Solved

How do we prevent users from stopping Netskope services in macOS Big Sur?

  • 27 August 2021

Hello,

About 90% of our users are on macOS Big Sur with full admin privileges on their laptops. With older clients (v81 or below), users can simply go to Network Preferences and click Disconnect to stop Netskope from intercepting 80/443 traffic. I have tested on client v87 and this issue has been fixed. But we noticed that users are finding more creative ways to disable Netskope by doing the following in Terminal:

(1) sudo chmod -x /Applications/Netskope Client.app/
(2) Activity Monitor --> Search for Netskope Client --> Force Quit

How do we prevent such actions?

Thanks!


Best answer by kkasavchenko 2 September 2021, 12:37

I can also share that once you run the command above, restarting your laptop will not automatically restart the Netskope services.

Hi @dphung, with full admin privileges there are many ways the client could be disabled. I have seen developers create a route to null on their PC just for the Netskope gateway address!!

I’m afraid I don’t have an answer except changing the user access levels or even employing some kind of conditional access policy that requires the Netskope client to be active?

Thanks @sfoster. Do you know of any script that we can run in Jamf or other environment that can check if the client is connecting to the Netskope gateway?

Hi @dphung, a possible solution might be to pull the client status using the api/v1/clients API call. More information about this API endpoint and the Netskope API in general can be found at https://docs.netskope.com/en/get-client-data.html. The branch of the JSON response that you are interested in is called last_event.

One more solution that does not require the API: you can check the tunnelStatus in the /Library/Application Support/Netskope/STAgent/nsuser.conf file. When the tunnel is connected, the tunnelStatus should be "16".

Thanks @kkasavchenko. I will see if we can create a Jamf script to check this.
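One way to write the tunnelStatus check discussed above as a Jamf extension attribute script; this is an added example, not part of the original thread and not Netskope's own tooling. It assumes nsuser.conf stores the key as JSON-like text such as `"tunnelStatus": "16"`; the `NS_CONF` override and the state labels are hypothetical names chosen here.

```shell
#!/bin/sh
# Added example: report the Netskope tunnel state to Jamf from nsuser.conf.
# Assumption: the file holds tunnelStatus as JSON-like "key": "value" text.
# NS_CONF is a hypothetical override so the script can be tested off-device.
CONF="${NS_CONF:-/Library/Application Support/Netskope/STAgent/nsuser.conf}"
CONNECTED_VALUE="16"   # per the thread: "16" means the tunnel is connected

# Print the numeric tunnelStatus value from file $1, or nothing if absent.
tunnel_status() {
    sed -nE \
      's/(^|.*[^[:alnum:]_])tunnelStatus"?[[:space:]]*[:=][[:space:]]*"?([0-9]+)"?.*/\2/p' \
      "$1" 2>/dev/null | head -n 1
}

# Map the file contents to one of four states so that a missing or
# unparseable config is reported separately from a disconnected tunnel.
netskope_state() {
    conf="$1"
    if [ ! -r "$conf" ]; then
        echo "ConfigMissing"
        return 0
    fi
    status=$(tunnel_status "$conf")
    case "$status" in
        "")                 echo "StatusUnknown" ;;
        "$CONNECTED_VALUE") echo "Connected" ;;
        *)                  echo "NotConnected($status)" ;;
    esac
}

# Jamf reads an extension attribute value from <result>...</result> on stdout.
echo "<result>$(netskope_state "$CONF")</result>"
```

Because the file sits on a laptop where the user has admin rights, treat the value as a compliance signal rather than proof, and cross-check it against the server-side api/v1/clients data mentioned earlier in the thread.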
