Netskope Community
-
Forums
ProductsCommunity Resources
-
Learn
Education, Training, Certification, and Thought LeadershipCommunity Resources
-
Groups
Community GroupsCommunity Resources
-
Events
Community Resources
- Support
- Netskope Community
- Other Forums
- Additional Discussions
- Re: Big Sur 11.4 + Netskope + peruserconfigmode = ...
Big Sur 11.4 + Netskope + peruserconfigmode = certain installation issues
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-16-2021
05:12 PM
- last edited on
10-21-2021
02:15 PM
by
kh_jenn
For our Macintosh computers, running Big Sur 11.4 - we have now spent hours trying to figure out peruserconfig mode, juggling WS1 configurarions, system extension files, client side modifications, and generally attempting every possible way to get this Netskope Client software to work under VMWare's Airwatch / Workspace One MDM (and even done manually using macOS Terminal). Nothing works reliably to completion.
We have engaged Netskope 3rd party support, to no avail.
Netskope have online instructions, but these do not seem to be sufficient to cover a fully working setup. Indeed, if you compare them to their own JAMF instructions, you see almost a 2 to 1 difference in the length of the instructions.
Note: our org knows it can use the email invite method, we have that working to be fair. But it's far from Mgmt.'s first choice, so we are very much hoping for a viable peruserconfig mode methodology.
Referring to the online instructions at:
https://docs.netskope.com/en/deploy-netskope-client-with-airwatch.html
- When the manifest is ultimately pushed to the clients we see the “Netskope Client would like to allow proxy configs” prompt and we allow it
- We verify that Full Disk Access has been allowed for the Netskope client (nowhere mentioned in their online URL above btw, but we ensure its been done)
- We have setup WS1 to specifically allow the two Netskope proxy extensions (one app and one dns)
- We see the the manifest contents (two shell scripts a .pkg file) load into /tmp on the test machines
- We click on the link at the bottom of the Configuration panel, and 99% of the time it does not work (our definition of working:
- The link connects to its destination, and presumably downloads or updates the existing client, taking approximately 1-3 seconds to do so) to where the Apple macOS menubar icon turns from greyscale to colored
- Typing in known banned URL's – instead of them being still allowed, we see "access denied" on screen
Any assistance or insight genuinely appreciated.
Solved! Go to Solution.
- Labels:
-
netskope client
-
peruserconfig
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2021 11:58 AM - last edited on 07-21-2021 12:21 PM by Community_Team
to close the loop on this - the instructions on Netskope side are valid, but there are a couple of additions that need to be reflected specifically for Big Sur deployments. They are actually in one profile, one part if Netskope Root and tenant intermediate CAs that need to be deployed as Certificates to ensure endpoint trusts them once the tunnel starts up, and another is a predefined VPN connection that preapproves the Proxy settings and removes any need for end-user interaction with the client during installation.
A secondary topic to be aware of is that when Macs are domain-joined, and Netskope client is being rolled out, during the installation the endpoint must be able to reach the domain controller to verify user identity. If the user is remote, for example then the VPN tunnel must be up providing this connectivity. This requirement is not Big Sur-specific.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-19-2021 10:09 AM - edited 07-19-2021 10:10 AM
@Roger_smyth thanks for posting - we can definitely work to help resolve the situation you've described. Since JAMF is the leading Mac EMM/MDM solution, we have always had the most comprehensive/complete instructions to cover various JAMF scenarios(which include non-domain-joined endpoints), while AirWatch instructions only cover domain-joined endpoints. Thus, wanted to ask you a couple clarifying questions first:
1. Have you tried those instructions on Catalina Mac devices and if so, do they work as expected and the only issue is encountered is on Big Sur?
2. What is your understanding of peruserconfig mode? peruserconfig more is there to ensure that a unique Netskope user config exists per local user account profile. Are you expecting to have multiple unique users on the same Mac devices?
Also, if you have opened a case with Netskope support about this, please DM me the case number
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-19-2021 10:27 AM
Hi M,
we have no Catalina Macs so we have no option to test in that way.
We understand peruserconfig mode to allow each of our Mac users to be configured / enabled without having to resort to an email to each one (Mgmt does not prefer this). We configure this mode via command line arguments in the Airwatch-preinstall.sh script, using the normative arguments here: addon-company.goskope.com unique alpha numeric string peruserconfig.
We push the Airwatch pre and post install scripts and PKG via manifest inside WS1, and we trigger client Mac's "Netskope Client would like to allow proxy configs" by logging out and back in. We allow that proxy function in Full Disk Access on the Mac.
We click "enable Netskope" in the menubar greyscale icon, and even resort to clicking the Configuration Update link, to no avail. We expect the Netskope greyscale icon to turn to color, but it never does.
We have dedicated computers for our users. nobody is sharing.
We have had Netskope customer service on this already, but as I have suggested, so far they - and their expert - have not been much help.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-20-2021 08:24 AM
@Roger_smyth please DM me Netskope case number and/or names of people you're working with on this issue. Installing Netskope client on Big Sur is quite different than on Catalina. There are new config extensions that need to be allowlisted by the MDM and also Netskope tenant root and intermediate CAs should be pushed out as a Certificate by WS1 independently of Netskope client installation. We can take this offline and ensure we work together to achieve a successful resolution of this for you.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
07-21-2021 11:58 AM - last edited on 07-21-2021 12:21 PM by Community_Team
to close the loop on this - the instructions on Netskope side are valid, but there are a couple of additions that need to be reflected specifically for Big Sur deployments. They are actually in one profile, one part if Netskope Root and tenant intermediate CAs that need to be deployed as Certificates to ensure endpoint trusts them once the tunnel starts up, and another is a predefined VPN connection that preapproves the Proxy settings and removes any need for end-user interaction with the client during installation.
A secondary topic to be aware of is that when Macs are domain-joined, and Netskope client is being rolled out, during the installation the endpoint must be able to reach the domain controller to verify user identity. If the user is remote, for example then the VPN tunnel must be up providing this connectivity. This requirement is not Big Sur-specific.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
- Netskope client install for Windows via Automox in Additional Discussions
- Install Netskope on macOS with Intune in Additional Discussions
- Secure Hybrid Access with Azure Active Directory (AAD) and Netskope in Additional Discussions
- Failed to install Netskope CRE plugin in Additional Discussions
- Removing Old Client in Additional Discussions
-
cloud exchange
14 -
DLP
10 -
Threat Protection
6 -
sdwan
5 -
Advanced Analytics
4 -
IaaS
4 -
MacOS
4 -
netskope client
4 -
SASE
3 -
cloud threat exchange
3 -
ipsec
3 -
ztna
3 -
API
3 -
client update
3 -
SupportPoral
3 -
vpn
2 -
Rest API
2 -
Proxy
2 -
SWG
2 -
Real-time Policy
2 -
Netskope
2 -
Netskope Endpoint Client
2 -
NPA
2 -
Netskope Agent
2 -
Windows 365 Desktop
2 -
Azure
2 -
SCIM
2 -
steering
2 -
publisher
2 -
docker
2 -
on-prem
2 -
technology partner
2 -
Client
2 -
Azure AD
2 -
best practice
2 -
private access
2 -
NG-SWG
2 -
Community Resources
2 -
SAML
2 -
Cloud & Threat Challenges
2 -
Community Forum
2 -
CASB
2 -
crowdstrike
1 -
export
1 -
Netskope Private Access
1 -
Remote access
1 -
Microsoft Sentinel
1 -
SupportPortal
1 -
Netskope Admin
1 -
cisco
1 -
policy
1 -
MS Teams
1 -
APIv2
1 -
Home-office
1 -
traffic routing
1 -
OVF-OVA
1 -
json
1 -
MIP
1 -
Authentication
1 -
Verizon
1 -
remote workers
1 -
traffic steering
1 -
Linux based
1 -
NewEdge
1 -
skopeit
1 -
meraki
1 -
SIEM Integration
1 -
VMware
1 -
DBIR
1 -
Groups
1 -
Virtual Machines
1 -
HA
1 -
Communications
1 -
cloud app
1 -
Email DLP
1 -
logs
1 -
Adoption
1 -
Azure Virtual Desktop
1 -
PROD
1 -
Auto-update
1 -
coexistence
1 -
Reporting
1 -
Rest API to fetch the Users from NetSkope
1 -
Provisionning
1 -
Monitoring
1 -
Time Actively Spent on Sites Widget
1 -
Webinar
1 -
restriction
1 -
interoperability
1 -
SMTP
1 -
Threat and Vulnerability Management
1 -
User Defined Route (UDR)
1 -
scim query postman
1 -
Technical Success
1 -
option
1 -
GRE
1 -
ServiceNow
1 -
Cloud Security
1 -
Office365
1 -
Internet next hop type
1 -
ChangeManagement
1 -
License
1 -
certificate error
1 -
integration
1 -
OSX
1 -
tunnel
1 -
Bug
1 -
Waterfox Browser
1 -
AD
1 -
hub-and-spoke model
1 -
Workflow
1 -
Forensic File Storage
1 -
install
1 -
Active Directory
1 -
Next Gen SWG
1 -
Network Virtual Appliances (NVA)
1 -
Business Rule
1 -
DLP Violation
1 -
CCI
1 -
Macintosh
1 -
Support
1 -
single mode
1 -
Adapters
1 -
tenant
1 -
AZURE-AD-FREE
1 -
IPSec Tunnels
1 -
Data Loss Prevention
1 -
steer traffic
1 -
NSClient
1 -
beta
1 -
multi-user mode
1 -
RBI
1 -
Sync
1 -
Cloud Firewall License
1 -
SSO cloud exchange azureAD
1 -
API Credentials
1 -
datacenter
1 -
SSPM
1 -
Netskope Community
1 -
Users Policies
1 -
PAC file
1 -
Netskope Advocacy
1 -
risk management: cloud services
1 -
pop
1 -
peruserconfig
1 -
Netskope Cloud Security
1 -
regex
1 -
Based-Group
1 -
proxy configurations
1 -
Admin
1 -
advanced analytics custom
1 -
training
1 -
IDP
1 -
voip
1 -
Based-Users
1 -
explicit proxy over IPSec
1 -
Microsoft Outlook
1 -
watermark
1 -
user
1 -
QRadar
1 -
RBAC
1 -
roadmap
1 -
On-Premise Detection
1 -
HELP!
1 -
Infrastructure as Code (IaC)
1 -
SD-WAN
1
In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below
Sign In