Netskope Community
07-16-2021 05:12 PM - last edited on 10-21-2021 02:15 PM by kh_jenn
For our Macintosh computers, running Big Sur 11.4 - we have now spent hours trying to figure out peruserconfig mode, juggling WS1 configurations, system extension files, client side modifications, and generally attempting every possible way to get this Netskope Client software to work under VMware's Airwatch / Workspace One MDM (and even done manually using macOS Terminal). Nothing works reliably to completion.
We have engaged Netskope 3rd party support, to no avail.
Netskope have online instructions, but these do not seem to be sufficient to cover a fully working setup. Indeed, if you compare them to their own JAMF instructions, you see almost a 2 to 1 difference in the length of the instructions.
Note: our org knows it can use the email invite method, we have that working to be fair. But it's far from Mgmt.'s first choice, so we are very much hoping for a viable peruserconfig mode methodology.
Referring to the online instructions at:
https://docs.netskope.com/en/deploy-netskope-client-with-airwatch.html
Any assistance or insight genuinely appreciated.
07-19-2021 10:09 AM - edited 07-19-2021 10:10 AM
@Roger_smyth thanks for posting - we can definitely work to help resolve the situation you've described. Since JAMF is the leading Mac EMM/MDM solution, we have always had the most comprehensive/complete instructions to cover various JAMF scenarios (which include non-domain-joined endpoints), while AirWatch instructions only cover domain-joined endpoints. Thus, wanted to ask you a couple clarifying questions first:
1. Have you tried those instructions on Catalina Mac devices and if so, do they work as expected and the only issue encountered is on Big Sur?
2. What is your understanding of peruserconfig mode? peruserconfig mode is there to ensure that a unique Netskope user config exists per local user account profile. Are you expecting to have multiple unique users on the same Mac devices?
Also, if you have opened a case with Netskope support about this, please DM me the case number.
07-19-2021 10:27 AM
Hi M,
we have no Catalina Macs so we have no option to test in that way.
We understand peruserconfig mode to allow each of our Mac users to be configured / enabled without having to resort to an email to each one (Mgmt does not prefer this). We configure this mode via command line arguments in the Airwatch-preinstall.sh script, using the normative arguments here: addon-company.goskope.com unique alpha numeric string peruserconfig.
We push the Airwatch pre and post install scripts and PKG via manifest inside WS1, and we trigger client Mac's "Netskope Client would like to allow proxy configs" by logging out and back in. We allow that proxy function in Full Disk Access on the Mac.
We click "enable Netskope" in the menubar greyscale icon, and even resort to clicking the Configuration Update link, to no avail. We expect the Netskope greyscale icon to turn to color, but it never does.
We have dedicated computers for our users. Nobody is sharing.
We have had Netskope customer service on this already, but as I have suggested, so far they - and their expert - have not been much help.
07-20-2021 08:24 AM
@Roger_smyth please DM me Netskope case number and/or names of people you're working with on this issue. Installing Netskope client on Big Sur is quite different than on Catalina. There are new config extensions that need to be allowlisted by the MDM and also Netskope tenant root and intermediate CAs should be pushed out as a Certificate by WS1 independently of Netskope client installation. We can take this offline and ensure we work together to achieve a successful resolution of this for you.
07-21-2021 11:58 AM - last edited on 07-21-2021 12:21 PM by Community_Team
To close the loop on this - the instructions on Netskope side are valid, but there are a couple of additions that need to be reflected specifically for Big Sur deployments. They are actually in one profile: one part is Netskope Root and tenant intermediate CAs that need to be deployed as Certificates to ensure the endpoint trusts them once the tunnel starts up, and another is a predefined VPN connection that preapproves the Proxy settings and removes any need for end-user interaction with the client during installation.
A secondary topic to be aware of is that when Macs are domain-joined, and Netskope client is being rolled out, during the installation the endpoint must be able to reach the domain controller to verify user identity. If the user is remote, for example, then the VPN tunnel must be up providing this connectivity. This requirement is not Big Sur-specific.