Netskope Help

Deploy Netskope Client with Microsoft Endpoint Manager

This article provides instructions to deploy Netskope Client on Windows and Apple devices using the Microsoft Endpoint Manager (previously known as Intune).

Note

Requires Admin level access to Microsoft Endpoint Manager.

Supported Devices

  • Windows devices either joined to Active Directory or Azure AD.

  • Apple devices running macOS 11.x (Big Sur), enrolled in Microsoft's Endpoint Manager.

Deploying on Windows Devices

The following steps are for deploying Netskope Client on WIndows devices.

Prerequisites
  • On-board or add users into Netskope using Directory Importer or SCIM integration.

Deployment Procedure
  1. Ensure the device is enrolled in Microsoft Endpoint Manager

  2. Log in to the Azure Portal

  3. Access the Management Page

  4. Under Manage, select Client Apps

    Intune-01.png
  5. Under Manage, select Apps

  6. Select Add

  7. For App Type, select “Line-of-business app”

  8. Upload the NSClient.msi to App Package File and select OK

  9. Under App Information

    1. Provide a description

    2. Publisher Name

    3. Set Ignore App Version to Yes if you intend to allow the Netskope client to auto-update

    4. Select the appropriate category

    5. Select No under Display this as a featured app in the Company Portal

    6. Information and Privacy URL are optional values

    7. Under Command-Line Arguments: token=<organization id> host=addon-<tenant-name>.goskope.com mode=peruserconfig (Use peruserconfig only for multi-user environments) autoupdate=on (only applicable if you want the client to auto-update) /qn

      Intune-02.png
    8. Select OK

    9. Select the appropriate Scope Tag

    10. Select Add.

  10. Wait for the app to upload and finalize

    1. Select the Netskope Client from the app list

    2. Select Assignments > Add Group

    3. For Assignment Type, select Required

    4. Select the appropriate groups that should be included or excluded

    5. Select Save

  11. You can monitor the installation process from the Endpoint Manager. Go to Client Apps > Install Status > Search for “Netskope” > Device Install Status

    Intune-03.png
Deploying on Apple Devices (Big Sur)

The following steps are for deploying Netskope Client on Apple devices running macOS 11.x (Big Sur)

Prerequisites
  • Devices running macOS 11.x (Big Sur).

  • Enroll devices in the Microsoft's Endpoint Manager

  • Convert Netskope Client 84.x package to an .intunemac file. For detailed information and procedure, visit Microsoft Docs portal.

  • Download Netskope Root and Intermediate certificates and convert them to the .cer extension.

  • Configure and verify SAML forward proxy authentication.

Deployment Procedure
  1. Sign in to Microsft Endpoint Manager Admin Center.

  2. Go to Devices > macOS devices. Ensure that the devices to which you will Netskope Client are listed.

    01-MEpM-macOSdevices.png
  3. Create two configuration profiles to deploy the Netskope certificates.

    1. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates and Template name as Trusted Certificate.

      02-MEpM-configprofiles.png
    2. Click Create. The page will refresh with settings. Enter a name for the trusted profile and click Next.

    3. Click the folder icon to select the downloaded and converted Netskope certificate (.cer file) and click Next to continue.

    4. Review the configuration and click Create.

      02a-MEpM-verifyConfig.png
  4. Create a script that will create a JSON config file to auto populate the IdP entries for enrollment. Download the Intune script from Netskope Support portal.

    1. Go to Devices > macOS > Shell Scripts and click Add.

      04-JSON-01.png
    2. Enter a Name and click Next.

    3. Select the script from your local storage in your computer. Make the following changes:

      04-JSON-02.png
      • Run script as signed in users - NO

      • Hide script notifications on devices - Yes

      • Script frequency - Every 30 minutes

      • Max number of times to retry if script fails - 3 times.

      Note

      Scripts must be verified to complete the process.

    4. Assign the script to groups, users, and/or devices. Click Next to continue.

      04-JSON-03.png
    5. Click Add to the add the script and push to all Apple devices (Big Sur)

  5. Create a line-of-business applications to be deployed on the Apple devices (Big Sur).

    1. Go to Apps > macOS and click Add. Select Line-of-business app from the App type drop-down menu. Click Select.

      05.png

      Select the app package file by browsing to it and click OK.

    2. Enter a publisher name and click Next.

      06-addApp.png
    3. Assign the application to devices or users. Click Next to continue.

      07-Assign.png
    4. Create the application by clicking Create.

    5. After the Netskope Client has installed, users will be prompted to allow the Netskope Client to add Proxy Configurations. The users must click Allow.

      08-confirmProxy.png
    6. Now login to your IdP to start the enrollment process.

UnInstalling Clients

To set up un-installion script for Netskope client in Windows devices follow the procedure as described in this section:

Note

This procedure is applicable only for devices that are AD joined. Also, during subsequent installation, un-assign this app to avoid un-installation of the newly installed Clients

  1. Login to your Intune admin console and select Device Configuration.

  2. In the Device Configuration page, click Scripts option in the left hand side.

  3. To start adding uninstallation script, click the Add button and select Windows 10.

    uninstall-01.png
  4. In the Add Powershell Script page, enter a Name for the script configuration and click Next to continue.

    uninstall-02.png
  5. In the script settings page, select the powershell script from your computer. Enter the following command in the powershell script.

    $product_identifier= Get-WmiObject -Class Win32_Product | where Name -eq "Netskope Client" | select -expandproperty IdentifyingNumber
    msiexec /uninstall $product_identifier  /qn /l*v <path-to>\nscuninstall.log

    Set the following options for the script

    • Run this script using the logged on credentials - YES

    • Enforce script signature check - NO

    • Run script in 64 bit PowerShell Host - YES

    uninstall-03.png

    Click Next to continue.

  6. In the Assignment step, assign the user groups for this script. Netskope Client in all devices of the assigned user group will be uninstalled.

  7. In the last step, review your selections and click Add to complete the procedure.

    uninstall-05.png