Last Modified: Apr 28, 2025
Affected Product(s):
BIG-IP APM
Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2
Fixed In:
13.0.0, 12.1.2 HF1
Opened: Oct 05, 2016
Severity: 3-Major
APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve the device MAC address, so APM is not able to check for device compliance against the configured Endpoint Management System (EMS) using the Managed Endpoint Status Policy Item. If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.
Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.
- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status.
- User accesses APM from an Android 7 device using F5 Edge Client app.
This workaround applies only to IBM MaaS360.

Add a Variable Assign agent just before the Managed Endpoint Status agent with the following variables:

    session.client.platform_tmp = expr {[mcget session.client.platform]}
    session.client.platform = expr {"iOS"}
    session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

Then add a Variable Assign agent after the Managed Endpoint Status agent to reset session.client.platform to its original state:

    session.client.platform = expr {[mcget session.client.platform_tmp]}
Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.