Release Notes : F5 Access for macOS 2.0.0

Applies To:


BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0, 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0, 13.0.1, 13.0.0
Release Notes
Updated Date: 08/30/2023

Summary:

In July 2018, Apple posted the release of F5 Access for macOS version 2.0.0. Users should download this new version from the macOS app store.

Contents:

F5 Access for macOS general information

General F5 Access Information

F5 Access for macOS provides Layer 3 network access for the BIG-IP APM module. The F5 Access for macOS SSL VPN application complements the existing Edge Client VPN product line, addressing similar use-case and deployment scenarios.

F5 Access for macOS incorporates Apple's new Network Extension Framework. This change creates some major architectural shifts in the new F5 Access VPN application. As a result, there are currently feature differences between F5 Access and Edge Client for macOS.
Note: Users can install and use both F5 Access and Edge Client for macOS on the same system.

F5 Access for macOS supports client certificate authentication, but with some caveats. By default, all server certificates that are not officially signed are rejected. If you install your own CA, you must set the system keychain settings to Always Trust.

Note: F5 Access for macOS is hosted in the Apple App Store, instead of on a BIG-IP system.

F5 Access for macOS has two components:

  • App Extension: built on the Network Extension framework to provide traffic tunneling.
  • F5 Access Container App: handles configuration management and state monitoring.

Supported Authentication Modes

Native
Native authentication mode is the default mode that the administrator can use to set the user logon by using username and password, optional client certificate, or both. Interactive authentication, including SAML and external logon pages, is not supported in this mode. Native mode does not require user interaction if all the credentials are previously saved.
Web (Web Logon)
Web-based authentication is supported in this version. In web authentication mode, the administrator can specify interactive Web-based multi-factor authentication in the access policy. Web authentication mode can be used to support an external logon page, SAML authentication, 2-factor logon with a one-time passcode, or other interactive methods. A user can specify Web logon mode when creating a configuration. All Web logon features are supported.
Client certificate required mode
In this version, client certificate required mode is supported.

Requirements for F5 Access for macOS

F5 Access for macOS 2.0.0 has the following minimum software requirements:

  • macOS 10.12.6 or later
  • BIG-IP v13.0 or later

User documentation for this release

For a comprehensive list of documentation that is relevant to this release, refer to BIG-IP Access Policy Manager Documentation.

Features and enhancements in 2.0.0

On-Demand VPN

Tunnels can be started on demand, using either On-Demand rules in Safari, or directives from an MDM.

Web Logon

Web Logon mode is supported in this release, allowing authentication features such as multi-factor authentication.

MDM Attributes

Device UDID is no longer provided natively, due to macOS changes. With an MDM, the device can be assigned an ID. This is assigned with the MdmDeviceUniqueId or UDID attribute. The assigned value populates the session variables session.client.mdm_device_unique_id and session.client.unique_id. If neither attribute is provided, these session variables are not present. If either attribute is provided by the MDM, both session variables are present.

Always-On VPN

Always-On VPN is supported with a .mobileconfig file or with an MDM profile.

Password caching

Password caching for macOS clients is now supported. Configure this in the Connectivity Profile for F5 Access for macOS.

Enforce Logon Mode

The administrator can now enforce web or native logon mode. Configure this in the Connectivity Profile for F5 Access for macOS.

Network Extension Framework

Since version 1.0.0, F5 Access for macOS has been using Apple's Network Extension Framework. Apple's Network Extension Framework is a major architectural shift for the F5 Access client related to features such as Layer 3 VPN, Per-App VPN Tunneling, Server Certificate Verification, and other features.

Feature | Description
Split-tunneling (include list) | Split-tunneling include list of IP address ranges/subnet masks.
Split-tunneling (exclude list) | Split-tunneling exclude list of IP address ranges/subnet masks.
Server SSL Certificate Verification | Verify server SSL certificate against CA store.
Authentication w/ Username and Password | Support Username and password in native and Web Logon modes.
Authentication with Username and Password and Client Certificate | Two-factor authentication with username and password and client certificate in native and Web Logon modes.
Certificate-only Authentication | Support Authentication with certificate in native and Web Logon modes. The client certificate works only for request mode.
Keychain | Users can use the saved password from the keychain.
MDM Provisioning | Support configuration by endpoint management systems or MDM.
VPN Tunnel Information | Display detailed information about the VPN tunnel.
Per-App VPN Support | Layer 3 VPN With the macOS Network Extension Framework, Per-App VPN policies are enforced by macOS.
Per-App VPN On-Demand | Start Per-App VPN on demand.
TLS and DTLS Support | TLS and DTLS protocols switch when appropriate. DTLS to TLS fallback is supported today.
Compression over TLS | The compression of traffic (GZIP) for a given TLS network tunnel.
Landing URI support | Configuration of a landing URI for the VPN tunnel.

Known issues in F5 Access 2.0.0

The following are known issues that affect the user experience when F5 Access is used on a macOS device. These issues may be addressed in the future by F5 or Apple.

ID number | Description
712947 | In Web Logon mode, the prompt to install the browser plugin is shown to the user when client-side EPS checks are running, instead of using the fallback branch. If a connection is established in native mode, the fallback branch is taken on all client-side checks. As a workaround, the user should click the link in the Continue without installing software section. The user is then routed to the fallback branch.
713854-2 | When APM reaches the concurrent session limit, it does not allow newer APM sessions to be created. In such a scenario, if an F5 Access client that has saved credentials on the client connects to APM, the VPN fails to establish. The credentials are assumed to be invalid and deleted. As a workaround, use the following iRule:

    #
    # A simple rule to send reset when F5 Access sends a request with an errorcode=14
    #
    #
    # Ref: https://devcentral.f5.com/articles/http-event-order-access-policy-manager
    #
    when CLIENT_ACCEPTED {
        ACCESS::restrict_irule_events disable
    }
    when HTTP_REQUEST {
        if { [HTTP::uri] contains "my.logout.php3?errorcode=14" && [HTTP::header value "User-Agent"] contains "F5Access/2.1.1" } {
            log local0. "DEBUG LOG: [HTTP::uri] => rejecting"
            # simply reject
            reject
        }
    }

714132 | When a VPN configuration is installed by an MDM or configured from a .mobileconfig file, and authentication fails, the VPN connection switches to Disconnected mode without displaying an "Authentication failed" error message.
714426 | In this release, compression for inbound traffic works correctly. However, on the Details statistics screen, the Received Compression percentage is always displayed as 0.0.
714635 | When On-Demand Cert Auth is set to Require in the access policy, and there is no certificate, the wrong certificate, or if Web Logon mode is used to connect, F5 Access switches to Disconnected state with no error message.
715985 | If a per-app VPN configuration doesn't have SafariDomains specified, it is detected as an Enterprise (device-wide) VPN.
715989 | The OnDemandRule action EvaluateConnection doesn't work with per-app VPN connections. It does work for device-wide VPN connections on macOS 10.13.4 with Safari. This is expected behavior. Only the Disconnect action works with per-app VPN.
716909 | When you create a VPN configuration with a certificate and Web Logon enabled, then connect to the VPN configuration for the first time, a number of prompts are displayed. For most of the prompts, you can select "Always Allow," and proceed. Some prompts may require you to acknowledge them each time they appear.
717157 | A password cannot be entered for a new configuration if the password field was in a disabled state while editing another configuration that was afterwards reverted. As a workaround, close the F5 Access Configuration window to resolve the issue. When the user goes to Manage VPN Configurations again, the password field can be populated successfully.
718122 | On macOS 10.12, the client proxy exclusion list does not work correctly for wildcard IP addresses (for example, 172.29.68.*, 172.*.197). Such traffic still routes through the proxy, and does not bypass the proxy. The exclusion list does work correctly for names, names with wildcards, and IP addresses without wildcards.
718843 | In Web Logon mode, with the client certificate set to require in the clientssl profile, the session is not deleted from the BIG-IP when the user disconnects. Native logon mode is not affected.
722550 | When Network Access is configured for split tunneling and the DNS address space is not set to the wildcard *, client proxy settings are not used by Chrome or Firefox. Instead, traffic bypasses the proxy. Safari uses client proxy settings correctly in this scenario. If Network Access is configured to force all traffic through the tunnel, or it is configured for split tunneling, but the DNS Address Space is set to *, then both Chrome and Firefox successfully use client proxy settings.
725804 | On F5 Access for macOS, when a client certificate is requested, Web Logon mode is specified, and the user chooses Always Allow when presented with the prompt "com.apple.Webkit.Networking wants to sign using key...", a network tunnel cannot be established.
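
The two per-app VPN issues above (715985 and 715989) can be checked for before a profile is deployed. The following is an added example, not F5 or Apple code: it reads an unsigned .mobileconfig and flags per-app VPN payloads that lack SafariDomains or use an On-Demand action other than Disconnect. The payload type and key names follow Apple's configuration profile format; looking for OnDemandRules both at payload level and in the nested VPN dictionary is an assumption, and the sample profile is constructed.

```python
import plistlib

PER_APP = "com.apple.vpn.managed.applayer"  # Apple's per-app VPN payload type

def on_demand_actions(payload):
    """Actions from OnDemandRules at payload level or in the nested VPN dict."""
    rules = list(payload.get("OnDemandRules", []))
    rules += payload.get("VPN", {}).get("OnDemandRules", [])
    return [rule.get("Action") for rule in rules]

def audit_profile(raw):
    """Return (config name, issue ID, message) for per-app payloads at risk."""
    findings = []
    for p in plistlib.loads(raw).get("PayloadContent", []):
        if p.get("PayloadType") != PER_APP:
            continue  # both checks apply to per-app VPN payloads only
        name = p.get("UserDefinedName", "?")
        if not p.get("SafariDomains"):
            findings.append((name, "715985",
                             "no SafariDomains; detected as device-wide VPN"))
        for action in on_demand_actions(p):
            if action != "Disconnect":
                findings.append((name, "715989",
                                 f"OnDemandRules action {action} does not work per-app"))
    return findings

def vpn(ptype, name, action, **extra):
    """Build one constructed VPN payload for the sample profile."""
    rules = [{"Action": action}]
    return {"PayloadType": ptype, "UserDefinedName": name, "VPNType": "VPN",
            "VPN": {"OnDemandEnabled": 1, "OnDemandRules": rules}, **extra}

# Constructed sample profile: all names and domains are made up.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        vpn(PER_APP, "perapp-missing-domains", "EvaluateConnection"),
        vpn(PER_APP, "perapp-ok", "Disconnect",
            SafariDomains=["intranet.example.com"]),
        vpn("com.apple.vpn.managed", "device-wide", "EvaluateConnection"),
    ],
})

if __name__ == "__main__":
    for name, issue, message in audit_profile(SAMPLE):
        print(f"{name}: known issue {issue}: {message}")
```
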

Fixes in 2.0.0

Fixes in F5 Access 2.0.0

There are no fixed issues in this release.

Contacting F5 Networks

Phone - North America: 1-888-882-7535 or (206) 272-6500
Phone - Outside North America, Universal Toll-Free: +800 11 ASK 4 F5 or (800 11275 435)
Fax: See Regional Support for your area.
Web: https://support.f5.com/csp/home
Email: support@f5.com

For additional information, please visit http://www.f5.com.

Additional resources

You can find additional support resources and technical documentation through a variety of sources.

F5 Networks Technical Support

Free self-service tools give you 24x7 access to a wealth of knowledge and technical support. Whether it is providing quick answers to questions, training your staff, or handling entire implementations from design to deployment, F5 services teams are ready to ensure that you get the most from your F5 technology.

AskF5

AskF5 is your storehouse for thousands of knowledgebase articles that help you manage your F5 products more effectively. Whether you want to browse periodically to research a solution, or you need the most recent news about your F5 products, AskF5 is your source.

F5 DevCentral

The F5 DevCentral community helps you get more from F5 products and technologies. You can connect with user groups, learn about the latest F5 tools, and discuss F5 products and technology.

AskF5 Publication Preference Center

To subscribe, click AskF5 Publication Preference Center, enter your email address, select the publications you want, and click the Submit button. You will receive a confirmation email. You can unsubscribe at any time by clicking the Unsubscribe link at the bottom of the email, or on the AskF5 Publication Preference Center screen.

  • TechNews Weekly eNewsletters: Up-to-date information about product and hotfix releases, new and updated articles, and new feature notices.
  • TechNews Notifications: Periodic plain text TechNews, sent any time F5 releases a product or hotfix. (This information is always included in the next weekly HTML TechNews email.)
  • Security Alerts: Timely security updates and ASM attack signature updates from F5.
