Kandji
Kandji is purpose built MDM application used to deploy apps and services remotely to macOS devices. To learn more about Kandji and their MDM platform, visit: Kandji Support website.
This article illustrates the procedure to deploy Netskope Client on macOS devices running Big Sur or later using the Kandji MDM as the IdP. This process ensures reduced user interaction while deploying tenant certificates, system and network extensions.
Prerequisites to using Kandji
Setup Netskope for IdP
Download Netskope Certifications (Root and CA)
Download VPN Proxy App script from the Netskope Support Portal. This is required for macOS devices running Big Sur or later
Administer role access to Kandji
Download Netskope Certificates
Login to Netskope WebUI with admin access and go to Settings > Security Cloud Platform > MDM Distribution. Download both the root and Netskope intermediate certificate.
Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.
Creating Deployment Scripts in Kandji
Deployment scripts are a combination of audit script and remediation script that are required to deploy Netskope Client to the end user devices. The audit script checks if Netskope Client is installed on the end-user devices and the remediation script installs the clients on end-user devices that do not have the client installed.
Go to Library > Add New > Custom Script and Configure
Create custom script with the following parameters:
Execution Frequency : Set this to value that suits your environment.
Audit Script
#!/bin/bash #script for installing NSAgent on OSX machines #will check to see if Netskope is Installed function Test_NSClient(){ xz=$(/usr/bin/mdfind kMDItemFSName == Netskope Client.app -onlyin /Library/Application\ Support/) if [ -e "$xz" ]; then echo "$xz found netskope client is installed" exit 0 else echo "client does not exist" exit 1 fi } Test_NSClient #end script
Remediation Script
Replace the values marked XXXXX with tenant domain name and YYYY with the tenant name.
spDomain= <goskope_domain> ; Example: goskope.com
spTenant = <tenant_name> ; Example: If your tenant URL is example.goskope.com, then enter only example.
If you are installing using multi-user mode, add “perusermode” parameter in the script.
#!/bin/bash #Script for installing Netskope Client on OSX machines #function will install Netskope Client function Ins_NSClient(){ ag="NSClient.pkg" spDomain="XXXXX" spTenant="YYYYY" perusermode=0 # put 0 for normal installation, put 1 for per user config echo "Downloading NsAgent..." curl -o /tmp/$ag https://download.goskope.com/dlr/mac/get echo "will now add config file..." mkdir -p "/Library/Application Support/Netskope/STAgent" NSIDPCONFIG_FILE_PATH="/Library/Application Support/Netskope/STAgent/nsidpconfig.json" echo "{ \"serviceProvider\": { \"domain\": \"$spDomain\", \"tenant\": \"$spTenant\" } }" > "${NSIDPCONFIG_FILE_PATH}" if [ $perusermode -eq 1 ] then NSUSERCONFIG_JSON_FILE="/Library/Application Support/Netskope/STAgent/nsuserconfig.json" echo "{\"nsUserConfig\":{\"enablePerUserConfig\": \"true\", \"configLocation\": \"~/Library/Application Support/Netskope/STAgent\", \"token\": \"\", \"host\": \"\",\"autoupdate\": \"true\"$fail_close_option}}" > "${NSUSERCONFIG_JSON_FILE}" fi echo "Installing Agent..." installer -dumplog -pkg /tmp/$ag -target / && rm /tmp/$ag } Ins_NSClient
Uploading Netskope Certificates to Kandji
Login to Kandji and go to Library > Add New > Certificate > Add and Configure
Go to Library > Add New > Certificate > Add and Configure
Upload Netskope Root Certificate (.cer format).
Enter a name for this certificate, for example: Netskope Root Certificate
Select Certificate Type as PKCS#1-formatted certificate.
Drag and drop the .cer certificate in the uplaod box.
Repeat this step to upload the Netskope Tenant Certificate. When uploading, give a name, for example: Netskope Tenant Certificate.
Uploading VPN Configuration to Kandji
Go to Library > Add New > Custom Profile and click Add and Configure.
Give a name.
Download the AppVPN proxy script from Netskope Support site.
Extract the zip file and upload the .mobileconfig file.
Adding System Extension Profile
Go to Library, select Profiles from the drop down menu.
Select System Extension and click Add and Configure.
Specify the following for System Extension
Under General, select Allow Users to approve system extensions.
Team Identifier : 24W52P9M7W
Name (optional): Netskope
Under System Extension, select Allow all system extensions
Creating a New Blueprint and Applying Profiles in Kandji
Go to Blueprint > New Blueprint.
Enable the following to add to the new Blueprint.
Netskope Root Certificate
Netskope Tenant Certificate
VPN Profile (App VPN proxy config)
System Extension
Kernel Extension (if you have devices running macOS older than Big Sur).