Forum Discussion

Marvin
Jun 16, 2025

Entra ID F5 APM MDM Intune integration compliance check

We have an F5 APM with Entra ID Intune MDM integration for tunnel per-app VPN working, and we perform certificate-based authentication and retrieve the UPN username from the certificate.

Now we would like to include a compliance check to validate that the device is compliant and, if so, proceed with access (no additional checks required).

There is an APM agent available inside the access profile to perform such an endpoint security check, client-based MDM to Intune, and it has an OpenID configuration behind it (client ID/secret and tenant).

How should this be configured on the Intune side? Is NAC required, or is it deprecated? Should we use certificates instead? What is the easiest way to perform a compliance check between Intune and the client and just inform the F5 APM that it passed?


5 Replies

  • For BYOD devices, it is better to look at things like per-app VPN:

    https://techdocs.f5.com/en-us/apm-f5-access/apm-f5-access-android-3-0-8/c_f5_access_chapter_title_per_app_vpn.html


    Other things that are outside of F5 are MAM with Intune where a container app namespace is installed that is secured from the rest of the mobile device apps.

    https://learn.microsoft.com/en-us/intune/intune-service/fundamentals/deployment-guide-enrollment-mamwe


    It would be interesting if F5 per-app VPN could be combined with Intune MAM for unmanaged devices, but that is for F5 sales/solutions to answer 😁

    https://learn.microsoft.com/en-us/intune/intune-service/protect/microsoft-tunnel-mam

    • Marvin

      I have to say it works like a charm using certificates. I believe the built-in APM agent performs the compliance check via a back POST call using the device ID; I believe that would make the most sense, correct?

      https://community.f5.com/kb/technicalarticles/migrating-f5-big-ip-apm-from-legacy-nac-service-to-compliance-retrieval-service/309398

      • Injeyan_Kostas

        The problem is not the APM agent that will make the call; it is how you feed this agent the device ID.
        Of course, if you get a certificate, the device ID is there, but you are not getting a certificate through browser-based authentication.

  • Marvin

    Here it says the following: https://techdocs.f5.com/en-us/edge-client-7-1-8/big-ip-access-policy-manager-edge-client-and-application-configuration-7-1-8/configuring-access-policy-manager-for-mdm-applications.html

    Only iOS devices and Android devices with VPN access to APM from specific mobile device apps that are being managed by MDM (F5 Access Client Apps) are supported. For example, if you connect to APM WebTop from a browser in a device, then APM will not get a device ID and cannot check for device compliance.

    F5 Access for macOS and Windows are currently not supported.

    For devices with iOS 12 and later, F5 Access client could not retrieve device ID from iOS due to Apple imposed constraints, and compliance check failed. Microsoft's Network Access Control (NAC) integration with Intune provides a new temporary NAC ID to identify the device. This ID is pushed to the F5 Access client through the F5 Access profile in Intune. For iOS devices, the device is always verified by the MDM server as the NAC ID is not stored in the local cache.

    To use NAC on iOS devices, the "Enable network access control (NAC)" option must be selected when configuring the VPN profile for F5 Access in Microsoft Intune.

    And here it says the following:

    Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service

    Intune ID in certificate-based compliance check
    The Device ID is not provided in the VPN profile. Instead, a device certificate with the Intune device ID is pushed to the device during the enrollment process. F5 Access client presents this certificate to the APM during the SSL handshake. APM uses the Intune device ID obtained from the certificate to get the compliance status of the device. In Intune, there is a static interval of 4 hours to sync devices from the non-compliance endpoint for the new Compliance Retrieval service.
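As an added illustration of the certificate-based flow quoted above (example code written for this thread, not code from F5, Microsoft or any poster), the block below builds a constructed self-signed certificate shaped like an Intune-issued device certificate and parses out the two identity fields the APM would rely on: the device ID and the user's UPN. It assumes the Intune device ID is carried in the subject CN and the UPN in a subjectAltName otherName (OID 1.3.6.1.4.1.311.20.2.3 is the Microsoft UPN otherName); where the device ID actually lands depends on the SCEP/PKCS profile, so check your own profile's subject and SAN settings. Requires the `cryptography` package.

```python
# Added example, not from the thread: parse the device ID and UPN an APM
# would see in a client certificate. Assumption: device ID in subject CN,
# UPN in a SAN otherName (Microsoft UPN OID). The certificate is constructed.
import datetime
import uuid
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID, ObjectIdentifier

UPN_OID = ObjectIdentifier("1.3.6.1.4.1.311.20.2.3")  # Microsoft UPN otherName

def der_utf8(s: str) -> bytes:
    """DER-encode a short UTF8String (tag 0x0C, one-byte length, < 128 bytes)."""
    b = s.encode()
    assert len(b) < 128
    return bytes([0x0C, len(b)]) + b

def make_device_cert(device_id: str, upn: str) -> x509.Certificate:
    """Constructed self-signed stand-in for an Intune-issued device certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_id)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName(
                [x509.OtherName(UPN_OID, der_utf8(upn))]), critical=False)
            .sign(key, hashes.SHA256()))

def extract_identity(cert: x509.Certificate) -> dict:
    """Return the device ID (CN, must be a GUID) and UPN (SAN otherName)."""
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    device_id = cn[0].value if cn else None
    try:
        uuid.UUID(device_id)  # Intune device IDs are GUIDs; anything else is unusable
    except (ValueError, TypeError):
        device_id = None
    upn = None
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == UPN_OID and other.value[0] == 0x0C:
                upn = other.value[2:2 + other.value[1]].decode()
    except x509.ExtensionNotFound:
        pass
    return {"device_id": device_id, "upn": upn}

if __name__ == "__main__":
    print(extract_identity(make_device_cert(str(uuid.uuid4()), "marvin@example.com")))
```

A certificate whose CN is not a GUID yields `device_id: None`, which is the case the thread describes: without a usable device ID there is nothing for the compliance lookup to key on.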