Technical Forum
Ask questions. Discover Answers.

Device posture check without F5 Access guard

shashe
Cirrus

Can I implement a device posture check on APM for remote VPN users without having to deploy additional software like F5 Access Guard? I am wondering if the Edge Client software can collect the endpoint info and pass it over to the APM for the initial auth req. I am not looking to check posture in real time or per-req.

Thank you.

10 REPLIES

Leslie_Hubertus
Community Manager

Hi @shashe - some solid questions. I got rid of the spammer who replied to your post. I think @James_Jinwon_Lee could answer your questions if nobody else chimes in. 

@shashe APM can also collect limited device information from HTTP headers without additional S/W installation. However, if you need to collect detailed device information from the client, S/W installation is required.

@James_Jinwon_Lee Thanks for your response. Can you please detail the information it collects? What device posture checks can I enforce without the need for additional S/W clients? We have a combination of Mac, Windows, Android and iPhones.

Thanks.

@shashe F5 APM supports two types of endpoint posture checks as a policy in the VPE (Visual Policy Editor): 'Client-Side' and 'Server-Side'. For the 'Client-Side' check, we need to install 'Endpoint Inspection' S/W to check the specific information from the client machine. So, in this method, APM can do detailed checking such as file existence, AV status, Windows registry, etc. However, for the 'Server-Side' check, we use the header and other network telemetry data we can collect from the request. Thus, the information we can check in this method is quite limited, such as IP geolocation, IP reputation, client OS, browser type, etc.

@James_Jinwon_Lee Do I need to pay for any license for that inspection software? Also, where can I download it?

Thanks.

Access Guard is for Per Request checks as the F5 Edge Client VPN agent is for session checks. As the F5 Edge Client is like a browser, it uses helper apps to check your device, so I think that the client-side checks will work even with clientless VPN/SSL VPN without the Edge Client agent installed, but I can't confirm like 100%, but I think this is how it works:

https://community.f5.com/t5/technical-articles/creating-a-ssl-vpn-using-f5-full-webtop/ta-p/286314

https://support.f5.com/csp/article/K08285295

 

MaricelaOrtiz
Nimbostratus

I'm not knowledgeable about it. However, I will let you know if I learn anything.

If you managed to get the needed answers, please flag the question as answered.

I tested this with the fat client but without the Access Guard app. It works well with just the fat client. In short: the fat client is enough to make these endpoint checks.

Yup, so I remembered correctly 🙂. For session checks there is no need for the Access Guard app. In the future, if you decide to go zero-trust, then Access Guard will be needed for per-request checks, as shown in https://community.f5.com/t5/technical-articles/zero-trust-access-with-f5-identity-aware-proxy-and-cr... .

If you decide, you can mark the question as answered.