Deploy Client on macOS Using VMware Workspace ONE

This document lists the steps to deploy Netskope Client on macOS devices.

Deploying Client on macOS Using VMware Workspace ONE (Non-Domain Joined)

Deploying Client on non-domain joined macOS devices using VMware Workspace ONE utilizes a preferences list (plist) file containing the email attribute to enroll the Client.

Prerequisites: Download Netskope Root and Intermediate certificates and convert them to .cer extension. To learn more, see Certificates.

Push email from Workspace ONE user profile to device

Here, you add a Workspace ONE sensor that writes a plist file containing the user's email address to the device. Perform the following steps to add the sensor:

  1. Log into your Workspace One admin console.

  2. Go to Resources > Sensors.

  3. Click Add > macOS.

  4. On the New Sensor window, provide Name and Description in the General section.

  5. Click Next.

  6. In the Details section, select the following:

    • Language: Bash

    • Execution Context: System

    • Response Data Type: String

    • Code:

      #!/bin/bash
      # Managed preferences plist that the Netskope pre-install script reads the email from.
      emailPrefFile="/Library/Managed Preferences/com.netskope.plist"
      # Build the plist at a fixed temporary path instead of the sensor's working directory.
      tmpPlist="/tmp/com.netskope.plist"
      if [ -f "$emailPrefFile" ]; then
          echo "exists"
          echo "plist exists" > /tmp/plist.txt
      else
          rm -f "$tmpPlist"
          # userMail is the sensor variable mapped to {EmailAddress} in the Variables section.
          /usr/libexec/PlistBuddy -c "Add :email string $userMail" "$tmpPlist"
          cp "$tmpPlist" "$emailPrefFile"
          echo "added"
      fi
  7. In the Variables section, create a variable to be used in the script during execution. Add userMail in the Key field and select {EmailAddress} in the Value field. You can use a different variable name, but it must match the variable name used in the bash script.


  8. Click Save.

Important

You can see the file com.netskope.plist under the directory /Library/Managed Preferences/ on your macOS device. This file contains the user's email address. If you cannot find the email address in the plist file, check that an email address is assigned to the user in Workspace ONE. To learn more, view Collect Data with Sensors in macOS.

Pre-install script and package

Here, you add the Netskope Client package and pre-install script, along with the instructions to run the script on the device. To learn more, view Deploy Internal macOS Applications.

  1. Go to Resources > Apps > Native > Internal.

  2. Select Add > Add Application.

  3. In Add Application, click Upload to add the Netskope package file.

  4. Click Save.

  5. Click Continue.

  6. Select Full Storage Management in Deployment Type.

  7. Upload the metadata file (.plist). To create a metadata file, download and install the VMware Workspace ONE UEM Admin Assistant Tool on your macOS computer. To learn more, view Generate Metadata.

  8. Click Continue.

    This navigates to Add Application.

  9. Under Details, you can review the details and make modifications, if necessary.

  10. Click Scripts.

  11. Under Install Scripts, add a Pre-Install Script that runs before the installation process.

    #!/bin/bash
    ####
    # ws1_netskope_pre-install.sh
    # Workspace ONE pre-install script used to prepare macOS devices for the Netskope Client. This script supports secure enrollment.
    # You will need to set the following parameters:
    #
    # TENANT - This should be set to addon-<your tenant>.goskope.com
    # ORGID - You can obtain your Organization ID from your tenant (Settings > Security Cloud Platform > MDM Distribution)
    # EMAIL - This value is read from the com.netskope.plist file created by the ws1_netskope_sensor.sh sensor script
    # enrollencryptiontoken - encryption token from the Secure Enrollment page, if enabled and enforced
    # enrollauthtoken - authentication token from the Secure Enrollment page, if enabled and enforced
    #
    ##
    TENANT=addon-<tenant>
    ORGID=<org_key>
    EMAIL=$(defaults read "/Library/Managed Preferences/com.netskope.plist" email)
    enrollauthtoken=<auth_token>
    enrollencryptiontoken=<encryption_token>
    TEMP_BRANDING_DIR="/tmp/nsbranding"
    TEMP_ENROLLMENT_TOKEN_FILE="$TEMP_BRANDING_DIR/enroll.conf"
    if [ ! -d "$TEMP_BRANDING_DIR" ]; then
        mkdir -p "$TEMP_BRANDING_DIR"
    fi
    # Installer parameters read by the Netskope package during installation.
    NSINSTPARAM_JSON_FILE="${TEMP_BRANDING_DIR}/nsinstparams.json"
    echo "{\"TenantHostName\": \"$TENANT\", \"Email\": \"$EMAIL\", \"OrgKey\": \"$ORGID\"}" > "${NSINSTPARAM_JSON_FILE}"
    # Write enroll.conf containing whichever secure enrollment tokens are set (a value of 0 means the token is not used).
    Create_Json() {
        if [[ -f "$TEMP_ENROLLMENT_TOKEN_FILE" ]]; then
            rm "$TEMP_ENROLLMENT_TOKEN_FILE"
        fi
        local a=$1
        local b=$2
        if ! [[ "$a" =~ ^[a-fA-F0-9]{32}$ ]] && [[ "$a" != "0" ]]; then
            echo "Invalid auth token: must be 32 hexadecimal characters"
            return 1
        fi
        if ! [[ "$b" =~ ^[a-fA-F0-9]{32}$ ]] && [[ "$b" != "0" ]]; then
            echo "Invalid encryption token: must be 32 hexadecimal characters"
            return 1
        fi
        echo "{" > "$TEMP_ENROLLMENT_TOKEN_FILE"
        if [[ "$a" != "0" && "$b" != "0" ]]; then
            echo "\"enrollauthtoken\": \"$a\"," >> "$TEMP_ENROLLMENT_TOKEN_FILE"
            echo "\"enrollencryptiontoken\": \"$b\"" >> "$TEMP_ENROLLMENT_TOKEN_FILE"
        elif [[ "$a" == "0" && "$b" != "0" ]]; then
            echo "\"enrollencryptiontoken\": \"$b\"" >> "$TEMP_ENROLLMENT_TOKEN_FILE"
        elif [[ "$b" == "0" && "$a" != "0" ]]; then
            echo "\"enrollauthtoken\": \"$a\"" >> "$TEMP_ENROLLMENT_TOKEN_FILE"
        else
            echo "Unsupported use case"
        fi
        echo "}" >> "$TEMP_ENROLLMENT_TOKEN_FILE"
        # Restrict the token file to root; it holds enrollment secrets until the installer consumes it.
        chmod 700 "$TEMP_ENROLLMENT_TOKEN_FILE"
        echo "enroll.conf created with provided tokens."
    }
    if [[ "$enrollencryptiontoken" != "0" || "$enrollauthtoken" != "0" ]]; then
        echo "Using secure enrollment"
        Create_Json "$enrollauthtoken" "$enrollencryptiontoken"
    else
        echo "Not using secure enrollment"
        if [[ -f "$TEMP_ENROLLMENT_TOKEN_FILE" ]]; then
            rm "$TEMP_ENROLLMENT_TOKEN_FILE"
        fi
    fi
    
    – Replace the values of TENANT, ORGID, enrollauthtoken, and enrollencryptiontoken (lines 14, 15, 17, and 18) with the values from your tenant. To find these values, view About Your Tenant.
    – Do not add any spaces when entering the values.
    – If a secure enrollment token is not enabled, set the token value to 0. For example, if the encryption token is not enabled in your tenant, add enrollencryptiontoken=0.
  12. Click Save & Assign.

  13. Once you add an application to the VMware Workspace ONE console, assign devices to the application.

  14. Click the application that you added.

  15. Click the Assignment tab.

  16. Click Assign in the right corner of the screen.

  17. Under Assignments, click Add Assignment.

  18. On the Assignment screen, perform the following:

    • Provide a Name for the assignment.

    • In Assignment Groups, select the desired group.

  19. Click Create.

  20. Click Save.
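Added example, not part of this Netskope documentation or of Workspace ONE: a second Bash sensor (Execution Context: System, Response Data Type: String) that verifies the artifacts produced by the sensor and pre-install script above: the email in the managed plist, the matching Email value in nsinstparams.json, and that enroll.conf still has the 0700 mode the pre-install script sets and holds only 32-character hex tokens. The file paths are the ones used on this page; the function names and the sed-based plist parsing (which assumes an XML plist, the format PlistBuddy writes) are assumptions of this example.

```shell
#!/bin/bash
# Added example (not Netskope or VMware code): sensor that checks the
# deployment artifacts. Functions take explicit paths so the checks can be
# exercised against constructed files; defaults are the paths on this page.

PLIST_DEFAULT="/Library/Managed Preferences/com.netskope.plist"
PARAMS_DEFAULT="/tmp/nsbranding/nsinstparams.json"
ENROLL_DEFAULT="/tmp/nsbranding/enroll.conf"

# Print the value of the "email" key from an XML plist. Uses sed rather than
# PlistBuddy so it also runs outside macOS (assumes PlistBuddy's XML layout).
plist_email() {
    sed -n '/<key>email<\/key>/{n;s/.*<string>\([^<]*\)<\/string>.*/\1/p;}' "$1"
}

# Print the Email value the pre-install script wrote into nsinstparams.json.
params_email() {
    sed -n 's/.*"Email": *"\([^"]*\)".*/\1/p' "$1"
}

# enroll.conf must be mode 0700 (as chmod'ed by the pre-install script),
# contain at least one token, and every token must be 32 hex characters.
enroll_conf_ok() {
    local f="$1" toks
    [ "$(ls -l "$f" | cut -c1-10)" = "-rwx------" ] || return 1
    toks=$(sed -n 's/.*"enroll[a-z]*token": *"\([^"]*\)".*/\1/p' "$f")
    [ -n "$toks" ] || return 1
    # grep -v finds any token that is NOT 32 hex chars; negate its result.
    ! printf '%s\n' "$toks" | grep -qvE '^[a-fA-F0-9]{32}$'
}

# Sensor response: "ok" or a comma-separated list of findings. Always exits 0
# so the String result reaches Workspace ONE whatever the device state.
verify_enrollment() {
    local plist="$1" params="$2" enroll="$3" findings="" pe ce
    pe=$(plist_email "$plist" 2>/dev/null)
    ce=$(params_email "$params" 2>/dev/null)
    printf '%s' "$pe" | grep -qE '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$' \
        || findings="${findings}no valid email in managed plist,"
    [ -n "$pe" ] && [ "$pe" = "$ce" ] \
        || findings="${findings}nsinstparams.json email mismatch,"
    # enroll.conf only exists when secure enrollment is in use.
    if [ -f "$enroll" ]; then
        enroll_conf_ok "$enroll" || findings="${findings}enroll.conf insecure or malformed,"
    fi
    [ -z "$findings" ] && echo "ok" || echo "${findings%,}"
    return 0
}

verify_enrollment "$PLIST_DEFAULT" "$PARAMS_DEFAULT" "$ENROLL_DEFAULT"
```

Run it as a sensor after the application assignment has installed the Client, and filter on responses other than "ok" in the sensor's device list.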

Add VPN, System Extensions, and Credentials

Customize and extend the core networking features of macOS to enable content filtering, VPN, and other functionality.

  1. Go to Resources > Profiles & Baselines > Profiles.

  2. Click Add Profile from the Add dropdown options.

  3. Select Apple macOS from the platform list.

  4. Select Device Profile in Select Context.

  5. Start typing ‘System’ in the search text box of the configuration profile.

  6. Expand System Extensions option and click Add.

  7. Configure Allow System Extensions as follows:

    • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

    • Team Identifier: 24W52P9M7W


  8. Expand VPN and click Add to enter the following details:

    • Connection Name: Enter a descriptive name for the Connection Name.

    • Connection Type: Select Custom SSL.

    • Identifier: com.netskope.client.Netskope-Client

    • Server: gateway-<tenant-URL>


  9. Expand Credentials and click Add to enter the following details:

    • Credential Source: Select Upload.

    • Credential Name: The name is auto-populated after you upload the certificate.

    • Certificate: Click Choose File > Browse for the rootcaCert.cer file you downloaded from the Netskope tenant.

  10. Click Attach Certificate.

    Once you click Attach Certificate, the webUI displays the uploaded certificate details such as validity, thumbprint, and so on.

  11. Click +Add to add another certificate.

  12. Click Choose File > Browse for the caCert.cer file you downloaded from the Netskope tenant.

  13. Click Attach Certificate.

    The webUI now displays two Credentials tabs in your Credentials payload.

  14. Click Next.

  15. Add the assignment details.

  16. Click Save & Publish.

Approve Full Disk Access Permission

  1. Go to Resources > Profiles & Baselines > Profiles.

  2. Click Add Profile from the Add dropdown options.

  3. Select Apple macOS from the platform list.

  4. Select Device Profile in Select Context.

  5. Start typing Privacy in the search text box of the configuration profile.

  6. Expand Privacy Preferences option and click Add.

  7. Configure the following settings to allow access to a service or an app:

    • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

    • Team Identifier: Select Bundle ID.

    • Code Requirement:

      anchor apple generic and identifier "com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
    • Find System Policy All Files under Services section and select Allow.

  8. Expand VPN and click Add to enter the following details:

    • Connection Name: Enter a descriptive name for the Connection Name.

    • Connection Type: Select Custom SSL.

    • Identifier: com.netskope.client.Netskope-Client

    • Server: gateway-<tenant-URL>

    • Account: {EmailAddress}

  9. Click Next.

  10. Add the assignment details.

  11. Click Save & Publish.

For Endpoint DLP, you can add the following Identifier and Code Requirement:
– Identifier: com.netskope.epdlp.client
– Code Requirement: anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
To learn more, view Enabling Endpoint DLP on the Netskope Client for macOS.

Enrollment Workflow

The user is enrolled using the email address from the plist file configured in VMware Workspace ONE when the script runs. The user does not need to perform any steps during the enrollment process.

The following steps illustrate the client enrollment workflow in VMware Workspace ONE:

  1. After you complete the steps to deploy Netskope Client in VMware Workspace ONE, log into the Workspace ONE server.

  2. Click Install on the Profile in System Preferences and follow the system prompts.

  3. Once the installation is complete, Netskope Client Configuration is displayed on screen.
