
APM Integration with MobileIron Using V2 of the API

Jonathan_Wingfi
Altostratus

Has anyone had any experience integrating APM with MobileIron using version two of the MobileIron API? Specifically I'm looking to query the compliance status of Apple devices using the devices UDID. Any assistance with the iRule code to perform this query would be greatly appreciated. Thanks.

 

14 REPLIES

Matthieu_Dieric
F5 Employee

Hi Jonathan, please find on my Github the latest iApp for MobileIron using APIv2. I'm going to write an article on DC in order to push the package on it.

 

In the meantime, please go to : https://github.com/MattDierick/F5-Networks/tree/master/iApps/MobileIron

 

// Matt

 

Stephane_COUETT
Nimbostratus

Dear Matthieu ;

 

Thank you for this iApps development. I have a few questions for you.

 

1- On IOS-10, it seems the iApps is not able to retrieve mobile variables content - The APM receives this message from the mobile client: "session.client.platform is unknown". Could someone at F5 update the iApps in order to support IOS10 and Windows 10?

 

2- Is it mandatory to use the F5 Edge Client app (from AppStore) on the mobile in order to help the APM to retrieve variable content? If yes, on all platforms?

 

3- Are you aware about other prerequisites ?

 

Thank you very much Matthieu. Have a good day.

 

I ran into the iOS10 issue, and the fix is pretty simple. Modify the f5_mobileiron_vpn_mobileiron_apm_support irule and look for this section:

switch -glob [ACCESS::session data get "session.client.platform_version"] { "7.*" - "8.*" - "9.*" {

Change it to:

switch -glob [ACCESS::session data get "session.client.platform_version"] { "7.*" - "8.*" - "9.*" - "10.*" {

Keep the asterisks after the period. The post keeps removing them for some reason.

 

From my understanding it is necessary for the Edge client to retrieve the UUID. For other platforms you should only need the client components, but it is highly recommended to use the Edge client to avoid potential issues with Chrome and Firefox. Hope this helps.

 

Hi,

 

We downloaded the iApp template for MobileIron API v2 from the above link. We created the iApp using the template and it was created successfully.

Then we followed the steps to attach the iRules and the Access policy to include the iRule events.

Now when we access the VIP which has the access policy, the policy kicks off at the iRule event for pulling details with iRule event id "mi_device_details" and we get a TCL error.

 

TCL error: /Common/mdmprd.app/mdmprd_mobileiron_apm_support - can't read "static::mdmprd_mi_virtual_name": no such variable while executing "connect -timeout 1500 -idle 30 -status conn_status $static::mdmprd_mi_virtual_name" ("mi_device_details" arm line 6) invoked from within "switch [ACCESS::policy agent_id] { "mi_device_details" { Call 1 to retrieve UUID - unique ID from MobileIron

 

Do you have any idea why I am running into this issue?

 

Thank you.

 

Hi,

 

Did you download the latest one from: https://github.com/MattDierick/MobileIron-iApp

 

I updated the code for iOS 10.x support.

 

And which release on BIGIP are you testing on ?

 

ODC WebAdmin identified the TCL error was due to the end customer having a non-standard character in their password field ($). Changing the password resolved the issue.

 

I've been looking at the possibility of checking Airwatch for device management with APM. I have not seen the question answered about the edge client. Is the edge client required - I don't want to do vpn, just activesync and I can't push the edge client to devices.

 

To make an AirWatch or MobileIron device posture check, you have to present the UUID to the MDM. To do so, only the EDGE client can retrieve this information (neither Apps nor Mail clients retrieve the UUID). If you don't want to use the Edge client, you need to provide this UUID to APM. The solution is Client Cert authentication where the UUID is filled in a custom field in the certificate.

 

Thanks Matthieu,

 

Can you point me to help or docs on configuring the cert with Airwatch? I'm not concerned about getting device compliance, I'll let Airwatch handle that, I just want to verify that the MDM profile is on the device so I know Airwatch is managing it. Would it be any easier to just verify the MDM profile is on the device?

 

You do not check if the profile is on the device but if the device is enrolled and/or compliant. It is almost the same.

 

For client cert, I never did it via AirWatch. I did it manually. But in AirWatch you can push a profile with the client certificate. AirWatch will get the certificate from the PKI.

 

Is it possible to use this iApp without installing the Edge client on the mobile device?

 

LB_Admin_133366
Nimbostratus

Hi Matt,

 

We are using the iApp version 2.2 on F5 APM version 11.6.1 and MobileIron version 9.5; the API v1 calls to retrieve the device details using the UUID were all working fine. Our MobileIron MDM team upgraded their MobileIron version from 9.5 to 9.6.0.1 build 8. After this MobileIron MDM version upgrade, the API v1 call (to retrieve the device details using the UUID) is failing, throwing a 400 Bad Request.

 

"api_v1 recv_data is : HTTP/1.1 400 Bad Request Date: Fri, 29 Dec 2017 16:39:45 GMT Server: server Content-Length: 301 Connection: close Content-Type: text/html; charset=iso-8859-1 //DTD HTML 2.0; 400 Bad Request

 

Bad Request

Your browser sent a request that this server could not understand.

 

 

server Server at xyz.abc.org Port 443 "

 

Please let us know your thoughts.

 

Hi,

 

I suppose MI has stopped their API v1 in 9.6. If that is the case (please ask MI), we will need to upgrade the iApp. But I don't know if we can retrieve everything with v2.0.

It was not feasible when I updated the iApp last year.

 

schmuck
Nimbostratus

Hi Guys, You might have figured this out by now, but the MI upgrade has changed the way Tomcat is processing the send data. In the iRule for the iApp, the send data looks like this:

 

set send_data {
GET /api/v2/devices?adminDeviceSpaceId=1&fields=common.uuid%2Ccommon.status&query=\%22${conn_method}\%22%3D\%22${conn_mac}\%22AND%22common.status%22%3D%22Active%22 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
User-Agent: F5-APM-sideband/1.0
Host: ${static::iAPP_NAME_mi_host}
Connection: Keep-Alive
Authorization: Basic [b64encode "${static::iAPP_NAME_mi_apiuser}:${static::iAPP_NAME_mi_apipassword}"]
}

(The iRule might actually be still on v1, I can't remember). But the issue is with the above formatting. Tomcat actually rejects that initial line feed after the send_data {. So, you need to reformat the above request as follows:

 

set send_data {GET /api/v2/devices?adminDeviceSpaceId=1&fields=common.uuid%2Ccommon.status&query=\%22${conn_method}\%22%3D\%22${conn_mac}\%22AND%22common.status%22%3D%22Active%22 HTTP/1.1\r\nAccept: text/html, application/xhtml+xml, */*\r\nUser-Agent: F5-APM-sideband/1.0.......and on and on...\r\n\r\n}

Basically, the request needs to all be on one line with no preceding line feeds. This works with 9.6 and 9.7 that we know of.

 

(You also need to change what you are looking for in the returned data as MI has changed that with the v2 API)
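
The formatting fix described in the post above, as an added example that is not part of the original thread or of the iApp: it builds the sideband request from a list joined with explicit CRLF, so nothing precedes `GET`, and checks the result before sending. The proc names, the host name and the sample identifier are hypothetical, and the Authorization value is passed in already base64-encoded (in an iRule it would come from `b64encode`) so the block also runs in plain tclsh.

```tcl
# Added example; proc and parameter names are hypothetical, not from the iApp.
proc build_mi_request {host query_field query_value basic_auth} {
    # The device identifier comes from the client session, so accept only
    # characters expected in a UUID or MAC; this also keeps CR/LF out.
    if {![regexp {^[A-Za-z0-9.:_-]+$} $query_value]} {
        error "unexpected characters in device identifier"
    }
    # Percent-encoded form of: "field"="value" AND "common.status"="Active"
    set query "%22${query_field}%22%3D%22${query_value}%22AND%22common.status%22%3D%22Active%22"
    set lines [list \
        "GET /api/v2/devices?adminDeviceSpaceId=1&fields=common.uuid%2Ccommon.status&query=$query HTTP/1.1" \
        "Accept: text/html, application/xhtml+xml, */*" \
        "User-Agent: F5-APM-sideband/1.0" \
        "Host: $host" \
        "Connection: Keep-Alive" \
        "Authorization: Basic $basic_auth"]
    # CRLF between lines, and an empty line to end the header block.
    return "[join $lines "\r\n"]\r\n\r\n"
}

proc request_is_well_formed {req} {
    # The request line must be the very first bytes: no leading line feed.
    if {![string match "GET *" $req]} { return 0 }
    # The header block must end with CRLF CRLF.
    if {[string range $req end-3 end] ne "\r\n\r\n"} { return 0 }
    # No bare LF anywhere: every LF must follow a CR.
    if {[regexp {(^|[^\r])\n} $req]} { return 0 }
    return 1
}

# Constructed sample values; the credential is base64 of "apiuser:example".
set req [build_mi_request "mdm.example.com" "common.uuid" \
    "00000000-AAAA-BBBB-CCCC-000000000000" "YXBpdXNlcjpleGFtcGxl"]
puts "CRLF-joined request ok:    [request_is_well_formed $req]"
puts "leading line feed request: [request_is_well_formed "\n$req"]"
```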