Deprovisioning Users
Deprovisioning Users
This document describes the Netskope Client behavior whenever a user is removed from an organization.
There can be various scenarios due to which an IT administrator must remove employee details from their organization. For example, an employee leaving the organization and so on. Administrators deprovision these employees and uninstall Netskope Client from their devices. The administrator must choose the method to deprovision users depending on the way in which the users are provisioned into Netskope. The following are the supported methods to import users into the Netskope tenant.
Netskope Client Behavior
Consider the following example to understand the Netskope Client behavior following a user deprovisioning:
Sam is a senior consultant at Acme.corp and has decided to resign from his current position to join another company. Acme.corp uses services from Netskope and has installed Netskope Client for traffic steering. Employees at Acme.inc are provisioned into Netskope using SCIM Okta. On the last working day at Acme.corp, the administrator asks Sam to submit his laptop and other official devices that were under his possession. Once Sam submits his laptop and other devices, the IT administrator removes Sam’s details from Okta and this should trigger automatic SCIM deprovisioning of the user from Netkope tenant. Now, once the user is deprovisioned from the Netskope tenant webUI, the Netskope Client installed in his devices are uninstalled automatically if the administrator has configured the option: Uninstall clients automatically when users are removed from Netskope in Client Configuration. If Uninstall Clients automatically when users are removed from Netskope is not enabled in Client Configuration, then the Netskope Client icon displays Disabled for all Netskope services like Internet Security, Private App Access, and Endpoint DLP.
Consider another example, where Sam installed Netskope Client in his personal phone and enrolled using his personal email address (considering personal email ID was added under Security Cloud Platform > Netskope Client > Users in the Netskope webUI). In this scenario, Sam can access Netskope Client if the administrator does not remove his personal User ID from the Netskope tenant webUI and all traffic from his phone is steered through Netskope Cloud according to the steering configurations. On the other hand, if Sam had enrolled Netskope Client using the official email address, he will no longer have access to Netskope Client as soon as the administrator removes his email address from Okta and which should automatically deprovision the user from the Netskope tenant webUI using SCIM sync.