Netskope Help

Deploy Netskope Client via IdP

You can enroll a user authenticated by a SAML 2.0-supported IdP service. After the Netskope Client is installed (using an email invite or a supported MDM deployment tool), users follow the enrollment process in the Netskope Client UI to authenticate themselves via the organization's IdP / SSO service. On successful authentication, the Netskope Client verifies and enrolls the user.


IdP enrollment is available for clients installed on Windows and macOS devices and requires Netskope Client version 68 or above.

Prerequisites to using IdP for Client Deployment
  • All users must be authenticated via the IdP and imported into your Netskope tenant. The email address of the user must be available for all IdP authenticated users.

  • Configure your IdP under Settings > Security Cloud Platform > SAML (in the Forward Proxy section) in your Netskope tenant UI. See SAML Forward Proxy for details.

  • Ensure that the URL nsauth-<tenantname> is publicly accessible. If not, please reach out to Netskope support.

  • Use the IDP mode parameter when installing the client.

    • On Windows

      • Single-user mode: msiexec /I NSClient.msi installmode=IDP tenant=<tenant-name> domain=<domain>

      • Multi-user mode: msiexec /I NSClient.msi installmode=IDP mode=peruserconfig tenant=<tenant-name> domain=<domain>

    • On macOS


      Configure the JAMF script. The initial three parameters are JAMF specific. For IDP mode, specify the parameters as follows:

      • 4th Param: idp

      • 5th Param: domain (If your domain is, enter

      • 6th Param: tenant

      • 7th Param: 1 (to request the user's email)

      • Single-user mode: ./ <jamf param 1> <jamf param 2> <jamf param 3> idp <domain> <tenant> <1>

      • Multi-user mode: ./ <jamf param 1> <jamf param 2> <jamf param 3> idp <domain> <tenant> <1> peruserconfig

  • User Email Request: This is an optional parameter used to request the user's email address during IDP deployment: requestEmail=[0 | 1]. Enter 1 to request the user's email.
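
The Windows install commands above, wrapped for scripted deployment. This is an added example, not Netskope's own code: it validates the tenant and domain values before they reach msiexec and checks the installer's exit code. The function names, the DNS-label check on tenant and domain, and passing requestEmail on the msiexec line alongside the other parameters are assumptions.

```powershell
# Added example, not Netskope code. Builds the msiexec arguments shown above.
function Get-NSClientIdpInstallArgs {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $Tenant,
        [Parameter(Mandatory)] [string] $Domain,
        [switch] $MultiUser,      # adds mode=peruserconfig
        [switch] $RequestEmail    # adds requestEmail=1
    )

    # Assumption: tenant and domain are DNS-style names. Rejecting anything
    # else keeps whitespace or quotes in a value (for example from a CSV of
    # sites) from being parsed by msiexec as extra PROPERTY=value pairs.
    $label = '\A[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?\z'
    foreach ($value in @($Tenant, $Domain)) {
        if ($value -notmatch $label) { throw "Rejected value for msiexec: '$value'" }
    }
    if (-not (Test-Path -LiteralPath $MsiPath -PathType Leaf)) {
        throw "Installer not found: $MsiPath"
    }

    $msiArgs = @('/I', "`"$MsiPath`"", 'installmode=IDP')
    if ($MultiUser) { $msiArgs += 'mode=peruserconfig' }
    $msiArgs += "tenant=$Tenant", "domain=$Domain"
    # Assumption: requestEmail is passed like the other install parameters.
    if ($RequestEmail) { $msiArgs += 'requestEmail=1' }
    return $msiArgs
}

function Install-NSClientIdp {
    param([Parameter(Mandatory)] [string[]] $MsiArgs)

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait -PassThru
    # Windows Installer: 0 = success, 3010 = success, restart required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }
    return $proc.ExitCode
}

# Constructed usage (tenant and domain are placeholder values):
# $a = Get-NSClientIdpInstallArgs -MsiPath .\NSClient.msi `
#        -Tenant 'example-tenant' -Domain 'example.com' -MultiUser
# Install-NSClientIdp -MsiArgs $a
```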

Enrollment Workflow
  1. The user clicks the Enroll button in the Netskope Client UI. This launches a pop-up window.

  2. If the client was installed in IdP mode with tenant and domain suffix, the user enters only their email ID in the enroll pop-up window.


    If the client was installed without the tenant details, the user must enter the following details in the enroll pop-up window:

    • Email ID

    • Tenant Name

    • Select Home Pop Domain. The user can contact their Tenant admin for the name of the Home Pop Domain.

  3. The Netskope Client redirects the user to the IdP authentication process. On successful IdP authentication, the user is enrolled.


A user can unenroll themselves by clicking the Unenroll button in the Netskope Client UI. To prevent users from unenrolling, you can disable the Unenroll option in the Netskope Client UI.

  1. Log in to your Netskope tenant UI and go to Settings > Security Cloud Platform > Devices.

  2. Click Client Configurations. In the list of configuration options, disable the Allow users to unenroll option.