Netskope Client Enrollment Methods
The enrollment process includes three methods:
- IdP
- UPN
- Email Invite
IdP Enrollment Method
Using this method, the user is authenticated against the IdP before enrolling the Netskope Client. Netskope supports the following IdP methods:
Community Supported Apps
Prerequisites
Refer here to understand the prerequisites for Netskope Client deployment.
Advantages
- Requiring user password during enrollment ensures that the actual user is completing the process and prevents potential impersonation attacks.
- Leveraging the security features of IdP, such as strong authentication mechanisms and password policies, provides a higher level of trust for enrolled devices.
- Enabling multi-factor authentication (MFA) during the enrollment phase adds a second layer of verification, offering protection even if the user credentials are compromised.
Disadvantages
- Typically not a silent deployment. Silent deployment requires integrated Windows authentication configured with the IdP.
- NPA Pre-logon requires users to be authenticated at least once.
- In a non-SSO environment, before the user enrolls, FailClose is not enforced.
UPN Enrollment Method
Using this method, the user machine is joined to Active Directory or uses LDAP directory integration. In this case, Netskope identifies the user by their User Principal Name (UPN).
Advantages
- Easy for organizations to adopt because no user input is required.
- Works seamlessly with the AD environment.
Disadvantages
- The admin needs to ensure token deployment is secure and prevent any token compromise.
- Requires periodic token maintenance by the admin (similar to certificates).
Email Invite
Install Netskope Client (or the mobile profile on iOS) using the email invitation sent from the admin console. The user can click the link to download and install the Client (or the mobile profile) on their device.
Prerequisite
One-time activation key shared as part of the email invitation.
Advantages
- The admin does not need to share any user authentication parameters for enrollment.
- The invitation email can be initiated for personal email IDs.
- Quick way to deploy for BYOD users.
Disadvantages
- User requires admin rights to install the Client software.
- The email can be misused by forwarding it to unintended recipients.
- The name of the downloaded installation package contains the org key and activation key (not secure).
Enrollment Methods Comparison
| | IdP | UPN | Email Invitation |
|---|---|---|---|
| User Identification | User Email address | UPN or Email (depending on OS and deployment method) | Userkey |
| User Authentication | Through the configured IdP | | User activation key (One-time token) |
| User Experience | Requires user interaction | No user interaction | User needs admin rights to deploy |
| Security | Supports security levels setup for IdP such as MFA | Use same token across organization | |