Netskope Help

Device Classification for iOS

You can classify iOS devices based on these criteria:

  • Minimum OS version

  • Passcode required

  • Device not compromised

After selecting iOS on the New Device Classification dropdown list, follow these steps to classify your iOS device. Select options and enter the requested parameters.

  1. Rule Name: Enter a name for this classification rule.

  2. Classification Criteria: Checks for All or Any of the criteria selected.

  3. For Devices Installed with iOS Client (for NPA):

    • Minimum OS Version: Select an OS version from the dropdown list or create a custom OS version.

    • Require Passcode: No parameters required.

    • Device Not Compromised: No parameters required.

  4. Certificate: Allows Netskope to check for the presence of a Client certificate on the device. If you already uploaded your certificates for this device on the MDM Distribution page, the certificate name is shown here.


    The Certificate check does not apply to the iOS Client for NPA.

    To upload a new certificate, click Select File, and then upload your certificate file.


    The Netskope Client looks for certificates in the Login Keychain. If the certificates are stored in the System Keychain, export the certificates and import them to the Login Keychain.

    The certificate file must have a specific structure and be in PEM format. The Intermediate and Root certificates need to be combined into a single PEM file. The order of those two certs in that PEM file must be Intermediate first, and then Root below it.

  5. When finished, click Save.

After creating a device classification rule, you can use it in a Real-time Protection policy.

  1. To use this Device Classification in a Real-time Protection policy, click Policies > Real-time Protection in the Netskope UI. Select an existing policy or click New Policy and choose a policy type.

  2. For Source, select the Users for this policy, and then click Add Criteria to specify. If you created a Private Apps policy, for Access Method, select Client. Otherwise, you will need to click Add Criteria to add this Access Method.


    Private Apps for iOS requires that the Access Method be set to Client.

  3. Click Add Criteria, select OS, and then select iOS. Click Add Criteria again, select Device Classification, and then select your iOS Device Classification rule.

  4. Choose a Destination, like Private App, and then select a destination.

  5. Choose Profiles and Actions, like using the Allow Action for specified applications. Finish creating or updating this policy to establish this device classification in a policy.

  6. When finished, click Save and then Apply Changes.

After the policy has been created, perform the process for which the policy was created. Next go to SkopeIT > Application Events and click the magnifying icon for an event to open the Application Event Details panel. In the User section you'll see a Device Classification field, which shows one of these device classifications.