Skip to main content

Netskope Help


Kandji is purpose built MDM application used to deploy apps and services remotely to macOS devices. To learn more about Kandji and their MDM platform, visit: Kandji Support website.

This article illustrates the procedure to deploy Netskope Client on macOS devices running Big Sur or later using the Kandji MDM as the IdP. This process ensures reduced user interaction while deploying tenant certificates, system and network extensions.

Prerequisites to using Kandji
  • Setup Netskope for IdP

  • Download Netskope Certifications (Root and CA)

  • Download VPN Proxy App script from the Netskope Support Portal. This is required for macOS devices running Big Sur or later

  • Administer role access to Kandji

Download Netskope Certificates
  1. Login to Netskope WebUI with admin access and go to Settings > Security Cloud Platform > MDM Distribution. Download both the root and Netskope intermediate certificate.

  2. Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.

Creating Deployment Scripts in Kandji

Deployment scripts are a combination of audit script and remediation script that are required to deploy Netskope Client to the end user devices. The audit script checks if Netskope Client is installed on the end-user devices and the remediation script installs the clients on end-user devices that do not have the client installed.

  1. Go to Library > Add New > Custom Script and Configure

  2. Create custom script with the following parameters:

    • Execution Frequency : Set this to value that suits your environment.

    Audit Script

    #script for installing NSAgent on OSX machines
    #will check to see if Netskope is Installed
    function Test_NSClient(){
        xz=$(/usr/bin/mdfind kMDItemFSName == Netskope -onlyin /Library/Application\ Support/)
        if [ -e "$xz" ]; then
            echo "$xz found netskope client is installed"
        exit 0
            echo "client does not exist"
        exit 1
    #end script

    Remediation Script

    Replace the values marked XXXXX with tenant domain name and YYYY with the tenant name.

    • spDomain= <goskope_domain> ; Example:

    • spTenant = <tenant_name> ; Example: If your tenant URL is, then enter only example.

    • If you are installing using multi-user mode, add “perusermode” parameter in the script.

    #Script for installing Netskope Client on OSX machines
    #function will install Netskope Client
    function Ins_NSClient(){       
        perusermode=0 # put 0 for normal installation, put 1 for per user config             
        echo "Downloading NsAgent..."       
        curl -o /tmp/$ag                   
        echo "will now add config file..."       
        mkdir -p "/Library/Application Support/Netskope/STAgent"       
        NSIDPCONFIG_FILE_PATH="/Library/Application Support/Netskope/STAgent/nsidpconfig.json"       
        echo "{ \"serviceProvider\": { \"domain\": \"$spDomain\", \"tenant\": \"$spTenant\" } }" > "${NSIDPCONFIG_FILE_PATH}"  
        if [ $perusermode -eq 1 ]   
        NSUSERCONFIG_JSON_FILE="/Library/Application Support/Netskope/STAgent/nsuserconfig.json"       
        echo "{\"nsUserConfig\":{\"enablePerUserConfig\": \"true\", \"configLocation\": \"~/Library/Application Support/Netskope/STAgent\", \"token\": \"\", \"host\": \"\",\"autoupdate\": \"true\"$fail_close_option}}" > "${NSUSERCONFIG_JSON_FILE}"   
        echo "Installing Agent..."       
        installer -dumplog -pkg /tmp/$ag -target / && rm /tmp/$ag
Uploading Netskope Certificates to Kandji
  1. Login to Kandji and go to Library > Add New > Certificate > Add and Configure

  2. Go to Library > Add New > Certificate > Add and Configure

  3. Upload Netskope Root Certificate (.cer format).

    1. Enter a name for this certificate, for example: Netskope Root Certificate

    2. Select Certificate Type as PKCS#1-formatted certificate.

    3. Drag and drop the .cer certificate in the uplaod box.


    Repeat this step to upload the Netskope Tenant Certificate. When uploading, give a name, for example: Netskope Tenant Certificate.

Uploading VPN Configuration to Kandji
  • Go to Library > Add New > Custom Profile and click Add and Configure.

    1. Give a name.

    2. Download the AppVPN proxy script from Netskope Support site.

    3. Extract the zip file and upload the .mobileconfig file.

Adding System Extension Profile
  1. Go to Library, select Profiles from the drop down menu.

  2. Select System Extension and click Add and Configure.

  3. Specify the following for System Extension

    • Under General, select Allow Users to approve system extensions.

    • Team Identifier : 24W52P9M7W

    • Name (optional): Netskope

    • Under System Extension, select Allow all system extensions

Creating a New Blueprint and Applying Profiles in Kandji
  1. Go to Blueprint > New Blueprint.

  2. Enable the following to add to the new Blueprint.

    • Netskope Root Certificate

    • Netskope Tenant Certificate

    • VPN Profile (App VPN proxy config)

    • System Extension

    • Kernel Extension (if you have devices running macOS older than Big Sur).