JAMF
JAMF is an enterprise mobility management tool used for the endpoint management of macOS devices. You can install the Client on users’ devices using JAMF (formerly known as Casper Suite).
Deployment Prerequisites
- Administrators must possess fair knowledge of the JAMF/JSS/Casper suite.
- Download the JAMF scripts from the Download page in the Netskope Support portal. The file contains the command-line executable scripts needed to install and configure the client.
- User Configuration: Execute the downloaded script to get the configuration file. This script locates active (online) AD users and downloads user-specific configuration files from the Netskope cloud to the endpoint. Ensure that the AD devices are accessible before executing the script.
Configuration Profile for Auto Approval
Approve Network Extension for Big Sur and Latest
- In JAMF, go to Computers > Configuration Profiles > New.
- Under Options > General:
- Enter the display name. For example, Restrict AppProxy Removal (for Big Sur devices).
- Choose the following:
- Category, if needed.
- Level: Computer Level
- Distribution Method: Install Automatically
- Go to Options > System Extension.
- Click Configure.
- Select Allow users to approve system extensions.
- Under Allowed Team IDs and System Extensions, enter a display name. For example, Netskope System Extension.
- Choose the following:
- System Extension Types: Allowed System Extensions
- Team Identifier: 24W52P9M7W
- Click Add to add the following System Extension:
com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy
- In the Scope tab, assign the target computers.
- Click Save.
Confirming Netskope Client Extension Approval
To confirm that the Netskope Client extension has been approved and the client is running, run the following command in a macOS 11 terminal window:
systemextensionsctl list
The output should look like this:
% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 24W52P9M7W com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1) NetskopeClientMacAppProxy [activated enabled]
Additionally, inspect the system preferences and Network UI to confirm that Netskope Client extension is active.
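The listing above can be checked by script instead of by eye. The following helper is an added example, not part of the Netskope documentation: it reads `systemextensionsctl list` output on stdin (a constructed sample is embedded so it runs anywhere) and succeeds only when the row matching the team ID and bundle ID from the profile above reports `activated enabled`; the function names are hypothetical.

```shell
# Added verification helper, not part of the Netskope documentation.
# Reads the output of `systemextensionsctl list` on stdin and checks the
# Netskope network extension row (team ID and bundle ID from the profile above).
NS_TEAM_ID="24W52P9M7W"
NS_BUNDLE_ID="com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy"

# ns_ext_state: prints the bracketed [state] of the Netskope extension row.
# Exit status 0 only when that state is exactly "activated enabled";
# any other state (e.g. "activated waiting for user") or a missing row gives 1.
ns_ext_state() {
    awk -v team="$NS_TEAM_ID" -v bundle="$NS_BUNDLE_ID" '
        index($0, team) && index($0, bundle) {
            if (match($0, /\[[^]]*\]/)) {
                state = substr($0, RSTART + 1, RLENGTH - 2)
                print state
                found = 1
            }
        }
        END { exit (found && state == "activated enabled") ? 0 : 1 }'
}

# Check the live system (macOS 11 or later, where systemextensionsctl exists).
ns_check_live() {
    systemextensionsctl list | ns_ext_state
}

# Constructed sample outputs, whitespace-separated like the real listing.
sample_activated() {
    cat <<'EOF'
1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
*  *  24W52P9M7W  com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1)  NetskopeClientMacAppProxy  [activated enabled]
EOF
}

# Constructed sample where the extension is installed but still awaits approval.
sample_pending() {
    cat <<'EOF'
1 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID  bundleID (version)  name  [state]
      24W52P9M7W  com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1)  NetskopeClientMacAppProxy  [activated waiting for user]
EOF
}
```

On a managed Mac, `ns_check_live` (or `systemextensionsctl list | ns_ext_state`) returns non-zero whenever the profile has not yet taken effect, which makes it usable as a JAMF extension attribute or smart-group input.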
Approve Full Disk Access Permission For Sonoma or Later
- In JAMF, go to Computers > Configuration Profiles > New > Privacy Preferences Policy Control.
- Click Configure to define access settings for applications.
- Under App Access, enter the following:
- Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy
- Select Bundle ID for Identifier Type.
- Code Requirement:
anchor apple generic and identifier "com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
- Click +Add to allow or deny access to a service or app.
- Select SystemPolicyAllFiles under App or Service and Allow under Access.
- Click Save to save the permission.
- Save the configuration profile.
The corresponding App Access entry for the Endpoint DLP component:
- Identifier: com.netskope.epdlp.client
- Code Requirement:
anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
To learn more, see Enabling Endpoint DLP on the Netskope Client for macOS.
Approve VPN Popup for App Proxy
The following procedure is applicable for macOS devices running Big Sur 11.0 or later:
- Go to Computers > Configuration Profiles > New.
- Under Options > General:
- Enter the display name. For example, Restrict AppProxy Removal (for Big Sur devices).
- Choose the following:
- Category, if needed.
- Level: Computer Level
- Distribution Method: Install Automatically
- Go to Options > VPN.
- Click Configure and configure the VPN with the following:
- Connection Name: Any Name
- VPN Type: Select Per-App VPN
- Per-App VPN Connection Type: Select Custom SSL
- Identifier: Enter com.netskope.client.Netskope-Client
- Server: Enter the Netskope Gateway URL for the tenant: gateway-<tenant_hostname>.goskope.com
- Provider Bundle Identifier: Enter com.netskope.client.Netskope-Client
- Provider Type: Select App-Proxy
- Select Include All Networks
- For Specify Provider Designated Requirement, enter the following:
anchor apple generic and identifier "com.netskope.client.Netskope-Client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
- Select Prohibit users from disabling on-demand VPN settings
- Click Save.
Restrict AppProxy Removal
The following configuration steps (applicable for macOS devices running Big Sur 11.0 or later) restrict users from making any changes to network option accessibility.
- In JAMF, go to Computers > Configuration Profiles > New.
- Under Options > General:
- Enter the display name. For example, Restrict AppProxy Removal (for Big Sur devices).
- Choose the following:
- Category, if needed.
- Level: Computer Level
- Distribution Method: Install Automatically
- Go to Options > Restrictions.
- Click Configure.
- Under Preferences, select Restrict items in System Preferences.
- Select the items to restrict (Network in this case).
- Add the scope (machine) and push the profile.
- Click Save.
Installing the Client
Client installation is done using JAMF policies. The following section describes in detail how to create the JAMF policies.
Note
Download the latest JAMF scripts from Netskope Support website.
Create a New JAMF Policy
- In the JSS Dashboard, go to Computer > Policies and click + New.
- Under Options > General:
- Enter a Display Name, for example: Netskope Client Policy.
- For Trigger, select Login. Scripts can also be run using other options, like Logout and Network State Change.
- For Execution Frequency, select Once per computer.
- Select Options > Packages.
- Click Configure.
- Add the Client installer package, and for Action, select Install.
- Select Options > Scripts.
- Click Configure.
- Add the jamfscript_v20.sh script.
- For Priority, select Before. The script must run before the package installation, so the Priority must be Before.
- Netskope supports six modes of deployment. Before you proceed, ensure that you have the following parameters handy:
- REST API token: In your tenant (Netskope admin console), go to Settings > Tools > REST API > Show to get the token. If you are generating your token for the first time, click the Generate New Token button.
- Organization ID: In your tenant (Netskope admin console), go to Settings > Security Cloud Platform > click MDM Distribution in the left column under Netskope Client. The Organization ID is in the Create VPN Configuration section. The Organization ID is case-sensitive.
- Update the script options for parameters 4 to 8 for each mode. Refer to the table below the instructions to understand the modes and parameters added in the script.
- Click the + button to add another script.
- When finished, click Save.
Deployment Mode | Configuration Parameters
---|---
IDP Single-User mode | For example, set — 0 0 0 idp <tenant domain name> <tenant name> 0/1 enrollencryptiontoken=<your encryption token>
IDP Multi-User mode | For example, set — 0 0 0 idp <tenant domain name> <tenant name> 0/1 peruserconfig enrollencryptiontoken=<your encryption token>
For macOS devices (single-user installations) that are not AD joined. | To learn about creating a plist, see Create .plist for Jamf Installation. For example, set — 0 0 0 <addon-host> <Org ID> <plist file name> <preference_email> enrollauthtoken=<your auth token> enrollencryptiontoken=<your encryption token>
External Browser-based Authentication
Netskope Client supports FIDO authentication with our SAML forward proxy for macOS devices through external browser support.
You can enable external browser support in the IdP configuration file and set Safari, MS Edge, or Google Chrome as the default browser (Firefox is not supported). Use the following additional parameters in the IdP mode (single-user and multi-user) of deployment in the Jamf script:
- Mode: Enter the mode to specify the browser support to be enabled during Client installation. Mode is a string, and you can add one of the following values in the script:
- Embedded: Default value; opens the existing mini-browser.
- Scheme: Opens the external browser.
- preferEphemeral: Set the value to one of the following:
- True: Requests an ephemeral (private) browser window from the default browser.
- False: Requests a regular (non-private) browser window from the default browser.
For example:
sudo ./nsclientconfig.sh 1 2 3 idp goskope.com corp 0 preferephemeral=true mode=scheme
Push Netskope Root and Tenant Certificates
Provide additional trust to end users by pushing certificates during client installation. Before you can push the root and tenant certificates, do the following:
- Download the root and tenant certificates from the Netskope MDM Distribution page.
- Log in to the Netskope tenant admin console with admin credentials.
- Go to Settings > Security Cloud Platform > MDM Distribution. The certificate download options are displayed in the Certificate Setup section.
- Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.
Push Certificate via JAMF
- Log in to the JAMF admin console. Go to Computers > Configuration Profiles > New.
- Under Options, give a name to this profile.
- Select Certificate > Configure.
- Enter a name for the certificates.
- Select Upload to upload the converted root and tenant certificates.
- In the Scope tab, select the target computers.
- Click the Save button.
Create .plist for Jamf Installation
This section contains the steps to install the Netskope Client on non-AD joined macOS devices.
Prerequisites
- Configured Directory Importer and imported users to the tenant.
- JAMF Pro with push enabled.
- JAMF Pro entry for computers must have an email field available for all computers in scope.
Workflow for Jamf Installation
- Push out a configuration profile (plist) containing the email for the user that owns the endpoint to /Library/Managed Preferences/.
- Run the Policy to install the Netskope client package.
Step 1: Creating a Template PLIST File
- Run the following command in a macOS terminal:
/usr/libexec/PlistBuddy -c "Add :email string user@example.com" com.netskope.client.plist
- This creates the following file, com.netskope.client.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>email</key>
    <string>user@example.com</string>
</dict>
</plist>
- Replace the string value user@example.com with $EMAIL. Once complete, the plist file should look similar to:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>email</key>
    <string>$EMAIL</string>
</dict>
</plist>
- Save your changes. You can now use this file with your MDM to provide configuration info to Netskope.
Step 2: Configure JAMF to Push the PLIST File to the Mac Machine
- Log in to your JAMF admin console.
- Navigate to Computers > Configuration Profiles.
- Click New.
- Click Application and Custom Settings from the payload list pane.
- Click Upload. Select the plist file that you previously created.
- The preference domain should be the name of the plist file you generated without .plist. For example, if using the instructions above, the preference domain should be com.netskope.client.
- Click Scope and assign the plist payload you created to the appropriate user or machine groups.
Verify Client Installation
Check the installation log on the user’s machine at /var/log/install.log. If the user configuration download script fails and the Netskope client installer is executed, the installer exits and displays the error message “Configuration file missing, aborting installation!”.
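A small triage helper for this check, added here as an example and not taken from the Netskope documentation: it reads install.log lines on stdin, echoes the Netskope-related ones for context, and reports through its exit status whether the abort message appeared. The log lines are constructed samples (only the abort message text comes from this page) and the function names are hypothetical.

```shell
# Added triage helper, not part of the Netskope documentation.
# Usage on a managed Mac: ns_install_status < /var/log/install.log
NS_ABORT_MSG="Configuration file missing, aborting installation!"

# ns_install_status: reads install.log lines on stdin and prints those that
# mention Netskope. Exit status:
#   0 = Netskope installer lines present and no abort message
#   2 = abort message found (the user configuration download script failed)
#   1 = no Netskope installer lines at all (policy did not run on this host)
ns_install_status() {
    awk -v abort="$NS_ABORT_MSG" '
        tolower($0) ~ /netskope/ { print; seen = 1 }
        index($0, abort) > 0     { aborted = 1 }
        END {
            if (aborted) exit 2
            if (seen)    exit 0
            exit 1
        }'
}

# Constructed sample excerpts; the line layout is illustrative, not verbatim Apple output.
sample_log_aborted() {
    cat <<'EOF'
2024-01-15 09:12:01-08 mac01 installd[812]: PackageKit: Installing Netskope Client
2024-01-15 09:12:03-08 mac01 installd[812]: ./preinstall: Configuration file missing, aborting installation!
EOF
}

sample_log_ok() {
    cat <<'EOF'
2024-01-15 09:12:01-08 mac01 installd[812]: PackageKit: Installing Netskope Client
2024-01-15 09:12:20-08 mac01 installd[812]: Installed "Netskope Client"
EOF
}

sample_log_other() {
    cat <<'EOF'
2024-01-15 08:55:40-08 mac01 softwareupdated[310]: Installed "Safari"
EOF
}
```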
Check Netskope Client Installation Status
- To verify the status of each device, go to Computer > Policies and click on the policy you created.
- Click the Logs button at the bottom to view the log files for each device and then click the Show button.