F5 Recommended Practices for BIG-IP
and AirWatch MDM Integration
Contents
Introduction 4
Purpose 5
Requirements 6
Prerequisites 6 AirWatch 6F5 BIG-IP 6
Network Topology 7
Big-IP Configuration 7
Remote Access Wizard 7
SSL Certificate and Key 14
SSL Client Profile 14
Virtual Server Advanced Configuration 15
Access Policy Manager - Visual Policy Editor 16
Basic AirWatch Access Policy Flow 16
BIG-IP ActiveSync Proxy 19
Login and Authentication Verification 19
Air Watch Configuration 21
AirWatch Console Access 21
Child Organization Group Creation 22
User Group Creation 23
Smart Group Creation 23
AirWatch and F5 Integration 24
AirWatch Certificate Authority 26
VPN Profiles 26
Base VPN Profile 26
On-Demand Certificate Authority VPN Access Profile 32
Copy the Access Policy 38
On-Demand Certificate Authority Macro 38
Variable Assign Object 39
Advanced Resource Assign Macro 41
SSL Client Certificate Modification 42
Virtual Server Access Policy assignment 43
Per-App VPN Profile 44
Copy the Access Policy 46
Conclusion 47
Introduction
The F5 BIG-IP Access Policy Manager (APM) allows for the consolidation of multiple access gateways (mobile application management, virtual desktop infrastructure, Microsoft Active Sync Proxy, and others) into a single unified access gateway.
You can begin your deployment with a single access gateway use case or with multiple access gateway use cases. In either scenario, F5’s tight integration with technology alliance partners allows for validated configurations to ensure compatibility. While this recommended practices guide is specific to integrating F5 BIG-IP APM with AirWatch MDM, you may reference our VDI access gateway solutions here:
VMware Horizon View:
https://f5.com/solutions/deployment-guides/vmware-horizon-view-optimized-solution-big-ip-v114-apm
Citrix XenApp/XenDesktop:
https://f5.com/solutions/deployment-guides/citrix-xenapp-or-xendesktop-release-candidate-big
Microsoft Remote Desktop Services:
http://www.f5.com/pdf/deployment-guides/f5-microsoft-remote-desktop-services-dg.pdf
For VMware Horizon View, administrators may use BIG-IP APM as a PCoIP proxy for remote access use cases. This greatly increases not only Horizon View security, but also scale and performance.
Many more F5 BIG-IP APM use cases may be referenced here:
https://f5.com/solutions/deployment-guides/tag/access%20policy%20manager
Purpose
With F5 BIG-IP APM, you may provide AirWatch mobile users unmatched secure remote access, performance, and availability. This document outlines the configuration details required to integrate F5 BIG-IP APM with AirWatch mobile device management (MDM). The steps are a series of
recommended practices to follow in order to build an integrated solution. As with any system deployment, the steps are examples and the deployed environment may not exactly match these examples.
After completing this guide, you will be able to:
• Use the F5 BIG-IP APM as an AirWatch access gateway.
• Use the iOS BIG-IP Edge Client for Per-App VPN access with iOS 7 or later.
Please reference the latest iOS BIG-IP Edge Client configuration guide here:
https://support.f5.com/kb/en-us/products/big-ip_apm/manuals/related/apm- edgeclientios-2-0-4.html
• Authenticate AirWatch MDM users via the BIG-IP APM.
• Initiate on-demand VPN tunnels by domain query.
• Use BIG-IP APM as a Microsoft Active Sync Proxy for Android and iOS email synchronization.
• Manage AirWatch MDM devices through the BIG-IP APM access gateway.
This recommended- practices guide will enable you to:
1. Configure an APM access policy (network access, authentication, webtop, and session variables).
2. Create a certificate authority (CA), client certificates, and associated BIG-IP ClientSSL Profile.
3. Configure a BIG-IP virtual server and associate the APM access policy and SSL profile.
4. Configure multiple custom access policies for three (3) AirWatch remote access use cases:
a. A VPN profile for all iOS and Android network traffic
b. A VPN On-Demand Profile
c. A Per-App VPN profile
Requirements
This section covers various requirements for this guide. These include prerequisites, product licensing, software, and/or hardware requirements.
Prerequisites
The following prerequisites need to be addressed prior to implementing this guide. This solution utilizes the following ancillary infrastructure:
• An authentication server
• An email server
• An application server
• An NTP time server
• Globally Routable IP addresses
• Mobile device(s) with network access (iOS and Android devices only)
• Internet access
• Administrator login credentials
• SSL Certificate and Key (please reference F5 solution article SOL14499 for how to create a certificate authority and client certificates)
AirWatch
• AirWatch service cloud subscription and AirWatch cloud account are required
Note: This recommended practices guide was formulated on a cloud-based AirWatch deployment. The recommended practices in this document may apply to AirWatch on- premises deployments but have not been tested.
F5 BIG-IP
• Either a physical or a virtual instance of BIG-IP is required.
• This guide is based on BIG-IP software release 11.5.0.
• This solution relies on F5 Access Policy Manager (APM) and requires an APM software license.
Network Topology
Figure 1: Logical Network Topology
Big-IP Configuration
This section covers the steps required to be performed within the BIG-IP web configuration utility.
Remote Access Wizard
The BIG-IP configuration utility wizard will assist you in creating a remote access configuration using Access Policy Manager (APM). Log in to the BIG-IP and select Wizards->Device Wizards from the left menu bar. Select Network Access Setup Wizard for Remote Access and click Next.
Enter a Policy Name and Caption. The Default Language, Full Webtop, and Client Side Checks fields are optional. Then click Next to continue.
Figure 3: Network Access Policy Name and Details
Select Create New or Use Existing in the Authentication Options field. Select the Authentication Server type from the list. Then click Next to continue.
Figure 4: Authentication Server Type Details
The Authentication Server settings need to be defined. In this example we choose an Active Directory Authentication method. Enter a Domain Name. In this example, a Direct connection to the Primary Domain Controller is chosen. Enter an IP Address, Admin Name, and Password for the Active Directory Domain. Then click Next to continue.
Figure 5: Active Directory Server Details
A lease pool is a pool of available IP addresses that BIG-IP will assign to remote clients for network access. The size of this pool needs to be large enough to provide enough address space for the total concurrent connections licensed by APM. In this example, an address space of 20 IP addresses is defined. Select a Supported IP Version, and a Start and End IP Address. Select Add to move the address range to the Member List. Click Next to continue.
The client settings should be set according to the deployment scenario requirements. In this example, all traffic will be forced through the SSL VPN tunnel. Select Force all traffic through tunnel. Then click Next to continue.
Figure 7: Traffic Option Client Details
Primary and Secondary Name Servers need to be specified. Enter a Primary and Secondary Name Server and the Default Domain Suffix.
Figure 8: DNS Server Details
An optional step is to add Static Host entries. These are static host names to IP address assignments that BIG-IP can use to resolve remote access client requests. In this example, two static hosts are added. Host entries for an email server and an application server are input. If this is required, enter a Host Name and an IP Address and then select Add to include these entries in the list. Click Next to continue.
Figure 9: Static Host Details
Finally, the Virtual Server IP Address needs to be defined. A Redirect Server will also be created, which will redirect client requests to the HTTPS virtual server. Enter an IP Address that is globally routable and resolvable by DNS. Click Next to continue.
Figure 10: Virtual Server IP Address Details
The wizard will display a list of all the configuration values entered. Review the list. Click Next to continue or Previous to correct any configuration mistakes.
Figure 11: Access Wizard Confirmation Details
The Setup Summary is displayed.
Figure 12: Access Wizard Setup Details
The wizard will address most of the configuration tasks necessary. The next sections will address the ones that haven’t been addressed.
SSL Certificate and Key
This solution requires that an SSL certificate and key pair be imported to BIG-IP. These configuration procedures are beyond the scope of this document but can be referenced in F5 solution article SOL14499. These procedures can be used to create a certificate authority (CA) and client certificates and provide instructions for importation to BIG-IP.
It is important that you generate the required certificate and key pair before continuing to the next section.
SSL Client Profile
An SSL Client Profile must be bound to the HTTPS virtual server created in the previous section.
Follow the configuration procedures to create an SSL Client Profile: Navigate to Local Traffic-
>Profiles->SSL->Client and select Create. Enter a Name. Scroll down to the Client Authentication section. Check the Custom boxes for Client Certificate and choose Require. Check the Custom boxes for Trusted Certificate Authorities and Advertised Certificate Authorities and select the certificate that was imported from the previous section.
Figure 13: SSL Client Profile Details
Virtual Server Advanced Configuration
Some virtual server parameters below will require modifications:
Select the External VLAN from the Available list and click the << button to move it to the Selected column. This is a security feature that prevents VLAN misuse.
Figure 14: External VLAN Selection
Set the virtual server to use the SSL Client profile created in the previous section. Select the SSL Profile from the Available column and click the << button to move it to the Selected column. Click the >> button on the clientssl default profile from the Selected column to move it to the Available column.
Figure 15: SSL Client Profile Details
Check Enabled for VDI and Java Support.
Figure 16: Enable VDI and Java Support Details
Access Policy Manager - Visual Policy Editor
The F5 BIG-IP Access Policy Manager (APM) Visual Policy Editor (VPE) is a subordinate user interface (UI) that resides within the BIG-IP APM web configuration utility to assist with building access policies.
Depending on the deployment scenario, it may be necessary to alter the access policy. Follow these procedures to configure the VPE:
Basic AirWatch Access Policy Flow
Access the current access policy by navigating to Access Policy->Access Profiles->Access Profiles List. The list of access policies is displayed.
Figure 17: Access Policy Details
Click on the Edit hyperlink from the F5_AirWatch_Policy policy row. The VPE is displayed. The current policy should look like the following:
Figure 18: Access Policy Flow for Basic AirWatch Policy Details
Note: Each of the hyperlink items in blue unscored text can be modified to address the deployment requirements.
The next few sections will detail some of these basic access policy settings.
Logon Page Macro
From Figure 18 above, click on the hyperlink labeled Logon Page. This will display the Logon page Properties tab.
The top portion of the page details the parameters that will be presented to the user.
Figure 19: Logon Page Agent Details
The lower portion of the page contains the customizations parameters available.
Figure 20: Logon Page Customization Details
AD Auth Macro
From figure 18 above, click on the hyperlink labeled AD Auth to display the Authentication page Properties tab.
Figure 21: AD Authentication Configuration Details
Modify these values to satisfy site specific deployment requirements. Select Cancel or Save to return to the VPE.
Resource Assign Macro
From figure 18 above, click on the hyperlink labeled Resource Assign to display the Resource Properties tab.
Figure 22: Resource Assignment Configuration Details
Modify these values to satisfy site-specific deployment requirements. Select Cancel or Save to return to the VPE. Click the Close button when you’re finished.
Note: It is recommended to take these access policy options into consideration when deploying AirWatch VPN Profiles.
BIG-IP ActiveSync Proxy
F5 BIG-IP APM’s Microsoft ActiveSync proxy enables native email application integration for both Android and iOS devices. These configuration procedures are beyond the scope of this document. To configure BIG-IP APM as a Microsoft ActiveSync proxy, please see the deployment guide and according iApp.
Login and Authentication Verification
You should now be able to test the APM Access Policy from a PC client. This tests the integration of the BIG-IP APM with respective authentication servers.
From a PC client, test that the APM logon prompt is properly displayed. Open a Web Browser and enter the fully-qualified domain name (FQDN) or IP address of the APM-protected Virtual Server. The Secure Logon page is displayed. Enter a valid username and password and select Logon to continue.
Figure 23: APM Logon Details
If this is the first time you’re logging onto the APM-Protected Virtual Server, you may have to install browser plugins. If this is the case, follow these instructions:
Figure 24: Browser Plugin Notification Details
Once the test client can properly authenticate and obtain privileges, Mobile Device Management (MDM) can be configured.
If the client is unable to authenticate, review the APM log files in the BIG-IP command line interface (CLI) at /var/log/apm.
Air Watch Configuration
This section covers the steps required for MDM configuration via the AirWatch administration console (herein referred to as the AirWatch console).
AirWatch Console Access
The AirWatch console is the management interface to configure AirWatch MDM. Log in to the AirWatch Console. The console dashboard is displayed.
Figure 25: AirWatch Console Dashboard Details
The console is laid out with tabs on the far-left column that expose sub tabs to the right of these tabs.
Child Organization Group Creation
An organization group is a simple way to manage VPN profiles and devices. It allows for configuration settings that adhere to deployment requirements to be set at the organization level and be applied by default. Within the AirWatch console, select the Groups & Settings icon on the left. Expand the Groups, Organization Groups, Organization Group Details menu tree.
Figure 26: AirWatch Organization Group Creation Details
Note: You’ll need the Group ID for future reference while performing additional configuration steps.
Enter a Name for the group and a Group ID, and then click Save. Be sure to choose this group from the upper-left tab.
Figure 27: Organization Group Details
User Group Creation
Add a new user group by selecting Groups & Settings->Groups->User Groups, and then click on the Add hyperlink. Enter the Name for the group and click Save to continue.
Figure 28: New User Group Details Click Save when finished.
Smart Group Creation
Add a new smart group by selecting Groups & Settings->Groups->Smart Groups, and then click on the Add Smart Group hyperlink. Enter the Name for the smart group at the top-right of the screen.
Select only the Organization Group and User Group previously created.
Click Save when finished.
AirWatch and F5 Integration
To enable the F5 integration, perform the following steps. Navigate to Group & Settings->All Settings and select the System tab in the left-hand column. The System tab menu selections are displayed. Expand the Enterprise Integration menu item and select Enterprise Integration Services.
Figure 30: System Details
It should be noted that if the Current Setting is Inherit, you will need to change it to Override by selecting Override in order to enable enterprise integration. You may also need to change the cloud connector and/or mobile access gateway (MAG) current setting to override. Enable the enterprise Integration by clicking the Enable button. Enter an EIS URL. This is the FQDN that resolves to the IP address of the BIG-IP Virtual Server.
Figure 31: EIS URL BIG-IP FQDN Details
Scroll down to the Enterprise Services section. Enable or Disable the necessary services.
Figure 32: Enterprise Services Details
Next, scroll down to the AirWatch Services. Enable the services as per deployment requirements.
Figure 33: AirWatch Services Details
Next, verify the Certificate state and Child Permissions.
AirWatch Certificate Authority
A CA needs to be defined. Within the AirWatch console, navigate to System->Enterprise Integration ->Certificate Authorities. Click the Add button to add a new CA. Enter a valid Name, Auth Type,
Server Hostname, Authority Name, Username, and password.
Figure 35: AirWatch Certificate Authority Details Click Save when finished.
VPN Profiles
You can deploy three different VPN Profile types:
• A Base VPN Profile for all iOS and Android network traffic
• A VPN On-Demand Profile that will initiate a VPN connection whenever applications navigate to predefined domains
• A Per-App VPN Profile that specifies which applications can utilize the VPN connection
Base VPN Profile
To create a base VPN Profile for Android and iOS devices, within the AirWatch console, navigate to Devices->Profiles->List View menu from within the left column.
Create New Android Profile
To create a new AirWatch profile for Android devices, within the AirWatch Console, navigate to Devices->Profiles->List View. Click the Add button and then choose the Android icon.
Figure 36: Android Platform Detail
Enter a Name and select the Smart Group previously created for this profile.
Figure 37: Android Profile Details
Next, in the left column, select the Passcode tab and then click the Configure button. This will display the Passcode settings that need to be applied. Select the Minimum Passcode Length value as per deployment requirements. For this example the default values remain.
Figure 38: Passcode Details
Next, in the left column, select the Restrictions tab and then click the Configure button. This will display the restriction settings that can be applied. Note that some values are operating system–
dependent. Apply the appropriate restrictions per deployment requirements.
Figure 39: Restriction Details
Next, in the left column, select the VPN tab and then click the Configure button. This will display the VPN settings that need to be applied. Choose the F5 SSL Connection Type. Enter a Connection Name for the profile; make sure the Server is the BIG-IP Virtual Server FQDN; and select
{EnrollmentUser} as the Username.
Figure 40: Android VPN Profile Details
Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button.
This will display the ActiveSync settings that need to be applied. Enter the Account Name and enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host.
Login Information needs to be defined. Enter a Domain. Click the + button next to User and enter {EnrollmentUser}.
Figure 42: Exchange ActiveSync Login Details
In the Settings section, in the Past Days of Mail to Sync field, enter the value the deployment requires. In this example, Auto is selected. In the Contacts and Calendar section in this example, Native Contacts Application is chosen for both fields.
Figure 43: Exchange ActiveSync Settings and Security Details Click the Save & Publish button to continue.
Create iOS Profile
In this section you will create a new AirWatch profile for iOS devices. Within the AirWatch Console navigate to Devices->Profiles->List View. Click the Add button and then choose the Apple iOS icon. Enter a Name for this profile.
Figure 44: iOS Profile Details
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied.
Enter the Connection Name, Type, Server, and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically check boxes.
On-Demand Certificate Authority VPN Access Profile
This profile builds on the Base VPN Profile. The VPN On-Demand feature allows applications to automatically initiate a VPN connection using the F5 client whenever those applications navigate to any of the domains specified in the VPN Profile.
Create New On-Demand Android Profile
In this section you will create a new On-Demand AirWatch profile for Android devices. Within the AirWatch console navigate to Devices->Profiles->List View, click the Add button, choose the Android icon, and then enter a Name for this profile.
Figure 46: Android On-Demand Profile Details
Next, in the left column, select the Credentials tab, and then click the Configure button. This will display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the deployment.
Figure 47: On-Demand Credential Profile Details
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied.
Enter the Connection Type, Name, Server, and select the Username.
Figure 48: On-Demand VPN Details
Click the Save & Publish button to continue.
Create New On-Demand iOS Profile
This section contains instructions on how to create a new AirWatch profile for iOS devices. Within the AirWatch Console, navigate to Devices->Profiles->List View, click the Add button, and then choose the Apple iOS icon from the platform listing.
Enter a Name and select the Smart Group previously created for this profile.
Figure 50: iOS Profile Details
Next, in the left column, select the Passcode tab and then click the Configure button.
This will display the Passcode settings that need to be applied. Select the Require passcode on device checkbox. This will display more passcode settings. For this example, additional values remain the defaults.
Figure 51: Passcode Details
Next, in the left column, select the Restrictions tab and click the Configure button. This will display the restriction settings that can be applied. Note that some values are operating system–
dependent. Select the checkboxes that correspond to the restrictions that the deployment requires.
Figure 52: Restriction Details
Next, in the left column, select the VPN tab and then click the Configure button. This will display the VPN settings that need to be applied. Enter the Name of the profile; select F5 SSL as the
Connection Type; enter the FQDN of the BIG-IP Virtual Server as the Server; and select {EnrollmentUser} as the Account. Then select the Per-App VPN and Connect Automatically checkboxes.
Within the Safari Domains, add the appropriate Domains for the deployment. User Authentication remains the default value of Password.
Figure 53: iOS VPN Profile Details
Next, in the left column, select the Exchange ActiveSync tab and then click the Configure button.
This will display the Exchange ActiveSync settings that need to be applied. Enter a Name for this account. Enter the FQDN of the BIG-IP Virtual Server as the Exchange ActiveSync Host.
Figure 54: Exchange ActiveSync Details
The Login Information needs to be defined. Enter a Domain. Click the + link next to Username and enter {EnrollmentUser}.
Figure 55: Exchange ActiveSync Login Details
In the Settings and Security section, For Past Days of Mail to Sync select a value that the deployment requires. In this example, 2 weeks is selected.
Figure 56: Exchange ActiveSync and Security Details Click the Save & Publish button to continue.
BIG-IP On-Demand Certificate Authentication Access Policy
Make the following modifications within the F5 BIG-IP web configuration utility.The existing access policy can be modified or copied. These instructions will result in copying the existing policy and modifying the SSL client profile.
Copy the Access Policy
To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row. Enter a name for the new policy and click the Copy button.
Figure 57: Access Profile Copy Details
The Access policy can be edited by clicking on the Edit hyperlink. Modify the policy to match the following configuration.
Figure 58: On-Demand Certificate Authentication Access Policy Details
Note: Enter the details of the Certificate Authentication and Resource Assignment to meet deployment requirements.
On-Demand Certificate Authority Macro
Click on the hyperlink labeled On-Demand Cert Auth.Figure 59: On-Demand Certificate Authentication Details
The Authentication mode is set to Request. Leave the settings at the default values and click the Save button.
Variable Assign Object
Add a variable assign object to the policy by clicking the + symbol on the Successful branch of the On-Demand Cert Auth macro. Enter a Name; in this example it is Extract UPN. Add a new variable entry by clicking the Change hyperlink.
Figure 60: On-Demand Certificate Authority VPE Macro
Figure 61: Variable Assign Details
Note: The “name” parameter specified in the three variable-assignment screen captures below is entered in the “Custom Variable” box (in Figure 60 above) for each variable assignment you create.
Add three variable assignments as follows:
Name: session.logon.last.domain Custom Expression:
set upn [mcget {session.logon.last.upn}];
if {[string first “@” $upn] >= 0} {
return [string range $upn [expr { [string first “@” $upn] + 1 } ] end ];
} else { return “”;
}
Figure 62: Variable Assignment #1
Name: session.logon.last.username Custom Expression:
Name: session.logon.last.upn Custom Expression:
set e _ fields [split [mcget {session.ssl.cert.x509extension}] “\n”];
foreach qq $e _ fields {
if {[string first “othername:UPN” $qq] >= 0} {
return [string range $qq [expr { [string first “<” $qq] + 1 } ] [expr { [string first “>” $qq] - 1 } ] ];
} } return “”;
Figure 64: Variable Assignment #3
Figure 65: Variable Assignment for Extract UPN Macro Details
Note: The Extract UPN Variable Assignment dialog should now appear as shown in Figure 63.
If it does not, edit each entry to match the values displayed in the graphic.
Note: If you choose to cut and paste the variable name and expression, be sure to paste the copied text as plain text. Otherwise an error pertaining to the variable syntax may block saving these assignments.
The next step will be to add an advanced resource assignment to the access policy.
Advanced Resource Assign Macro
Add an advanced resource assign object to the policy by clicking the + link on the Successful branch of the Extract UPN variable assignment macro. Enter a Name; in this example it is SSL VPN.
Select the Network Access tab and choose the F5_AirWatch_Policy_na_res that was created as a part of the initial BIG-IP Access Policy Wizard configuration task previously completed.
Figure 66: On-Demand Certificate Authority VPE Macro
Figure 67: Network Access Resource Details
Select the Webtop tab and select the F5_AirWatch_Policy_webtop that was created in the initial BIG-IP base configuration. Then click the Update button.
Figure 68: Webtop Assignment Details
The resource assignment macro should look as follows:
Figure 69: Resource Assignment Details
Click the Save button to return to the policy flow diagram. The On-Demand Policy should now look as follows:
Figure 70: On-Demand Policy Details
SSL Client Certificate Modification
When using On-Demand Certificate Authentication, client authentication is enabled with a Client certificate set. This setting needs to be changed to Ignore. Navigate to Local Traffic->Profiles-
>SSL->Client. The list of SSL Profiles is displayed; Select the AW_Client_Cert profile.
Figure 71: SSL Client Profile Details
Scroll down to the Client Authentication section and for the Client Certificate select Ignore from the drop-down list.
Figure 72: Client Authentication Set to Ignore Client Certificate Click the Update button to complete the change.
Virtual Server Access Policy assignment
The new Access Policy needs to be applied to the Virtual Server. To do this, navigate to Local Traffic ->Virtual Servers->Virtual Server List.
Figure 73: F5 Air Watch HTTPS Virtual Server Details
Scroll down to the Access Policy section. Modify the Access Profile to be the new On-Demand profile.
Figure 74: Virtual Server Access Profile Details Click the Update button to continue.
Per-App VPN Profile
This profile builds on the Base VPN Profile.
The Per-App VPN Profile is available in iOS 7 devices. This allows the profile to specify which applications can utilize the VPN connection. These are the managed applications that are pushed to specific devices via the AirWatch Admin Console.
There is a distinct difference between a per-app VPN and an on-demand VPN. With a per-app VPN, unique TCP tunnels are established per application and bind the application to the BIG-IP gateway.
With an on-demand VPN, when a mobile application queries a particular domain name, a TCP/UDP tunnel is established for all device applications.
Create New Per-App iOS 7 Profile
This section details how to create a new Per-App AirWatch profile for iOS devices. Within the AirWatch Console, navigate to Devices->Profiles->List View. Then click the Add button, choose the IOS icon, and enter a Name for this profile.
Figure 75: iOS Per-App Profile Details
Next, in the left column, select the Credentials tab and click the Configure button. This will display the VPN Credentials settings that need to be applied. Select a Credential Source appropriate for the deployment.
Figure 76: Per-App Credential Profile Details
Next, in the left column, select the VPN tab and click the Configure button. This will display the VPN settings that need to be applied.
Enter the Connection Type, Name, Server, and for the Account select {EnrollmentUser} from the drop-down list.
BIG-IP Per-App Access Policy
Make these modifications within the F5 BIG-IP web configuration utility.
The existing policy can be modified or copied. These instructions will result in copying the existing policy, and applying the new policy to the virtual server.
Copy the Access Policy
To copy the policy to a new name, click on the Copy hyperlink from the F5_AirWatch_Policy policy row.
Define a name for the new policy and then click the Copy button.
Figure 78: Access Policy Copy Details
The Access policy can be edited by clicking the Edit hyperlink. Edit the policy to match the following configuration. Delete the Resource Assignment macro item by clicking on the X link .
Figure 79: Per-App Access Policy Details
Note: Define the details of Certificate Authentication and Resource Assignment to meet deployment requirements. Refer to the Base VPN Access Profile settings in the Configuring BIG-IP sections above.
Virtual Server Access Policy Assignment
Apply the new Access Policy to the Virtual Server. Navigate to Local Traffic->Virtual Servers-
>Virtual Server List.
Figure 80: Virtual Server Details
Scroll down to the Access Policy section. Edit the Access Policy and select the new On-Demand profile from the drop-down menu.
Figure 81: Virtual Server Access Profile Details Click the Update button.
Conclusion
This concludes the BIG-IP and AirWatch recommended practices guide. The configuration details may vary from the deployed network topology.
