Deploy Client on Android Using Ivanti Neurons
This topic describes how to deploy Netskope Client on Android devices using Ivanti Neurons (formerly known as MobileIron Cloud).
Non-Zero Touch Deployment With Ivanti Neurons
Netskope supports two methods prescribed by MobileIron to enable Android Enterprise devices in Ivanti Neurons:
- Using Managed Google Accounts.
- Using Managed Google Play Accounts (Recommended method).
Managed Google Accounts
To use Android Managed Configurations in Ivanti Neurons, first set up Android for Work in Google. After Android for Work is configured, copy the MDM token from admin.google.com and the .json file generated from console.developer.google.com. When you have these, follow these instructions.
To configure Android Managed Configurations in Ivanti Neurons:
- Log in to your Ivanti Neurons Admin Portal.
- Click Admin in the top menu bar, and then click Android Enterprise in the left nav panel.
- In the Android Enterprise window:
  - Enter the MDM token generated from admin.google.com.
  - Enter the domain for your Google account.
  - Upload the .json file from console.developer.google.com.
- Click Connect, and then authorize the G Suite account.
- Click Users in the top menu bar, and then click + Add > Single User.
- Create a new user with the domain used for Android Enterprise above, and then enable Google Sync for the user.
- Click Apps.
- On the App Catalog page, click Add+.
- Enter Netskope in the Find Apps field.
- Select Netskope Client, and then enter these values:
  - User Email Address: ${userEmailAddress}
  - Host: addon-<tenant-URL>
  - Token: <OrgKey>. Use the Organization ID from the VPN Configuration section in the Netskope UI for the OrgKey value (Settings > Security Cloud Platform > Netskope Client > MDM Distribution).
  - enrollencryptiontoken: Enter the enrollment encryption token.
  - enrollauthtoken: Enter the enrollment authentication token.

  Use enrollauthtoken and enrollencryptiontoken only if secure enrollment is enabled for your tenant.
- Click Done and then click Publish.
Managed Google Play Accounts
To use Android Enterprise devices in Ivanti Neurons, first set up a Managed Google Play account.
Prerequisite: Register your Android enterprise in Ivanti Neurons through Managed Google Play Accounts. To learn more, view Ivanti Neurons.
Environment
Netskope Client Playstore Version: 96.0.0.1009
Android Enterprise Modes
Android Enterprise devices enabled in Ivanti Neurons support one of the following device modes:
- Work Managed Device (Company Owned)
- Work Profile (BYOD)
- Managed Device with Work Profile (Company owned personally enabled devices)
To learn more, view Device Modes.
Netskope supports the Work Profile (BYOD) variant of Android Enterprise. You can modify the default configuration so that it applies only to select device groups, for instance a subset of Android devices.
Deploying Android Applications
Perform the following steps to deploy your Android applications:
- Go to Apps > App Catalog.
- Click +Add.
- Select Google Play.
- Search for and select Netskope Client.
- Add the Netskope configuration.
- Enter the following Configuration Key and Configuration Value pairs:
  - User Email Address: {EmailAddress}
  - token: your <Orgkey> value (Organization ID in the Netskope UI)
  - host: the addon-<tenant-URL> value
- Click Approve.
To learn more, view Android Enterprise.
Perform the following steps to set up BYOD with the work profile:
- Download and install the MobileIron Go app from the Play Store.
- Open the MobileIron Go app and select CONTINUE.
- Enter in the username and password.
- Select CONTINUE again to create the Work Profile.
- Accept the Terms and Conditions.
- Select SET UP.
- Wait for the profile to finish setting up.
- The application will restart and the MobileIron Go application will be moved to the Work Profile.
- Select FINISH to complete the setup.
- The device is now fully registered and configured with Android For Work.
Zero-Touch Deployment With Ivanti Neurons
This section describes the steps for a silent deployment of Netskope Client for Android without any user action using a VPN profile.
Prerequisites
- On the Netskope UI, go to Settings > Manage > Certificates. Here, click the Signing CA tab to download the Netskope Root and Intermediate Certificate.
- On the same page, locate and save the Organization ID token value.
- User accounts provisioned within the MDM/EMM platform must match those provisioned in the Netskope tenant.
Create a Trusted Netskope Root Certificate Profile
To create a Netskope root certificate profile:
- On the Ivanti UI, from the left pane, click Configurations.
- In Configurations, click +Add.
- Click Certificate, or search for Certificate in the Search Configurations text box. This opens the Create Certificate Configuration window.
- In Create Settings, perform the following actions:
  - Enter the configuration Name.
  - Upload the root certificate in Configuration Setup.
- Click Next.
- In Distribute, select the Enable this configuration checkbox.
- Perform appropriate assignments to the User and/or Device group.
- Click Done.
Add Netskope Client
To add Netskope Client for Android:
- On the left pane, go to Apps > Apps Catalog.
- Search for Netskope in the text box.
- Click Netskope Client for Android.
- In Netskope Client, click Distribution.
- Perform appropriate assignments to the User and/or Device group.
- Click App configurations.
- Click Managed Configurations for Android.
- Click Add.
- Enter the configuration name.
- Under Managed Configurations, select the option Block the user from uninstalling the app.
- Expand Managed Configurations and enter the following configuration values:
  - User Email Address: ${userEmailAddress}
  - Host: addon-[tenant].goskope.com
  - Token: <organization ID>. Retrieve the Organization ID token value from your Netskope tenant.
  - enrollencryptiontoken: Enter the enrollment encryption token.
  - enrollauthtoken: Enter the enrollment authentication token.

  Use enrollauthtoken and enrollencryptiontoken only if secure enrollment is enabled for your tenant.
- In Distribute this App Config, perform appropriate assignments to the User and/or Device group.
- Click Save.
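A pre-publish check for the managed configuration values listed above and in the Managed Google Accounts section, as an added example that is not part of the Netskope or Ivanti documentation. The function name, the sample tenant, and the token values are assumptions constructed for illustration; only the keys and value shapes come from this page.

```python
import re

# Keys and value shapes are taken from the managed configuration steps on this page.
REQUIRED = ("User Email Address", "Host", "Token")
PLACEHOLDER = re.compile(r"[<>\[\]]")        # <OrgKey> or [tenant] left unfilled
HOSTNAME = re.compile(r"^addon-[a-z0-9.-]+\.[a-z]{2,}$", re.I)
MDM_VARIABLE = re.compile(r"^\$?\{\w+\}$")   # ${userEmailAddress} or {EmailAddress}


def lint_managed_config(cfg):
    """Return a list of findings for one managed configuration (dict of str)."""
    findings = [f"{k}: missing" for k in REQUIRED if not cfg.get(k, "").strip()]
    for key, value in cfg.items():
        if PLACEHOLDER.search(value):
            findings.append(f"{key}: placeholder not replaced")
        elif value != value.strip():
            findings.append(f"{key}: leading or trailing whitespace")
    host = cfg.get("Host", "")
    if host and not PLACEHOLDER.search(host) and not HOSTNAME.match(host):
        findings.append("Host: expected a bare hostname starting with addon-")
    email = cfg.get("User Email Address", "")
    if email and not MDM_VARIABLE.match(email):
        findings.append("User Email Address: literal value would be pushed to every device")
    return findings


# Constructed sample values; the tenant name and tokens are not real.
GOOD = {
    "User Email Address": "${userEmailAddress}",
    "Host": "addon-example.goskope.com",
    "Token": "EXAMPLEORGID123",
    "enrollauthtoken": "example-auth-token",
    "enrollencryptiontoken": "example-encryption-token",
}
BAD = {
    "User Email Address": "alice@example.com",   # literal address, not a variable
    "Host": "https://example.goskope.com",       # scheme present, addon- prefix missing
    "Token": "<OrgKey>",                         # placeholder copied as-is
    "enrollauthtoken": "example-auth-token ",    # trailing space from copy and paste
}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_managed_config(cfg) or "ok")
```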
Add VPN Profile Configuration
To achieve Zero-touch deployment, it is imperative to add a VPN profile that is tied to Netskope Client.
To create a VPN Profile:
- On the Ivanti UI, from the left pane, click Configurations.
- In Configurations, click +Add.
- Search for VPN in the Search Configurations text box.
- Click Always On VPN. This opens Create Always On VPN Configuration.
- In Create Settings, enter a Profile Name.
- In Select OS, click Android. This opens the Configuration Settings section.
- In Select App, click the Select Manually tab.
- Enter the package name: com.netskope.netskopeclient.
- Click Select App. After you click Select App, you can view Netskope Client details in the Selected App Details tab.
- Click Next.
- Perform appropriate assignments to the User and/or Device group.
- Click Save.
Device Classification for Android
You can classify Android devices based on these criteria:
- Minimum OS version
- Passcode required
- Device not compromised
- Primary storage encrypted
- Managed configuration
Go to Settings > Manage > Device Classification and select Android on the New Device Classification dropdown list, and then follow these steps to classify your Android device. Select options and enter the requested parameters.
- Rule Name: Enter a name for this classification rule.
- Classification Criteria: Select an Any or All criteria match.
- Minimum OS Version: Select an OS version from the dropdown list or create a custom OS version.
- Passcode Required: No parameters required.
- Device Not Compromised: No parameters required.
- Primary Storage Encrypted: No parameters required.
- Managed Configuration: If you already added a managed configuration for this device on the MDM Distribution page, the key-value pair is shown here. This key-value pair is sent from the MDM to the device so the Netskope app can validate the key-value pair and mark it as Managed or Unmanaged. To regenerate the key-value pair, click Regenerate.
Note
Managed Configuration does not work when an app is installed on an Android device using the onboarding email or with the AirWatch SDK.
- When finished, click Save.
After creating a device classification rule, you can use it in a Real-time Protection policy.
- To use this Device Classification in a Real-time Protection policy, click Policies > Real-time Protection in the Netskope UI. Select an existing policy or click New Policy and choose a policy type.
- Proceed through the Users, Cloud Apps + Web, DLP/Threat Protection, and Select Activities sections.
- For Additional Attributes, click Access Method and select either Client, Mobile Profile, or Reverse Proxy, and then click Save. Click Device Classification, and then select Managed or Unmanaged, based on the devices you just classified.
- Managed means the device is managed; the device information sent by the Client matches at least one of the device classification checks configured for that Client’s OS.
- Unmanaged means the device is unmanaged; the device information sent by the Client matches none of the device classification checks configured for that Client’s OS.
When finished, click Save and then Next.
- Combine device classification with other policy elements, like using the Block Action for specified applications for activities like uploading files from managed or unmanaged devices. Finish creating or updating this policy to establish this device classification. Click Apply Changes for this policy.
After the policy has been created, perform the process for which the policy was created. Next, go to Skope IT > Application Events and click the magnifying icon for an event to open the Application Event Details panel. In the User section you’ll see a Device Classification field, which shows one of these device classifications.