Bug ID 620801: Access Policy is not able to check device posture for Android 7 devices

Last Modified: Dec 10, 2018

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2

Fixed In:
13.0.0, 12.1.2 HF1

Opened: Oct 05, 2016
Severity: 3-Major

Symptoms

APM identifies Android devices based on their MAC address. On Android 7, it is not possible to retrieve the device MAC address, so APM cannot check device compliance against the configured Endpoint Management System (EMS) using the Managed Endpoint Status policy item. If the Access Policy is configured to restrict access based on APM's Managed Endpoint Status, and the user attempts to connect to APM using an Android 7 device with the F5 Edge Client app, access will be disallowed.

Impact

Connection is denied because F5 Edge Client is not able to determine the device MAC address to transmit to APM. The lookup for endpoint posture will result in a compliance check failure.

Conditions

- Access policy is configured to deny access on endpoint compliance failure with Managed Endpoint Status.
- User accesses APM from an Android 7 device using the F5 Edge Client app.

Workaround

This workaround applies only to IBM MaaS360.

Add a Variable Assign agent just before the Managed Endpoint Status agent with the following variables:

    session.client.platform_tmp = expr {[mcget session.client.platform]}
    session.client.platform = expr {"iOS"}
    session.client.unique_id = expr {"Android[mcget session.client.unique_id]"}

Then add a Variable Assign agent after the Managed Endpoint Status agent to reset session.client.platform to its original state:

    session.client.platform = expr {[mcget session.client.platform_tmp]}

Fix Information

Access policy now uses multiple fallback types to correlate the device identity with endpoint management systems: Device Serial Number, IMEI number, and MAC address, respectively.

Behavior Change