Netskope Client Enrollment Methods

The enrollment process includes three methods:

  • IdP
  • UPN
  • Email Invite

IdP Enrollment Method

With this method, the user is authenticated against the IdP before enrolling Netskope Client. Netskope supports the following IdP methods:

Community Supported Apps

Prerequisites

Refer here to understand the prerequisites for Netskope Client deployment.

Advantages

  • Requiring user password during enrollment ensures that the actual user is completing the process and prevents potential impersonation attacks.
  • Leveraging the security features of IdP, such as strong authentication mechanisms and password policies, provides a higher level of trust for enrolled devices.
  • Enabling multi-factor authentication (MFA) during the enrollment phase adds a second layer of verification, offering protection even if the user credentials are compromised.

Disadvantages

  • Typically not a silent deployment. Silent deployment requires Integrated Windows Authentication configured with the IdP.
  • NPA Pre-logon requires users to be authenticated at least once.
  • In a non-SSO environment, FailClose is not enforced until the user enrolls.

UPN Enrollment Method

With this method, the user's machine is joined to Active Directory or an LDAP directory integration. Netskope identifies the user by their User Principal Name (UPN).

Advantages

  • Organizations can adopt it easily because no user input is required.
  • Works seamlessly with the AD environment.

Disadvantages

  • Admins need to ensure that token deployment is secure and prevent any token compromise.
  • Requires periodic token maintenance by the admin (similar to certificates).

Email Invite

Install Netskope Client (or the mobile profile on iOS) using the email invitation sent from the admin console. The user can click the link to download and install the Client (or the mobile profile) on their device.

Prerequisite

One-time activation key shared as part of the email invitation.

Advantages

  • Admins need not share any user authentication parameters for enrollment.
  • The email invitation can be sent to personal email IDs.
  • Quick way to deploy for BYOD users.

Disadvantages

  • The user requires admin rights to install the Client software.
  • The email can be misused by forwarding it to unintended recipients.
  • The name of the downloaded installation package contains the org key and activation key (not secure).

Enrollment Methods Comparison

| | IdP | UPN | Email Invitation |
|---|---|---|---|
| User Identification | User Email address | UPN or Email (depending on OS and deployment method) | Userkey |
| User Authentication | Through the configured IdP | Legacy - OrgKey; Current - Authentication Token part of Secure enrollment | User activation key (One-time token) |
| User Experience | Requires user interaction | No user interaction | User needs admin rights to deploy |
| Security | Supports security levels setup for IdP such as MFA | Use same token across organization | One time token distribution through Email; Lacks control on the distribution of Email invitation |
