Device Classification for Mac

You can classify Mac devices based on these criteria:

  • Criteria match: Checks for All or Any of the criteria selected.
  • Encryption check: Checks for FileVault drive encryption and/or PGP drive encryption.
  • OPSWAT check: Checks for basic compliance or full compliance.
  • Process check: Checks for specified processes, like Chrome.exe.
  • File check: Checks for specified files, like file.txt. You must include the path and filename, for example, C:\Users\Public\file.txt.
  • AD Domain check: Checks for AD domains, like company.localGroup.
  • AV check (Beta): Checks the running status of the selected anti-virus product.
  • OS check (Beta): Checks the OS version compliance.
  • Certificate check: Checks for the specified certificate on the device.

    You can use your own certificates or the certificates downloaded from the Netskope UI (refer to Trusted Certificates).

    The certificate file must have a specific structure and be in PEM format. The Intermediate and Root certificates need to be combined into a single PEM file. The order of those two certs in that PEM file must be Intermediate first, and then Root below it.
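A pre-upload check for the Intermediate-then-Root ordering described above, added here as an example and not Netskope code. It compares issuer and subject names only (it does not verify signatures), and the function names are hypothetical.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def names(der):
    """Return (issuer, subject) as raw DER Name bytes from one certificate."""
    _, cert, _ = read_tlv(der, 0)           # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, val, pos = read_tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                # optional [0] version field
        fields = fields[1:]
    # Remaining order: serial, signature alg, issuer, validity, subject
    return fields[2][1], fields[4][1]

def check_bundle(pem_text):
    """Return a list of problems; an empty list means Intermediate, then Root."""
    ders = [base64.b64decode(b) for b in PEM_RE.findall(pem_text)]
    if len(ders) != 2:
        return [f"expected 2 certificates, found {len(ders)}"]
    (i_iss, i_sub), (r_iss, r_sub) = names(ders[0]), names(ders[1])
    problems = []
    if i_iss == i_sub:
        problems.append("first certificate is self-issued (looks like a Root)")
    if r_iss != r_sub:
        problems.append("second certificate is not self-issued (not a Root)")
    if i_iss != r_sub:
        problems.append("first certificate was not issued by the second")
    return problems

if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1]) as fh:           # path to the combined PEM file
        found = check_bundle(fh.read())
    print("\n".join(found) or "order OK: Intermediate first, Root second")
    sys.exit(1 if found else 0)
```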

Go to Settings > Manage > Device Classification and select Mac from the New Device Classification dropdown list, and then follow these steps to classify your Mac device. Select options and enter the requested parameters.

  1. Rule Name: Enter a name for this classification rule.

  2. Device Classification: This option is visible on the webUI only if you have enabled Custom Device Classification for your tenant. This is currently a beta feature. From the options displayed in the dropdown menu, choose the label you want to assign to this rule. You cannot assign more than one label to a rule.

  3. Classification Criteria: Select an All or Any criteria match.

  4. Encryption: To classify a device as encrypted, choose one or both of these options:

    • FileVault

    • PGP

  5. OPSWAT: Netskope can leverage OPSWAT capabilities to identify the applications installed on the endpoint device and monitor them. You need to install OPSWAT to use its capabilities. To use an OPSWAT check, select one of the following from the Check Type dropdown menu and enter the MetaAccess license key:

    • Full Compliance check: Netskope Client checks whether the MetaAccess agent is running to ensure that the registry contains the latest compliance information. It also checks whether the MetaAccess license configured on the WebUI matches the product license.

    • Basic Compliance check: Checks if the compliance policy check has a critical error. In case of an error, the basic compliance check fails.

  6. Process: To classify a managed device based on the presence of any one or more processes, enter the executable file name.

  7. File: To classify a device based on the presence of any one or more files, enter the path and file name.

  8. AD Domain: To classify a device associated with any one or more domains, enter the domain name.

  9. Certificate: Looks for certificates on the device. This section also displays the existing certificates. To upload a new certificate, click Select File, and then upload your certificate. If you have multiple certificates to upload, you need to create a separate device classification rule for each certificate. For example, to upload certificate a and certificate b, create separate device classification rules: dc_cert_rule_a with certificate a and dc_cert_rule_b with certificate b. The new certificate added in each rule does not replace the previously added certificates in other rules. However, if you choose to replace an existing certificate, the new certificate replaces the previous one within the same rule.

  10. AV: To check the existence and status of an anti-virus product. The admin can select one or multiple AVs from the following predefined AV list:

    • CrowdStrike

    • SentinelOne

      Currently, detection of SentinelOne is not supported on macOS.

    • Carbon Black

    • Microsoft Defender

    • Custom

    This feature is currently in Beta for Windows and macOS devices. Contact Netskope Support or your Sales Representative to enable this feature for your tenant. This feature will be available for other operating systems in future releases.

    Custom: The admin must manually enter the AV product name in the Custom AV Product Name field.

    After you select the AV name, Client enumerates the list of system extensions installed on the machine and matches the corresponding AVs in the enabled state.

  11. OS: To check and classify device compliance for the detected OS version that matches or is above the version information configured by the administrator. The OS check rule for macOS consists of Minimum OS Version.

    This feature is currently in Beta for Windows and macOS. Contact Netskope Support or your Sales Representative to enable this feature for your tenant. This feature will be available for Linux in future releases.

    The admin can select one of the following predefined OS versions:

    • BigSur

    • Monterey

    • Ventura

    • Sonoma

    • Custom

    Custom: If you select Custom, provide the minimum OS version number in the following format: x.x.x.

    After you add the version details, Netskope Client fetches the active macOS version number and matches it with the configured rule.

  12. When finished, click Save.

After creating a device classification rule, you can use it in a Real-time Protection policy.

  1. To use this Device Classification in a Real-time Protection policy, click Policies > Real-time Protection in the Netskope UI. Select an existing policy or click New Policy and choose a policy type.

  2. Proceed through the Users, Cloud Apps + Web, DLP/Threat Protection, and Select Activities sections.

  3. For Additional Attributes, click Access Method and select either Client, Mobile Profile, or Reverse Proxy, and then click Save. Click Device Classification, and then select a label from Custom Device Management and Managed or Unmanaged from Device Classification, based on the devices you just classified.

    • Managed means the device is managed; the device posture information sent by the Client matches at least one of the device classification checks configured for that Client’s OS.

    • Unmanaged means the device is unmanaged; the device posture information sent by the Client matches none of the device classification checks configured for that Client’s OS.

  4. When finished, click Save and then Next.

  5. Combine device classification with other policy elements, like using the Block Action for specified applications for activities like uploading files from managed or unmanaged devices. Finish creating or updating this policy to establish this device classification. Click Apply Changes for this policy.

  6. After the policy has been created, perform the process for which the policy was created. Next, go to Skope IT > Application Events and click the magnifying glass icon for an event to open the Application Event Details panel. In the User section you'll see a Device Classification field, which shows one of these device classifications.
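A model of the matching semantics described on this page (rule-level All or Any, a minimum OS version compared numerically, and Managed when at least one rule matches), added here as an illustration and not Netskope Client code. The rule names, posture fields, the corp-agent process, the marker file path and the zero-padding of short versions such as 14.1 are assumptions.

```python
from dataclasses import dataclass

def parse_version(text):
    """Parse 'x.x.x' (or a shorter form such as '14.1') into three ints."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"not an x.x.x version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))   # assumption: pad with zeros

def os_check(detected, minimum):
    """True when the detected version matches or is above the minimum."""
    # Tuples compare numerically; plain strings would rank 10.9.5 above 10.15.7.
    return parse_version(detected) >= parse_version(minimum)

@dataclass
class Rule:
    name: str
    match: str      # "All" or "Any" (the Classification Criteria setting)
    checks: dict    # check name -> callable(posture) -> bool

    def matches(self, posture):
        results = [fn(posture) for fn in self.checks.values()]
        return all(results) if self.match == "All" else any(results)

def classify(posture, rules):
    """Managed if at least one rule matches, otherwise Unmanaged."""
    hits = [r.name for r in rules if r.matches(posture)]
    return ("Managed" if hits else "Unmanaged"), hits

# Constructed sample rules (hypothetical names and values).
RULES = [
    Rule("corp-mac-strict", "All", {
        "encryption": lambda p: p["filevault"],
        "os": lambda p: os_check(p["os_version"], "13.0.0"),
    }),
    Rule("corp-mac-agent", "Any", {
        "process": lambda p: "corp-agent" in p["processes"],
        "file": lambda p: "/Library/Corp/marker.txt" in p["files"],
    }),
]

if __name__ == "__main__":
    # Constructed posture: encrypted but below the minimum OS, agent running.
    sample = {"filevault": True, "os_version": "10.15.7",
              "processes": ["corp-agent"], "files": []}
    print(classify(sample, RULES))
```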
