Posted on 22-Feb-2023 05:00, edited on 22-Feb-2023 15:13 by Rebecca_Moloney
Mobile Device Management (MDM) solutions enable administrators to monitor, manage, and secure mobile devices within the organization. The user enrolls the device(s), and the administrator controls access by setting compliance policies that dictate whether a device is compliant or non-compliant. An endpoint management system also controls the corporate data on mobile devices. F5 Access establishes a VPN connection with APM; the endpoint management system manages the device and sends its details to APM.
Currently, there are two ways to get the device compliance status for Microsoft Intune using Microsoft's Network Access Control (NAC) API.
For details, refer to the New Microsoft Intune Network Access Control (NAC) API document.
F5 BIG-IP Access Policy Manager supports the Compliance Retrieval service. Customers who are using the F5 NAC MDM solution must migrate to the Compliance Retrieval service. Customers must make the required modifications to their environment and use certificate-based authentication for NAC-enabled networks with the new service.
For additional information on deploying the certificate-based authentication setup, including the Intune device ID in the Subject Alternative Name field of the certificate, and configuring BIG-IP Access Policy Manager, refer to the MyF5 documentation link and the demonstration below.
F5 Access for iOS, Android, Windows, and macOS supports the new NAC API service.
The Compliance Retrieval Service demonstration includes two parts.
This video describes how to deploy and configure the certificate-based authentication setup and device configuration profiles in Microsoft Azure and the Endpoint Manager admin center (Intune). It also explains how to include the Intune device ID in the Subject Alternative Name field of the certificate.
Note: If you use the Microsoft-recommended default identifier IntuneDeviceId:// in the Subject Alternative Name field in Intune, then the Variable Assign action is not required in the access policy.
Custom Intune device ID:
This video describes how to configure the client certificate profile and the access policy in BIG-IP APM for the Compliance Retrieval service, and also differentiates between the legacy NAC service and the new NAC service with respect to BIG-IP APM.
In the Subject Alternative Name field, Android, iOS, and Windows devices carry the default Intune device ID, so the Variable Assign action is not required in the access policy, whereas the macOS device has a custom device ID, which requires a Variable Assign action.
Variable Assign agent:
Here, Client Certificate is set to Ignore in the Client SSL profile and the On Demand Cert Auth action is set to Require.
Administrators can check the APM log and session variables to verify whether the Compliance Retrieval service configuration is successful.
In this article, we described the prerequisites, Microsoft Intune configuration, and BIG-IP access policy configuration required to switch to the Compliance Retrieval service.
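The logic behind the Variable Assign step above, as an added example that is not part of this article or of F5's product: it extracts the Intune device ID from a client certificate's Subject Alternative Name text, accepting the default IntuneDeviceId:// URI first and falling back to a custom identifier. The SAN samples are constructed, the custom prefix customid://CorpMac- is a hypothetical stand-in for whatever a custom macOS profile emits, and the OpenSSL-style text layout is an assumption about how the extension is dumped.

```python
import re
from typing import Optional

# Constructed samples: SAN extension text in OpenSSL's text layout (an
# assumption about the exact formatting APM would expose to the policy).
DEFAULT_SAN = (
    "X509v3 Subject Alternative Name:\n"
    "    URI:IntuneDeviceId://3f2504e0-4f89-11d3-9a0c-0305e82c3301, "
    "DNS:device01.corp.example"
)
# Hypothetical custom identifier, standing in for a custom macOS profile.
CUSTOM_SAN = (
    "X509v3 Subject Alternative Name:\n"
    "    URI:customid://CorpMac-3f2504e0-4f89-11d3-9a0c-0305e82c3301"
)
# Malformed value: the prefix is right but the ID is not a GUID.
BAD_SAN = "X509v3 Subject Alternative Name:\n    URI:IntuneDeviceId://not-a-guid"

GUID_RE = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
DEFAULT_RE = re.compile(r"URI:IntuneDeviceId://(" + GUID_RE + r")\b")
CUSTOM_RE = re.compile(r"URI:customid://CorpMac-(" + GUID_RE + r")\b")


def extract_intune_device_id(san_text: str) -> Optional[str]:
    """Return the Intune device ID (lower-cased GUID) found in the SAN text.

    The Microsoft default identifier wins when present; the custom form is
    the fallback a Variable Assign action would have to handle.  Anything
    that does not yield a well-formed GUID is rejected so the policy never
    queries the compliance service with a garbage identifier.
    """
    for pattern in (DEFAULT_RE, CUSTOM_RE):
        match = pattern.search(san_text)
        if match:
            return match.group(1).lower()
    return None


def needs_variable_assign(san_text: str) -> bool:
    """True when the certificate lacks the default identifier but carries
    the custom one, i.e. the access policy must derive the ID itself."""
    return DEFAULT_RE.search(san_text) is None and CUSTOM_RE.search(san_text) is not None
```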
For further information, click the links below:
Combining F5 APM and Microsoft AAD/Intune is really powerful! Also, F5 APM integration with Microsoft Conditional Access is really great:
https://www.youtube.com/watch?v=nunqHea5rjE&t=254s