Netskope Global Technical Success (GTS)
Secure Enrollment: Leveraging Device Classification rules to gain visibility into which devices already have the tokens deployed (Windows)
Netskope Cloud Version - 125
Objective
This article explains how Device Classification can be leveraged to get a quick view of the devices that already have the Secure Enrollment (SE) tokens deployed.
Context
Administrators sometimes need a way to tell which managed devices have successfully received and deployed the Secure Enrollment token and which devices are still awaiting it. This visibility is essential for tracking the progress of the enrollment rollout, identifying bottlenecks or deployment failures, and ensuring comprehensive security coverage across the device fleet. Without it, administrators lack the information needed to manage and troubleshoot the Secure Enrollment deployment effectively, potentially leaving some devices unprotected.
Notes:
- This article focuses on the Authentication Token, which is the token that is mandatory for enabling and enforcing Secure Enrollment.
- This method can only be implemented on Windows.
Did you know?
Custom device classification was introduced in Netskope version 110.0.0. Prior to this version, device classification was limited to only two labels: "Managed" and "Unmanaged". With the introduction of custom device classification, users gained the ability to create custom labels and profiles that can be used in real-time protection policies.
Device Classification lets you define rules that function like posture checks on the device, and lets you create and apply policies based on those rules. For Windows devices, Registry Settings is one of the available checks.
When SE enrollment tokens are deployed on Windows endpoints, a registry entry is generated. Although Device Classification is intended for other purposes, it can be leveraged to check for this registry key and confirm that the device has the token in place.
Procedure
- Go to Settings > Manage > Device Classification.
- Click New Device Classification, give the DC a meaningful name (for example “SE_Token_On”) and click Save.
- Create a New Device Classification Rule and select Windows as the OS.
- Enter a name for the rule, select the Custom Device Classification you just created, and check the “Registry” box.
- Enter the following parameters:
  - HKEY: HKEY_LOCAL_MACHINE
  - KEY: SOFTWARE\NetSkope\SecureToken\AuthenticationToken
  - VALUE: size
  - REG: REG_DWORD
  - DATA: 262
- Click Save.
Your rule should look like this:
Verification
- Go to Settings > Security Cloud Platform > Devices.
- Click the gear icon in the top right corner and add the “Device Classification” column.
When the condition is matched, the device row displays the Device Classification you specified:
You can use this field to apply filters, and you can export the data to CSV for external processing.
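As an added local check that is not part of this article, the following PowerShell reads the same registry value the rule keys on, so you can confirm on one endpoint that the data the Device Classification rule expects is actually present before relying on the console view. The key path, value name and expected data are the ones from the Procedure above; the function name and output fields are my own.

```powershell
# Added example, not Netskope's own tooling: check locally for the registry
# value that the "SE_Token_On" Device Classification rule looks for.
# Path, value name and expected data are taken from the Procedure above.
$ExpectedPath = 'HKLM:\SOFTWARE\NetSkope\SecureToken\AuthenticationToken'
$ExpectedName = 'size'
$ExpectedData = 262

function Test-NetskopeSeToken {
    param(
        [string]$Path = $ExpectedPath,
        [string]$Name = $ExpectedName,
        [int]$Data    = $ExpectedData
    )
    # Report every intermediate condition so a mismatch is easy to diagnose:
    # key missing vs. value missing vs. wrong type vs. wrong data.
    $result = [ordered]@{
        Computer   = $env:COMPUTERNAME
        KeyExists  = $false
        ValueFound = $false
        ValueKind  = $null
        Data       = $null
        Matches    = $false
    }
    if (Test-Path -Path $Path) {
        $result.KeyExists = $true
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $result.ValueFound = $true
            # The rule specifies REG_DWORD, so verify the kind as well as the data.
            $result.ValueKind = (Get-Item -Path $Path).GetValueKind($Name).ToString()
            $result.Data      = [int]$item.$Name
            $result.Matches   = ($result.ValueKind -eq 'DWord') -and ($result.Data -eq $Data)
        }
    }
    return [pscustomobject]$result
}

# Run from a 64-bit PowerShell session: a 32-bit host would be redirected to
# HKLM\SOFTWARE\WOW6432Node and report the key as missing.
Test-NetskopeSeToken | Format-List
```

A device that reports Matches = False here will not pick up the classification in the Devices view, so this is the first thing to check when a device you expected to be labelled is not.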
Terms and Conditions
- All documented information undergoes testing and verification to ensure accuracy.
- If any platform changes are brought to our attention, we will promptly update the documentation to reflect them.
Notes
- This article is authored by Netskope Global Technical Success (GTS).
- For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.