Entra ID F5 APM MDM Intune integration compliance check

Question

We have a F5 APM with Entra ID Intune MDM integration for tunnel per-APP-VPN working and we perform cert based authentication, retrieve the UPN username from the certificate.

Now we would like to include compiance check to validate if the device is compliant, and if so proceed with access (no additional checks required).

There is a APM agent available inside the access profile to perform such endpoint security check client based MDM to intune and it has a open id configuration behind (client id/secret and tenant).

How should this be configured on Intune side, is NAC required or is it deprecated, should we use certificates instead, what is the easiest way to perform a compliance check between Intune and client and just inform the F5 APM that it passed?

marvin · Answer

here it says the following https://techdocs.f5.com/en-us/edge-client-7-1-8/big-ip-access-policy-manager-edge-client-and-application-configuration-7-1-8/configuring-access-policy-manager-for-mdm-applications.html&nbsp;Only iOS devices and Android devices with VPN access to APM from specific mobile device apps that are being managed by MDM (F5 Access Client Apps) are supported. For example, if you connect to APM WebTop from a browser in a device, then APM will not get a device ID and cannot check for device compliance.F5 Access for macOS and Windows are currently not supported.For devices with iOS 12 and later, F5 Access client could not retrieve device ID from iOS due to Apple imposed constraints, and compliance check failed. Microsoft's Network Access Control (NAC) integration with Intune provides a new temporary NAC ID to identify the device. This ID is pushed to the F5 Access client through the F5 Access profile in Intune. For iOS devices, the device is always verified by the MDM server as the NAC ID is not stored in the local cache.To use NAC on iOS devices, the&nbsp;Enable network access control (NAC)&nbsp;option must be selected when configuring the VPN profile for F5 Access in Microsoft Intuneand here it says the following&nbsp;Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval ServiceIntune ID in certificate-based compliance checkThe Device ID is not provided in the VPN profile. Instead, a device certificate with the Intune device ID is pushed to the device during the enrollment process. F5 Access client presents this certificate to&nbsp; the APM during the SSL handshake. APM uses the Intune device ID obtained from the certificate to get the compliance status of the device. In Intune, there is a static interval of 4 hours to sync devices from the non-compliance endpoint for the new Compliance Retrieval service.&nbsp;

injeyan_kostas · Answer

Thats unfortubatelly correct. Device ID is not availble though browser.

nikoolayy1 · Answer

For BYOD devices better look at things like per-app VPN:
&nbsp;
https://techdocs.f5.com/en-us/apm-f5-access/apm-f5-access-android-3-0-8/c_f5_access_chapter_title_per_app_vpn.html
&nbsp;
Other things that are outside of F5 are MAM with Intune where a container app namespace is installed that is secured from the rest of the mobile device apps.
https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/deployment-guide-enrollment-mamwe
&nbsp;
It is interesting if F5 per-app vpn to be combined with Intune MAM for unmanaged devices&nbsp; but that is for the F5 sales/solutions to answer 😁
&nbsp;
https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-tunnel-mam
&nbsp;

marvin · Answer

I have to&nbsp; say it works like a charm using certificates i believe the built-in APM agent performs the compliance check via back POST call using the device ID I believe that would make the most sense correct?&nbsp;https://community.f5.com/kb/technicalarticles/migrating-f5-big-ip-apm-from-legacy-nac-service-to-compliance-retrieval-service/309398&nbsp;

injeyan_kostas · Answer

The problem is not the APM Agent who will do the call, is how you feed this agent with Device ID.Of course if you got a certificate device ID is there, but you are not getting a certificate through browser based authentication

Forum Discussion

Entra ID F5 APM MDM Intune integration compliance check

5 Replies

AppWorld Berlin iRules Contest!

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

Recent Discussions

Related Content

Zero Trust building blocks - Leverage Microsoft Intune endpoint Compliance with F5 BIG-IP APM Access

BIG-IP security hardening and compliance checks

VMware VKS integration with F5 BIG-IP and CIS

Implementing F5 NGINX STIGs: A Practical Guide to DoD Security Compliance

Making WAF Simple: Introducing the OWASP Compliance Dashboard

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS