Updated on April 18, 2024

Device Classification

Device Classification

Device Classification allows you to define rules that function like posture checks on the device and allows you to create and apply policies based on these rules. The application of the rules varies with the operating system and the devices are classified as one of the following after validation:

  • Managed

  • Unmanaged

Device enforcement enables you to restrict access to cloud apps from corporate devices. A corporate device can be identified by monitoring these factors based the OS used on the device:

  • Windows: Encryption Status, Registry Settings, Process, File, Active Directory Domain, and Certificates
  • Mac: Encryption Status, Process, File, Active Directory Domain, and Certificates
  • iOS: Certificate (with MDM)
  • Android: OS Version, Required Passcode, Device Not Compromised, Primary Storage Encryption, and Managed Configuration (with MDM)
  • Chrome: Device Not Compromised, Primary Storage Encryption.
  • Linux: Encryption, Process, File, and Active Directory Domain.

Devices that match/pass these classification checks are considered managed. You can create policies to block, alert, or bypass managed or unmanaged devices using these classifications. Devices that adhere to these checks are considered corporate devices with privileged access.

Note

In multi-user environments, most Device Classification checks are device (host) wide.  Certificate-based checks are per user or guest.

To open the Device Classification page, go to Settings > Manage > Device Classification.

DeviceClassificationPage.png

This page shows the name, OS, and last modification date of existing device classifications. To begin, click New Device Classification and select an OS type.

Linux_DC.png

Proceed to the section below for the OS type you selected.

Custom Device Classification

The custom device classification is an enhancement to the existing device classification where you can check for:

  • Timely validation of the configured policies in your devices.

  • Compliance of the devices and take appropriate actions to limit data exfiltration.

In the custom device classification, you can create labels and use them while creating real-time protection policies. A label can contain multiple rules and a device can have only one label at any point in time.  Prior to release version 110.0.0, the device classification displayed only two labels such as Managed and Unmanaged that is used in the policy creation. From version 110.0.0, you can create custom device classification labels or profiles that can add to the real-time protection policies.

  • This feature is currently in Controlled General Availability(GA). Contact your Netskope Support or Sales Representative to enable this feature for your tenant.
  • Netskope Private Access(NPA) is currently in Beta for Custom Device Classification.

Label Specifications

  • For users with existing device classification rules, they are automatically migrated to a predefined label Group of Migrated Rules while shifting to the new device classification.

  • The Netskope Client Configuration pop-up now displays the new device classification label instead of displaying the “Managed” or “Unmanaged” label. You can click the Netskope Client icon from the system tray to select Client Configuration option.

  • You can create up to 50 labels on the device classification UI (not including “Not configured”). The webUI shows warning messages when your tenant reach the device classification limit.

  • Not configured is a unique and reserved label for the users to apply real-time protection policies on those OSs that do not have any rules attached. It contains the lowest priority.

  • You can always prioritize labels and define how you want them to appear on the device classification webUI.

  • The labels also goes with the real-time protection policies that you can setup for device classification. You can choose labels from Custom Device Classification while creating real-time protection policies.

After you configure the labels and rules for your device, the Client downloads the device classification rule and evaluates them. The device is only classified with a high priority label only when it matches any one rule of that label. The Client Configuration screen now displays that classified label or else, it displays Unmanaged.

Create Label

To create a label:

  1. Go to Settings > Manage > Device Classification.

  2. Click New Device Classification.

  3. In Device Classification, enter the following:

    • Device Classification Name: Enter a desired name that is not a duplicate of the existing device classification rule or custom device classification label. Maximum characters allowed: 80.

    • Description: Enter a description for this new label.

    • Position: This option lets you set positions for the labels on the Device Classification webUI. Choose one of the following options:

      • To the top: Choose this option if you want to place the label as the first priority on the Device Classification webUI.

      • To the bottom: Choose this option if you want to place the label as the last priority on the webUI.

      • Before classification: Choose this option if you want to add a new label before an existing label on the webUI.

      • After classification: Choose this option if you want to add a new label after an existing label on the webUI.

  4. Click Save.

    Once you create labels, you can create rules according to your operating system and assign labels. Refer to the following articles for each operating system:

    Manage Labels

    The Device Classification also provides you the flexibility to manage labels using the following functionalities.

    Click the ellipsis(…) available on the right-hand side of the Device Classification webUI.

    • Edit: Use this option to change or modify the existing label details. You can change or modify the Name, Description, and Position of the labels.

    • Move: Use this option to change the label position on the webUI.

    • Delete: Use this option to remove the label from the Device Classification webUI. All rules are deleted after you delete a label. You can edit the rule to assign a different classification if you want to reserve the rule.

      You cannot delete a device classification and its rules if you have assigned this device classification to any real-time protection policy.

Steering Exceptions for Device Classification

Currently, steering configurations considers only managed and unmanaged and send this config to the Netskope Client. With the custom device classification feature, you get the option to bypass the configured apps or domains directly to the destination using device classification labels. Use Certificate Pinned Application exception to bypass traffic in the steering configuration.  In the Exceptions window, the Managed Devices option under Advanced Options  is replaced by Devices matching specific Device Classification checkbox.

Articles

Share this Doc

Device Classification

Or copy link

In this topic ...