Netskope Client For Android and ChromeOS
This document describes the various methods to install Netskope Client on Android and ChromeOS devices and how to configure and steer traffic to the Netskope Cloud.
Prerequisites
Android phones, tablets, and Chromebook devices.
Supported versions
Refer to Netskope Client Supported OS and Platform to understand the supported versions for Android and ChromeOS.
Client Installation Methods
Refer to the following section to understand the various Client installation methods on Android and ChromeOS devices:
Deploy Client in Android and Chrome OS
You can install Netskope Client using one of the following methods:
- Email Invite
- Other Deployment Options
Email Invite
You can install Netskope Client using the email invitation sent from the admin console.
After you receive the email:
- Check your email from Netskope Onboarding and click Android Client.
- Follow the instructions on your screens to install Netskope Client from Google Play Store.
- Click Install.
- After you install, click Open.
- Click Allow for notifications.
- The app opens after it completes downloading the configurations.
To learn more, view Email Invite.
Other Deployment Options
Netskope supports the following deployment options for Android:
SSL Inspection for Android
SSL/TLS inspection is a foundational capability that enables Netskope to perform efficient threat and data protection services. Netskope performs SSL inspection by acting as a man-in-the-middle. To establish trust between source applications and Netskope, the CA certificate must be installed in the appropriate OS store. To learn more, view Certificates for SSL/TLS Inspection.
SSL decryption policies allow you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies. To learn more, view SSL Decryption.
On Android devices, a CA certificate can only be installed in the user certificate store, irrespective of device ownership and enrollment method. Starting with Android Nougat (7.0), Netskope certificates stored in the user certificate store are not trusted by Android and third-party app services, since Google does not trust the certificates installed in the user store. This leads to errors during SSL inspection due to a broken chain of trust: native or third-party mobile applications drop the SSL handshake because the server certificates presented by Netskope SWG are not recognized as trusted. However, web browsers (such as Chrome and Edge) can still verify the chain of trust against the user certificate store, so SSL inspection does not cause issues for them.
There are two options to get around Android limitations:
- Disable SSL inspection for Android. At the time of Netskope Client distribution and enrollment (irrespective of enrollment method and device ownership), CA certificate distribution can be skipped. Netskope Client won't find a CA certificate on the device and will signal the upstream proxy that SSL inspection should not be performed. The traffic will still be tunneled via NewEdge according to the Steering Configuration.
- Enable selective SSL inspection on Android based on the source app. Once Netskope Client detects a CA certificate on the device, SSL inspection is enabled for the entire device (or Work profile, depending on the device enrollment method). All apps except browsers would have to be added to Netskope Steering Exceptions.
You can start bypassing traffic from SSL inspection by adding exceptions.
To add a Certificate Pinned Application exception type, view Certificate Pinned Application. In the Definition field, you can select the RegEX option and add the desired app identifier.
The application ID can be found in the Google Play Store as part of the app's URL. For example, the CNN app is defined in the Play Store as com.cnn.mobile.android.phone.
Instead of adding every single application as an exception (which is not scalable), regular expressions can be used. The goal is to use the least amount of configuration and describe applications in bulk. For example: com\.google\.android\..*
This regular expression matches the following:
- com.google.android.tts
- com.google.android.apps.maps
- com.google.android.calendar
- com.google.android.gms
- com.google.android.gms.persistent
- com.google.android.webview
- com.google.android.play.a.h.e
- com.google.android.googlequicksearchbox
An example of how to bypass all apps but Microsoft Edge looks like the following: ^(?!.*(com\.microsoft\.emmx)).*$
An example of how to bypass all apps but Microsoft Edge and Google Chrome looks like the following: ^(?!.*(com\.microsoft\.emmx|com\.android\.chrome|com\.sample\.application)).*$
While bypassing SSL inspection through Certificate Pinned Apps, you can either Block or Bypass traffic.
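The following added example (not Netskope code) checks the three patterns above against a constructed list of app identifiers before they are entered as exceptions. It assumes the RegEX option behaves like a standard lookahead-capable engine (here Python's re module) and, because the page does not say whether a pattern must match the whole identifier, it tests both whole-string and substring matching.

```python
import re

# Patterns quoted verbatim from the page.
GOOGLE_PREFIX = r"com\.google\.android\..*"
ALL_BUT_EDGE = r"^(?!.*(com\.microsoft\.emmx)).*$"
ALL_BUT_LISTED = (r"^(?!.*(com\.microsoft\.emmx|com\.android\.chrome"
                  r"|com\.sample\.application)).*$")

# Constructed sample inventory; the last two IDs are made up for the test.
SAMPLE_APPS = [
    "com.google.android.gms",
    "com.google.android.apps.maps",
    "com.google.android.webview",
    "com.android.chrome",
    "com.microsoft.emmx",
    "com.cnn.mobile.android.phone",
    "com.microsoft.emmx.beta",
    "org.example.com.google.android.x",
]
BROWSERS = ["com.android.chrome", "com.microsoft.emmx"]  # must stay inspected


def split_apps(pattern, app_ids, full=True):
    """Return (bypassed, inspected) for an exception pattern.

    full=True requires the whole ID to match; full=False emulates an
    engine that accepts a match anywhere in the ID (assumption).
    """
    rx = re.compile(pattern)
    matcher = rx.fullmatch if full else rx.search
    bypassed = [a for a in app_ids if matcher(a)]
    inspected = [a for a in app_ids if not matcher(a)]
    return bypassed, inspected


def wrongly_bypassed(pattern, app_ids, must_inspect):
    """Apps that must stay inspected but match under either semantics."""
    wrong = set()
    for full in (True, False):
        bypassed, _ = split_apps(pattern, app_ids, full)
        wrong.update(set(bypassed) & set(must_inspect))
    return sorted(wrong)


if __name__ == "__main__":
    for name in ("GOOGLE_PREFIX", "ALL_BUT_EDGE", "ALL_BUT_LISTED"):
        pat = globals()[name]
        print(name, "inspected:", split_apps(pat, SAMPLE_APPS)[1],
              "| browsers wrongly bypassed:",
              wrongly_bypassed(pat, SAMPLE_APPS, BROWSERS))
```

On this sample, the Edge-only pattern bypasses com.android.chrome, and the unanchored prefix pattern also matches the made-up org.example.com.google.android.x when the engine accepts substring matches, which is a reason to anchor prefix patterns with ^.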
Traffic Steering Exceptions on Android and ChromeOS
Netskope steers all traffic except traffic configured as Certificate Pinned Application, Domain, and Destination Locations exceptions. Netskope validates the exceptions set up in the steering configuration, bypasses the traffic from the selected source, and sends it directly to its destination. If you want apps other than those that need to be inspected by Netskope to be bypassed, you can configure this in Settings > Security Cloud Platform > Steering Configuration > Your <Steering Configuration> Exception. To learn more, view Exceptions.
Netskope Client Uninstallation
The uninstallation of Netskope Client from your Android device with a personal account is simple:
- Open the Google Play Store app.
- Tap your Profile icon.
- Tap Manage apps & devices > Manage.
- Tap Netskope Client.
- Tap Uninstall.
To learn more, view Uninstall Apps in Android.