
Netskope Global Technical Success (GTS)

Case Insights - Netskope Client Deployment

 

Netskope Cloud Version - 126

What is this article about?

As a new initiative, this report examines the most frequent “How-to” questions raised by customers and handled by the Netskope Global Technical Success (GTS) team.

 

Netskope Client Deployment

A significant number of cases focus on the Netskope client, including deployment on various operating systems such as Windows, macOS, Android, iOS, and Linux.

 

Windows deployment

Before selecting a deployment method for Netskope Client on Windows devices, ask yourself three main questions:

  • Is the device domain joined?
  • Will the device be used by multiple users?
  • Is prelogon (NPA) needed?

 

Windows Deployment Workflow

Refer to the following workflow diagram with different deployment methods supported by Netskope Client.

 

Deployment details for learning purposes

Tenant: abcde.eu.goskope.com

Organization ID: AbCdddEFgHHijJKMn1o

Prelogon User: TestUser@prelogon.netskope.com

Authentication Token: 4e1170d4e0924c692a51224fc3a14281

Encryption Token (if enabled): f5da01b27f08ef5f4121380f2d87d168

 

| Reference Number | Install mode | Command Line |
|---|---|---|
| #1 | Single User IDP mode | msiexec /I NSClient.msi tenant=abcde domain=eu.goskope.com installmode=idp enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #2 | Single User IDP mode with prelogon | msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com token=AbCdddEFgHHijJKMn1o tenant=abcde domain=eu.goskope.com installmode=idp prelogonuser=TestUser@prelogon.netskope.com enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #3 | Multiuser IDP mode | msiexec /I NSClient.msi tenant=abcde domain=eu.goskope.com installmode=idp mode=peruserconfig enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #4 | Multiuser IDP mode with prelogon | msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com token=AbCdddEFgHHijJKMn1o tenant=abcde domain=eu.goskope.com installmode=idp mode=peruserconfig prelogonuser=TestUser@prelogon.netskope.com enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #5 | UPN Single User mode | msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com token=AbCdddEFgHHijJKMn1o enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #6 | UPN Single User mode with prelogon | msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com token=AbCdddEFgHHijJKMn1o prelogonuser=TestUser@prelogon.netskope.com enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #7 | UPN Multiuser mode with prelogon | msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com token=AbCdddEFgHHijJKMn1o mode=peruserconfig prelogonuser=TestUser@prelogon.netskope.com enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |
| #8 | UPN Multiuser mode | msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com token=AbCdddEFgHHijJKMn1o mode=peruserconfig enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn |

 

ℹ️

  • When deploying in IDP mode, ensure that you have configured a SAML Forward Proxy for User Authentication.
    Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Forward Proxy >>> SAML
  • If Prelogon and Secure Enrollment (Authentication and Encryption) are enabled, both tokens must be present on the end-user device even with IDP enrollment. Otherwise, Prelogon cannot be provisioned.
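
A pre-deployment check for the Windows command lines, as an added example that is not Netskope's code: it parses the msiexec properties and flags the case from the note above (prelogon with a missing token) plus a host that disagrees with tenant and domain. The rules are assumptions read off the sample rows, and `lint`, `parse_props` and `secure_enrollment` are hypothetical names.

```python
import re

# PROPERTY=value pairs on an msiexec command line; values may be double-quoted.
PROP = re.compile(r'(?<!\S)(\w+)=("[^"]*"|\S*)')

# Row #2 of the Windows table (the page's learning-purposes values).
ROW2 = ("msiexec /I NSClient.msi host=addon-abcde.eu.goskope.com "
        "token=AbCdddEFgHHijJKMn1o tenant=abcde domain=eu.goskope.com "
        "installmode=idp prelogonuser=TestUser@prelogon.netskope.com "
        "enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 "
        "enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 /qn")


def parse_props(cmdline):
    """Return the installer properties as a dict with lower-cased keys."""
    return {k.lower(): v.strip('"') for k, v in PROP.findall(cmdline)}


def lint(cmdline, secure_enrollment=True):
    """Return a list of problems; an empty list means the line is consistent.

    Assumption: the rules are read off the table rows and the note above,
    with both authentication and encryption tokens enabled on the tenant.
    """
    p = parse_props(cmdline)
    problems = []

    def need(keys, why):
        problems.extend(f"{k} missing ({why})" for k in keys if not p.get(k))

    idp = p.get("installmode", "").lower() == "idp"
    uses_addon = "prelogonuser" in p or not idp  # UPN rows and prelogon rows
    if idp:
        need(("tenant", "domain"), "IDP mode")
    if uses_addon:
        need(("host", "token"), "UPN or prelogon")
    if secure_enrollment:
        need(("enrollencryptiontoken",), "secure enrollment")
        if uses_addon:
            need(("enrollauthtoken",), "secure enrollment with UPN or prelogon")
    # host, tenant and domain must all name the same tenant.
    if all(p.get(k) for k in ("host", "tenant", "domain")):
        expected = f"addon-{p['tenant']}.{p['domain']}"
        if p["host"].lower() != expected.lower():
            problems.append(f"host {p['host']} does not match {expected}")
    return problems


if __name__ == "__main__":
    print(lint(ROW2))  # consistent line
    print(lint(ROW2.replace("enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 ", "")))
```

Run it over each command line before it goes into GPO, SCCM or an MDM package, so that a dropped token is caught before devices fail to provision Prelogon.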

 

macOS deployment

Installing Netskope Client on macOS requires five main processes:

  • Deploy Netskope Root and Intermediate Certificates
  • Deploy Installation Script
  • Pre-approved Netskope Client Extensions
  • Deploy Netskope VPN Configuration
  • Deploy Netskope Client package

For the most common MDMs, the deployment guide can be found in the Netskope Knowledge Base. For customers who wish to deploy Netskope Client from other MDMs, we provide a generic installation process.

 

The most important part of a successful installation is ensuring that the installation script runs before the Netskope Client package is distributed. If the script does not arrive in time and Netskope Client is installed first, the client enters IDP mode by default: it asks for the tenant name and domain, then prompts for IDP authentication if configured; if not, it shows an error message.

 

In addition to ensuring that the script runs before Netskope Client arrives, you must ensure that the script contains the desired deployment mode (IDP or .plist).

 

Please bear in mind that Netskope Client on macOS does not support UPN enrollment. If .plist mode is selected, you must create and deploy a preference profile from your MDM, which adds one item to the deployment:

  • Deploy Netskope Root and Intermediate Certificates
  • Create and deploy a .plist profile with the following format:

<key>email</key>

<string>{{mail}}</string>

  • Deploy Installation Script
  • Pre-approved Netskope Client Extensions
  • Deploy Netskope VPN Configuration
  • Deploy Netskope Client package

ℹ️

  • Generic installation script: “MAC-MDM-script.zip” can be downloaded under Download Netskope Client and Scripts.
  • Ensure that the .plist profile arrives before running the installation script.
  • You can validate directly on the device whether the .plist profile has been deployed and whether the MDM successfully resolved the variable. The profile is found under: /Library/Managed Preferences/<given name>.plist
  • If the .plist is found but is empty or contains random characters, .plist deployment is not feasible and you should plan to deploy Netskope Client in IDP mode.
  • If the .plist is found with a user, but the user is not provisioned via SCIM, Netskope Client will not be able to enroll.
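
The on-device validation described in the notes above, as an added Python example (not part of Netskope's installation script): it classifies a managed-preference .plist as ok, empty, unparseable or carrying an unresolved MDM variable. The `email` key comes from the profile format on this page; the function names and sample values are constructed.

```python
import plistlib
import re
from pathlib import Path

EMAIL_KEY = "email"  # key name from the <key>email</key> fragment on this page
# An MDM variable that was never substituted, e.g. {{mail}} or {EmailAddress}.
UNRESOLVED = re.compile(r"^\{+[^{}]*\}+$")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_managed_plist(data: bytes) -> str:
    """Classify the raw bytes of a managed-preference .plist."""
    if not data.strip():
        return "empty"
    try:
        prefs = plistlib.loads(data)  # accepts XML and binary plists
    except Exception:  # random characters, truncated file, bad XML
        return "unparseable"
    if not isinstance(prefs, dict) or EMAIL_KEY not in prefs:
        return "missing-email-key"
    value = str(prefs[EMAIL_KEY]).strip()
    if not value:
        return "empty"
    if UNRESOLVED.match(value):
        return "unresolved-variable"  # MDM deployed the literal template
    if not EMAIL.match(value):
        return "not-an-email"
    return "ok"  # the user must still be provisioned on the tenant


def check_managed_plist_file(path) -> str:
    """Same check for a file under /Library/Managed Preferences/."""
    p = Path(path)
    if not p.is_file():
        return "not-deployed"
    return check_managed_plist(p.read_bytes())


def sample_plist(value: str) -> bytes:
    """Constructed sample profile (not captured from a device)."""
    return plistlib.dumps({EMAIL_KEY: value})


if __name__ == "__main__":
    for v in ("jane.doe@example.com", "{{mail}}", "{EmailAddress}", ""):
        print(repr(v), "->", check_managed_plist(sample_plist(v)))
    print("garbage ->", check_managed_plist(b"\x8f\x02\x11 not a plist"))
```

Any result other than `ok` means .plist enrollment will not work on that device; an `ok` result still leaves the SCIM provisioning check, which has to be done on the tenant.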

 

macOS Deployment Workflow

Refer to the following workflow diagram with different deployment methods supported by Netskope Client.

 

Deployment details for learning purposes

Tenant: abcde.eu.goskope.com

Organization ID: AbCdddEFgHHijJKMn1o

Prelogon User: TestUser@prelogon.netskope.com

Authentication Token: 4e1170d4e0924c692a51224fc3a14281

Encryption Token (if enabled): f5da01b27f08ef5f4121380f2d87d168

 

| Reference Number | Install mode | Command Line |
|---|---|---|
| #1 | Multiuser IDP mode | set -- 0 0 0 idp eu.goskope.com abcde 0 peruserconfig enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 |
| #2 | Single User IDP mode | set -- 0 0 0 idp eu.goskope.com abcde 0 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 |
| #3 | .plist installation mode | set -- 0 0 0 addon-abcde.eu.goskope.com AbCdddEFgHHijJKMn1o EXAMPLE.plist preference_email enrollauthtoken=4e1170d4e0924c692a51224fc3a14281 enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 |
| #4 | Multiuser IDP mode | set -- 0 0 0 idp eu.goskope.com abcde 0 peruserconfig enrollencryptiontoken=f5da01b27f08ef5f4121380f2d87d168 |

 

ℹ️ When editing the installation script to add .plist mode, the referenced .plist file name must exactly match the name of the preference profile deployed on the device via MDM. You can check the preference name in the following directory.

Path: /Library/Managed Preferences/<given name>.plist

 

Netskope Root and Intermediate certificate

Certificates can be downloaded from your tenant.

Path: Netskope Tenant UI >>> Manage >>> Certificates >>> Signing CA

 

Pre-approved Netskope Client Extensions

Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

Team Identifier: 24W52P9M7W

If Endpoint DLP is entitled and needed, check: Endpoint Data Loss Prevention

 

Netskope VPN Configuration

VPN configuration: “NetskopeClient.mobileconfig” can be downloaded from Download Netskope Client and Scripts 

 

Netskope Client package

The latest golden release for macOS can be downloaded from Download Netskope Client and Scripts

Or the latest release from:

  • macOS: https://download-<your-tenant-name>.goskope.com/dlr/mac/get

For EU and DE, use the following URLs:

  • https://download-<your-tenant-name>.eu.goskope.com/dlr/mac/get
  • https://download-<your-tenant-name>.de.goskope.com/dlr/mac/get

 

Android and iOS deployments

As a generic deployment process, these deployments require the following:

  • Deploy Netskope Root and Intermediate certificates.
  • Deploy an application configuration profile for Netskope Enrollment with the following key-value pairs:
    • OrgKey: YourOrganizationID
    • AddonHost: addon-<tenant name>.<region>.goskope.com
    • UserEmail: Depends on the MDM; for Intune it is {{mail}}, for Workspace ONE it is {EmailAddress}
    • Enrollauthtoken: Authentication Token
    • Enrollencryptiontoken: Encryption token
  • Deploy custom VPN profile with the following:
    • VPN server address: gateway-<tenant name>.<region>.goskope.com
    • Authentication method: Username and password
    • Type of automatic VPN: On-demand VPN or Per-App VPN
    • VPN identifier: com.netskope.Netskope
  • If Per-App VPN is selected, apps need to be associated with the VPN profile.
  • If a user opens Netskope Client on their mobile device before the app configuration profile has arrived, Netskope Client enters IDP mode (Android only; not yet supported on iOS): it asks for the tenant name and domain, then prompts for IDP authentication if configured; if not, it shows an error message.
  • If the app configuration has arrived and Netskope Client remains in “waiting for configuration files”, Netskope Client may be having trouble accessing addon-<tenant name>.<region>.goskope.com. Common reasons include (but are not limited to): the UserEmail is not found on the Netskope tenant, or the Authentication token or Encryption token is expired or not correctly added.
  • Zero Touch depends on the MDM. It requires a VPN configuration that deploys and turns on a VPN, which triggers Netskope Client enrollment automatically; otherwise, users must open the Netskope Client app to start enrollment. See the following example (Android: On-Demand VPN): Zero Touch Enrollment with On-demand VPN Configuration
 

Linux deployment

Netskope Client for Linux supports the following deployment methods: email invitation, UPN and IDP. It does not support multiuser mode. We recommend checking this helpful guide: Netskope Client - Installation on Ubuntu Linux

 

Helpful content:

Netskope Client Deployment Options

Provisioning Users for Netskope Client

SCIM Settings for User Provisioning

Active Directory with Netskope Adapters

Best Practices – Netskope Client Version Upgrade

Netskope Client Configuration

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.