Netskope Help

Deploy Netskope Client with JAMF

JAMF (formerly known as Casper Suite) is an enterprise mobility management tool used for endpoint management of macOS devices. You can install the Client on users' devices using JAMF.

Deployment Prerequisites
  • Administrators must have a fair knowledge of JAMF/JSS/Casper Suite.

  • This procedure provides JAMF/JSS configuration instructions for clients installed on AD-controlled macOS devices.

  • Download the JAMF scripts from the Download page in the Netskope Support portal. The file contains the essential command-line executable scripts to install and configure the client.

  • User Configuration: Execute the downloaded script to get the configuration file. This script locates active (online) AD users and downloads user-specific configuration files from the Netskope cloud to the endpoint. Ensure that the AD devices are accessible before executing the script.

Configuration Profile for Auto Approval
Approve Kernel Extension for macOS Catalina or older
  1. Log in to JAMF with admin credentials.

  2. Go to Computers > Configuration Profiles > New > Approved Kernel Extensions.

  3. Select Allow users to approve kernel extensions.

  4. Fill Allow users to approve kernel extensions.

  5. Approved Team IDs and Kernel Extensions: Add Network Extension Team ID. Team Identifier:

    Team ID

    • Team ID: 24W52P9M7W

    • Display Name: Netskope Developer

    Kernel Extension

    • Display Name: Any Name

    • Kernel Extension Bundle ID: com.netskope.client.nsIPFilterNKE

  6. Optionally, if older clients are used in the same profile, you can combine kernel extensions.

    1. Go to Approved Kernel Extensions

    2. Select Allow users to approve kernel extensions and FIELD_ALLOW_NON_ADMIN_USER_APPROVALS.

    3. Create extension bundles by adding KERNEL EXTENSION BUNDLE ID.

Approve Network Extension for Big Sur
  1. In JAMF, go to Computers > Configuration Profiles > New > System Extension.

  2. Select Allow users to approve system extensions.

  3. Under Allowed Team IDs and System Extensions, select System Extension Types as Allowed System Extensions.

  4. Add Network Extension Team ID: 24W52P9M7W

  5. Add Allowed System Extension as:

    • com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

    • com.netskope.client.Netskope-Client.NetskopeClientMacDNSProxy

  6. Click the Edit button. Under the Options section, select VPN and configure the following:

Confirming Netskope Client Extension Approval

To confirm that the Netskope Client extension has been approved and the client is running, run the following command in a Terminal window on macOS 11:

systemextensionsctl list

The output should look like this:

% systemextensionsctl list  
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 24W52P9M7W com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1) NetskopeClientMacAppProxy [activated enabled]

Additionally, inspect the system preferences and Network UI to confirm that Netskope Client extension is active.
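A scripted version of this check, as an added example (not Netskope's or the page's own code): it parses `systemextensionsctl list` output and succeeds only when the named extension carries Team ID 24W52P9M7W and is in the `activated enabled` state. The function names are hypothetical, and the sample output, including the DNS Proxy row that is still waiting for user approval, is constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Netskope or Apple tooling.
EXPECTED_TEAM_ID="24W52P9M7W"                      # Team ID given on this page
NS_PREFIX="com.netskope.client.Netskope-Client"    # bundle ID prefix on this page

# Constructed sample (not captured from a device): the App Proxy is running,
# the DNS Proxy is activated but still waiting for approval.
SAMPLE_OUTPUT="2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 24W52P9M7W $NS_PREFIX.NetskopeClientMacAppProxy (85.2.0.269/1) NetskopeClientMacAppProxy [activated enabled]
    24W52P9M7W $NS_PREFIX.NetskopeClientMacDNSProxy (85.2.0.269/1) NetskopeClientMacDNSProxy [activated waiting for user]"

# sysext_status BUNDLE_ID: read `systemextensionsctl list` output on stdin and
# print "<teamID> <state>" for the row whose bundleID matches exactly.
sysext_status() {
    awk -v want="$1" '{
        for (i = 2; i <= NF; i++) {
            if ($i != want) continue
            s = index($0, "["); e = index($0, "]")
            state = (s > 0 && e > s) ? substr($0, s + 1, e - s - 1) : "unknown"
            print $(i - 1), state
            exit
        }
    }'
}

# sysext_ok BUNDLE_ID: succeed only if the row exists, carries the expected
# Team ID, and its state is exactly "activated enabled".
sysext_ok() {
    status=$(sysext_status "$1")
    [ -n "$status" ] || { echo "missing: $1"; return 1; }
    team=${status%% *}
    state=${status#* }
    [ "$team" = "$EXPECTED_TEAM_ID" ] || { echo "unexpected Team ID $team: $1"; return 1; }
    [ "$state" = "activated enabled" ] || { echo "not running [$state]: $1"; return 1; }
    echo "ok: $1"
}

# Demo on the sample; on a Mac, pipe `systemextensionsctl list` in instead.
for ext in NetskopeClientMacAppProxy NetskopeClientMacDNSProxy; do
    printf '%s\n' "$SAMPLE_OUTPUT" | sysext_ok "$NS_PREFIX.$ext" || true
done
```

Because the match is on the exact bundle ID and the Team ID together, a row that reuses the Netskope bundle ID under a different Team ID fails the check.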

Approve VPN Popup for App Proxy (applies to Big Sur devices)
  1. Go to Computers > Configuration Profiles > New > General

  2. Go to VPN > Configure and configure the VPN with the following:

    • Connection Name: Any Name

    • VPN Type: Select Per-App VPN

    • Per-App VPN Connection Type: Select Custom SSL

    • Identifier: Enter com.netskope.client.Netskope-Client

    • Server: Enter Netskope Gateway.

    • Provider Bundle Identifier: Enter com.netskope.client.Netskope-Client

    • Provider Type: Select App-Proxy

    • Select Include All Networks.

    • For Specify Provider Designated Requirement: enter the following:

      anchor apple generic and identifier "com.netskope.client.Netskope-Client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")

    • Select Prohibit users from disabling on-demand VPN settings

Restrict AppProxy Removal (for Big Sur devices)

The following configuration steps restrict users from making any changes to network option accessibility.

  1. In JAMF, go to Computers > Configuration Profiles > New > Restrictions.

  2. Configure Restrictions.

  3. Select Restrict items from System Preferences.

  4. Select items (Network in this case)

  5. Add the scope (machine) and push the profile.

Installing the Client

Client installation is done using JAMF policies. The following section describes in detail how to create JAMF policies.

Note

Download the latest JAMF scripts from Netskope Support website.

Create a New JAMF Policy
  1. In the JSS Dashboard, go to Computer > Policies and click + New.

  2. On the General page, enter a Display Name, for example: Netskope Client Policy.

  3. For Trigger, select Login. Scripts can also be run using other options, like Logout and Network State Change.

  4. For Execution Frequency, select Once per computer.

  5. Select Packages and on the Packages page, click Configure.

  6. Add the Client installer package, and for Action, select Install.

  7. Select Scripts and on the Scripts page, add the jamfnsclientconfig_<version-number>.sh script.

    • For Priority, select Before. The script must be executed before the installation process, so Priority must be Before.

    • Netskope supports six modes of deployment. Update the script options for parameters 4 to 8 as follows for each mode:

      Deployment Modes

      Configuration Parameters

      Standard Mode (email-based)

      • Parameter 4: Your tenant name.

        If your tenant URL is https://corp.goskope.com, then enter corp.

      • Parameter 5: Your AD name.

      • Parameter 6: Your REST API token.

        Note

        In your tenant (Netskope admin console), go to Settings > Tools > REST API > Show to get this token. If you are generating your token for the first time, click the Generate New Token button.

      UPN Mode

      • Parameter 4: Your addon URL.

        If your tenant URL is https://corp.goskope.com, then the addon URL is addon-corp.goskope.com.

      • Parameter 5: Your Organization ID.

        Note

        In your tenant (Netskope admin console), go to Settings > Security Cloud Platform > click MDM Distribution in the left column under Netskope Client. The Organization ID is in the Create VPN Configuration section. The Organization ID is case-sensitive.

      • Parameter 6: Enter the keyword upn (in lowercase).

        Note

        When using UPN mode for non AD joined devices, download the latest JAMF script and execute it as follows (ensure that the UPN is already added to the preferences file):

        jamfnsclientconfig.sh <dummy param 1> <dummy param 2> <currentUsername> 
        <Adonman url> <Org Key> <upn> [preference_file_name]

      Multi-user Mode (enabling for each provisioned user on the tenant)

      • Parameter 4: Your addon URL.

        If your tenant URL is https://corp.goskope.com, then enter addon-corp.goskope.com.

      • Parameter 5: Your Organization ID

      • Parameter 6: Enter the keyword peruserconfig.

      IDP Single-User mode

      • Parameter 4: Enter IDP to specify the client deployment mode is IDP.

      • Parameter 5: Domain name. For example, if your tenant URL is https://corp.goskope.com, then enter goskope.com.

      • Parameter 6: Tenant name. For example, if your tenant URL is https://corp.goskope.com, enter corp.

      • Parameter 7: Email Address request option. Enter 0 if you do not want to request the user's email address. Enter 1 to request the user's email address.

      IDP Multi-User mode

      • Parameter 4: Enter IDP to specify that the client deployment is in IDP mode.

      • Parameter 5: Domain name. For example, if your tenant URL is https://corp.goskope.com, then enter goskope.com.

      • Parameter 6: Tenant name. For example, if your tenant URL is https://corp.goskope.com, enter corp.

      • Parameter 7: Email Address request option. Enter 0 if you do not want to request the user's email address. Enter 1 to request the user's email address.

      • Parameter 8: Enter peruserconfig to specify multi-user IDP deployment mode.

      For macOS devices (single-user installations) that are not AD joined.

      • Parameter 4: Your tenant URL. If your tenant URL is corp.goskope.com, enter corp.goskope.com.

      • Parameter 5: Your REST API token.

        Note

        In your tenant (Netskope admin console), go to Settings > Tools > REST API > Show to get this token. If you are generating your token for the first time, click the Generate New Token button.

      • Parameter 6: Preferences file (plist) name. Enter the complete filename, including the .plist extension. Example: netskope.plist. Do not add HTTP: to the URL in the plist file.

        Note

        The name must match the one defined in JAMF > Computers > Configuration Profiles > Custom Settings > Preference Domain. The Preference Domain does not include the .plist extension, but JAMF script parameter 6 must include the .plist extension.

      • Parameter 7 : Enter the keyword preference_email.

  8. Click the + button to add another script.

  9. When finished, click Save.

Push Netskope Root and Tenant Certificates

Provide additional trust to end users by pushing certificates during client installation. Before you can push the root and tenant certificates, ensure that you do the following:

Note

This procedure is applicable for Apple devices running Big Sur.

  1. Download the root and tenant certificates from the Netskope MDM Distribution page.

    1. Log in to the Netskope tenant admin console with admin credentials.

    2. Go to Settings > Security Cloud Platform > MDM Distribution. The certificate download options are displayed in the Certificate Setup section.

  2. Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.

Push Certificate via JAMF
  1. Log in to the JAMF admin console. Go to Computer > Configuration Profile > New.

  2. Under Options, give a name to this profile.

  3. Select Certificate > Configure.

  4. Enter a name for the certificates.

  5. Select Upload to upload the converted root and tenant certificates.

  6. In the Scope tab, select the target computers.

  7. Click the Save button.

Verify Client Installation

Check the installation logs on the user's machine in the /var/log/install.log file. If the user configuration download script fails and the Netskope client installer is executed, the installer exits and displays the "Configuration file missing, aborting installation!" error message.

Check Netskope Client Installation Status
  1. To verify the status of each device, go to Computer > Policies and click on the policy you created.

  2. Click the Logs button at the bottom to view the log files for each device and then click the Show button.