Netskope Help

Configure the Netskope App with AirWatch for Android for Work Managed Configurations

The Netskope app supports the Android for Work Managed Configurations with AirWatch. This section describes how to configure AirWatch for Android for Work so the Netskope app can accept Android Managed Configurations. For this procedure you'll need the Organization ID value from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution > Create VPN Configuration).

Note

Organzation ID is case-sensitive.

Deploying the Netskope app Android for Work Managed Configurations consists of these procedures:

  • Enable EMM and Admin SDK APIs in the Google APIs console.

  • Enable API access and authorize client access in the Google Admin console.

  • Integrate Android for Work with AirWatch.

  • Approve applications in Airwatch.

  • Assign applications in Airwatch.

Enable EMM and Admin SDK APIs

To enable EMM and Admin SDKs API access in the Google Developer console:

  1. Go to https:console.developer.google.com and sign in to your account.

  2. On the Select a Project dropdown list, select Create a Project.

  3. Enter a project name (like AirWatchApp) for Project Name, and then click Show advanced options.

  4. Select the App Engine location closest to you, and then click Create.

  5. In the Search field, enter EMM. The Google Play EMM API link appears.

    GoogleAPIsearchEMM.png
  6. Click Google Play EMM API and then click Enable.

  7. Click API in the left frame, enter Admin SDK in the Search field. The Admin SDK link appears.

    GoogleAPIsearchSDK.png
  8. Click Admin SDK and then click Enable.

  9. Click Credentials in the left panel, and then click Create Credentials and Service Account Key.

    GoogleCredentials.png
  10. On the Credentials page, select App Engine default service account from the Service Account dropdown list, select P12 for Key Type, and then click Create.

  11. The new private key is downloaded to your system. Make a note of where it's located, and also note the password for this file: notasecret. You will need these later to configure AirWatch. When finished, click Close.

  12. Open the page menu dropdown and select IAM & Admin. Select Service Accounts, and copy the email address for the App Engine default service account that is in the Service Account ID column. Save this email address; you will need this to configure API client access in the Google Admin Console and also in AirWatch.

Enable API Access and Authorize Client Access

To enable API access and authorize API client access in the Google Admin console:

  1. Go to https://admin.google.com and sign in to your admin account.

  2. In the Google Admin Console, select Security, and then select API Reference to ensure Enable API access is enabled.

    GoogleAPIreference.png
  3. Scroll down and select Advanced Settings (you may have to click Show more to see it).

  4. Select Manage API client access.

    GoogleManageAPIclient.png
  5. In the Client Name field, enter the email address (Service Account ID) you copied from the Google API page.

  6. In the One or More API Scopes field, enter https://www.googleapis.com/auth/admin.directory.user, and the click Authorize.

  7. Go to Security > Android for Work Settings > Manage EMM Provider. Generate the EMM token and copy it. You will need this for AirWatch.

Integrate Android for Work in AirWatch

To integrate Android for Work in AirWatch:

  1. Sign in to the AirWatch console and go to Devices > Device Settings > Android > Android for Work and click Configure.

  2. Click Upload Token. In the Domain field, provide the email domain that you registered with Android for Work (example: gotskope.com).

  3. Enter the EMM Token you obtained from the Google Admin console in the Enterprise Token field, and then click Next.

  4. Select No for the In the Create Google account during enrollment based on enrolled user's email address field.

  5. Select No for the In the Use SAML for Google account authentication field

  6. In the Google Admin Console Setting section, enter the email address of the Google Admin Account (like nsuser1@gotskope.com) in the Google Admin Email Address field.

    GoogleAdminConsoleSettings.png
  7. In the Google Developer Console Settings section, enter the email address from the Google API console in the Service Account Email Address field (it ends with ~gserviceaccount.com).

    GoogleDeveloperConsoleSettings.png
  8. Click Upload and upload the P12 certificate downloaded from the Google API console. The password is: notasecret.

  9. Click Finish.

About Android for Work Public Apps in AirWatch

Applications configured for AirWatch and Android for Work have the same functionality as their counterparts from the Google Play Store.

Configurations for apps in the AirWatch Admin console are passed to the Netskope Client via the Management Configuration framework.

Approve Applications in AirWatch

To approve Android for Work apps in AirWatch:

  1. In the AirWatch Admin console, go to Apps & Books > Applications > List View > Public and click Add Application.

  2. Enter the organization group from which the application uploads in Managed By.

  3. Select Android for Platform.

  4. Select Import from Play to retrieve a list of approved applications to add to the AirWatch Admin console.

  5. Click Next and then choose the desired applications for import.

  6. Click Import.

Assign Applications

To locate approved applications and assign applications to devices in AirWatch:

  1. In the AirWatch Admin console, go to Apps & Books > Applications > List View > Public.

  2. Select the app you just imported select Edit.

  3. Click Assignment.

  4. Select an existing smart group or create a new one in the Assigned Smart Groups field.

  5. Click Deployment to configure the application and control availability.

  6. Enter these parameters:

    1. Push Mode: Set the application to install automatically (auto) or manually (on demand) when needed.

      • Auto: Deploys an application upon device enrollment using the AirWatch App Catalog. If a device is enrolled in AirWatch, this option silently installs the application on devices.

      • On Demand: Deploys applications to the AirWatch App Catalog to enable device users to install when users choose to do so.

    2. Send Application Configuration: Enable this checkbox.

    3. Application Configuration: Enter the key/value information for these fields:

      • Enter User Email Address and {EmailAddress} for the Configuration Key and Configuration Value, respectively.

      • Enter token and your <Orgkey> value (Organization ID in the Netkkope UI) for the Configuration Key and Configuration Value, respectively.

      • Enter host and the addon-<tenant hostname>.goskope.com value for the Configuration Key and Configuration Value, respectively.

        Note

        For deployments with release 46 and above, use the above domain name. For deployment with release 45 and lower, use addon.goskope.com. For international deployments, use ~ .eu.goskope.com or ~ .de.goskope.com.

      • To use the Device Classification function in Netskope, click Add and enter ns_mdm_check for the key and the value from the Netskope UI (Settings > Manage > Device Classification > Managed Config) for the Configuration Key and Configuration Value, respectively.

  7. When finished, click Save and Publish.