
Deploying Netskope Enterprise Browser to your Windows Fleet



Introduction

Enterprise Browser allows organizations to provide secure access to sensitive applications & content for unmanaged devices or devices not running the Netskope client. Here at Netskope, the Global Information Security and Information Technology teams partnered closely to successfully launch this technology internally. Below you will find instructions on how the IT team deployed this solution to our fleet of Windows machines.

 

This method is for deploying with Microsoft Intune. This guide details how to deploy the Netskope Enterprise Browser with auto profile enrollment. Netskope Enterprise Browser profiles use the user's corporate email address, and on Entra Joined Windows machines this allows admins to use the UPN to have the browser auto enroll upon deployment.

 

The method described in this guide consists of 2 steps: deploying the installer and config file to the local machine via Win32 Deployment, then using a PowerShell Platform script or, in our example, a Remediation Script to complete the Enterprise Browser installation with auto profile enrollment.
 

Script Based Auto Enrollment Deployment

 

Part 1 - Prerequisite task

Installer & Configuration file deployment to local machine

  1. Get the MDM installation artifact (currently a Windows MSI file). This file will be sent to you via your CSR.
  2. Add this to a dedicated folder on your Windows machine.
  3. Create a PowerShell script that will run the deployment.
    1. Example of our deployment script, where we target deployment of the files to the Public Libraries folder:

#Installation Script: EB-Installfile.ps1

$FileName = "EnterpriseBrowser.msi"

$ScriptPath = [System.IO.Path]::GetDirectoryName($MyInvocation.MyCommand.Definition)

Copy-Item -Path "$ScriptPath\$FileName" -Destination "$Env:Public\Libraries"

  1. You can also set up a removal script if required 
  2. Now your Dedicated folder should look like below


 

  1. Now wrap the .ps1 file within the folder to package the whole contents using IntuneWinAppUtil.exe
    1. Download the IntuneWinAppUtil.exe tool from the Microsoft Download Center (GitHub - microsoft/Microsoft-Win32-Content-Prep-Tool: A tool to wrap Win32 App and then it can be uploaded to Intune). You can find information on how to use IntuneWinAppUtil within the link.
  2. Now that your PowerShell and installer files are wrapped into a .intunewin, it is ready to deploy as a Win32 Deployment to your target endpoints
  3. Log in to your Intune environment (https://endpoint.microsoft.com)

 


 

  1. In Intune, navigate to Apps and select Create
  2. Select Windows App Win32

 

  1. Enter the name and details of your package


 

  1. Add the following install and uninstall commands, set the Install behavior to System, and set no specific action for device restart

Install command: 

%windir%\system32\windowspowershell\v1.0\powershell.exe -executionpolicy bypass -file "EB-Installfile.ps1"

 

Uninstall command:

%windir%\system32\windowspowershell\v1.0\powershell.exe -executionpolicy bypass -file "Remove-file.ps1"

 


 

  1. Set the requirements to 32-bit and 64-bit


  1. For the detection rule, you can configure it manually and point it at the Public Libraries folder on the C drive: C:\Users\Public\Libraries. In the file section, enter EnterpriseBrowser.msi

 

  1. Assign the app to your relevant scope or assignment group, then complete the wizard and allow it to deploy to your targeted fleet.

Part 2 - Script Deployment task 

  1. Select Devices > then select Scripts & Remediations


 

  1. Set to remediations & select create


  1. Set a name and description


  1. Add your detection and Remediation script & set the script to run using the logged-on credentials and also set script to run in 64-bit

 

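Detection Script - (Detecting if application is already installed on endpoint)

# Discovery: exit 0 = already installed, exit 1 = Intune runs the remediation script

# PowerShell does not expand %USERPROFILE%; use $env:USERPROFILE instead

$browserExe = "$env:USERPROFILE\AppData\Local\Netskope\Browser\Application\nsbrowsrer.exe"

if (Test-Path $browserExe) {

    $OutputVariable = & $browserExe -f | Out-String

    $OutputVariable

    exit 0

}

exit 1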

 

Remediation Script - (This points to the installer file pushed down in Step 1 and creates a log file and installs using the install argument leveraging the UPN)

 

# Remediation

 

$msiPath = "$env:Public\Libraries\EnterpriseBrowser.msi"  # Ensure this points to the MSI file

$logFile = "$env:Public\Libraries\EnterpriseBrowser_Install.log"

$upn = (whoami /upn) -replace '\s+$', ''  # Get User Principal Name and remove trailing spaces

$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"

# Function to Write Logs

function Write-Log {

    param ([string]$message)

    $logMessage = "$timestamp - $message"

    Write-Host $logMessage

    Add-Content -Path $logFile -Value $logMessage

}

# Validate MSI Path

if (-Not (Test-Path $msiPath)) {

    Write-Log "ERROR: MSI file not found at $msiPath. Exiting script."

    exit 1

}

# Define install arguments

$arguments = "/i `"$msiPath`" /qn NETSKOPEPROFILE=`"--netskope-mp-host=Your Host  --netskope-user-email=$upn --netskope-tenant-name=Your Tenant`""

# Start Installation

Write-Log "Starting Enterprise Browser installation for: $upn"

# Start-Process does not set $LASTEXITCODE; use -PassThru to read msiexec's exit code

$process = Start-Process -FilePath "msiexec.exe" -ArgumentList $arguments -NoNewWindow -Wait -PassThru

$exitCode = $process.ExitCode

# Check if installation was successful

if ($exitCode -eq 0) {

    Write-Log "Enterprise Browser Installed Successfully."

} else {

    Write-Log "ERROR: Installation Failed with Exit Code: $exitCode"

    exit 1

}

exit 0
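
The MSI sits in a shared folder under the Public profile between the Win32 deployment and the remediation run, so the remediation script can confirm it is still the file you packaged before handing it to msiexec. The following is an added example, not part of the original scripts: `Test-StagedInstaller` and `$expectedSha256` are hypothetical names, the hash is a placeholder you fill in at packaging time, and the optional signature check assumes the MSI you receive is Authenticode-signed. Run it after the "Validate MSI Path" step and before the msiexec call.

```powershell
# Added example: integrity gate for the staged MSI (not from the original guide).
$msiPath = "$env:Public\Libraries\EnterpriseBrowser.msi"

# Placeholder: record this when you build the .intunewin package, e.g.
#   (Get-FileHash .\EnterpriseBrowser.msi -Algorithm SHA256).Hash
$expectedSha256 = '<SHA256-OF-THE-MSI-YOU-PACKAGED>'

function Test-StagedInstaller {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedSha256,
        [switch]$RequireValidSignature   # assumption: the MSI is Authenticode-signed
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Ok = $false; Reason = "File not found: $Path" }
    }

    # Compare the on-disk hash with the value pinned at packaging time.
    # -ne on strings is case-insensitive, so hex case does not matter.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.Trim()) {
        return [pscustomobject]@{ Ok = $false; Reason = "SHA-256 mismatch, got $actual" }
    }

    if ($RequireValidSignature) {
        # Status is 'Valid' only when the signature verifies and chains to a trusted root.
        $sig = Get-AuthenticodeSignature -LiteralPath $Path
        if ($sig.Status -ne 'Valid') {
            return [pscustomobject]@{ Ok = $false; Reason = "Authenticode status: $($sig.Status)" }
        }
    }

    return [pscustomobject]@{ Ok = $true; Reason = "SHA-256 matches pinned value" }
}

$check = Test-StagedInstaller -Path $msiPath -ExpectedSha256 $expectedSha256
if (-not $check.Ok) {
    Write-Output "ERROR: refusing to install. $($check.Reason)"
    exit 1   # non-zero exit marks the remediation as failed in Intune
}
Write-Output "Installer verified: $($check.Reason)"
```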


 

  1. Set your scope targets or your assignment group depending on your assignment setup on your Microsoft Intune Tenant & set the schedule suitable for your environment


  1. Now review and create 


 

Once the script runs, the user should see the icon on their desktop with the profile automatically enrolled.

Below is an example of what your end users will see post deployment.

 


Please let us know if these instructions were helpful to you and don’t hesitate to leave a comment or question below!
