Enabling Netskope before login

RGE_Master · ‎11-05-2021

Good afternoon all,

So I've made some great progress on getting netskope to run so I can access all my network resources etc when it's up and running. However I've run into an issue when it comes to doing a remote Hybrid AD join.

The application is packaged up and working

I can access my domain controllers when not on a VPN through netskope private access.

What I can't do at the moment is domain join machines remotely, is there a way that I can for want of a better word, bodge the install or configure it in such a way so I can open network access and then authenticate against my on-prem domain controllers? I read somewhere that you can use NSBranding.JSON or something to enable the configuration but I can't find any official documentation.

Thanks

RGE_Master

stevej · ‎11-08-2021

Good morning RGE_Master,

Currently, Private Access only runs in as the logged in user and there is currently no way with the current product to have a tunnel come up prior to login. Do you have a local admin account provisioned on these devices? If so, my suggestion is to log in for the first time with the local admin account, which will allow the NPA tunnel to connect, then do a domain join. Do not reboot, but instead after joining the domain, switch user to a domain user which will then cache the credentials of the now logged in domain user.

I would also suggest reaching out to your SE so they can line up a call with the product manager so you can hear of our plans to better address this use case in the coming months.

KunalShah · ‎12-03-2021

Hello,

We are actively developing capability in NPA, to allow Windows PCs to connect to Domain Controllers, w/o requiring the user to authenticate into the Netskope Client. This would be similar to the Pre-login capability that exists in traditional VPN solutions. Is this something you are interested in learning more about? If so, please DM me or have your account team ping me.

Kunal Shah,

Product Manager,

Netskope Private Access

EleComte · ‎02-12-2022

Hi Kunal,

Our company also would benefit greatly from the pre-login capability for Domain Controller connectivity.

Best regards,

Etienne le Comte

Solution Architect TBI

KunalShah · ‎02-14-2022

Hello,

Please send me a DM with your email info. I would like to setup sometime to review the solution that is under development.

Kunal

EleComte · ‎04-27-2022

Hi Kunal,

I just sent the DM.

Etienne

chrisisinclair · ‎04-26-2022

We would also be very interested in this

JulieB · ‎04-27-2022

@KunalShah can you help @chrisisinclair? This member is interested in learning more about the pre-login capability for Domain Controller connectivity.

Julie Brancik
Senior Manager, Online Communities at Netskope

JulieB · ‎04-27-2022

Hi, @chrisisinclair. Welcome to the community! I'm on the community team (not an SME). Let me know if you need any help with the community. Just @mention @JulieB and I can help you to find the right staff to answer your questions. Also, feel free to send me any community feedback through a DM. Thanks again for joining us!

Best,

Julie

Julie Brancik
Senior Manager, Online Communities at Netskope

mkoyfman · ‎05-20-2022

@chrisisinclair DM me so that we can connect and discuss

jdom · ‎05-13-2022

Can someone here confirm if NPA Pre-Logon is GA yet?

mkoyfman · ‎05-20-2022

@jdom not yet, still in beta - but works pretty darn well and we're close. Feel free to DM me if you want to connect to get more info or get your hands on it earlier.

jdom · ‎05-20-2022

We do have access but I can't say with confidence that Pre-Logon is working at all for us.
But I think we may just wait until it is GA before pursuing it again.

KunalShah · ‎05-20-2022

@jdom I am the Product Manager for NPA. I would like my team to assist you with pre-logon testing and also review your use case. What is the best way to reach you?

Kunal

jdom · ‎05-23-2022

I will shoot you a DM with details.

KunalShah · ‎06-10-2022

Hello @jdom , I hope the call to review the prelogon config was useful. Is prelogon working as expected?

jdom · ‎06-10-2022

Hello @KunalShah,

The call was very informative! However, we've chose to wait for GA since I recall we discovered we were facing an issue in the Netskope client that would be fixed in next release.

We have recently moved the entire organization to NPA so Pre-login will be an exciting next step.

KunalShah · ‎06-13-2022

@jdom glad to hear this. We will keep you posted on GA.

AidanH · ‎08-17-2022

Hi @KunalShah Any news on the GA for this and also if multiuser mode will be supported?

KunalShah · ‎09-02-2022

@AidanH NPA Prelogon is GA starting with Netskope Client 97.1 release.. Documentation is available here - https://docs.netskope.com/en/netskope-client-configuration.html#UUID-1e7e72e4-74ef-f041-8dec-ee64a30...

EleComte · ‎06-23-2022

We are also testing NPA with Pre-Login. Works fine, so looking forward to GA.

chrisisinclair · ‎06-30-2022

PreLogin itself has been working well for us but unfortunately since it is not compatible with MultiUserMode (the "puruser" install flag) we will unfortunately have to wait until it is to deploy out to our fleet

jdom · ‎06-30-2022

@chrisisinclair What sort of issues are you encountering?

chrisisinclair · ‎06-30-2022

We deploy all Netskope clients in multi user mode (the default is single user). This ensures that the client updates policies and logs traffic under the current logged in user instead of locking a particular machine to the very first user who logs in.

Currently PreLogin does not work with multi user mode (according to their support) so while the IT staff we have that tested Pre Login and found it to work well (we confirmed windows laptops even authenticate against AD with the right settings!) we are not going to enable it until they get it working with multi user.

jdom · ‎06-30-2022

@KunalShah Is the multi user mode truly not supported? We also use mode=peruserconfig in our deployments. Although our devices are usually 'owned' by one primary user the reality is any other user may login to a device. This is especially true for our "loaner' laptops and test PCs we have deployed in our office locations around the world.

We were looking forward to GA in July

EleComte · ‎06-30-2022

Multiuser together with prelogon would be an ideal combination for our organisation as well. I basic situations we have 5000+ users with their "own/dedicated" laptop, but we need to be able to change the "user assignment" with on-off-reboarding scenario's.

chrisisinclair · ‎06-30-2022

That is exactly our use case as well - and in addition usually one of our helpdesk staff will logon to the laptop right after being imaged to finish up a few quick tasks before it is deployed to the user - if single user mode is enabled then the laptop unfortunately gets locked to the helpdesk user account. Of course this is no good as whatever user policies are supposed to apply to the end user will not apply (it will apply the users assigned to the helpdesk user)

Siva · ‎09-17-2022

Hi There, We are interested in PreLogin for peruser mode. Any updates whether its in the roadmap?

KunalShah · ‎09-19-2022

@Siva prelogin with peruser mode is available starting R97.1 NS Client release.

Siva · ‎09-19-2022

Great 97.1 supports Prelogon on perusermode,

Couple of questions @KunalShah

Do we need to specify prelogonuser= argument during msi install with 97.1x?
Since Client Configs does not allow the use of same prelogin account in different Configs , what is expected behavior when different users associated to different client configs login to the perusermode configured machine? Would the prelogon account change to the one defined in client config pulled down by last logged in user?