
Hey folks, does anyone have any experience so far deploying Netskope Steering Agent to macOS in versions above 15?  

Our Jamf policies that have worked for some time have stopped. Specifically the VPN configuration profile fails to deploy with the error:

The ‘VPN Service’ payload could not be installed. The VPN service could not be created.

 

This continues to work on anything below 15. Anyone needed to update their Jamf policies in order to get this to work? And by policies I mean the configuration profiles?

Hey @sean.clowes - beginning with the 15.1.1 release of Sequoia, JAMF configuration profiles require a password to be entered in the VPN payload. It does not matter what you put in; literally anything will work.

Netskope is aware of this and working to determine if this is a JAMF specific issue or the result of changes in 15.1.1.


Did the enrollment work using the password? I’m having the same issue with Netskope and Sequoia. 

Thanks. 


@secproceo yes it works as long as you put something in the password box of the VPN payload in the configuration profile. 

 

I've worked with JAMF and they confirmed it is a net new issue introduced into JAMF Pro 11.11. No ETA on a resolution from them, though.


Excellent! Thanks for the update. 🙂 I will let my JAMF admin know about this issue. I need to get the latest version of the Netskope client 120.x.x.x deployed to all the Macs. It looks like the deployment stopped working on 11/7. Are the instructions for configuring JAMF with Netskope listed here https://docs.netskope.com/en/jamf correct? I want to make sure we are not missing anything.


Good morning, everyone.

Has anyone been able to get the Netskope Client successfully deployed using JAMF with Sequoia?


@secproceo  I’ve gotten this to work in my lab and we have organizations deploying Netskope with JAMF on Sequoia.  Are you encountering an error or behavior that prevents the deployment?

 


Correct. It appears the client deploys successfully but it will not enroll. Any idea what could prevent the client from enrolling? 

Error:

“Unable to verify Organization name”

Please verify and try again.

unkn - ERR_IDP_CONFIG_NOT_FOUND”


I think we found the issue. It appears the deployment was looking for the IDP when it needed to look for the “plist” file in the JAMF configuration. 

 

Does this configuration support the new secure enrollment?


What’s the ETA on updating the documentation around the VPN profile?
https://docs.netskope.com/en/jamf


So far, we are using the instructions provided in the link https://docs.netskope.com/en/jamf. We followed every step. I’m not sure if there is anything that needs to be updated. I will keep everyone updated if we get the deployment to work.


Team,

 

I think I finally found the issue. It appears to be an issue using JAMF to deploy the Netskope client with Secure Enrollment enabled. Everything appears to stop when SE was enabled. Has anyone else encountered this issue?


Is your secure enrollment enforced in the tenant? You have to click “enforce” now.

 

Also, the author @ryans and I have tested, and it actually is a JAMF issue. We have spoken with JAMF, and they know it's a current issue on their end with the current version of JAMF Pro.


You could have had two issues here, JAMF and Secure Enrollment.

 

 


Yes. My secure enrollment is enforced in my Tenant. Do you have any documentation from JAMF that says the issue is on their end?


In addition, I added the token from my tenant into parameter 8 in our JAMF configuration per the instructions below.

Are you using Single-User or Multi-User Modes?

https://docs.netskope.com/en/jamf


It was in their release notes about the VPN payload or whatever; you should be able to find it on their site. However, if you follow what was said, it should work, as we have done this multiple times, as we do every day with Netskope customers.


JAMF is single user mode with PLIST and we always recommend you use this method.


Thanks. I will look in the release notes. Did you turn off enforcement mode to resolve the issue with your deployment? I see my deployments stopped working when Secure Enrollment was enabled. 


No, we use secure enrollment in all of our customer deployments. It all works so if yours is not working there is something wrong.


Only use the Auth Token is what we recommend as well. The other is optional.


Thanks. I don’t use the encryption of initial configuration of Netskope Client. 

I only use the authentication token.

Did you place the authentication token in parameter 8 in your JAMF configuration?

 

 


I can confirm we are using single user mode in the configuration. 


Correct, in param 8 it should look like this.

 

enrollauthtoken=(tokengeneratedhere)


Ahh, I think we are missing the enrollauthtoken=******

We have the token number only. I see it in the instructions. 

 

 


Thanks again, I’m going to make the change in JAMF this morning to see if that resolves our deployment issue. If not, I will be back. 😀

