Forum Discussion

Federico_Meiner's avatar
Federico_Meiner
Icon for Altostratus rankAltostratus
Jun 25, 2019

Per-App VPN: A project story (Workspace one (Ex AirWatch) + iOS/Android + F5 APM)

Hello everyone,

 

This is post is not a question but instead a compilation of tips if you are embarking a Per-App VPN project where these technologies are integrated:

Workspace One (Ex Airwatch) as the MDM.

F5 APM as the VPN gateway (With F5 Access)

iOS and Android as your supported mobile OS.

TMOS 13.1.1 Build 0.0.4

 

TL;DR

iOS Per-App VPN works (Not in all apps) with F5 Access (Not F5's fault)

Android Per-App VPN does not work with F5 Access (Not F5's fault) an always on configuration must be enforced from the MDM side to achieve "similar" functionality.

Authentication from users should be via certificates.

MDM API to check device posture works great although some configurations on the iOS side must be made on the MDM side.

Have iOS and Android devices to test ASAP with many use cases and apps.

Most of the settings and configurations are made on the MDM, you will need strong collaboration with this team. Keep this in mind when choosing your project sponsor, team and stakeholder analysis.

It's strongly recommended for the deployment to manage both platforms (MDM and F5).

Functionality changes drastically from one mobile OS version to another, be prepared for broken things after updates.

 

Background

My role in this project was only to deploy F5 solutions, not Workspace one, this was made through another team.

Let's start with the scope:

Deploy a Per-App solution using F5 APM for iOS and Android devices, this solution will work together with Workspace One (AirWatch) to provide transparent and secure access to corporate applications.

Provide access to the user based on device posture in the MDM (Compliant, non compliant).

 

I have deployed remote access solutions with many vendors so I decided to proceed. How different could it be? Finally, there are a lot of brochures out there from VMware and F5 alike promoting this functionality.

 

First stage - Research

First of all I stumbled upon this video from the great Matthieu Dierick, he does a POC using and iOS emulator and everything goes great, keep in mind that this video is old and now you don't have to implement the iRule for device posture.

https://www.youtube.com/watch?v=3iNSx9TkVfo

Then I went through these guides from F5 and VMWare:

F5: https://f5.com/Portals/1/Premium/Architectures/RA-Enterprise-Mobility-Gateway-Recommended-Practices.pdf

VMWare: https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/9.5/vmware-airwatch-f5-integration-guide.pdf

MDM API Configuration in APM: https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/product/apm-client-configuration-12-0-0/7.html?sr=56554427

And finally this post from Cody Green https://devcentral.f5.com/s/articles/solving-secure-mobile-access-with-f5-and-ios-7-per-app-vpn-part-1

 

Second stage - The lab

With all the information I proceed to build my lab, since it was an integration project and I always wanted to play with an MDM I asked VMWare for a trial license for Workspace One to have the complete experience, even though it was not my responsability I like to know enough from the other technology in order to achieve a better synergy with other teams.

I had only an Android device to test at this stage.

Setting up Workspace one is really a straight forward and simple process, I was able to do it without major research and I had my test device enrolled in no time, after that I started to follow the guides posted above.

First warning: Most of the documentation points to iOS, not much emphasis on Android is made.

First step was to set up all the VPN related issues on APM.

Second I set up the Airwatch/MDM API in F5, the configuration it's really simple and it works out of the box, things got a little tricky when I had to to this on the Workspace One side since some menu options are different than their guides.

Third I setup my APM policy.

I test the F5 Access VPN alone and it works, the device posture check in F5 with the MDM also works!

I set up all the configurations required in the MDM console (VPN profiles, Per App VPN assignments, certificates, among others) and push the configuration with a sample public application.

 

Time to test the Per-App VPN on Android, the hype is real... and... it doesn't work.

 

Android nightmare

I analyzed all the settings and one of the first thing that comes to my attention is that there are 2 profiles that you can configure in the MDM console Android and Android legacy.

In the Android Profile there is no F5 Access for the VPN Configuration 🙁

In the Android (Legacy) it seems that there is (F5 SSL), I tested both of them and it did not work.

 

A post from VMWare stating that Per-App VPN is working on Android (Doesn't state much more)

https://docs.vmware.com/en/VMware-AirWatch/9.2/vmware-airwatch-guides-92/GUID-AW92-ProfilePerAppVPNAnd.html

This post from F5 states that Per App VPN configuration on Android devices is possible from Android 5 onwards and that it must be configured on the MDM side.

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm-f5-access-android-3-0-4/3.html

 

At this point I presented all my tests to the MDM team, their could not find a possible solution so they opened a support ticket with VMWare and after some time the first sad news arrived:

VMWare support stated that Per-App VPN with F5 Access on Android devices does not work

 

Android - The work around

Before you ask about On Demand VPN, it seems that it doesn't work either, so the work around was to set up an always on VPN on Android devices, according to the following post, this configuration has to be enforced from the MDM side too.

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm-f5-access-android-3-0-4/1.html

"Always-On mode for Android 7.0 and later for devices managed by an MDM"

 

At the moment we haven't set this up and we don't know if it is really possible.

 

The grass is greener on the iOS side

Finally we got an iPhone to play with, we enrolled it and made all the woo-woo MDM magic on the device.

We wanted to inject the user credentials via the MDM for transparent authentication but it seems that this was not possible, only options were certificate authentication and the usage of only one service account.

Per-App VPN on iOS did not work out of the box, at first try Per App VPN with Safari worked fine, same as you see in the videos or posts but some tweaking had to be made on the MDM side for others applications to work.

The Per-App functionality is really good and nice to watch, everything works like magic and the VPN tunnel is only for the opened application.

 

We have some applications that don't work, the MDM team is looking into it.

 

iOS session variables issues with F5 Access

Another problem showed up, in our test we could see that the device posture was failing in the APM policy not with a Compliant or Non Compliant, but with a fallback, this means that F5 Access could not send enough device information to the APM module in order to check the posture with the MDM. We went through the session variables available and found that the Device UDID should be presented to the F5 but it doesn't, it's important to note that IMEI or MAC is not passed in iOS devices.

After some research we found that from iOS 12 an onwards, iOS doesn't provide this information anymore and it should be supplied via the MDM.

https://techdocs.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm-f5access-ios-3-0-0/1.html

According to the MDM team this was an easy configuration and everything worked fine.

 

The network location awareness problem

One of the things that we are still looking is a way to enforce per app connectivity only when users are outside the corporate network.

On the Windows F5 Access client this is easly made via a custom installation package, but we could not find how to do it on mobile devices, my guess is that the MDM must enforce it.

This is kind of tricky since split tunnel configuration does not work (in theory) within the Per App VPN.

Any information on this issue would be greatly appreciated.

 

Hope you find this post useful,

 

Regards,

No RepliesBe the first to reply