Netskope Client For Android and ChromeOS

Netskope Client for Android and ChromeOS

This document describes the various methods to install Netskope Client on Android and ChromeOS devices and how to configure and steer traffic to the Netskope Cloud.

Prerequisites

Android phones, tablets, and Chromebook devices.

Supported versions

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Android and ChromeOS.

Netskope Private Access periodic re-authentication is not supported on Android and Chromebook.

Client Installation Methods

Refer to the following section to understand the various Client installation methods in Android and ChromeOS devices:

Netskope Client installation methods are the same for Android and ChromeOS devices.

Deploy Client in Android and Chrome OS

You can install Netskope Client using one of the following methods:

  • Email Invite
  • Other Deployment Options

Email Invite

You can install Netskope Client using the email invitation sent from the admin console.

After you receive the email:

  1. Check your email from Netskope Onboarding and click Android Client.

  2. Follow the instructions on your screens to install Netskope Client from Google Play Store.

  3. Click Install.

  4. After you install, Click Open.

  5. Click Allow for notifications.

  6. The app opens after it completes downloading the configurations.

    To learn more, view Email Invite.

Other Deployment Options

Netskope supports the following deployment options for Android:

SSL Inspection for Android

SSL/TLS inspection is a foundational capability that enables Netskope  to perform efficient threat and data protection services. Netskope performs SSL inspection and serves as a Man-in-the-Middle. In order to establish trust between source applications and Netskope it is required to install CA certificate into appropriate OS store. To learn more, view Certificates for SSL/TLS Inspection.

SSL decryption policies allow you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies. To learn more, view SSL Decryption.

In Android devices, a CA certificate can only be  installed in the user cert store irrespective of device ownership and enrollment method. Starting with Android Nougat (7.0), Netskope certificates stored in the user certificate store are not trusted by Android and 3rd party app services, since Google does not trust the certificates installed in the user store. This leads to errors during SSL inspection due to broken chain of trust – native or 3rd party mobile applications would drop SSL handshake because server certificates presented by Netskope SWG won’t get recognized as trusted. However web-browsers (such as Chrome, Edge etc) will still be able to verify chain of trust against user cert store and therefore SSL inspection won’t cause issues.

There are two options to get around Android limitations: 

  1. Disable SSL inspection for Android. At the time of Netskope client distribution & enrollment (and irrespective of enrollment method and device ownership) CA certificate distribution can be skipped. Netskope Client won’t find a CA certificate on the device and will signal upstream proxy that SSL inspection should not be performed. The traffic will still be tunneled via NewEdge according to Steering Configuration.

  2. Enable selective SSL inspection on Android based on the source App. Once a CA certificate is detected on the device by Netskope client, SSL inspection would be enabled for the entire device (or Work profile, depending on device enrollment method). All apps except browsers would have to be added to Netskope Steering Exceptions.

You can start bypassing traffic from SSL inspection by adding exceptions.

To add a Certificate Pinned Application exception type, view Certificate Pinned Application. In the Definition field, you can select the RegEX option and add the desired app identifier. 

Application ID can be found in GooglePlay Store as a part of its URL. An example below illustrates that CNN App is defined in PlayStore as com.cnn.mobile.android.phone

Instead of adding every single application as an exception (which is not scalable) regular expressions could be used. The goal is to use least amount of configurations and describe applications in bulls. For example com\.google\.android\..*. This regular expression contains the following:

  • com.google.android.tts

  • com.google.android.apps.maps

  • com.google.android.calendar

  • com.google.android.gms

  • com.google.android.gms.persistent

  • com.google.android.webview

  • com.google.android.play.a.h.e

  • com.google.android.googlequicksearchbox

An example on how to bypass all Apps but Microsoft Edge will look like the following: ^(?!.*(com\.microsoft\.emmx)).*$

An example on how to bypass all Apps but Microsoft Edge and Google Chrome will look like the following: ^(?!.*(com\.microsoft\.emmx|com\.android\.chrome|com\.sample\.application)).*$

While bypassing SSL inspection through Certificate Pinned Apps, you can either Block or Bypass traffic.

Traffic Steering Exceptions on Android and ChromeOS

Netskope steers all traffic except for ones configured as Certificate Pinned Application, Domain, and Destination Locations exceptions. Netskope validates the exceptions setup in the steering configured and bypass the traffic from the selected source and sent directly to their respective destination. If you want your Apps to be bypassed in the steering configuration you can configure it in Settings > Security Cloud Platform > Steering Configuration >  Your <Steering Configuration> Exception other than those that needs to be inspected by Netskope. To learn more, view Exceptions.

Netskope Client Uninstallation

The uninstallation of Netskope Client from your Android device with a personal account is simple:

  1. Open the Google Play Store app.

  2. Tap your Profile icon.

  3. Tap Manage apps & devices > Manage.

  4. Tap Netskope Client.

  5. Tap Uninstall.

To learn more, view Uninstall Apps in Android.

Netskope restricts a user to uninstall Netskope Client (provisioned by your organization) from your Work profile.
Share this Doc

Netskope Client For Android and ChromeOS

Or copy link

In this topic ...