Netskope Client iOS and Android Apps

  • 22 June 2023
  • 4 replies


Hello community, how is everything going? As always, thanks for the collaboration and good vibes.

I have some issues with a couple of apps.

 

1. WhatsApp App:
For the WhatsApp app on iOS and Android, I performed the installation of the client, profile, etc.; all good, everything operating correctly on both iOS and Android. WhatsApp is not an app that Netskope qualifies as certificate-pinned, at least not by default or as a suggested one to add.
The issue arises when sending images: chats, messages and links are all OK on both iOS and Android, but the problem appears when sending files and images; when you try, it does not allow it. There is no block or impediment at the policy level; permissive policies were created for the app and the URLs, but the issue remained the same. Reviewing the domains in the CCI, I noticed the domains whatsapp.com and whatsapp.net. When creating a Steering exception for the domain whatsapp.com, the issue remained exactly the same. When I added whatsapp.net and *.whatsapp.net, I could send images, files and photos without problems, and the app worked OK on both Android and iOS. The point is that I removed the domains whatsapp.com and *.whatsapp.com because I want to keep visibility and control over WhatsApp Web (web.whatsapp.com). For this case, what are Netskope's recommendations for these issues? The idea is that the app works; I understand that not much control can be applied to the native app, but in this case WhatsApp is not declared as certificate pinning.

 

2. Microsoft Authenticator App:

In the case of the Microsoft Authenticator app, we use it for MFA when logging in to the Netskope Console. The issue is that it works perfectly, without issues, with the client disabled on the phones; when you enable it, everything is fine up to a certain point: you enter the number that appears on the screen into the app, and then it indicates that a communication error occurred in the application, repeatedly. The CCI does not show the domains of the Microsoft Authenticator app so that I can generate an exception, nor does it appear as a certificate-pinned app or a suggested one. I have not seen any kind of blocking alert or similar in Skope IT for the Microsoft Authenticator app. Has this happened to anyone? Searching the web, they indicate that there are no IPs, domains or subdomains associated, and that the validation is done by GPS geolocation. For this case I still can't find the solution or a workaround. I reiterate that with the Netskope client disabled it works without any problem.

 

Please, if you can help me with your comments, recommendations, advice, points of view, etc. I hope you don't mind me mentioning you, but you have always helped me, and it is appreciated. @sshiflett @qyost

@ark007 

@rclavero 

@amurugesan @mkoyfman 

 

Thank you very much for your collaboration and for your time.

 

I remain attentive

 

Best regards


4 replies


Hello @MetgatzNK 

 

Thanks for bringing up great questions.


Let me share some best practices first. Netskope's recommendation is to deploy the client on a managed device, which could be either corporate-owned or BYOD. Direct deployment of the Netskope client on a personal device is not encouraged, as it will result in capturing personal applications and will raise privacy-related issues. Also, SSL inspection bypass management will become a big problem because the user may use arbitrary applications.


In order to make the device managed, a user will have to go through the MDM enrollment process, which will result in the creation of either a Per-App VPN profile on iOS or a Work Profile on Android. The Netskope client will steer managed applications deployed by MDM. That way there will be a clear segregation between personal space and corporate space, and steering exceptions can be aligned with the business application inventory. To further safeguard data on a personal device, it is recommended to take advantage of the App Protection policies rolled out by MDMs; that way managed applications won't be able to share data with unmanaged ones.


Now going back to your questions: I can understand the requirement to perform a spot test of the Netskope client deployed without any MDM, using On-Demand VPN.

For WhatsApp we would have to create steering exceptions based on the domains you have discovered. I hope the best practices above provide enough clarification and should eliminate the confusion about the visibility gap.

 
Regarding Microsoft Authenticator, I believe there is certificate pinning in play as well. I will be working on reproducing it and documenting the findings. Feel free to DM me and share your logs along with packet captures as well.


Lastly, we are diligently working on expanding the prebuilt list of certificate-pinned applications. We would welcome customers' and partners' input (such as yours about Authenticator) and will be looking to address business-critical applications first.
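As an added example that is not from the original thread or from Netskope, the script below models the steering-exception troubleshooting described above: for a set of hostnames observed from an app, it reports which flows an exception list would bypass (and therefore remove from SSL inspection) and which stay steered, and it derives an exception list that bypasses an app's media domains while keeping a chosen web front end (web.whatsapp.com) visible. The matching rule (a bare name matches only that exact host, `*.suffix` matches subdomains but not the apex), the "registrable domain = last two labels" shortcut, and the hostnames in HOSTS are all assumptions; Netskope's real matching semantics may differ and the hostnames are constructed sample data, not captured traffic.

```python
"""Added example, not Netskope's code or its documented policy semantics.

Assumptions (labelled):
  * An exception entry 'example.net' matches only that exact host, and
    '*.example.net' matches any subdomain but never the apex. Verify the
    product's real matching rules before relying on this.
  * The registrable domain is taken as the last two DNS labels. That breaks
    for suffixes such as co.uk; real tooling should use the Public Suffix List.
  * HOSTS is a constructed sample of names an admin might see for one app.
"""
from collections import defaultdict

HOSTS = [
    "web.whatsapp.com",
    "whatsapp.com",
    "mmg.whatsapp.net",
    "media-abc1-1.cdn.whatsapp.net",
    "g.whatsapp.net",
    "static.whatsapp.net",
    "graph.facebook.com",  # a different app; must never be bypassed here
]


def host_matches(pattern: str, host: str) -> bool:
    """Exact match for bare names; subdomain-only match for '*.suffix'."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # '*.whatsapp.net' -> '.whatsapp.net'
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_bypassed(host: str, exceptions) -> bool:
    """True if any exception entry would steer this host around the client."""
    return any(host_matches(p, host) for p in exceptions)


def steering_report(hosts, exceptions):
    """Split hosts into (bypassed, still_steered), both sorted."""
    bypassed = sorted(h for h in hosts if is_bypassed(h, exceptions))
    steered = sorted(h for h in hosts if not is_bypassed(h, exceptions))
    return bypassed, steered


def registrable(host: str) -> str:
    # Assumption: last two labels stand in for the registrable domain.
    return ".".join(host.lower().split(".")[-2:])


def suggest_exceptions(app_hosts, keep_visible):
    """Smallest exception list (under the assumptions above) that bypasses
    every host in app_hosts except those in keep_visible.

    A registrable domain with nothing to keep visible gets 'apex' plus
    '*.apex'. One that contains a keep-visible host gets exact-host entries
    only, so a wildcard never swallows the host you still want inspected."""
    keep = {h.lower() for h in keep_visible}
    groups = defaultdict(list)
    for h in app_hosts:
        groups[registrable(h)].append(h.lower())
    out = []
    for apex, members in sorted(groups.items()):
        if any(m in keep for m in members):
            out.extend(sorted(m for m in members if m not in keep))
        else:
            out.extend([apex, f"*.{apex}"])
    return out


if __name__ == "__main__":
    app_hosts = [h for h in HOSTS
                 if registrable(h) in {"whatsapp.com", "whatsapp.net"}]
    candidates = [
        ("apex .com only", ["whatsapp.com"]),
        ("everything", ["whatsapp.com", "*.whatsapp.com",
                        "whatsapp.net", "*.whatsapp.net"]),
        (".net only", ["whatsapp.net", "*.whatsapp.net"]),
        ("suggested", suggest_exceptions(app_hosts, ["web.whatsapp.com"])),
    ]
    for label, exc in candidates:
        bypassed, steered = steering_report(HOSTS, exc)
        print(f"{label:>15}: bypass={bypassed}")
        print(f"{'':>15}  steer ={steered}")
```

Run as-is, the "apex .com only" list leaves every .net media host steered (the symptom in the original post), "everything" also hides web.whatsapp.com from inspection, and ".net only" or the suggested list bypasses the media hosts while web.whatsapp.com and the unrelated facebook.com host stay visible.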


@borisgekhtman wrote:

Let me share some best practices first. Netskope's recommendation is to deploy the client on a managed device, which could be either corporate-owned or BYOD. Direct deployment of the Netskope client on a personal device is not encouraged, as it will result in capturing personal applications and will raise privacy-related issues.


Given that best practice, is there a way to prevent installation on personal devices?

I know use of the platform could be somewhat managed through device profiling (iOS, Android), but I'm unsure if either of those is enough to trust the device.

Honestly, installing the client onto a personal mobile device was one of the first things one of my initial test users did, which resulted in us implementing a rule like this at the top of our policy, since we have no expected usage from these devices at this time.

 


@MetgatzNK 

Unfortunately I can't reproduce an issue with Microsoft Authenticator. In my case, authentication, including the push message and entering the number, works just fine while steering all traffic through Netskope. I can see an Authenticator-specific domain such as mobileappcommunicator.auth.microsoft.com getting steered and processed through SSL inspection. I recommend contacting Netskope support to review this problem further.


Hello @qyost very good question!

 

On iOS, if you download the Netskope Client from the App Store it won't allow you to self-enroll, as IdP mode is not currently supported. You need either MDM enrollment or an email invite in order to complete the enrollment, which means it will always be an IT-guided process and non-sanctioned use of Netskope won't be allowed.

 

On Android there is indeed an IdP mode available, which means a user can technically onboard a personal device without the IT org knowing. That's the reason you should take advantage of the device posture capabilities in the policies associated with Android. MDM-provisioned devices should have this key-value pair, which will allow them to be recognized as managed. And as you have noticed, this key-value pair can be rotated if required.

 
