Deploy Netskope Client via IdP
You can enroll a user who is authenticated by an IdP service that supports SAML 2.0. On successful authentication, the Netskope Client verifies the user and completes the enrollment in the Netskope Client.
Supported OS and Platform
IdP enrollment is available for Netskope Client installed in the following end-user environments:
- Windows
- macOS
- Linux
- Android and ChromeOS
Prerequisites
- SAML Integration: Configure your IdP in the Settings > Security Cloud Platform > Forward Proxy > SAML in your Netskope Tenant UI. For more details, view SAML Forward Proxy.
- User Provisioning: All users must be provisioned into your Netskope tenant. The email address of the user must be available for all IdP authenticated users. For more details, view SCIM Settings.
- Network Configuration: Ensure that the destinations mentioned in Client Network Configuration are accessible.
- Installation Parameter: Use the IDP mode installation parameter when installing the client: npavdimode=on
- End user devices must support the Android AppLink feature. If the end-user devices (models older than 2018) do not support AppLink, the user needs to manually select the Netskope App when the Open With… dialog box is shown. See the Enrollment on Devices without AppLink Support section for an illustration.
For multi-user environments, add IDP URLs in Steering exception so that subsequent users can successfully perform IDP based enrollment.
Enrollment Workflow
Windows
Windows AD or Hybrid AD Joined – Integrated Windows Authentication (IWA)
Integrated Windows Authentication capabilities enable Single Sign On (SSO) if the user has logged into a corporate domain-joined device.
For example, if you run the following command in your terminal:
msiexec /I NSClient.msi installmode=IDP tenant=acme domain=goskope.com
Netskope Client can seamlessly SSO to enroll the user. You can find the following screens during the enrollment process:
Once the enrollment and installation are complete, check Client Configuration to view the User Email that is added in the configuration.
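The msiexec command above is what an administrator types interactively. For a scripted rollout, the following PowerShell wrapper is an added example (not Netskope's own tooling): it checks the installer's Authenticode signature before running it, passes the same installmode=IDP, tenant and domain parameters, writes a verbose MSI log, and treats the standard msiexec exit codes 0 and 3010 (reboot required) as success. The path, tenant and domain values are placeholders for your own environment; whether the client's enrollment UI also stays silent with /qn is an assumption this script does not make, which is why the switch is optional.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted IdP-mode install of the Netskope Client on Windows.
# Assumptions: NSClient.msi is already downloaded to $MsiPath and is signed;
# tenant/domain are placeholders (acme.goskope.com as used on this page).

function Install-NetskopeClientIdp {
    param(
        [Parameter(Mandatory)][string]$MsiPath,
        [Parameter(Mandatory)][string]$Tenant,   # e.g. acme for acme.goskope.com
        [Parameter(Mandatory)][string]$Domain,   # e.g. goskope.com
        [string]$LogPath = (Join-Path $env:TEMP 'NSClient-install.log'),
        [switch]$Silent                          # /qn hides the MSI UI only
    )

    if (-not (Test-Path -LiteralPath $MsiPath)) {
        throw "Installer not found: $MsiPath"
    }

    # Do not run an unsigned or tampered installer as SYSTEM/admin.
    $sig = Get-AuthenticodeSignature -FilePath $MsiPath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to install: Authenticode status is '$($sig.Status)' for $MsiPath"
    }

    # Same parameters as the interactive command on this page, plus logging.
    $msiArgs = @(
        '/i', "`"$MsiPath`"",
        'installmode=IDP',
        "tenant=$Tenant",
        "domain=$Domain",
        '/l*v', "`"$LogPath`""
    )
    if ($Silent) { $msiArgs += '/qn' }

    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { Write-Host "Netskope Client installed in IdP mode; log: $LogPath" }
        3010    { Write-Warning "Installed, but a reboot is required (exit 3010); log: $LogPath" }
        default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath" }
    }
    return $proc.ExitCode
}

# Usage (placeholder values): run from the folder that holds NSClient.msi.
Install-NetskopeClientIdp -MsiPath (Join-Path $PSScriptRoot 'NSClient.msi') `
                          -Tenant 'acme' -Domain 'goskope.com'
```

After the script returns 0 or 3010, verify enrollment the way the page describes: open Client Configuration and confirm the User Email field is populated; the MSI log only proves the package installed, not that the IdP enrollment succeeded.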
Microsoft Entra ID With Integrated Windows Authentication (IWA)
Microsoft Entra allows users to perform seamless Single Sign-On (SSO) when the user's machine is connected to your corporate network. To learn more, view Quickstart: Microsoft Entra seamless single sign-on – Microsoft Entra ID.
Windows Devices Registered With Entra ID
You can also achieve Single Sign-On (SSO) experience on Windows devices using Primary Refresh Token from Entra ID. Even though it does not require an Active Directory environment, this capability can still be utilized alongside Active Directory and Azure Active Directory (AAD). However, the device must be registered with Entra ID.
Okta With Agentless Desktop Single Sign-on (ADSSO)
Okta provides the ability for Agentless Desktop Single Sign On (ADSSO). To learn more, view Install and configure the Okta IWA Web agent for Desktop Single Sign-on | Okta.
Non-Domain Joined Devices
The following procedure illustrates the typical enrollment workflow for non-domain joined devices:
- If the Client was installed in IdP mode with the tenant and domain suffix, the user is presented with the corporate IdP login page, where the user enters their login credentials.
  If the Client was installed without the tenant details, the user must enter the following details in the enroll window before getting the IdP login page:
  – Tenant Name: If you are accessing tenant URL acme.goskope.com, then tenant name = acme.
  – Domain Name: If you are accessing tenant URL acme.goskope.com, then domain name = goskope.com.
  The user can contact their Tenant admin for the Tenant Name and Domain Name.
- On successful IdP authentication, the user is enrolled.
macOS
Entra ID – Platform SSO
The concept of the Primary Refresh Token is particularly significant for macOS devices when Entra ID is employed as the Identity Provider. To learn more, view macOS Platform Single Sign-on (PSSO) overview – Microsoft Entra ID. Once a device is registered with Entra ID, Single Sign-On (SSO) capabilities can be extended to the Netskope Client for browser-based authentication challenges. The required installation parameters are similar to the following example:
set -- 0 0 0 IDP goskope.com acme 0 mode=scheme preferephemeral=false httpmethod=get
Browser-Based authentication
Netskope Client supports FIDO authentication with our SAML forward proxy for macOS devices through external browser support. To learn more, view Jamf.
Non-Domain Joined Devices
The following procedure illustrates the typical enrollment workflow:
- If the Client was installed in IdP mode with the tenant and domain suffix, the user is presented with the corporate IdP login page, where the user enters their login credentials.
  If the Client was installed without the tenant details, the user must enter the following details in the enroll window before getting the IdP login page:
  – Tenant Name: If you are accessing tenant URL acme.goskope.com, then tenant name = acme.
  – Domain Name: If you are accessing tenant URL acme.goskope.com, then domain name = goskope.com.
- The Netskope Client redirects the user to the IdP authentication process.
- On successful IdP authentication, the user is enrolled.
Linux
The following procedure illustrates the typical enrollment workflow:
- If the Client was installed in IdP mode with the tenant and domain suffix, the user is presented with the corporate IdP login page, where the user enters their login credentials.
  If the Client was installed without the tenant details, the user must enter the following details in the enroll window before getting the IdP login page:
  – Tenant Name: If you are accessing tenant URL acme.goskope.com, then tenant name = acme.
  – Domain Name: If you are accessing tenant URL acme.goskope.com, then domain name = goskope.com.
- The Netskope Client redirects the user to the IdP authentication process.
- On successful IdP authentication, the user is enrolled.
To learn more, view Netskope Client for Linux.
Android and Chrome OS
Refer to Netskope Client for Android and ChromeOS to learn more about the enrollment process.
Unenrollment
A user can unenroll by clicking the Unenroll button on the Netskope Client UI. To prevent users from unenrolling, you can disable the Unenroll option in the Netskope Client UI:
- Log in to your Netskope tenant UI and go to Settings > Security Cloud Platform > Netskope Client > Client Configurations.
- Select the relevant Client Configuration.
- Click Install & Troubleshoot.
- Select the option Allow users to unenroll.
For ChromeOS users, you need to uninstall the app to unenroll.
IdP Enrollment Using Webview2
Microsoft Edge WebView2 enables you to embed web technologies such as HTML and JavaScript in your native applications. Netskope Client supports user IdP enrollment using WebView2. The requirements are:
- Supported OS: Windows 10 or above.
- Webview2 version (Minimum): 106.0.1370.52.
Note
To disable the feature, set the Windows Registry feature flag under the HKCU\software\Netskope key: value name webview2, type DWORD, data 0.
To check the version of the WebView2 installed in your machine, you can use one of the following methods:
Method 1
- Go to Start > Add or Remove Programs.
- Search for WebView2.
Method 2
- Go to Start > Settings > Apps > Apps & Features.
- Search for WebView2. You can find the version of the installed WebView2.
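Both methods above read the same place the Add or Remove Programs list is built from, the Uninstall registry keys. The following PowerShell script is an added example (not part of Netskope's documentation or tooling) that does the same check without the GUI: it finds the newest installed WebView2 entry, compares its version with the 106.0.1370.52 minimum listed above, and, if the runtime is missing or too old, writes the documented HKCU\software\Netskope webview2 DWORD 0 flag so the client does not attempt WebView2-based enrollment on that machine. That the WebView2 Runtime registers itself in the Uninstall keys with "WebView2" in its DisplayName is an assumption mirroring the page's "Search for WebView2" step; that deleting the value restores the default behaviour is also an assumption.

```powershell
# Added example: programmatic WebView2 version check for Netskope IdP enrollment.
# Assumptions: the WebView2 Runtime appears in the Uninstall registry keys with
# "WebView2" in DisplayName; the minimum version is the one on this page.
$MinimumWebView2 = [version]'106.0.1370.52'

function Get-WebView2Version {
    # Same source as Start > Add or Remove Programs, per-machine and per-user.
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $entries = foreach ($root in $uninstallRoots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -ErrorAction SilentlyContinue |
                ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
                Where-Object { $_.DisplayName -like '*WebView2*' -and $_.DisplayVersion }
        }
    }
    if (-not $entries) { return $null }
    # Several entries can coexist (Evergreen per-user and per-machine); take the newest.
    return ($entries | ForEach-Object { [version]$_.DisplayVersion } |
            Sort-Object -Descending | Select-Object -First 1)
}

function Disable-NetskopeWebView2Enrollment {
    # Feature flag documented on this page: HKCU\software\Netskope, webview2 = DWORD 0.
    $key = 'HKCU:\Software\Netskope'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'webview2' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Enable-NetskopeWebView2Enrollment {
    # Assumption: removing the flag restores the default (WebView2 enrollment on).
    $key = 'HKCU:\Software\Netskope'
    if (Test-Path $key) {
        Remove-ItemProperty -Path $key -Name 'webview2' -ErrorAction SilentlyContinue
    }
}

$installed = Get-WebView2Version
if ($null -eq $installed) {
    Write-Warning 'WebView2 Runtime not found; disabling WebView2-based IdP enrollment.'
    Disable-NetskopeWebView2Enrollment
}
elseif ($installed -lt $MinimumWebView2) {
    Write-Warning "WebView2 $installed is below the required $MinimumWebView2; disabling the feature."
    Disable-NetskopeWebView2Enrollment
}
else {
    Write-Host "WebView2 $installed meets the $MinimumWebView2 minimum; WebView2 enrollment can stay enabled."
    Enable-NetskopeWebView2Enrollment
}
```

Because the flag lives under HKCU, it applies to the user whose hive the script runs in; for a multi-user device, run it in each user's context rather than once as SYSTEM.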
Enrollment on Devices without AppLink Support
If you have a ChromeOS device that does not support the Android AppLink feature, then you must manually select the Client app for the enrollment process.
After the Client (Netskope Client app) is successfully installed and the IdP authentication is successful, the user must manually open the Client app to receive the Netskope tenant authentication token and continue with the enrollment process. In the disambiguation popup (see the following screenshot), click the Open button and also ensure that you select the Remember my choice option.