If the Netskope client is enabled, I cannot sync the Company Portal app (Microsoft Intune). It just fails. Disable the NS client and it works just fine. All the default pinned apps for Microsoft Intune are enabled and assigned to the steering config my client is assigned to. Packet capture shows that it is still trying to use the NS cert, which I thought would be bypassed by the certificate exception.
We see the same thing here. Did you solve this issue?
Yes. I got this from support.
Could you please add the following processes, separated by commas, in the cert-pin app definition:
---For Windows: intunewindowsagent.exe, companyportal.exe, omadmclient.exe, microsoft.management.services.intunewindowsagent.exe, agentexecutor.exe, deviceenroller.exe
---For Mac: company portal, mdmclient, wdavdaemon_enterprise
This is already what is present in the Netskope default Microsoft Intune certificate pinned app so this shouldn’t fix the issue.
I have seen cases where you must also bypass manage.microsoft.com and dm.microsoft.com from SSL inspection or steering. Microsoft does not support SSL interception on these endpoints. I believe there are subdomains in these as well, so I’d test with *.manage.microsoft.com and *.dm.microsoft.com. I believe there are already discussions around adding these to the default SSL and steering bypasses in Netskope, but I’d need to confirm internally.
We had already tested with manage.microsoft.com because those subdomains always appear in the logs in case of Intune synchronization, but it seems that it was not sufficient.
I hadn’t noticed dm.microsoft.com.
Looking at our logs I see only checkin.dm.microsoft.com.
We will try with manage.microsoft.com and checkin.dm.microsoft.com to see if it is sufficient.
Regards
Confirmed fix.
NetSkope Settings > Security Cloud Platform > App Definition > Certificate Pinned Apps
Find ‘Microsoft Intune’, click … > Steering Config Exceptions
Edit ‘Action’ for your steering configuration
Add (manage.microsoft.com, dm.microsoft.com) to ‘Custom App Domains’
Save.
Open Windows Settings > Accounts > Access Work or School
Click on your domain > Click Info
Scroll down > Click ‘Sync’
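A quick way to confirm from the endpoint that the two Intune hosts named in this thread are actually exempt from inspection is to look at who issued the certificate they present. The script below is an added example, not part of the thread or Netskope's own tooling; it assumes the proxy CA's issuer DN contains the substring "netskope" (adjust `MARKERS` for your tenant) and uses the OS trust store that Python's default context loads on Windows.

```python
import socket
import ssl

# Endpoints from the thread that Microsoft requires to be exempt from SSL inspection.
INTUNE_HOSTS = ["manage.microsoft.com", "checkin.dm.microsoft.com"]
# Assumed substring(s) that identify the inspection CA in the issuer DN; adjust per tenant.
MARKERS = ("netskope",)

# Constructed sample issuers in ssl.SSLSocket.getpeercert() layout, for offline checks.
CONSTRUCTED_PROXY_CERT = {"issuer": ((("organizationName", "Netskope Inc"),),
                                     (("commonName", "Example Proxy CA"),))}
CONSTRUCTED_PUBLIC_CERT = {"issuer": ((("countryName", "US"),),
                                      (("organizationName", "Microsoft Corporation"),),
                                      (("commonName", "Example Public TLS Issuing CA"),))}

def issuer_values(cert):
    """Flatten the issuer DN of a getpeercert() dict into its attribute values."""
    return [value for rdn in cert.get("issuer", ()) for _, value in rdn]

def is_intercepted(cert, markers=MARKERS):
    """True when the issuer DN names the inspection CA rather than a public CA."""
    haystack = " ".join(issuer_values(cert)).lower()
    return any(m in haystack for m in markers)

def probe(host, port=443, timeout=5):
    """Classify one host as intercepted / direct / untrusted / error. Needs network."""
    ctx = ssl.create_default_context()  # loads the OS trust store on Windows
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by this machine: a proxy root that is not installed, or a bad chain.
        return "untrusted", str(exc)
    except OSError as exc:
        return "error", str(exc)
    issuer = " / ".join(issuer_values(cert))
    return ("intercepted" if is_intercepted(cert) else "direct"), issuer

if __name__ == "__main__":
    for h in INTUNE_HOSTS:
        state, detail = probe(h)
        print(f"{h}: {state} ({detail})")
```

Run it with the client enabled: any host reported as "intercepted" is still being inspected and will keep breaking the Company Portal sync until it is added to the steering exception.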