Deploy Client on macOS Using VMware Workspace ONE

This document lists the steps to deploy Netskope Client on macOS devices.

Deploying Client on macOS Using VMware Workspace ONE (Non-Domain Joined)

Deploying Client on non-domain joined macOS devices using VMware Workspace ONE uses a property list (plist) file containing the email attribute to enroll the Client.

Prerequisites: Download the Netskope Root and Intermediate certificates and convert them to the .cer extension. To learn more, see Certificates.

Push email from Workspace ONE user profile to device

Here, you add the plist file containing the email variable using a Workspace ONE Sensor. Perform the following steps to add the plist file:

  1. Log into your Workspace ONE admin console.

  2. Go to Resources > Sensors.

  3. Click Add > macOS.

  4. On the New Sensor window, provide Name and Description in the General section.

  5. Click Next.

  6. In the Details section, select the following:

    • Language: Bash

    • Execution Context: System

    • Response Data Type: String

    • Code:

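      #!/bin/bash
      # Plist that carries the email attribute used to enroll the Client
      emailPrefFile="/Library/Managed Preferences/com.netskope.plist"
      if [ -f "$emailPrefFile" ]; then
          # Already provisioned: report it and leave the file untouched
          echo "exists"
          echo "plist exists" > /tmp/plist.txt
      else
          # $userMail is the sensor variable mapped to {EmailAddress} in step 7
          /usr/libexec/PlistBuddy -c "add email string $userMail" com.netskope.plist
          cp com.netskope.plist /Library/Managed\ Preferences/
          echo "added"
      fi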
  7. In the Variables section, create a variable for the script to use during execution. Add userMail in the Key field and select {EmailAddress} in the Value field. You can use a different variable name, but it must match the variable name used in the bash script.

  8. Click Save.

Important

You can find the file com.netskope.plist under the directory /Library/Managed Preferences/ on your macOS device. This file contains the user email address. If you cannot find the email address in the plist file, check whether an email address is assigned to the user. To learn more, view Collect Data with Sensors in macOS.
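
A check an administrator could run on a Mac after the sensor has executed, added here as an example and not Netskope or VMware code: it reads the plist the sensor writes and reports a missing or empty email key, plus an owner or mode that would let a non-root user change the enrollment identity. The root-owned, not group- or world-writable expectation and the function names are assumptions of this example.

```python
import os
import plistlib
import re
import stat
import tempfile
from xml.parsers.expat import ExpatError

PLIST_PATH = "/Library/Managed Preferences/com.netskope.plist"  # path used by the sensor script
EMAIL_RE = re.compile(r"^[^@\s{}]+@[^@\s{}]+\.[^@\s{}]+$")  # loose sanity check, not RFC 5322


def check_enrollment_plist(path=PLIST_PATH, expected_uid=0):
    """Return a list of findings; an empty list means the file looks sane."""
    findings = []
    try:
        st = os.stat(path)
        with open(path, "rb") as fh:
            prefs = plistlib.load(fh)  # accepts XML and binary plists
    except FileNotFoundError:
        return ["plist missing: sensor has not run or the copy failed"]
    except (ValueError, ExpatError) as exc:
        return [f"plist unreadable: {exc}"]
    if st.st_uid != expected_uid:  # assumption: the file should be owned by root
        findings.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable")
    email = prefs.get("email") if isinstance(prefs, dict) else None
    if not isinstance(email, str) or not email.strip():
        findings.append("email key missing or empty: is an address assigned to the user?")
    elif not EMAIL_RE.match(email.strip()):
        findings.append(f"email value is not an address: {email!r}")
    return findings


def write_sample(email, mode=0o644):
    """Write a constructed sample plist for testing; not a real device file."""
    fd, path = tempfile.mkstemp(suffix=".plist")
    with os.fdopen(fd, "wb") as fh:
        plistlib.dump({"email": email}, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for problem in check_enrollment_plist():
        print("FINDING:", problem)
```
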

Pre-install script and package

Here, you add the Netskope Client script and package, along with the instructions to run the script on the device.

  1. Go to Devices > Provisioning > Components > Files/Actions.

  2. Click Add Files/Actions and select macOS.

  3. In the General tab, enter the required information.

  4. In the Files tab, upload the preinstall script, pkg file, and scripts. Also, specify the local path to which these files are downloaded. For example, /tmp/JamfLatest.sh. Download the latest scripts and Netskope package from Netskope Support.

  5. In Manifest, under Install Manifest, add the following steps in the same order:

    1. Step 1

      • Action to perform: Run

      • Command Line and Arguments to run: chmod +x <Install script local path> (see step 4)

      • Timeout: Desired value (default 0)

    2. Step 2

      • Action to perform: Run

      • Command Line and Arguments to run: sudo <Install script local path> param1 param2 param3 param4. For example, run: sudo /tmp/<Your JAMFScript>.sh d1 d2 d3 addon-<TENANT-URL> ORGANISATION-ID com.netskope.plist preference_email silent_mode

        • If the Secure Enrollment feature is enabled, each deployment mode takes two additional parameters (authentication and encryption tokens):
          • enrollauthtoken: Specifies the token for Enforce authentication of Netskope Client Enrollment (Mandatory).
          • enrollencryptiontoken: Specifies the token for Enforce encryption of initial configuration of Netskope Client (Optional).
        For example, enter the following in Command Line and Arguments to run: sudo /tmp/JamfLatest.sh d1 d2 d3 addon-corp.eu.example.com gxxxxxxxxxxxxxxxxx7 com.netskope.plist preference_email silent_mode enrollauthtoken=<your authentication token> enrollencryptiontoken=<your encryption token>
      • Timeout: Desired value (default 0)

    3. Step 3

      • Action to perform: Install

      • File Path and Name to Install: <pkg file local path>

  6. Go to Devices > Provisioning > Product List View.

  7. Click Add Product.

  8. Select macOS as the platform.

  9. In the General tab, enter the required details.

  10. In Manifest, under the policy action, specify the following:

    • Action to perform: Install Files/Action.

    • Files/Actions: Select the files/action created above.

  11. Click Save.

Add VPN and System extensions

Customize and extend the core networking features of macOS to enable content filtering, VPN, and other functionality.

  1. Go to Resources > Profiles & Baselines > Profiles.

  2. Click Add Profile from the Add dropdown options.

  3. Select Apple macOS from the platform list.

  4. Select Device Profile in Select Context.

  5. Start typing ‘System’ in the search text box of the configuration profile.

  6. Expand System Extensions option and click Add.

  7. Configure Allow Systems Extensions as follows:

    • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

    • Team Identifier: 24W52P9M7W

  8. Expand VPN and click Add to enter the following details:

    • Connection Name: Enter a descriptive name for the Connection Name.

    • Connection Type: Select Custom SSL.

    • Identifier: com.netskope.client.Netskope-Client

    • Server: gateway-<tenant-URL>

Approve Full Disk Access Permission

  1. Go to Resources > Profiles & Baselines > Profiles.

  2. Click Add Profile from the Add dropdown options.

  3. Select Apple macOS from the platform list.

  4. Select Device Profile in Select Context.

  5. Start typing Privacy in the search text box of the configuration profile.

  6. Expand Privacy Preferences option and click Add.

  7. Configure the following settings to allow access to a service or an app:

    • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

    • Team Identifier: Select Bundle ID.

    • Code Requirement:

      anchor apple generic and identifier "com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
    • Find System Policy All Files under Services section and select Allow.

  8. Expand VPN and click Add to enter the following details:

    • Connection Name: Enter a descriptive name for the Connection Name.

    • Connection Type: Select Custom SSL.

    • Identifier: com.netskope.client.Netskope-Client

    • Server: gateway-<tenant-URL>

    • Account: {EmailAddress}

  9. Click Next.

  10. Add the assignment details.

  11. Click Save & Publish.

For Endpoint DLP, you can add the following Identifier and Code Requirement:

  • Identifier: com.netskope.epdlp.client

  • Code Requirement: anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")

To learn more, see Enabling Endpoint DLP on the Netskope Client for macOS.

Enrollment Workflow

The user is enrolled using the email address from the Plist file configured in VMware Workspace ONE while running the script. The user need not perform any steps during the enrollment process.

The following steps illustrate the client enrollment workflow in VMware Workspace ONE:

  1. After you complete the steps to deploy Netskope Client in VMware Workspace ONE, log into the Workspace ONE server.

  2. Click Install on the Profile in System Preferences and follow the system prompts.

  3. Once the installation is complete, Netskope Client Configuration is displayed on screen.
