
Netskope Help

MobileIron Cloud

Netskope supports using MobileIron Cloud for mobile device management (MDM) to allow iOS devices access to the Netskope cloud using the per-app VPN mode. This document explains how to deploy Netskope for iOS devices using the on-demand and per-app VPN mode.

Note

Refer to MobileIron Cloud documentation for additional help.

Prerequisites

To deploy the iOS VPN with MobileIron Cloud, you can use the Netskope Root and Intermediate CA certificates from Netskope, or your own Root and Intermediate certificates.

In the Netskope tenant UI, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution. In the Certificate Setup section of this page, download the Netskope Root and Intermediate certificates. If you are using your own certificates, downloading these is not necessary. In either case, copy the tenant OU and Organization Name from this section; they are needed when enrolling the local certificate.

In the Create VPN Configuration section, copy the VPN Server Name, Organization ID, and PAC URL; these are needed for configuring the VPN profile. This page also shows the VPN mode currently configured. Optionally, your administrator can set the on-demand VPN function to always on, so the connection does not need to be triggered each time.

In the Upload Certificate section, upload new certificates to Netskope, or view and replace an existing certificate using the icons to the right of the registered certificate.

The following sections explain how to upload and enroll certificates and how to configure an iOS profile for MobileIron Cloud for on-demand or per-app VPN. For information about iOS VPN fail-open, refer to iOS VPN Fail Open.

Create Certificates in MobileIron Cloud

To configure MobileIron Cloud, create a local standalone CA (or use a third-party CA) and then create identity certificates in MobileIron Cloud.

Create a Standalone CA Certificate

To create a standalone CA certificate:

  1. In the MobileIron Cloud admin console, go to Admin > Certificate Authority and click Add.

  2. Click Continue under Create a Standalone Certificate Authority.

  3. Click Actions, and then select Download Certificate.

  4. Note where you saved the certificate.

  5. Open a terminal window on macOS and use openssl to convert the certificate from .cer (DER) format to .pem format with this command: sudo openssl x509 -inform der -in cert.cer -out cert.pem

  6. After it's converted, verify the .pem file using this command: cat cert.pem

  7. Upload the certificate to Netskope using the tenant UI. Go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution, and then scroll down the page until you see the Upload Certificate to Netskope section.

  8. Click Upload/Replace Certificate, and then click Select Certificate to locate and select your certificate file.

  9. When finished, click Upload.

  10. When the Preview message box opens, click Save.

Create an Identity Certificate

To create an identity certificate:

  1. In the MobileIron Cloud admin console, select Configurations and click Add.

  2. Select Identity Certificate.

  3. Enter these parameters:

    • Name: Enter a unique name for the certificate.

    • In the Configuration Setup section, select Dynamically Generated from the Certificate Distribution dropdown list.

    • Source: Select the standalone certificate you created.

    • Signature Algorithm: SHA256 with RSA

    • Subject:

      • emailAddress: ${userEmailAddress}

      • CN: ${userEmailAddress}

      • OU: <Tenant OU from the Netskope UI>

      • O: <Organization Name from the Netskope UI>

      • L: <Your city>

      • ST: <Your state> (in two letter format)

      • C: <Your country> (in two letter format)

    • Subject Alternate Name Type: (Optional)

    • Key Size: 2048

  4. Save this configuration and distribute this certificate to relevant devices.

The original page includes a screenshot (IdentityCertConfig.png) showing an example identity certificate configuration.
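As an added example (not part of the Netskope or MobileIron documentation), the following Python script checks that the subject of an issued identity certificate, as printed by `openssl x509 -noout -subject`, matches the subject template above and the tenant OU and Organization Name copied from the MDM Distribution page. The tenant values and the sample subject lines are constructed placeholders.

```python
import re
from string import Template

# Subject attributes from the Identity Certificate configuration on this page;
# ${userEmailAddress} is the MobileIron substitution variable.
SUBJECT_TEMPLATE = {"emailAddress": "${userEmailAddress}", "CN": "${userEmailAddress}"}

def parse_openssl_subject(line):
    """Parse 'subject=emailAddress = a@b, CN = a@b, OU = x, ...' as printed by
    `openssl x509 -noout -subject` (OpenSSL 1.1+/3.x default nameopt) into a dict.
    Values containing a literal comma are not handled."""
    line = line.strip()
    if line.startswith("subject="):
        line = line[len("subject="):]
    subject = {}
    for part in line.split(","):
        attr, _, value = part.partition("=")
        subject[attr.strip()] = value.strip()
    return subject

def check_identity_subject(subject_line, user_email, tenant_ou, org_name):
    """Return a list of problems; an empty list means the issued certificate's
    subject matches the template for this user and tenant."""
    expected = {k: Template(v).substitute(userEmailAddress=user_email)
                for k, v in SUBJECT_TEMPLATE.items()}
    expected["OU"] = tenant_ou   # Tenant OU from the Netskope MDM Distribution page
    expected["O"] = org_name     # Organization Name from the same page
    got = parse_openssl_subject(subject_line)
    problems = []
    for attr, want in expected.items():
        if attr not in got:
            problems.append(f"missing {attr}")
        elif got[attr] != want:
            problems.append(f"{attr}: expected {want!r}, got {got[attr]!r}")
    for attr in ("ST", "C"):   # the page requires two-letter codes for these
        if attr in got and not re.fullmatch(r"[A-Za-z]{2}", got[attr]):
            problems.append(f"{attr} must be a two-letter code, got {got[attr]!r}")
    return problems

# Constructed sample subject lines (placeholders, not real tenant values).
GOOD_SUBJECT = ("subject=emailAddress = alice@example.com, CN = alice@example.com, "
                "OU = tenant-ou-placeholder, O = Example Corp, L = San Jose, ST = CA, C = US")
BAD_SUBJECT = ("subject=CN = alice@example.com, OU = wrong-ou, O = Example Corp, "
               "ST = California, C = US")

if __name__ == "__main__":
    for name, line in (("good", GOOD_SUBJECT), ("bad", BAD_SUBJECT)):
        print(name, check_identity_subject(line, "alice@example.com",
                                           "tenant-ou-placeholder", "Example Corp") or "OK")
```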
Provision Certificates to Devices

To provision certificates to devices:

  1. Locate the Netskope Root certificate you downloaded from the Netskope UI (Settings > Security Cloud Platform > Netskope Client > MDM Distribution).

  2. In the MobileIron Cloud admin console, select Configurations and click Add.

  3. Select Certificate, enter a name, and then upload the Netskope Root certificate.

  4. Distribute the certificate configuration to relevant devices.

Configure an On-Demand VPN

To configure an on-demand VPN:

  1. In the MobileIron Cloud admin console, select Configurations and click Add.

  2. Select VPN On-Demand.

  3. Enter these parameters:

    • Name: Enter a unique name.

    • Connection Type: IPSec (Cisco).

    • Server: <VPN Server name from your Netskope tenant>.

    • Account: Leave blank.

    • Machine Authentication: Certificate.

    • Credential: Select the identity certificate you created.

    • Include User PIN: Off

    • Proxy Setup: Automatic

    • Proxy Server URL: <PAC URL from your Netskope tenant>

    • Enable VPN On Demand: On

    • Enable iOS Rules: Selected

  4. Choose to apply this configuration to All Devices, No Devices, or use Custom to specify devices.

  5. When finished, click Done.

Distribute to Devices

To distribute this configuration to devices:

  1. In the MobileIron Cloud admin console, select Devices.

  2. Force device check-in.

  3. Select Configurations to view the device details.

Configure a Per-App VPN

By default all Netskope tenants are set to On-Demand iOS VPN. If you want to use the Per-App iOS VPN profile, contact your sales rep, professional services rep, customer success manager, or Support to have Per-App VPN enabled.

To configure a Per-App VPN:

  1. In the MobileIron Cloud admin console, select Configurations and click Add.

  2. Select Per-App VPN.

  3. Enter these parameters:

    • Connection Type: IPSec (Cisco)

    • Server: <VPN Server name from your Netskope tenant>

    • Account: Leave blank.

    • Machine Authentication: Certificate

    • Credential: Select the identity certificate you created.

    • Include User PIN: Off

    • Proxy Setup: Automatic

    • Proxy Server URL: <PAC URL from your Netskope tenant>

    • Enable VPN On Demand: On

    • Enable iOS Rules: On

    • On Demand Match App Enabled: Off

    • Provider Type: app-proxy

  4. When finished, click Save.

Select Apps for the Per-App VPN

To select apps for the Per-App VPN:

  1. In the MobileIron Cloud admin console, select Apps and click Add.

  2. Select App Catalog to go through the wizard to select the apps to be distributed to the devices.

  3. Select App Configurations, and then select Per-App VPN.

  4. Enter these parameters:

    • Name: Enter a name.

    • Enable Per-App VPN for this App: On

    • Dropdown list: Select the Per-App VPN configuration you created.

  5. When finished, click Update.

Distribute to Devices

To validate that the device has the necessary configurations:

  1. In the MobileIron Cloud admin console, select Devices.

  2. Force device check-in.

  3. Select Configurations to view the device details.

iOS VPN Fail Open

The fail-open function allows traffic from a device using the iOS VPN to bypass Netskope and go directly to an app or service. When fail open is enabled, iOS devices no longer steer traffic to Netskope. Fail open occurs either when Netskope initiates it because of a service interruption or when an admin enables it in the Netskope UI.

To enable fail open for iOS VPN:

  1. In the Netskope UI, go to Settings > Security Cloud Platform > MDM Distribution.

  2. In the Create VPN Configuration section, confirm that your iOS VPN is operational. If so, click the tool icon to open the Advanced Configuration dialog box.

  3. Enable the toggle and then click Save.

Android Managed Configurations

To use Android Managed Configurations in MobileIron Cloud, first set up Android for Work in Google. After Android for Work is configured, copy the MDM token from admin.google.com and the .json file generated from console.developer.google.com. When you have these, follow these instructions.

To configure Android Managed Configurations in MobileIron Cloud:

  1. Log in to your MobileIron Cloud Admin Portal.

  2. Click Admin in the top menu bar, and then click Android Enterprise in the left nav panel.

  3. In the Android Enterprise window:

    1. Enter the MDM token generated from admin.google.com.

    2. Enter the domain for your Google account.

    3. Upload the .json file from console.developer.google.com.

  4. Click Connect, and then authorize the G Suite account.

  5. Click Users in the top menu bar, and then click + Add > Single User.

  6. Create a new user with the domain used for Android Enterprise above, and then enable Google Sync for the user.

  7. Click Apps.

  8. On the App Catalog page, click Add+.

  9. Enter Netskope in the Find Apps field.

  10. Select Netskope Cloud Director, and then enter these values:

    • User Email Address: ${userEmailAddress}

    • Host: addon-<tenant hostname>.goskope.com.

    • Token: <OrgKey>. Use the Organization ID from the VPN Configuration section in the Netskope UI for the OrgKey value (Settings > Security Cloud Platform > Netskope Client > MDM Distribution).

  11. Click Done and then click Publish.

Device Classification for Android

You can classify Android devices based on these criteria:

  • Minimum OS version

  • Passcode required

  • Device not compromised

  • Primary storage encrypted

  • Managed configuration

Go to Settings > Manage > Device Classification, select Android from the New Device Classification dropdown list, and then follow these steps to classify your Android devices, selecting options and entering the requested parameters.

  1. Rule Name: Enter a name for this classification rule.

  2. Classification Criteria: Select an Any or All criteria match.

  3. Minimum OS Version: Select an OS version from the dropdown list or create a custom OS version.

  4. Passcode Required: No parameters required.

  5. Device Not Compromised: No parameters required.

  6. Primary Storage Encrypted: No parameters required.

  7. Managed Configuration: If you already added a managed configuration for this device on the MDM Distribution page, the key-value pair is shown here. This key-value pair is sent from the MDM to the device so the Netskope app can validate the key-value pair and mark it as Managed or Unmanaged. To regenerate the key-value pair, click Regenerate.

    Note

    Managed Configuration does not work when an app is installed on an Android device using the onboarding email or with the AirWatch SDK.

  8. When finished, click Save.

After creating a device classification rule, you can use it in a Real-time Protection policy.

  1. To use this Device Classification in a Real-time Protection policy, click Policies > Real-time Protection in the Netskope UI. Select an existing policy or click New Policy and choose a policy type.

  2. Proceed through the Users, Cloud Apps + Web, DLP/Threat Protection, and Select Activities sections.

  3. For Additional Attributes, click Access Method and select either Client, Mobile Profile, or Reverse Proxy, and then click Save. Click Device Classification, and then select Managed or Unmanaged, based on the devices you just classified.

    • Managed means the device is managed; the device information sent by the Client matches at least one of the device classification checks configured for that Client's OS.

    • Unmanaged means the device is unmanaged; the device information sent by the Client matches none of the device classification checks configured for that Client's OS.

    When finished, click Save and then Next.

  4. Combine device classification with other policy elements, like using the Block Action for specified applications for activities like uploading files from managed or unmanaged devices. Finish creating or updating this policy to establish this device classification. Click Apply Changes for this policy.
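As an added example (not Netskope code), the following Python model implements the Android classification criteria listed above and the Managed/Unmanaged semantics just described: each rule combines its checks with an Any or All match, and a device is Managed when it matches at least one rule. The rule, device attributes and managed-configuration key-value pair are constructed placeholders.

```python
# Criteria names as listed on the Device Classification page for Android.
MIN_OS, PASSCODE, NOT_COMPROMISED, ENCRYPTED, MANAGED_CONFIG = (
    "Minimum OS Version", "Passcode Required", "Device Not Compromised",
    "Primary Storage Encrypted", "Managed Configuration")

def parse_version(text):
    """'9.1' -> (9, 1): compare numerically, so 9.1 is below 10 (lexically it is not)."""
    return tuple(int(p) for p in text.split("."))

def criterion_matches(name, param, device):
    """Evaluate one classification check against the attributes the app reports."""
    if name == MIN_OS:
        return parse_version(device["os_version"]) >= parse_version(param)
    if name == PASSCODE:
        return device["passcode_set"]
    if name == NOT_COMPROMISED:
        return not device["rooted"]
    if name == ENCRYPTED:
        return device["storage_encrypted"]
    if name == MANAGED_CONFIG:
        # The MDM pushes the generated key-value pair; it must match exactly.
        key, value = param
        return device.get("managed_config", {}).get(key) == value
    raise ValueError(f"unknown criterion: {name}")

def rule_matches(rule, device):
    """Classification Criteria: 'Any' needs one check to pass, 'All' needs every check."""
    results = [criterion_matches(n, p, device) for n, p in rule["criteria"]]
    return any(results) if rule["match"] == "Any" else all(results)

def classify(rules, device):
    """Managed if the device matches at least one rule for its OS, otherwise Unmanaged."""
    return "Managed" if any(rule_matches(r, device) for r in rules) else "Unmanaged"

# Constructed sample rule and devices; the managed-configuration key and value
# are placeholders for the pair the MDM Distribution page generates.
RULES = [{"name": "corporate-android", "match": "All", "criteria": [
    (MIN_OS, "10"), (PASSCODE, None), (NOT_COMPROMISED, None), (ENCRYPTED, None),
    (MANAGED_CONFIG, ("placeholder_key", "placeholder_value"))]}]
CORPORATE = {"os_version": "13.0", "passcode_set": True, "rooted": False,
             "storage_encrypted": True,
             "managed_config": {"placeholder_key": "placeholder_value"}}
PERSONAL = {"os_version": "13.0", "passcode_set": True, "rooted": False,
            "storage_encrypted": True}   # no managed configuration pushed

if __name__ == "__main__":
    print(classify(RULES, CORPORATE), classify(RULES, PERSONAL))
```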

After the policy has been created, perform the activity the policy covers. Then go to Skope IT > Application Events and click the magnifying glass icon for an event to open the Application Event Details panel. The User section shows a Device Classification field with one of these device classifications.