Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service
Introduction
Mobile Device Management (MDM) solutions enable administrators to monitor, manage, and secure mobile devices within the organization. The user enrolls the device(s), and the administrator manages access by setting compliance policies that dictate whether a device is compliant or non-compliant. An Endpoint management system also controls the corporate data on mobile devices. F5 Access establishes a VPN connection with APM, an Endpoint management system which manages and sends the device details to APM.
Currently, there are two ways to get the device compliance status for Microsoft Intune using the Microsoft’s Network Access Control (NAC) API.
- Device ID based compliance check
Device ID is placed inside the VPN profile and pushed to the device by Intune when the device is enrolled. This information is available to the F5 Access client, then sends the device details to APM.
"In June 2021, Microsoft released the Compliance Retrieval service. This service will replace the legacy NAC service and offers improved security, privacy, and reliability. Microsoft will stop supporting the legacy NAC service from December 31, 2023 and recommends migrating to new Compliance Retrieval service." - Intune ID in certificate-based compliance check
The Device ID is not provided in the VPN profile. Instead, a device certificate with the Intune device ID is pushed to the device during the enrollment process. F5 Access client presents this certificate to the APM during the SSL handshake. APM uses the Intune device ID obtained from the certificate to get the compliance status of the device. In Intune, there is a static interval of 4 hours to sync devices from the non-compliance endpoint for the new Compliance Retrieval service.
For details, refer to the New Microsoft Intune Network Access Control (NAC) API document.
F5 BIG-IP Access Policy Manager supports Compliance Retrieval service. Customers who are using F5 NAC MDM solution must migrate to Compliance Retrieval service. Customers must make the required modifications to their environment and use the certificate-based authentication for NAC enabled networks with the new service.
For additional information on deploying the certificate-based authentication setup, including Intune device ID in the Subject Alternative Name field of the certificate, and configuring the BIG-IP Access Policy Manager, refer to the MyF5 documentation link and demonstration below.
Supported Devices
F5 Access for iOS, Android, Windows, and macOS supports the new NAC API service.
Demonstration
Compliance Retrieval Service demonstration includes two parts.
- Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service – Part 1
- Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service – Part 2
1. Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service – Part 1
This video describes how to deploy and configure certificate-based authentication setup, device configuration profiles on Microsoft Azure, Endpoint manager admin center (Intune). It also explains how to include Intune device ID in the Subject Alternative Name field of the certificate.
Key things to follow on Microsoft Azure and Intune:
- Create an Azure web application with Microsoft Intune and select Microsoft Graph API from the list of Microsoft APIs.
- Create a Certificate Authority (CA) server and install Intune certificate connector to get access to the Microsoft Intune system.
- Create the following configuration profiles on Microsoft Intune system:
- Trusted certificate profile
- PKCS or SCEP certificate profile
- VPN profile
- Include Intune device ID in the subject alternate name field of PKCS or SCEP certificate profile as mentioned below.
Default Intune device ID:
Custom Intune device ID:
- In the VPN profile, select Certificates as the Authentication method and choose the PKCS or SCEP certificate profile.
2. Migrating F5 BIG-IP APM From Legacy NAC Service to Compliance Retrieval Service – Part 2
This video describes how to configure client certificate profile, access policy using BIG-IP APM for complaince retrieval service and also differentiate between legacy NAC service and new NAC service with respect to BIG-IP APM.
Key things to follow on BIG-IP Access Policy Manager:
- Create an Endpoint management system connector with Microsoft Intune.
- Create a Client SSL profile with Client Certificate set to Require in the Client Authentication.
- In the Trusted Certificate Authorities list, select the CA certificate generated from the certificate authority server.
- An example of access policy is shown below.
In the Subject Alternative Name field, the Android, iOS, and Windows devices have default Intune device ID, so the Variable Assign action is not required in the access policy whereas the MacOS device has custom device ID which requires a Variable assign action.
Variable Assign agent:
- An example of access policy with the “On-demand Cert Auth” agent.
Here, the Client Certificate is set to ignore in the Client SSL profile and On Demand Cert Auth action is set to Require.
Verifying the configuration
Administrators can check the APM log and Session variables to verify whether the Compliance Retrieval service configuration is successful.
- In the APM log, while trying to sync the device information, the URL for new NAC service should be similar to: URL: https://<Domainname>/TrafficGateway/TrafficRoutingService/ResourceAccess/ComplianceRetrievalService
- In the APM session variables, session.mdm.device.mscomplianceservice value must be 1 and session.mdm.device.id value must be same as the Intune device ID.
Conclusion:
We described the prerequisites, Microsoft Intune configuration, and BIG-IP Access policy configuration required to switch to the Compliance Retrieval service in this article.
For further information, click the links below:
Combining F5 APM and Microsoft AAD/Intune is really powerful! Also F5 APM integration with Microsoft Conditional Access is really great :
https://www.youtube.com/watch?v=nunqHea5rjE&t=254s