Deploy Client on macOS Using Intune

This article provides instructions for deploying the Netskope Client on macOS devices using Microsoft Intune. The following steps apply to devices running macOS 11.x (Big Sur) or later.

Prerequisites

  • Devices running macOS 11.x (Big Sur) or later.
  • Enroll the devices in Microsoft Endpoint Manager.
  • Download the Netskope root and intermediate certificates and convert them to the .cer format. To learn more, see Certificates.
  • Ensure that users are provisioned to the Netskope tenant using SCIM or Directory Importer. To learn more about user provisioning, see Provisioning and Authentication and Configure Directory Importer.
  • If you are using IdP mode for the Client deployment, configure and verify SAML forward proxy authentication. To learn more about SAML forward proxy authentication, see Provisioning and Authentication.

Deployment Procedure

Perform the following steps to deploy the Netskope Client on macOS using Intune:

  1. Sign in to Microsoft Intune Admin Center.

  2. Go to Devices > macOS devices. Ensure that the devices to which you will install Netskope Client are listed.

  3. Create two configuration profiles to deploy the Netskope certificates.

    1. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates and Template name as Trusted Certificate.

    2. Click Create.

      The page will refresh with settings.

    3. Enter a name for the root certificate profile and click Next.

    4. Click the folder icon to select the Netskope root certificate (.cer file) and click Next to continue.

    5. Assign the appropriate device group and click Next.

    6. Review the configuration and click Create.

    7. Repeat the steps you used to upload the Netskope root certificate to create a second configuration profile that uploads the Netskope intermediate certificate.

  4. Download the Netskope Intune configuration script from the Netskope Support portal.

    1. Extract the contents of the MAC-MDM-script.zip file.

    2. Open the script in a text editor and search for the commented line Update here for Intune deployment.

    3. Choose a deployment mode according to your requirement and update the script options for parameters 4 to 8 as follows for each mode:

      Deployment mode: Standard Mode (Email-based)
      Configuration parameters:

      • Parameter 4: Your tenant name. If your tenant URL is https://addon-corp.goskope.com, then enter addon-corp.

      • Parameter 5: Your AD name.

      • Parameter 6: For release 90.2 and later, your Organization ID.

      • For example: set -- 0 0 0 <addon-host> <AD> <Org ID>

      Deployment mode: Multi-user Mode (enabled for each provisioned user on the tenant)
      Configuration parameters:

      • Parameter 4: Your addon URL. If your tenant URL is https://corp.goskope.com, then enter addon-corp.goskope.com.

      • Parameter 5: Your Organization ID.

      • Parameter 6: Enter the keyword peruserconfig.

      • For example: set -- 0 0 0 <addon-host> <AD> <Org ID> peruserconfig

      Deployment mode: IdP Single-User Mode
      Configuration parameters:

      • Parameter 4: Enter IDP to specify that the client deployment mode is IdP.

      • Parameter 5: Domain name. For example, if your tenant URL is https://corp.goskope.com, then enter goskope.com.

      • Parameter 6: Tenant name. For example, if your tenant URL is https://corp.goskope.com, enter corp.

      • Parameter 7: Email address request option. Enter 0 if you do not want to request the user's email address. Enter 1 to request the user's email address.

      • For example: set -- 0 0 0 idp <tenant domain name> <tenant name> 0/1

      Deployment mode: IdP Multi-User Mode
      Configuration parameters:

      • Parameter 4: Enter IDP to specify that the client deployment is in IdP mode.

      • Parameter 5: Domain name. For example, if your tenant URL is https://corp.goskope.com, then enter goskope.com.

      • Parameter 6: Tenant name. For example, if your tenant URL is https://corp.goskope.com, enter corp.

      • Parameter 7: Email address request option. Enter 0 if you do not want to request the user's email address. Enter 1 to request the user's email address.

      • Parameter 8: Enter peruserconfig to specify multi-user IdP deployment mode.

      • For example: set -- 0 0 0 idp <tenant domain name> <tenant name> 0/1 peruserconfig

      Deployment mode: macOS devices (single-user installations) that are not AD joined
      Configuration parameters:

      • Parameter 4: Your tenant URL. For example, if your tenant URL is https://corp.goskope.com, enter addon-corp.goskope.com.

      • Parameter 5: For release 90.2 and later, your Organization ID.

      • Parameter 6: Preferences file (plist) name. Enter the complete filename including the .plist extension, for example netskope.plist. Do not add HTTP to the URL in the .plist file.

      • Parameter 7: Enter the keyword preference_email.

      • For example: set -- 0 0 0 <addon-host> <Org ID> <plist file name> preference_email

      To learn about creating a plist in Intune, see Create PLIST in Intune for non-AD domain-Joined Devices.
      If the Secure Enrollment feature is enabled, each deployment mode takes two additional parameters (the authentication and encryption tokens):
      • enrollauthtoken: Specifies the authentication token.
      • enrollencryptiontoken: Specifies the encryption token.
    4. Save the script.

    5. Go to Devices > macOS > Shell Scripts and click Add.

    6. Enter a Name and click Next.

    7. Select the script (.sh file) from the local storage on your computer. Make the following changes:

      • Run script as signed in users – NO

      • Hide script notifications on devices – Yes

      • Script frequency – Choose Not configured (default) to run the script only once.

      • Max number of times to retry if script fails – Choose Not configured (default) to not retry when a script fails.

    8. Assign the script to groups, users, and/or devices. Click Next to continue.

    9. Click Add to add the script and push it to all devices.

      Ensure that the script is pushed to all endpoints before you proceed with the further steps.
  5. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates.

    1. Under Template Names, select Extensions.

    2. Click Create.

    3. Provide a name for the Netskope System Extension profile and click Next.

    4. Expand System Extensions and configure Allow System Extensions as follows:

      • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

      • Team Identifier: 24W52P9M7W

    5. Select Next to continue.

    6. Assign appropriate users or device group and select Next.

    7. Review your configuration and click Create.

    8. Use the Profiles option on the end-user device to validate that the System Extension was deployed successfully.

  6. To provide full disk access permission for macOS Sonoma or later, navigate to Dashboard > Devices > macOS > Configuration Profiles > Create Profile > New Policy.

    1. Select Settings Catalog from the Templates dropdown menu.

    2. Click Create.

      It opens the Create Profile window.

    3. In Basics, enter a name for the profile.

    4. Click Next to continue.

    5. In Configuration Settings, click +Add Settings.

    6. In Settings Picker, select a category to see all the available settings.

    7. Select Privacy > Privacy Preferences Policy Control.

      This opens another window to configure the privacy preferences policy control payload.

    8. Select checkbox for System Policy All Files under Services.

      All options under System Policy All Files are selected by default.

    9. After you select settings for Privacy Preferences Policy Control, go to Configuration Settings on the left-pane and click +Edit Instance.

    10. In the Configure Instance window, add the following:

      • Toggle to enable Allowed to True.

      • Code Requirement:

        anchor apple generic and identifier "com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
      • Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

      • Identifier Type: Bundle ID.

      You can remove the Authorization field under Privacy Preferences Policy Control. Click the delete icon next to the Authorization field to remove it.
    11. Click Save.

    12. Click Next to continue.

    13. In Scope tags (optional), assign a tag to a profile in a specific group.

    14. Click Next to continue.

    15. In Assignment, select the users or groups that will receive your profile.

    16. Click Next to continue.

    17. In Review+Create, you can review the policy configurations.

    18. Click Create.

      For Endpoint DLP, you can add the following Identifier and Code Requirement:
      – Identifier: com.netskope.epdlp.client
      – Code Requirement: anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
      To learn more, see Enabling Endpoint DLP on the Netskope Client for macOS.
  7. Go to macOS policies > Configuration Profiles.

    1. Download custom configuration profiles from Netskope Support Portal. Here, click Files > View All to find the configuration profile file (NetskopeClient.mobileconfig).

    2. Select Create Profile and under the Profile Types option, select Templates > Custom. Click Create.

    3. Specify a profile name.

    4. Keep the Deployment Channel option to Device Channel.

    5. Upload the custom configuration profile downloaded from Netskope Support Portal. Click Next to continue.

    6. Select and assign appropriate users or groups. Click Next to continue.

    7. Review configuration and click Create.

    8. Use the Profiles option in the end-user device to validate if the installation was successful.

      Before you proceed to the next steps, ensure that all the previous profiles you created are successfully deployed to the endpoints and the macOS script was executed. Failure to do so results in an unsuccessful deployment of Netskope client.
  8. If you want to create a plist in Intune for non-AD domain-joined devices, go to the section Create PLIST in Intune for non-AD domain-Joined Devices. Otherwise, skip the plist and proceed to Step 8.

  9. Create a line-of-business application to be deployed on the Apple devices (Big Sur).

    1. Go to Apps > macOS and click Add. Select Line-of-business app from the App type drop-down menu and click Select.

    2. Click Select app file to browse and upload the app package.

    3. Click OK.

    4. Enter a publisher name and click Next.

      You can remove the bundle ID com.netskope.client.nsIPFilterNKE. Click the delete icon to remove it.
    5. Assign the application to devices or users. Click Next to continue.

    6. Click Create to complete creating the application.

    7. You can check the status of your application in Intune and verify that the application is pushed to your endpoint.
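The "set -- 0 0 0 ..." line edited in step 4 is the one place where a typo silently changes the deployment mode or breaks enrollment on every endpoint the script is pushed to. The following checker is an added example, not part of Netskope's MAC-MDM-script: it reads that line from a script file, reports which of the modes listed above parameters 4 to 8 select, and rejects a host value that carries a URL scheme. The sample script text is constructed here and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Netskope's script): sanity-check the "set -- ..." line
# under the "Update here for Intune deployment" comment before pushing it.

# detect_mode takes the same arguments as the "set --" line (three zeros
# followed by parameters 4 to 8) and prints the deployment mode they select.
detect_mode() {
    [ $# -ge 4 ] || { echo "usage: detect_mode 0 0 0 <param4> [param5..param8]" >&2; return 1; }
    shift 3                       # drop the three leading zeros; $1 is now parameter 4
    case "$1" in
        idp|IDP)
            # IdP mode: parameter 8 = peruserconfig selects the multi-user variant
            if [ "${5:-}" = "peruserconfig" ]; then echo "idp-multi-user"; else echo "idp-single-user"; fi
            ;;
        *)
            if [ "${4:-}" = "preference_email" ]; then
                echo "preference-email"       # non-AD-joined single-user install with a plist
            elif [ "${3:-}" = "peruserconfig" ]; then
                echo "multi-user"             # email-based multi-user mode
            else
                echo "standard"               # email-based standard mode
            fi
            ;;
    esac
}

# validate_host rejects an empty value or one that carries a URL scheme:
# values such as addon-corp.goskope.com are hostnames, not URLs.
validate_host() {
    case "$1" in
        ''|[Hh][Tt][Tt][Pp]://*|[Hh][Tt][Tt][Pp][Ss]://*) return 1 ;;
        *) return 0 ;;
    esac
}

# set_line_args prints the arguments of the first "set -- ..." line in a script.
set_line_args() {
    sed -n 's/^[[:space:]]*set -- //p' "$1" | sed -n '1p'
}

# check_script prints the detected mode for a script file and returns 1 when
# the host parameter (parameter 4, unless the mode is IdP) carries a URL scheme.
check_script() {
    args=$(set_line_args "$1")
    [ -n "$args" ] || { echo "no 'set --' line found in $1" >&2; return 1; }
    # shellcheck disable=SC2086
    set -- $args                  # word-split the captured arguments into $1..$n
    mode=$(detect_mode "$@") || return 1
    echo "$mode"
    case "$mode" in
        idp-*) return 0 ;;        # IdP modes carry domain and tenant names, not a host
        *) validate_host "$4" ;;
    esac
}

# Constructed sample of the block you edit in the downloaded script (the
# Organization ID is a placeholder).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
#!/bin/sh
# Update here for Intune deployment
set -- 0 0 0 addon-corp.goskope.com ORG-ID-PLACEHOLDER peruserconfig
EOF
    if check_script "$tmp"; then
        echo "script parameters look consistent"
    else
        echo "fix the parameters before pushing the script"
    fi
    rm -f "$tmp"
}
demo
```

Run it against the edited .sh file by replacing the constructed sample in demo with `check_script /path/to/your-script.sh`; the printed mode should be the one you intended, and a non-zero exit means parameter 4 has a scheme such as https:// that the script does not expect.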

Validate Certificate Chain

You can validate the complete certificate chain in your Mac keychain.

(Screenshot: Mac keychain)
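Steps 5.8 and 7.8 above ask you to confirm on the endpoint that the system extension and profiles landed, and this section asks you to confirm the certificate chain. The script below is an added example, not Netskope's code, that performs those checks from a terminal on the Mac: it looks for the certificates in the system keychain, confirms that the extension is activated, and asks codesign whether the staged extension bundle satisfies the Privacy Preferences Policy Control code requirement from step 6.10. The bundle identifier, team identifier and requirement string are the ones on this page; the certificate name match ("Netskope") and the staging path /Library/SystemExtensions/<UUID>/<bundle-id>.systemextension are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not Netskope's code): post-deployment checks for a macOS
# endpoint. Values from the page: BUNDLE_ID, TEAM_ID and the requirement
# string. Assumptions: certificates are found by the name fragment "Netskope",
# and the extension is staged under /Library/SystemExtensions/<UUID>/.

BUNDLE_ID="com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy"
TEAM_ID="24W52P9M7W"
CERT_NAME_MATCH="${CERT_NAME_MATCH:-Netskope}"   # assumption: name fragment of the Netskope certs

# designated_requirement builds the PPPC code requirement for a bundle ID and
# team ID; the same shape serves the Endpoint DLP identifier
# com.netskope.epdlp.client given on the page.
designated_requirement() {
    printf 'anchor apple generic and identifier "%s" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "%s")\n' "$1" "$2"
}

# check_certificates: 0 if a certificate whose name contains $1 is in the
# system keychain, 1 if not, 2 if the security tool is not on this host.
check_certificates() {
    command -v security >/dev/null 2>&1 || return 2
    security find-certificate -c "$1" /Library/Keychains/System.keychain >/dev/null 2>&1
}

# check_extension: 0 if systemextensionsctl reports the bundle as
# "activated enabled", 1 if not, 2 if the tool is not on this host.
check_extension() {
    command -v systemextensionsctl >/dev/null 2>&1 || return 2
    systemextensionsctl list 2>/dev/null | grep -F "$1" | grep -q "activated enabled"
}

# check_code_requirement: 0 if the bundle at $1 satisfies requirement $2
# (codesign --verify -R=...), 1 if not, 2 if codesign is not on this host.
check_code_requirement() {
    command -v codesign >/dev/null 2>&1 || return 2
    codesign --verify -R="$2" "$1" >/dev/null 2>&1
}

# staged_extension_path prints the staged bundle for $1 (assumed layout
# /Library/SystemExtensions/<UUID>/<bundle-id>.systemextension), if any.
staged_extension_path() {
    find /Library/SystemExtensions -maxdepth 2 -name "$1.systemextension" 2>/dev/null | sed -n '1p'
}

# report prints a one-line result for a check given its label and exit status.
report() {
    case "$2" in
        0) printf '%-34s OK\n' "$1" ;;
        2) printf '%-34s SKIPPED (tool not available on this host)\n' "$1" ;;
        *) printf '%-34s FAIL\n' "$1" ;;
    esac
}

run_checks() {
    rc=0; check_certificates "$CERT_NAME_MATCH" || rc=$?
    report "Netskope certificates in keychain" "$rc"

    rc=0; check_extension "$BUNDLE_ID" || rc=$?
    report "System extension activated" "$rc"

    ext=$(staged_extension_path "$BUNDLE_ID")
    if [ -n "$ext" ]; then
        rc=0; check_code_requirement "$ext" "$(designated_requirement "$BUNDLE_ID" "$TEAM_ID")" || rc=$?
    else
        rc=1
    fi
    report "Extension meets code requirement" "$rc"
}

run_checks
```

A FAIL on the keychain line means the trusted-certificate profiles from step 3 did not apply; a FAIL on the extension line means the step 5 profile or the Client install is missing; a FAIL on the requirement line means the bundle on disk is not signed by the team identifier the PPPC payload trusts, so the full disk access grant will not attach to it.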

IdP Enrollment Workflow

If you choose to enroll Netskope Client using IdP mode in Intune, perform the following steps:

  1. After you complete the steps to deploy Netskope Client in Intune, you will receive a notification to allow the proxy configurations.

  2. Click Allow.

  3. In Enroll Netskope Client, enter the Email Address.

  4. Click Next.

  5. Enter the tenant name and select the tenant domain as shared with the user by their respective IT.

  6. Now, sign in using your authentication credentials to complete the enrollment process.

Create PLIST in Intune for non-AD domain-Joined Devices

Creating a preference file in Intune includes the following steps:

  • Create the Profile with Preference file.
  • Create and Upload the Script file on Intune.

To learn more, view Add a Property List.

Create a Profile Using the Preference File

If you are deploying the Client using a PLIST-based installation, create a profile of type Preference file and define the email variable with the token {{mail}}.

Follow the steps to create a profile:

  1. Sign in to Microsoft Intune Admin Center.

  2. Navigate to Devices > Configuration Profiles > Create Profile.

  3. Provide the following details on the Create a Profile page:

    • Platform: Select macOS

    • Profile Type: Templates. Select the Template name as Preference File.

  4. Click Create.

  5. In Basics, enter the name and description.

  6. Click Next.

  7. In Configuration Settings, provide the following details:

    • Preference domain name: Enter the bundle ID. For example, com.netskope.client.Netskope-Client.

    • Upload the property list file.

      <key>email</key>
      <string>{{mail}}</string>
  8. Select Next.

  9. In Scope, assign a tag to filter the profile to specific IT groups.

  10. Select Next.

  11. In Assignment, select the users or groups that will receive your profile.

  12. Select Next.

  13. In Review + Create, review your configuration and click Create.
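The two-line fragment in step 7 is only the body of the preference file; Intune expects a complete property list, and the script parameters earlier on this page warn against putting HTTP in any URL inside it. The following is an added example, not a file shipped by Netskope or Microsoft: it writes the full plist with the {{mail}} token, reads the email value back, and lints every string value for a URL scheme before you upload the file. The file name template.plist is an assumption that must match the plist name in the script's preference_email parameters.

```shell
#!/bin/sh
# Added example (not Netskope's or Intune's file): generate and lint the
# preference plist for the preference_email deployment mode. The email key
# and the {{mail}} token are from the page; the file name is an assumption.

PLIST_NAME="${PLIST_NAME:-template.plist}"

# make_preference_plist prints a complete property list whose email key
# carries the Intune {{mail}} token described on the page.
make_preference_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>email</key>
    <string>{{mail}}</string>
</dict>
</plist>
EOF
}

# plist_email_value prints the <string> that follows the email key in file $1.
plist_email_value() {
    awk '/<key>email<\/key>/ { getline; gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$1"
}

# lint_plist: 0 if no <string> value in file $1 starts with http:// or
# https:// (the DOCTYPE URL is not a value and is ignored), 1 otherwise.
lint_plist() {
    if sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p' "$1" | grep -Eiq '^https?://'; then
        return 1
    fi
    return 0
}

# Write the file, then show what a reviewer would check before uploading it.
demo() {
    make_preference_plist > "$PLIST_NAME"
    printf 'wrote %s; email value: %s\n' "$PLIST_NAME" "$(plist_email_value "$PLIST_NAME")"
    if lint_plist "$PLIST_NAME"; then
        echo "lint: no URL scheme in string values"
    else
        echo "lint: a string value carries http:// or https://; remove the scheme"
    fi
}
demo
```

Upload the generated file as the property list in step 7 and pass its name (here template.plist) as the plist parameter of the preinstallation script in the next section; if the lint reports a scheme, the value is the kind the page says the Client does not expect in the plist.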

Create and Upload the Preinstallation Script file on Intune

Get the latest preinstallation script and update the Email Preference mode in the script as shown in the following example:

set -- 0 0 0 addon-<tenant-URL> <ORG ID> template.plist preference_email

The template.plist parameter must match the plist file name in the Configuration Settings.

  1. Go to Devices > Scripts.

  2. Click + Add.

  3. Select macOS.

  4. In Basics, enter a Name and Description.

  5. Click Next.

  6. In Script Settings, select the file from the local storage on your computer. Make the following changes:

    • Run script as signed in users – NO

    • Hide script notifications on devices – Yes

    • Script frequency – Based on your requirement. For example, Every 15 minutes.

    • Max number of times to retry if script fails – 3 times

  7. Assign the script to groups, users, and/or devices.

  8. Click Next to continue.

  9. Click Add to add the script and push it to all devices.
