Bug ID 620801: Access Policy is not able to check device posture for Android 7 devices

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2

Fixed In:
13.0.0, 12.1.2 HF1

Opened: Oct 05, 2016

Severity: 3-Major


APM identifies Android devices based on their MAC address. With Android 7, it is not possible to retrieve the device MAC address, and hence APM is not able to check for device compliance against the configured Endpoint Management System (EMS) using the Managed Endpoint Status policy item. If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.


Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.


- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status.
- User accesses APM from an Android 7 device using F5 Edge Client app.


This workaround only applies to IBM MaaS360: Add Variable Assign agent just before Managed Endpoint Status agent with the following variables:

session.client.platform_tmp = expr {[mcget session.client.platform]}
session.client.platform = expr {"iOS"}
session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

And add Variable Assign agent after Managed Endpoint Status agent to reset session.client.platform to its original state:

session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix Information

Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.
