxy.
    • SWG - Transparent: Select to configure access using Secure Web Gateway transparent forward proxy.
    • System Authentication: Select to configure administrator access to the BIG-IP® system (when using APM as a pluggable authentication module).
    • Identity Service: Used internally to provide identity service for a supported integration. Only APM creates this type of profile.
      Note: You can edit Identity Service profile properties.
    Note: Depending on licensing, you might not see all of these profile types.
    Additional settings display.
  5. In the Language Settings area, add and remove accepted languages, and set the default language.
    A browser uses the highest priority accepted language. If no browser language matches the accepted languages list, the browser uses the default language.
  6. Click Finished.
The access profile displays in the Access Profiles List. The default-log-setting is assigned to the access profile.

Configuring an access policy to include endpoint management integration

You can configure an access policy to perform compliance checks for connected devices. The Managed Endpoint Status action determines whether APM® recognizes a device with a device ID. The Managed Endpoint Notification action sends a push notification message to a device. You can create access policy checks using session variables and device posture information to allow or deny access.
  1. On the Main tab, click Access > Profiles / Policies.
    The Access Profiles (Per-Session Policies) screen opens.
  2. In the Access Policy column, click the Edit link for the endpoint management type access profile you want to configure.
    The visual policy editor opens the access policy in a separate screen.
  3. Click the (+) icon anywhere in the access policy to add a new item.
    Note: Only an applicable subset of access policy items is available for selection in the visual policy editor for any access profile type.
    A popup screen opens, listing predefined actions on tabs such as General Purpose, Authentication, and so on.
  4. Add a Managed Endpoint Status action:
    1. From the Endpoint Security (Server-Side) list, select Managed Endpoint Status and click Add Item.
      A popup Properties screen opens.
    2. In the Name field, type a name for the access policy action.
    3. For the Endpoint Management System, select the endpoint management system that you previously created.
    4. Click Save.
    The visual policy editor screen displays.
  5. In both the compliant branch and not compliant branch of the Managed Device Status action, click the (+) icon anywhere in the access policy to add a new action item.
  6. To add a Managed Endpoint Notification action, perform the following steps:
    1. From the Endpoint Security (Server-Side) list, select Managed Endpoint Notification.
      A popup Properties screen opens.
    2. In the Name field, type a name for the access policy action.
    3. From the endpoint management system list, select the endpoint management system that you previously created.
      Note: The Intune endpoint management system does not support the Endpoint Notification agent.
    4. In the Message field, type a message that displays on a device.
    5. Click Save.
    The visual policy editor screen displays.
You have an access policy that provides endpoint management integration for VPN access.

Figure: Access policy with endpoint management integration, showing the managed device status check for Edge Client and the managed device notification action.

Creating a virtual server

You create a virtual server for VPN traffic on the network.
  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Configuration list, select Advanced.
  5. In the Destination Address field, type the IP address for the virtual server.
    When you type the IP address for a single host, it is not necessary to append a prefix to the address.
  6. In the Service Port field, type the port number.
  7. From the SSL Profile (Client) list, select clientssl.
  8. From the Source Address Translation list, select Auto Map.
  9. Click Finished.
  10. From the Access Profile list, select the access profile that you previously created.
  11. From the Connectivity Profile list, select the connectivity profile that you previously created.
You have created a virtual server.