
Having NS Client deployed/installed pre-Big Sur works great. We've even managed to update the install script to grab the local user logged in, append our email domain and auto-enroll with the IdP. The challenge now is that upgrading to Big Sur relies on a user accepting the system extension, which not everyone is doing. Curious how others are addressing this.

Hi @nduda, the only way to automate the system extension acceptance is to use JAMF. Are you using or planning to use JAMF to manage Mac endpoints?

Here is an article on our support site that covers how to deploy Netskope Client with JAMF https://docs.netskope.com/en/deploy-netskope-client-with-jamf.html


 


JAMF is how we're managing this. We set up a 'self service' application deployed via JAMF which allows users to run various scripts related to all our deployments. One of those scripts essentially re-installs the Netskope client, so any user on Big Sur who experiences issues with Netskope can simply re-install the app at their leisure.


Also, ensure you have followed Coexistence-of-Netskope-for-Web-client-and-VPN-vendor-clients-on-Windows-and-Mac-endpoints as Big Sur does not support backhauling of the NS tunnel through VPN.


@ChickenTenderer would you be willing to share that script? We'd love to post those instructions on how to solve this problem broadly for other customers who are in the same boat. Are you running the same script that is running when Netskope client is installed, or did you modify it?


Thanks for the reply, everyone. Our concern though is how to streamline this. Basically, what we observed is that any Netskope NS Client installs that have happened on a pre-Big Sur system are working fine (yes, we use JAMF). However, as soon as the system is upgraded to Big Sur, NS Client breaks unless the user clicks OK for any new extensions. This is manual effort, and it is very difficult to detect "broken machines". From what we can see, it's also not possible to automate the system extension post NS client -- a reinstall is needed.

Publishing a JAMF self-service application is cool and all, but users are definitely not of the mindset to reinstall if broken. I do like the idea of at least publishing that for quick troubleshooting.
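
An added example, not part of the thread and not Netskope's or Jamf's own code: one way to surface the "broken machines" described above is a Jamf extension attribute that reports whether the extension is still awaiting user approval. The bundle ID is a placeholder, and the column layout of `systemextensionsctl list` is an assumption to verify on a test Mac.

```shell
#!/bin/sh
# Added example: Jamf extension-attribute style check for an unapproved
# system extension. Not Netskope's or Jamf's own script.
# BUNDLE_ID is a placeholder; use the identifier from your vendor's docs.
BUNDLE_ID="com.example.vendor.proxy"

# classify_extension ID: read `systemextensionsctl list` output on stdin
# and print approved | waiting_for_user | other:<state> | not_installed.
classify_extension() {
  awk -v id="$1" '
    # Rows are tab-separated; the state is the trailing [bracketed] field.
    index($0, "\t" id " (") && match($0, /\[[^]]*\]$/) {
      found = 1
      state = substr($0, RSTART + 1, RLENGTH - 2)
      if (state == "activated enabled")    ok = 1
      else if (state ~ /waiting for user/) pending = 1
      else                                 other = state
    }
    END {
      # An approved row wins over a stale row left by an older version.
      if (ok)           print "approved"
      else if (pending) print "waiting_for_user"
      else if (found)   print "other:" other
      else              print "not_installed"
    }'
}

# sample_list STATE: constructed output in the assumed shape of
# `systemextensionsctl list` (TEAMID0000 and VendorProxy are made up).
sample_list() {
  printf '1 extension(s)\n--- com.apple.system_extension.network_extension\n'
  printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
  printf '*\t*\tTEAMID0000\t%s (1.0/1)\tVendorProxy\t[%s]\n' "$BUNDLE_ID" "$1"
}

if command -v systemextensionsctl >/dev/null 2>&1; then
  status=$(systemextensionsctl list 2>/dev/null | classify_extension "$BUNDLE_ID")
else
  # Not on macOS: run against the constructed sample so the logic is visible.
  status=$(sample_list "activated waiting for user" | classify_extension "$BUNDLE_ID")
fi
# Jamf reads an extension attribute's value from <result> tags on stdout.
echo "<result>${status}</result>"
```

A smart group keyed on the value `waiting_for_user` then lists the machines where the prompt was never accepted.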


Apple's MDM provides a way for administrators to "pre-approve" extensions through configuration profiles. Here's a link to a JamfNation discussion where a user details the Team ID and allowed system extensions for Netskope.


@fsteele thanks, yes, we do use this concept to preapprove system extensions on new installs (we have it documented in our JAMF instructions). Now the question, I guess, is whether JAMF can preapprove the network extensions that we use in Big Sur in advance of the Big Sur upgrade to ensure a seamless user experience.


Looks like yes. I just upgraded to Big Sur 11.4 on a box with a config profile set to allow the extension, and the extension was approved automatically. I _did_ receive a notification explaining that Netskope could proxy traffic or some such, but with no option to deny.


Awesome, thanks for sharing, @fsteele!

