Updated on March 4, 2024

JAMF

JAMF

JAMF is an enterprise mobility management tool that is used for the endpoint management of macOS devices. You can install the Client on users’ device using JAMF ( formerly known as Casper Suite ).

Deployment Prerequisites

  • Administrators must possess fair knowledge of JAMF/JSS/Casper suite.
  • Download the JAMF scripts from the Download page in Netskope Support portal. The file contains the essential command-line executable scripts to install and configure the client. The script file is available from the Netskope support portal. 
  • User Configuration: Execute the downloaded script to get the configuration file. This script locates active (online) AD users and downloads user specific configuration files from the Netskope cloud to the end point. Ensure that the AD devices are accessible before executing the script.

Configuration Profile for Auto Approval

Approve Network Extension for Big Sur and Latest

  1. In JAMF, go to Computers > Configuration Profiles > New > System Extension.
  2. Select Allow users to approve system extensions.
  3. Under Allowed Team IDs and System Extensions, select System Extension Types as Allowed System Extensions.
  4. Add Network Extension Team ID: 24W52P9M7W
  5. Click the Add button to add the following System Extension: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

Confirming Netskope Client Extension Approval

To confirm that the Netskope Client extension has been approved and the client is running, run the following command in your macOS11 terminal window:

systemextensionsctl list

The output should look like this:

% systemextensionsctl list  
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 24W52P9M7W com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1) 
NetskopeClientMacAppProxy [activated enabled]

Additionally, inspect the system preferences and Network UI to confirm that Netskope Client extension is active.

Approve Full Disk Access Permission For Sonoma or Later

  1. In JAMF, go to Computers > Configuration Profiles > New > Privacy Preferences Policy Control.

  2. Click Configure to define access settings for applications.

  3. Under App Access, enter the following:

    • Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

    • Select Bundle ID for Identifier Type.

    • Code Requirement:

      anchor apple generic and identifier "com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")

  4. Click +Add to allow or deny access to a service or app.

  5. Select SystemPolicyAllFiles under App or Service and Allow under Access.

  6. Click Save to save the permission.

  7. Save the configuration profile.

For Endpoint DLP, you can add the following Identifier and Code Requirement:
– Identifier: com.netskope.epdlp.client
– Code Requirement: anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
To learn more: Enabling Endpoint DLP on the Netskope Client for macOS.

Approve VPN Popup for App Proxy

The following procedure is applicable for macOS devices running Big Sur 11.0 or later:

  1. Go to Computers > Configuration Profiles > New > General
  2. Go to VPN > Configure and configure the VPN with following
    • Connection Name: Any Name
    • VPN Type : Select Per-App VPN
    • Per-App VPN Connection Type: Select Custom SSL
    • Identifier: Enter com.netskope.client.Netskope-Client
    • Server: Enter the Netskope Gateway URL for the tenant: gateway-<tenant_hostname>.goskope.com
    • Provider Bundle Identifier: Enter com.netskope.client.Netskope-Client
    • Provider Type: Select App-Proxy
    • Select Include All Networks.
    • For Specify Provider Designated Requirement: enter the following:

      anchor apple generic and identifier”com.netskope.client.Netskope-Client” and (certificateleaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificateleaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificateleaf[subject.OU] = “24W52P9M7W”)

    • Select Prohibit users from disabling on-demand VPN settings

Restrict AppProxy Removal

The following configuration steps (applicable for macOS devices running Big Sur 11.0 or later) restrict users from making any changes to network option accessibility.

  1. In JAMF, go to Computer’s > Configuration Profile > New > Restrictions.
  2. Configure Restrictions.
  3. Select Restrict items from System Preferences.
  4. Select items (Network in this case)
  5. Add the scope (machine) and push the profile.

Installing the Client

Client installation is done using JAMF policies. The following section describes in detail on creating JAMF policies.

Note

Download the latest JAMF scripts from Netskope Support website.

Create a New JAMF Policy

  1. In the JSS Dashboard, go to Computer > Policies and click + New.
  2. On the General page, enter a Display Name, for example: Netskope Client Policy.
  3. For Trigger, select Login. Scripts can also be run using other options, like Logout and Network State Change.
  4. For Execution Frequency, select Once per computer.
  5. Select Packages and on the Packages page, click Configure.
  6. Add the Client installer package, and for Action, select Install.
  7. Select Scripts and on the Scripts page, add the JAMFScript_v19_Jan2023.sh script.
    • For Priority, select Before. The script must be executed before the installation process, so Priority must be Before.
    • Netskope supports six modes of deployment. Before you proceed, ensure that you have the following parameters handy:
      • REST API token: In your tenant (Netskope admin console), go to Settings > Tools > REST API > Show to get the token. If you are generating your token for the first time, click the Generate New Token button.
      • Organization ID: In your tenant (Netskope admin console), go to Settings > Security Cloud Platform > click MDM Distribution in the left column under Netskope Client. The Organization ID is in the Create VPN Configuration section. The Organization ID is case-sensitive.
    • Update the script options for parameters 4 to 8 for each mode. Refer to the table below the instructions to understand the modes and parameters added in the script.
  8. Click the + button to add another script.
  9. When finished, click Save.
Deployment ModeConfiguration Parameters

Standard Mode (email-based)

  • Parameter 4: Your tenant name.

    If your tenant URL is https://corp.goskope.com, then enter corp.

  • Parameter 5: Your AD name.

  • Parameter 6: For rel 90.2 and later - Your Organization ID.

Multi-user Mode (enabling for each provisioned user on the tenant)

  • Parameter 4: Your addon URL.

    If your tenant URL is https://corp.goskope.com, then enter addon-corp.goskope.com.

  • Parameter 5: Your Organization ID

  • Parameter 6: Enter the keyword peruserconfig.

IDP Single-User mode

  • Parameter 4: Enter IDP to specify the client deployment mode is IDP.

  • Parameter 5: Domain name. Example, if your tenant URL is https://corp.goskope.com, then enter goskope.com

  • Parameter 6: Tenant name. Example: If your tenant URL is https://corp.goskope.com, enter corp.

  • Parameter 7: Email Address request option. Enter 0, if you do not want request user's email address. Enter 1 to request user's email address.

IDP Multi-User mode

  • Parameter 4: Enter IDP to specify that the client deployment is in IDP mode.

  • Parameter 5: Domain name. Example, if your tenant URL is https://corp.goskope.com, then enter goskope.com

  • Parameter 6: Tenant name. Example: If your tenant URL is https://corp.goskope.com, enter corp.

  • Parameter 7: Email Address request option. Enter 0, if you do not want request user's email address. Enter 1 to request user's email address.

  • Parameter 8: Enter peruserconfig to specify multi-user IDP deployment mode.

For macOS devices (single-user installations) that are not AD joined.

  • Parameter 4 : Your tenant URL.

    • For rel 90.2 and later: If your tenant URL is https://corp.goskope.com, enter addon-corp.goskope.com.

  • Parameter 5

    • For rel 90.2 and later: Your Organization ID.

  • Parameter 6 : Preferences file (plist)  name. When entering the filename, enter the complete filename including the .plist extension. Example: netskope.plist . Do not add HTTP: to the URL in the plist file.

    Note

    The name must match as defined in the JAMF > Computers > Configuration Profiles > Custom Settings > Preference Domain. The Preference Domain will not include the .plist extension but the JAMF script parameter 6 must include the .plist extension.

  • Parameter 7 : Enter the keyword preference_email.


To learn about creating a plist, view create plist for Jamf installation.
  • Adding the Silent Mode (silent_mode) parameter as one of the script options for any deployment mode can suppress the Netskope Client Installer failure pop-up in the event of any deployment failure.
  • If Secure Enrollment feature is enabled, each deployment mode consists of two additional parameters (Authentication and Encryption token):
    • ​​enrollauthtoken: ​​ Specifies the authentication token.
    • ​​enrollencryptiontoken:​​ Specifies the encryption token.
External Browser-based Authentication

Netskope Client supports FIDO authentication with our SAML forward proxy for macOS devices through external browser support.

You can enable the external browser support in the IdP configuration file and set Safari, MS Edge, and Google Chrome as the default browser(Firefox is not supported).  Use the following additional parameters in the IdP mode (single user and multi-user) of deployment in the Jamf script:

  • Mode: Enter the mode to specify the browser support to be enabled during Client installation. Mode is a string with values and you can add one of the following values in the script.

    • Embedded: Default value and opens the existing mini-browser.

    • Scheme:  Opens the external browser.

  • preferEphemeral: If you set the value to:

    • True: It means it request ephemeral (private) browser window from the default browser. 

    • False: It means it request regular (non-private) browser window from the default browser.

For example,

sudo ./nsclientconfig.sh 1 2 3 idp goskope.com corp 0 preferephemeral=true mode=scheme
These parameters work only with the latest JAMFScript_v20_Jan2023 available in Support.

Push Netskope Root and Tenant Certificates

Provide additional trust to end users by pushing certificates during client installation. Before you can push the root and tenant certificates, ensure that you do the following:

  1. Download root and tenant certificates from Netskope MDM distribution page.
    1. Login to Netskope tenant admin console with admin credentials.
    2. Go to Settings > Security Cloud Platform > MDM Distribution. The certificate download options are displayed in the Certificate Setup section.
  2. Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.

Push Certificate via JAMF

  1. Login to JAMF admin console. Go to Computer > Configuration Profile > New.
  2. Under Options, give a name to this profile.
  3. Select Certificate > Configure.
  4. Enter a name for the certificates.
  5. Select Upload to upload the converted root and tenant certificates.
  6. In the Scope tab, select the target computers.
  7. Click the Save button.

Create .plist for Jamf Installation

This section contains the steps  to install the Netskope Client for non-AD joined MacOS devices.

NOTE: The “peruserconfig” mode cannot be supported as part of this deployment method. Also it is assumed the users have been imported to the tenant using the Directory Importer or other such mechanism.
Prerequisites

  • Configured Directory Importer and imported users to the tenant.

  • JAMF Pro with push enabled.

  • JAMF Pro entry for computers must have an email field available for all computers in scope.

Workflow for Jamf Installation

  1. Push out a configuration profile (plist) containing the email for the user that owns the endpoint to /Library/Managed Preferences/.

  2. Run the Policy to install the Netskope client package.

Step 1: Creating a template plist file

  1. Run the following command on a Mac OS terminal:

    /usr/libexec/PlistBuddy -c "add email string user@example.com" template.plist

  2. This creates the following file template.plist:

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">;
<plist version="1.0">
<dict>
	<key>email</key>
<string>user@example.com</string>
</dict>
</plist>

    Open the netskope.plist file you created in a text editor.

  3. Replace the string value user@example.com with $EMAIL. Once complete, the plist file should look similar to:

    <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
	<dict>
		<key>email</key>
		<string>$EMAIL</string>
	</dict>
</plist>

  4. Save your changes.  You can now use this file with your MDM to provide configuration info to Netskope.

Step 2: Configure JAMF to push the plist file to the Mac machine

  1. Log into your JAMF admin console.

  2. Navigate to Computers > Configuration Profiles.

  3. Click New.

  4. Click Application and Custom Settings from the payload list pane.

  5. The preference domain should be the name of the plist file you generated without .plist. For example, if using the instructions above, the preference name should be com.netskope.client.

  6. Click Upload and select the plist file you previously created. 

  7. Click Scope and assign the plist payload you created to the appropriate user or machine groups. 

Verify Client Installation

Check the installation logs on the user’s machine in the /var/log/install.log folder. If the user configuration download script fails and the Netskope client installer is executed, the installer will exit and displays the “Configuration file missing, aborting installation! error” message.

Check Netskope Client Installation Status

  1. To verify the status of each device, go to Computer > Policies and click on the policy you created.
  2. Click the Logs button at the bottom to view the log files for each device and then click the Show button.
Share this Doc

JAMF

Or copy link

In this topic ...