Netskope Global Technical Success (GTS)
Understanding and actioning notifications related to Secure Enrollment
Netskope Cloud Version - 121
Objective
This document contains instructions for customers who have either received an email communication related to “Secure Enrollment” or see a pop-up message when logging into the Netskope Tenant UI, titled “Secure Enrollment not deployed”.
This document only covers the requirement to enable Secure Enrollment and to pass the enrollment authentication token to end-user devices.
Context
Netskope has been notified of a security gap in the Netskope Client enrollment authentication process. In some specific cases, this gap can be used to impersonate users from the same organization or from other organizations without proper validation. To address this issue, Netskope has implemented a fix that is generally available to customers today.
The fix is applied by enabling the “Secure Enrollment” option in the Web UI.
What happens as a result of enabling Secure Enrollment?
System A : Has the Netskope Client deployed using an email invite (an example of single-user mode). This system is not affected once Secure Enrollment is enabled.
System B : Has the Netskope Client deployed in UPN multi-user mode. Two users, Saniya and Mandeep, log in to this system.
This system is now assigned to another user, Zulkifal.
After Secure Enrollment is enabled and enforced (with no secure tokens present on the device):
Saniya and Mandeep can log in to the system and the client continues to function as expected.
Zulkifal can log in to the system, but the client fails to download provisioning information and stays disabled, because Zulkifal has never logged in to this system before and no enrollment token is present on the device.
To keep systems in multi-user mode working seamlessly, System Administrators must take the following actions -
- Identify all systems deployed in UPN mode and update the command line parameters with the enrollment token.
- Update the installation command line with the enrollment token for all future deployments.
What do I need to check before enabling Secure Enrollment on the Web UI?
The only thing you need to check before enabling Secure Enrollment is the deployment mode used for the Netskope Client, and then take action accordingly.
The Netskope Client can be deployed in various modes, such as email invite, IDP mode and UPN mode.
How to check the deployment mode -
- If you deploy clients by sending an invite from the Web UI, the deployment mode is “Email invite”.
- If you are not using email-invite-based deployment, you can determine the deployment mode from the installation command line that your teams use for deployment. Use the command lines below as a reference -
Example 1 : msiexec /I NSClient.msi host=addon-<tenant-name>[.region].<tenant-domain> [token=<Organization ID>] [installmode=IDP] [userconfiglocation=<path>] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]
Response : In the above case, the install mode is IDP mode.
In general, if the keyword “IDP” appears in your installation command line, the deployment mode is IDP.
Example 2 : msiexec /I NSClient.msi host=addon-<tenant-name>[.region].<tenant-domain> [token=<Organization ID>] [installmode=peruserconfig] [userconfiglocation=<path>] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]
Response : In the above case, the install mode is UPN multi-user mode.
If the command line contains neither installmode=IDP nor installmode=peruserconfig, the deployment mode is single-user UPN deployment.
If you need help determining the deployment mode, share the installation command line via a TSM ticket and the TSM team can guide you.
What action do I need to take to ensure smooth enablement of secure enrollment?
Please note that Secure Enrollment applies to every tenant and has to be enabled on each tenant.
If you are using -
- Email invite method : You only need to enable the toggle in the Web UI and enforce the tokens; no further action is required.
- IDP Mode : You only need to enable the toggle in the Web UI and enforce the tokens; no further action is required.
- UPN Mode :
UPN Single User Mode :
→ For new client deployments : Update your command line parameters to include the enrollment token. All future deployments of the Netskope Client should include the “enrollauthtoken” parameter in the command line.
Example : <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token>
Refer to these links for the exact command line : Windows, macOS, iOS
→ For existing client deployments : No change is required. If you face any issues, create a package that includes the token and deploy the new package.
Example : <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token>
Refer to these links for the exact command line : Windows, macOS, iOS
UPN Multi User Mode :
→ For new client deployments : Update your command line parameters to include the enrollment token. All future deployments of the Netskope Client should include the “enrollauthtoken” parameter in the command line.
Example : <OS utility> <NSClient> host=<addon URL> installmode=peruserconfig token=<orgID> enrollauthtoken=<auth token>
Refer to these links for the exact command line : Windows, macOS, iOS
→ For existing clients already deployed across the environment :
If the Netskope Client version is lower than 116.1.0 : Uninstall the client and re-install it with the enrollment token.
If the Netskope Client version is 116.1.0 or later :
Option 1 : Re-run the installer command with the new token included.
Note that re-running the MSI is not supported if the “Protect Client configuration and resources” option is selected in the Client Configuration Web UI.
For example, re-run this command from your MDM solution with the value of the enrollment token appended to it:
“<OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token>”
Option 2 (Windows only) : Use the following nsdiag.exe command to update the tokens :
nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>
nsdiag.exe is located in C:\Program Files (x86)\Netskope\STAgent.
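The following is an added example, not Netskope's own code or tooling. It automates the two checks the sections above ask administrators to make by hand: deriving the deployment mode from an installation command line (IDP, UPN multi-user via installmode=peruserconfig, or UPN single-user otherwise) and deciding what to do with that package for Secure Enrollment, including appending enrollauthtoken and applying the 116.1.0 version gate for existing UPN multi-user clients. The tenant host names, organization ID and token values in the sample inventory are constructed placeholders, and the action labels are this script's own names, not Netskope terminology.

```python
"""Added example (not Netskope's code): classify Netskope Client install command
lines and plan the Secure Enrollment change for each package."""
import re
from typing import Dict, Tuple

# Per the article: clients below 116.1.0 must be uninstalled and re-installed with
# the token; 116.1.0 or later can re-run the installer (or use nsdiag on Windows).
RERUN_MIN_VERSION = (116, 1, 0)

# Constructed sample inventory, as an MDM administrator might export it.
# Host, organization ID and token values are placeholders, not real identifiers.
SAMPLE_COMMAND_LINES = {
    "idp-pkg": "msiexec /I NSClient.msi host=addon-example.tenant.example token=ORGID1234 "
               "installmode=IDP fail-close=no-npa /l*v %PUBLIC%\\nscinstall.log",
    "upn-multi-pkg": "msiexec /I NSClient.msi host=addon-example.tenant.example "
                     "token=ORGID1234 installmode=peruserconfig autoupdate=on",
    "upn-single-pkg": "msiexec /I NSClient.msi host=addon-example.tenant.example token=ORGID1234",
    "upn-single-done": "msiexec /I NSClient.msi host=addon-example.tenant.example "
                       "token=ORGID1234 enrollauthtoken=AUTHTOKEN-PLACEHOLDER",
}

_KV = re.compile(r"^([A-Za-z][\w-]*)=(.*)$")


def parse_install_args(cmdline: str) -> Dict[str, str]:
    """Return the key=value installer properties, with keys lower-cased.
    Switches such as /I or /l*v and bare file names are ignored."""
    args: Dict[str, str] = {}
    for tok in cmdline.split():
        m = _KV.match(tok)
        if m:
            args[m.group(1).lower()] = m.group(2)
    return args


def deployment_mode(cmdline: str) -> str:
    """Map the installmode property to the article's three command-line modes."""
    mode = parse_install_args(cmdline).get("installmode", "").lower()
    if mode == "idp":
        return "IDP"
    if mode == "peruserconfig":
        return "UPN multi-user"
    return "UPN single-user"


def parse_version(version: str) -> Tuple[int, ...]:
    """'116.1.0' -> (116, 1, 0); an unknown/empty version compares as older."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def plan_secure_enrollment(cmdline: str, client_version: str, enroll_token: str) -> Dict[str, str]:
    """Decide the Secure Enrollment action for one package/version combination."""
    mode = deployment_mode(cmdline)
    has_token = "enrollauthtoken" in parse_install_args(cmdline)
    plan = {"mode": mode, "has_token": str(has_token), "command": cmdline}
    if mode == "IDP":
        # IDP mode needs only the Web UI toggle plus enforcement; no command-line change.
        plan["action"] = "enable-and-enforce-only"
        return plan
    if has_token:
        plan["action"] = "already-tokenized"
        return plan
    # UPN modes: every future deployment must carry the enrollment token.
    plan["command"] = f"{cmdline.rstrip()} enrollauthtoken={enroll_token}"
    if mode == "UPN single-user":
        plan["action"] = "add-token-to-future-deployments"
    elif parse_version(client_version) < RERUN_MIN_VERSION:
        plan["action"] = "uninstall-and-reinstall-with-token"
    else:
        # Re-running the MSI is unsupported when "Protect Client configuration and
        # resources" is enabled; nsdiag is the Windows-only alternative (msiexec => Windows).
        plan["action"] = "rerun-installer-with-token"
        if cmdline.lstrip().lower().startswith("msiexec"):
            plan["windows_alternative"] = (
                f"nsdiag -e enrollauthtoken={enroll_token} enrollencryptiontoken=<encryption token>"
            )
    return plan


if __name__ == "__main__":
    for name, cmd in SAMPLE_COMMAND_LINES.items():
        print(name, plan_secure_enrollment(cmd, "116.1.0", "AUTHTOKEN-PLACEHOLDER"))
```

Run it against your real package inventory and the client versions reported under Devices in the tenant Web UI; packages whose plan is "uninstall-and-reinstall-with-token" or "rerun-installer-with-token" are the UPN multi-user systems that will otherwise stop provisioning for new users once tokens are enforced.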
How can a customer enable Secure Enrollment?
Secure Enrollment can be enabled from the Web UI :
UI Path : Settings > Security Cloud Platform > MDM Distribution
How can I generate the token for use in the command line without enforcing Secure Enrollment?
Step 1 : Enable Secure Enrollment from the Tenant UI but do not enforce it :
Path : Tenant UI > Settings > Security Cloud Platform > MDM Distribution
Step 2 : Enable “Enforce Tokens” once the enrollment tokens have been distributed to all devices.
Leaving enforcement off during Step 1 lets you distribute the tokens to all existing devices that already have the Netskope Client deployed without disrupting them. Enforcement is essential for any new installation to work: a new installation of the Netskope Client with the new enrollment token requires the token to be enforced, which is done in Step 2.
How can I verify if the tokens are distributed on the end user system?
The tokens are stored in the Windows registry on Windows and in the keychain on macOS. If the tokens are not stored properly, or incorrect tokens are stored, the client enrollment process fails and the corresponding entries are written to the client's nsdebuglog file. The device will still be listed under Devices in the tenant Web UI, but it will not show Tunnel Up. The tokens are stored on the device in encrypted form, so an end user cannot verify that the token value is correct; you can, however, verify that tokens have been applied to the end-user device.
Sample Snapshot for Windows -
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.