Updated on January 24, 2024

Microsoft Endpoint Configuration Manager

Microsoft Endpoint Configuration Manager

Using the Microsoft Endpoint Configuration Manager, you can install the client on the endpoints without any user intervention. After the installation, the client can detect the logged in user’s AD login name and download the branding information for the user from the Netskope cloud.

A branding file is a JSON file that contains user details (for example, email address), the addon server URL, and other configuration rules for this user.

Note

  • Application for devices running Windows
  • See the Netskope Command Line Reference for all supported msiexec options.
  • Starting in version 1910, Configuration Manager is now part of Microsoft Endpoint Manager. Reference – Microsoft Docs.

End-user environment: Microsoft Windows

Prerequisites to Deploying Client via SCCM

  • Install and configure Directory Importer to fetch email addresses and usernames from Active Directory. Use Directory Importer version 2.24 or above for importing AD users to Netskope system. This has the capability to capture the user’s principal name (UPN) along with the user’s email ID.

    Note

    For details on installing and configuring Netskope Adapters, refer to the Netskope Adapters.Netskope Adapters-OLD

  • Download the Netskope Client installer file from the Netskope Support Portal . Download the MSI file for Windows. 
  • When using SCCM, you will first create a installer package and then use that to install Netskope Clients on the end user devices.

Installing the Client

Execute the following command to install the client using the MSI file (the installation package).

msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off]

Note

If multiple users do not share a system, Netskope recommends that you install the Client in single-user mode. In a multi-user system/devices, the client is installed for all users in that system that have an AD account. The client is not installed for local users and therefore traffic from apps used by a local user is not steered to the Netskope cloud. Also, if the mode is not specified, the Client is installed in single-user mode.

ParameterDescription
mode=peruserconfigOptional parameter. Use this parameter when installing in a multi-user system. 
installmode=IDPOptional parameter. Use this parameter when provisioning users via IdP.
userconfiglocation=<path>Specifies the user-specific directory used for storing the user configuration. It is recommended to use default value unless user’s home directories are hosted on external file servers or network shares. This is recommended to be used only for the multi-user environment.

This is an optional parameter. By default the path is %AppData%NetskopeSTAgent.

Note

The path can be an absolute path, a network share, or a path having environment variables.

  • To run the above from command prompt with environment variables, append ‘^’ before ‘%’. For example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:Users^%USERNAME^%Netskope
  • To run the above command from a batch script with environment variables, append ‘%’ before ‘%’. For example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:Users%%USERNAME%%Netskope
  • To run the above command from SCCM (or ) with environment variables, append ‘^’ before ‘%’ and prefix with “cmd /c”. For example: cmd /c /I NSClient.msi mode=peruserconfig userconfiglocation=C:Users^%USERNAME^%Netskope
token=<token>Specifies organization ID.

To obtain your Organization ID (Token) from the Netskope Admin console:

  1. Go to Settings > Security Cloud Platform > MDM Distribution.
  2. Under Create VPN Configuration, copy the Organization ID.
host=<host>Specifies the addon manager hostname.

For example: if your URL is seiu.goskope.com, then host = addon-seiu.goskope.com

fail-close=[no-npa|all]

Optional parameter. If fail-close is not present, the client will honor Web UI “fail close” client configuration.

  • all: Fail close will be applicable to CASB / Web traffic for the NPA tunnel too. Example: If the Netskope tunnel is not established, NPA’s application traffic will also be blocked.
  • no-npa: Fail close will be applicable only for CASB / Web traffic but not for NPA tunnel.  Example: If the Netskope Tunnel is not established, NPA’s application traffic will NOT be blocked.
autoupdate=on|off
  • on
  • off
/qnSilent installation
/l*v %PUBLIC%nscinstall.logSpecifies the log file path
If Secure Enrollment feature is enabled, each deployment mode consists of two additional parameters (Authentication and Encryption token):
  • ​​​enrollauthtoken: Specifies the authentication token.
  • ​​​enrollencryptiontoken:​​ Specifies the encryption token.

Installing Netskope Client in a Multi-User Environment

In addition to installing the Client for a single user, you can install it to provide user visibility for cases where multiple users are sharing the same system. Examples of this include:

  • Persistent and Non persistent VDI
  • Citrix Xenapp with Hosted Shared Desktop (HSD)
  • Windows Remote Desktop Services
  • Floating/Loaner Laptops, when loaner PCs that are given to employees on a temporary basis.
  • Kiosk Desktops, such as shared desktops in call centers, conference rooms, front desks.
Share this Doc

Microsoft Endpoint Configuration Manager

Or copy link

In this topic ...