Skip to main content

Netskope Help

Kandji

Kandji is purpose built MDM application used to deploy apps and services remotely to macOS devices. To learn more about Kandji and their MDM platform, visit: Kandji Support website.

This article illustrates the procedure to deploy Netskope Client on macOS devices running Big Sur or later using the Kandji MDM as the IdP. This process ensures reduced user interaction while deploying tenant certificates, system and network extensions.

Prerequisites to using Kandji

  • Setup Netskope for IdP

  • Download Netskope Certifications (Root and CA)

  • Download VPN Proxy App script from the Netskope Support Portal. This is required for macOS devices running Big Sur or later

  • Administer role access to Kandji

Download Netskope Certificates

  1. Login to Netskope WebUI with admin access and go to Settings > Security Cloud Platform > MDM Distribution. Download both the root and Netskope intermediate certificate.

    img-01-downloadMDMcert.png

  2. Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.

Creating Deployment Scripts in Kandji

Deployment scripts are a combination of audit script and remediation script that are required to deploy Netskope Client to the end user devices. The audit script checks if Netskope Client is installed on the end-user devices and the remediation script installs the clients on end-user devices that do not have the client installed.

  1. Go to Library > Add New > Custom Script and Configure

  2. Create custom script with the following parameters:

    • Execution Frequency : Set this to value that suits your environment.

    Audit Script

    #!/bin/bash
#script for installing NSAgent on OSX machines
#will check to see if Netskope is Installed
function Test_NSClient(){
    xz=$(/usr/bin/mdfind kMDItemFSName == Netskope Client.app -onlyin /Library/Application\ Support/)
 
    if [ -e "$xz" ]; then
        echo "$xz found netskope client is installed"
    exit 0
    else
        echo "client does not exist"
    exit 1
    fi
 
}
Test_NSClient 
#end script

    Remediation Script

    Replace the values marked XXXXX with tenant domain name and YYYY with the tenant name.

    • spDomain= <goskope_domain> ; Example: goskope.com

    • spTenant = <tenant_name> ; Example: If your tenant URL is example.goskope.com, then enter only example.

    • If you are installing using multi-user mode, add “perusermode” parameter in the script.

    #!/bin/bash
#Script for installing Netskope Client on OSX machines
#function will install Netskope Client
function Ins_NSClient(){       
    ag="NSClient.pkg"       
    spDomain="XXXXX"       
    spTenant="YYYYY"   
    
    perusermode=0 # put 0 for normal installation, put 1 for per user config             
    
    echo "Downloading NsAgent..."       
    curl -o /tmp/$ag  https://download.goskope.com/dlr/mac/get                   
    
    echo "will now add config file..."       
    mkdir -p "/Library/Application Support/Netskope/STAgent"       
    NSIDPCONFIG_FILE_PATH="/Library/Application Support/Netskope/STAgent/nsidpconfig.json"       

    echo "{ \"serviceProvider\": { \"domain\": \"$spDomain\", \"tenant\": \"$spTenant\" } }" > "${NSIDPCONFIG_FILE_PATH}"  
    
    if [ $perusermode -eq 1 ]   
    then       
    NSUSERCONFIG_JSON_FILE="/Library/Application Support/Netskope/STAgent/nsuserconfig.json"       

    echo "{\"nsUserConfig\":{\"enablePerUserConfig\": \"true\", \"configLocation\": \"~/Library/Application Support/Netskope/STAgent\", \"token\": \"\", \"host\": \"\",\"autoupdate\": \"true\"$fail_close_option}}" > "${NSUSERCONFIG_JSON_FILE}"   
    if
        
    echo "Installing Agent..."       
    installer -dumplog -pkg /tmp/$ag -target / && rm /tmp/$ag
}

Ins_NSClient
Uploading Netskope Certificates to Kandji

  1. Login to Kandji and go to Library > Add New > Certificate > Add and Configure

    img-02-kandjiAddNewCert.png

  2. Go to Library > Add New > Certificate > Add and Configure

    img-03-kandjiAddNewCert-addConfigure.png

  3. Upload Netskope Root Certificate (.cer format).

    1. Enter a name for this certificate, for example: Netskope Root Certificate

    2. Select Certificate Type as PKCS#1-formatted certificate.

    3. Drag and drop the .cer certificate in the uplaod box.

    img-04-kandjiAddNSKProotCert.png

    Repeat this step to upload the Netskope Tenant Certificate. When uploading, give a name, for example: Netskope Tenant Certificate.

Uploading VPN Configuration to Kandji

  • Go to Library > Add New > Custom Profile and click Add and Configure.

    1. Give a name.

    2. Download the AppVPN proxy script from Netskope Support site.

    3. Extract the zip file and upload the .mobileconfig file.

    img-06-kandjiAddmobileConfig.png
Adding System Extension Profile

  1. Go to Library, select Profiles from the drop down menu.

  2. Select System Extension and click Add and Configure.

    img-05-kandjiAddSystemXtn.png

  3. Specify the following for System Extension

    • Under General, select Allow Users to approve system extensions.

    • Team Identifier : 24W52P9M7W

    • Name (optional): Netskope

    • Under System Extension, select Allow all system extensions

    img-07-kandjiAllowSysExtn.png
Creating a New Blueprint and Applying Profiles in Kandji

  1. Go to Blueprint > New Blueprint.

    img-08-kandjiAddBlueprint.png

  2. Enable the following to add to the new Blueprint.

    • Netskope Root Certificate

    • Netskope Tenant Certificate

    • VPN Profile (App VPN proxy config)

    • System Extension

    • Kernel Extension (if you have devices running macOS older than Big Sur).

In this section: