Netskope Help

Microsoft Intune

This article provides instructions to deploy Netskope Client on Windows and Apple devices using Microsoft Intune.


  • Microsoft Intune is part of Microsoft Endpoint Manager.

  • Admin-level access to Intune is required.

Supported Devices

  • Windows devices either joined to Active Directory or Azure AD.

  • Apple devices enrolled in Microsoft's Intune.


To learn more about supported OS and platform, see the Netskope Client Supported OS and Platform section.

Deploying on Windows Devices

The following steps are for deploying Netskope Client on Windows devices.

  • On-board or add users into Netskope using Directory Importer or SCIM integration.

Deployment Procedure
  1. Ensure the device is enrolled in Microsoft Intune.

  2. Log in to the Azure Portal

  3. Access the Management Page

  4. Under Manage, select Client Apps

  5. Under Manage, select Apps

  6. Select Add

  7. For App Type, select “Line-of-business app”

  8. Upload the NSClient.msi to App Package File and select OK

  9. Under App Information

    1. Provide a description

    2. Publisher Name

    3. Set Ignore App Version to Yes if you intend to allow the Netskope client to auto-update

    4. Select the appropriate category

    5. Select No under Display this as a featured app in the Company Portal

    6. Information and Privacy URL are optional values

    7. Under Command-Line Arguments, enter: token=<organization id> host=addon-<tenant-name> mode=peruserconfig autoupdate=on /qn

       Include mode=peruserconfig only for multi-user environments, and autoupdate=on only if you want the client to auto-update.

    8. Select OK

    9. Select the appropriate Scope Tag

    10. Select Add.

  10. Wait for the app to upload and finalize

    1. Select the Netskope Client from the app list

    2. Select Assignments > Add Group

    3. For Assignment Type, select Required

    4. Select the appropriate groups that should be included or excluded

    5. Select Save

  11. You can monitor the installation process from Intune. Go to Client Apps > Install Status > Search for “Netskope” > Device Install Status

Deploying on Apple Devices (Big Sur)

The following steps are for deploying Netskope Client on Apple devices running macOS 11.x (Big Sur) or later.

  • Devices running macOS 11.x (Big Sur) or later.

  • Enroll devices in Microsoft's Endpoint Manager

  • Convert Netskope Client package to an .intunemac file. For detailed information and procedure, visit Microsoft Docs portal.

  • Follow these steps after converting the .pkg to .intunemac file. For more details, see Microsoft Doc Portal

  • Download Netskope Root and Intermediate certificates and convert them to the .cer extension. To learn more, see Certificates

  • Configure and verify SAML forward proxy authentication and ensure that users are properly imported into your Netskope tenant. To learn more about user provisioning and SAML Forward Proxy authentication, see Provisioning and Authentication

Deployment Procedure
  1. Sign in to Microsoft Intune Admin Center.

  2. Go to Devices > macOS devices. Ensure that the devices to which you will deploy Netskope Client are listed.

  3. Create two configuration profiles to deploy the Netskope certificates.

    1. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates and Template name as Trusted Certificate.

    2. Click Create. The page will refresh with settings. Enter a name for the root certificate profile and click Next.

    3. Click the folder icon to select the Netskope root certificate (.cer file) and click Next to continue.

    4. Assign the appropriate device group and click Next.

    5. Review the configuration and click Create.

    6. Repeat the steps used to upload Netskope root certificate and create another configuration profile to upload Netskope intermediate certificate.


    Validate Certificate Chain

    You can validate the complete certificate chain in your Mac keychain.

  4. Download the Netskope Intune IDP configuration script (Intune Script) from the Netskope Support portal.

    1. Extract the contents of the file.

    2. Open the Intune script in a text editor and search for the commented line Add Command Line parameters below.

    3. Modify the line below the commented line to reflect the appropriate tenant values:

      • set -- 0 0 1 idp <insert tenant domain name> <insert tenant name> 0

        For example, if your tenant name is, modify the line to: set -- 0 0 1 idp example 0

      • Ensure that the following line uses the same values as the preceding line:

        argstring="0 0 1 idp example 0"

    4. Save the script.

    5. Go to Devices > macOS > Shell Scripts and click Add.

    6. Enter a Name and click Next.

    7. Select the script (.sh file) from your local storage in your computer. Make the following changes:

      • Run script as signed in users - NO

      • Hide script notifications on devices - Yes

      • Script frequency - Every 30 minutes

      • Max number of times to retry if script fails - 3 times.

    8. Assign the script to groups, users, and/or devices. Click Next to continue.

    9. Click Add to add the script and push it to all devices.

      Confirm IDP Configuration Deployment: To confirm if the IDP configuration is pushed successfully, verify the contents of /Library/Application Support/Netskope/STAgent/nsidpconfig.json. The contents of the file should look similar to:

      john-MacBook-Pro:STAGENT johnd$ cat nsidpconfig.json
      {"serviceProvider": {"domain": "", "tenant": "example"}}
  5. Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates.

    1. Under Template Names select Extensions and click Create.

    2. Provide a name for the Netskope System Extension profile and click Next.

    3. Expand System Extensions and configure Allow Systems Extensions as follows:

      • Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy

      • Team Identifier: 24W52P9M7W

      Select Next to continue.

    4. Assign appropriate users or device group and select Next.

    5. Review your configuration and click Create.

    6. Use the Profiles options in the end-user device to validate if the System Extension was deployed successfully.

  6. Go to macOS policies > Configuration Profiles

    1. Download custom configuration profiles from Netskope Support Portal.

    2. Select Create Profile and under the Profile Types option, select Templates > Custom. Click Create.

    3. Specify a profile name.

    4. Keep the Deployment Channel option to Device Channel.

    5. Upload the custom configuration profile downloaded from Netskope Support Portal. Click Next to continue.

    6. Select and assign appropriate users or groups. Click Next to continue.

    7. Review configuration and click Create.

    8. Use the Profiles option in the end-user device to validate if the installation was successful.

  7. Create a line-of-business application to be deployed on the Apple devices (Big Sur).

    Before proceeding ensure the following:

    • Convert the Client installation pkg to an .intunemac file.

    • Resolve an issue with Intune and Netskope Client app including multiple components. See Microsoft Doc Portal for more information.

    1. Go to Apps > macOS and click Add. Select Line-of-business app from the App type drop-down menu. Click Select.

    2. Select the app package (.intunemac) file by browsing to it and click OK.

    3. Enter a publisher name and click Next.

    4. Assign the application to devices or users. Click Next to continue.

    5. Click Create to complete creating the application.

    6. Now log in to your IdP to start the enrollment process.
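
For step 4 of the procedure above, the following shell script is an added example (not Netskope's script and not part of the original page). Before upload it checks that the edited set -- and argstring lines carry the same values, and on the device it checks that nsidpconfig.json holds the expected domain and tenant. It assumes those two lines look exactly as shown in step 4 and that the JSON is the single flat object shown in the confirmation step; the function names and the script file name idp_check.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not Netskope's script. Checks for step 4 of the macOS procedure.

# Print the arguments of the first uncommented "set -- ..." line, trailing blanks removed.
set_args() {
    sed -n '/^[[:space:]]*set -- /{s/^[[:space:]]*set --[[:space:]]*//;s/[[:space:]]*$//;p;q;}' "$1"
}

# Print the value of the first argstring="..." assignment.
argstring_value() {
    sed -n '/^[[:space:]]*argstring="/{s/^[[:space:]]*argstring="//;s/"[[:space:]]*$//;p;q;}' "$1"
}

# Before upload: both lines must exist, match, and hold no <placeholder>.
check_idp_script() {
    a=$(set_args "$1"); b=$(argstring_value "$1")
    [ -n "$a" ] && [ -n "$b" ] || { echo "set -- or argstring line missing" >&2; return 2; }
    [ "$a" = "$b" ] || { echo "mismatch: '$a' vs '$b'" >&2; return 1; }
    case "$a" in *'<'*) echo "placeholder left in: $a" >&2; return 1 ;; esac
}

# Print one string value from the flat nsidpconfig.json (no jq on a stock Mac).
json_value() {
    sed -n 's/.*"'"$2"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# On the device: compare the deployed file with the values pushed by the script.
check_idp_config() {    # args: json-file expected-domain expected-tenant
    [ -r "$1" ] || { echo "not readable: $1" >&2; return 2; }
    d=$(json_value "$1" domain); t=$(json_value "$1" tenant)
    [ "$d" = "$2" ] && [ "$t" = "$3" ] || { echo "found domain='$d' tenant='$t'" >&2; return 1; }
}

# Usage: sh idp_check.sh script <intune-script.sh>
#        sh idp_check.sh config <domain> <tenant>
case "${1:-}" in
    script) check_idp_script "$2" ;;
    config) check_idp_config "/Library/Application Support/Netskope/STAgent/nsidpconfig.json" "$2" "$3" ;;
esac
```

A non-zero exit status means the script should not be uploaded yet, or that the device has not received the expected IDP configuration.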

Uninstalling Clients

To set up an uninstallation script for Netskope Client on Windows devices, follow the procedure described in this section:


This procedure is applicable only for devices that are AD joined. Also, during subsequent installation, un-assign this app to avoid un-installation of the newly installed Clients.

  1. Log in to your Intune admin console and select Device Configuration.

  2. In the Device Configuration page, click the Scripts option on the left-hand side.

  3. To start adding uninstallation script, click the Add button and select Windows 10.

  4. In the Add Powershell Script page, enter a Name for the script configuration and click Next to continue.

  5. In the script settings page, select the PowerShell script from your computer. Enter the following command in the PowerShell script.

    # Look up the MSI product code (GUID) of the installed Netskope Client
    $product_identifier = Get-WmiObject -Class Win32_Product | Where-Object Name -eq "Netskope Client" | Select-Object -ExpandProperty IdentifyingNumber
    # Uninstall silently (/qn) and write a verbose log (/l*v)
    msiexec /uninstall $product_identifier /qn /l*v <path-to>\nscuninstall.log

    Set the following options for the script

    • Run this script using the logged on credentials - YES

    • Enforce script signature check - NO

    • Run script in 64 bit PowerShell Host - YES


    Click Next to continue.

  6. In the Assignment step, assign the user groups for this script. Netskope Client in all devices of the assigned user group will be uninstalled.

  7. In the last step, review your selections and click Add to complete the procedure.