Deploy Client on macOS Using Intune

This article provides instructions for deploying Netskope Client on macOS devices using Microsoft Intune. The following steps apply to devices running macOS 11.x (Big Sur) or later.

Prerequisites
  • Devices running macOS 11.x (Big Sur) or later.

  • Enroll devices in Microsoft's Endpoint Manager

  • Convert Netskope Client package to an .intunemac file. For detailed information and procedure, visit Microsoft Docs portal.

  • Follow these steps after converting the .pkg to .intunemac file. For more details, see Microsoft Doc Portal

  • Download Netskope Root and Intermediate certificates and convert them to the .cer extension. To learn more, see Certificates

  • Configure and verify SAML forward proxy authentication and ensure that users are properly imported into your Netskope tenant. To learn more about user provisioning and SAML Forward Proxy authentication, see Provisioning and Authentication

Deployment Procedure

Perform the following steps to deploy the client on macOS using Intune:

  1. Sign in to Microsoft Intune Admin Center.

  2. Go to Devices > macOS devices. Ensure that the devices on which you will install Netskope Client are listed.

  3. Create two configuration profiles to deploy the Netskope certificates.

    1. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates and Template name as Trusted Certificate.

    2. Click Create. The page will refresh with settings. Enter a name for the root certificate profile and click Next.

    3. Click the folder icon to select the Netskope root certificate (.cer file) and click Next to continue.

    4. Assign the appropriate device group and click Next.

    5. Review the configuration and click Create.

    6. Repeat the steps used to upload Netskope root certificate and create another configuration profile to upload Netskope intermediate certificate.


    Validate Certificate Chain

    You can validate the complete certificate chain in your Mac keychain.

  4. Download the Netskope Intune configuration script from Netskope Support portal.

    1. Extract the contents of MAC-MDM-script.zip file.

    2. Open the script in a text editor and search for the commented line "Update here for Intune deployment".

    3. Update the script options for parameters 4 to 8 as follows for each mode:

      Deployment Modes

      Configuration Parameters

      Standard Mode (Email-based)

      • Parameter 4: Your tenant name. If your tenant URL is https://addon-corp.goskope.com, then enter addon-corp.

      • Parameter 5: Your AD name.

      • Parameter 6:

        • For rel 89 and before: Enter REST API token.

        • For rel 90.2 and later: Your Organization ID.

      For example, set -- 0 0 0 <addon-host> <AD> <Org ID/ REST API Token>

      UPN Mode

      • Parameter 4: Your addon URL. If your tenant URL is https://corp.goskope.com, then the addon URL is addon-corp.goskope.com.

      • Parameter 5: Your Organization ID.

      • Parameter 6: Enter the keyword upn (lowercase).

      For example, set -- 0 0 0 <addon-host> <Org ID> upn

      Multi-user Mode (enabling for each provisioned user on the tenant)

      • Parameter 4: Your addon URL. If your tenant URL is https://corp.goskope.com, then enter addon-corp.goskope.com.

      • Parameter 5: Your Organization ID.

      • Parameter 6: Enter the keyword peruserconfig.

      For example, set -- 0 0 <username> <addon-host> <AD> <Org ID> peruserconfig

      IDP Single-User mode

      • Parameter 4: Enter IDP to specify the client deployment mode is IDP.

      • Parameter 5: Domain name. Example, if your tenant URL is https://corp.goskope.com, then enter goskope.com.

      • Parameter 6: Tenant name. Example: If your tenant URL is https://corp.goskope.com, enter corp.

      • Parameter 7: Email Address request option. Enter 0, if you do not want to request the user's email address. Enter 1 to request the user's email address.

      For example, set -- 0 0 1 idp <tenant domain name> <tenant name> 0/1

      IDP Multi-User mode

      • Parameter 4: Enter IDP to specify that the client deployment is in IDP mode.

      • Parameter 5: Domain name. Example, if your tenant URL is https://corp.goskope.com, then enter goskope.com.

      • Parameter 6: Tenant name. Example: If your tenant URL is https://corp.goskope.com, enter corp.

      • Parameter 7: Email Address request option. Enter 0, if you do not want to request user email address. Enter 1 to request the user's email address.

      • Parameter 8: Enter peruserconfig to specify multi-user IDP deployment mode.

      For example, set -- 0 0 1 idp <tenant domain name> <tenant name> 0/1 peruserconfig

      For macOS devices (single-user installations) that are not AD joined

      • Parameter 4 : Your tenant URL.

        • For rel 89 and before: If your tenant URL is corp.goskope.com, enter corp.goskope.com.

        • For rel 90.2 and later: If your tenant URL is https://corp.goskope.com, enter addon-corp.goskope.com.

      • Parameter 5:

        • For rel 89 and before: Enter REST API token.

        • For rel 90.2 and later: Your Organization ID.

      • Parameter 6: Preferences file (plist) name. When entering the filename, enter the complete filename including the .plist extension. Example: netskope.plist. Do not add HTTP to the URL in the .plist file.

      For example, set -- 0 0 0 <addon-host> <Org ID> <plist file name>

    4. Save the script.

    5. Go to Devices > macOS > Shell Scripts and click Add.

    6. Enter a Name and click Next.

    7. Select the script (.sh file) from local storage on your computer. Make the following changes:

      • Run script as signed in users - NO

      • Hide script notifications on devices - Yes

      • Script frequency - Every 30 minutes

      • Max number of times to retry if script fails - 3 times.

    8. Assign the script to groups, users, and/or devices. Click Next to continue.

    9. Click Add to add the script and push it to all devices.

  5. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates.

    1. Under Template Names select Extensions and click Create.

    2. Provide a name for the Netskope System Extension profile and click Next.

    3. Expand System Extensions and configure Allow Systems Extensions as follows:

      • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

      • Team Identifier: 24W52P9M7W

      Select Next to continue.

    4. Assign appropriate users or device group and select Next.

    5. Review your configuration and click Create.

    6. Use the Profiles options in the end-user device to validate if the System Extension was deployed successfully.

  6. Go to macOS policies > Configuration Profiles

    1. Download custom configuration profiles from Netskope Support Portal.

    2. Select Create Profile and under the Profile Types option, select Templates > Custom. Click Create.

    3. Specify a profile name.

    4. Keep the Deployment Channel option to Device Channel.

    5. Upload the custom configuration profile downloaded from Netskope Support Portal. Click Next to continue.

    6. Select and assign appropriate users or groups. Click Next to continue.

    7. Review configuration and click Create.

    8. Use the Profiles option in the end-user device to validate if the installation was successful.

  7. Create a line-of-business application to be deployed on the Apple devices (Big Sur).

    Before proceeding ensure the following:

    • Convert the Client installation pkg to an .intunemac file.

    • Resolve an issue with Intune and Netskope Client app including multiple components. See Microsoft Doc Portal for more information.

    1. Go to Apps > macOS and click Add. Select Line-of-business app from the App type drop-down menu. Click Select.

    2. Select the app package (.intunemac) file by browsing to it and click OK.

    3. Enter a publisher name and click Next.

    4. Assign the application to devices or users. Click Next to continue.

    5. Click Create to complete creating the application.

    6. Now log in to your IdP to start the enrollment process.
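
The following shell lint is an added example, not part of Netskope's script or of the original article. It checks the values typed after set -- in step 4 before the script is uploaded to Intune. The mode labels (upn, idp, idp-multi, plist) and the function names are assumptions chosen for this example; each check mirrors a rule from the parameter list in step 4.

```shell
#!/bin/sh
# Added example, not Netskope's script. Mode labels (upn, idp, idp-multi,
# plist) are names chosen here; the rules come from the step 4 parameter list.

fail() { echo "lint: $*" >&2; rc=1; }

# Usage: lint_set_line MODE <values exactly as they follow "set --">
lint_set_line() {
    mode=$1; shift
    rc=0
    # A value still wrapped in <...> is an unreplaced placeholder.
    for v in "$@"; do
        case $v in *'<'*|*'>'*) fail "placeholder not replaced: $v" ;; esac
    done
    # Pad so parameters 4 to 8 can be read even if the line is too short.
    set -- "$@" "" "" "" "" "" "" "" ""
    p4=$4 p6=$6 p7=$7 p8=$8
    case $mode in
    upn)
        case $p4 in addon-?*) ;; *) fail "parameter 4 must be the addon host (addon-...)" ;; esac
        [ "$p6" = upn ] || fail "parameter 6 must be the lowercase keyword upn"
        ;;
    idp|idp-multi)
        case $p4 in [Ii][Dd][Pp]) ;; *) fail "parameter 4 must be idp" ;; esac
        case $p7 in 0|1) ;; *) fail "parameter 7 must be 0 or 1" ;; esac
        if [ "$mode" = idp-multi ] && [ "$p8" != peruserconfig ]; then
            fail "parameter 8 must be peruserconfig"
        fi
        ;;
    plist)
        case $p6 in ?*.plist) ;; *) fail "parameter 6 must be a file name ending in .plist" ;; esac
        ;;
    *)
        fail "unknown mode label: $mode"
        ;;
    esac
    return "$rc"
}
```

For example, `lint_set_line upn 0 0 0 addon-corp.goskope.com ORG123 upn` returns 0 (ORG123 is a constructed value), while the same line with `UPN` in uppercase reports an error and returns 1.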