Netskope Client For Android and ChromeOS

This document describes the various methods to install Netskope Client on Android and ChromeOS devices and how to configure and steer traffic to the Netskope Cloud.

Prerequisites

Android phones, tablets, and Chromebook devices.

Minimum Hardware and Software Requirements:

  • Hardware:

    • Memory: 2 GB or more.

      Recommended memory for optimal performance: 4 GB.

  • Software:

    • Android Runtime Container/Virtual Machine version: Android 11 or above.

Supported versions

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Android and ChromeOS.

Netskope Private Access periodic re-authentication is not supported on Android and Chromebook.

Client Installation Methods

Refer to the following section to understand the various Client installation methods in Android and ChromeOS devices:

Netskope Client installation methods are the same for Android and ChromeOS devices.

Deploy Client in Android and ChromeOS

You can install Netskope Client using one of the following methods:

  • Email Invite
  • Other Deployment Options

Netskope Client for Android cannot coexist with third-party VPN applications because of an Android limitation that stops an existing service when a new service is started. To learn more, view VPN.

Email Invite

You can install Netskope Client using the email invitation sent from the admin console.

After you receive the email:

  1. Check your email from Netskope Onboarding and click Android Client.

  2. Follow the instructions on your screen to install Netskope Client from Google Play Store.

  3. Click Install.

  4. After you install, click Open.

  5. Click Allow for notifications.

  6. The app opens after it completes downloading the configurations.

    To learn more, view Email Invite.

Other Deployment Options

Netskope supports the following deployment options for Android:

Configure Tenant Name in Google Admin Console

Secure Web Gateway (SWG) service support is added on the Android application.

Chrome

You can configure the tenant name in Devices > Chrome > Apps & extensions > Users & browsers.

When enabling Netskope Client app provisioning through MDM, MDM administrators can use one of the following configurations:

Configuration 1
  • User Email Address – The user email address. For example, < emailID@example.com >.

  • Host – The addon host. For example, addon-< tenant-name >.skope.com.

  • Token – The organization ID.

Configuration 2

Tenant – The tenant name. For example, < tenant-name >.skope.com.

The application checks for any pre-deployed app configuration and applies it immediately. If both configurations contain valid data, Configuration 1 always takes precedence.

Android

You can configure the tenant name in Apps > Web and mobile apps > Netskope Client > Managed Configurations to select the configuration. Click Add Managed Configuration to create a new configuration.

Use Google Admin Console to install CA Certificates. Go to Device > Chrome > Settings > Users & Browsers > Android Applications > Certificate Synchronization.

Enrollment Workflow in ChromeOS and Android Devices

Important

Netskope recommends that you consider the following notes before proceeding with deployment:

  • End-user devices must support the Android AppLink feature for the auto-enrollment process.
  • The firewall must allow access to Applink. If Android OS encounters a network glitch or an Android OS applink binding API error while connecting to Applink, Netskope recommends that you uninstall and reinstall the Netskope Client to fix the issue.
  • Netskope recommends the use of Google Admin console or your MDM tool for deploying CA certificates. See Traffic Steering > Explicit Proxy > Traffic Steering from Chromebooks for more information.
  • With release 97, Netskope recommends using MDM solutions to install Netskope CA certificates.
  • In the steering configuration, ensure that you specify the appropriate exception actions for Android and ChromeOS.

The following steps illustrate the client deployment and enrollment workflow in ChromeOS and Android devices.

  1. Visit the Google Play Store and download Netskope Client.
  2. Install Netskope Client. After the installation is complete, a pop-up prompts the user to enter the tenant name and select the tenant domain, as shared with the user by their IT department.
  3. Click Next to continue with enrollment. The user is redirected to their IdP login screen. An authentication status message is displayed in the browser.
  4. Once user enrollment is complete, the Client initiates the configuration download and establishes the tunnel.
  5. After the Client is connected, the user can click the mobile menu icon (3 vertical dots in the top right corner of the client) for options to view configuration details.

SSL Inspection for Android

SSL/TLS inspection is a foundational capability that enables Netskope to perform efficient threat and data protection services. Netskope performs SSL inspection and serves as a Man-in-the-Middle. To establish trust between source applications and Netskope, the CA certificate must be installed into the appropriate OS store. To learn more, view Certificates for SSL/TLS Inspection.

SSL decryption policies allow you to specify the traffic you want to leave encrypted and not further analyzed by Netskope via the Real-time Protection policies. To learn more, view SSL Decryption.

On Android devices, a CA certificate can only be installed in the user cert store, irrespective of device ownership and enrollment method. Starting with Android Nougat (7.0), Netskope certificates stored in the user certificate store are not trusted by Android and 3rd party app services, since Google does not trust the certificates installed in the user store. This leads to errors during SSL inspection due to a broken chain of trust: native or 3rd party mobile applications drop the SSL handshake because the server certificates presented by Netskope SWG are not recognized as trusted. However, web browsers (such as Chrome and Edge) can still verify the chain of trust against the user cert store, so SSL inspection does not cause issues for them.

There are two options to get around Android limitations:

  1. Disable SSL inspection for Android. At the time of Netskope Client distribution and enrollment (and irrespective of enrollment method and device ownership), CA certificate distribution can be skipped. Netskope Client won’t find a CA certificate on the device and will signal the upstream proxy that SSL inspection should not be performed. The traffic will still be tunneled via NewEdge according to the Steering Configuration.

  2. Enable selective SSL inspection on Android based on the source app. Once a CA certificate is detected on the device by Netskope Client, SSL inspection is enabled for the entire device (or Work profile, depending on the device enrollment method). All apps except browsers would have to be added to Netskope Steering Exceptions.

You can start bypassing traffic from SSL inspection by adding exceptions.

To add a Certificate Pinned Application exception type, view Certificate Pinned Application. In the Definition field, you can select the RegEX option and add the desired app identifier. 

The application ID can be found in the Google Play Store as part of the app's URL. For example, the CNN app is defined in the Play Store as com.cnn.mobile.android.phone.

Instead of adding every single application as an exception (which is not scalable), regular expressions can be used. The goal is to use the least amount of configuration and describe applications in bulk. For example, com\.google\.android\..*. This regular expression matches the following:

  • com.google.android.tts

  • com.google.android.apps.maps

  • com.google.android.calendar

  • com.google.android.gms

  • com.google.android.gms.persistent

  • com.google.android.webview

  • com.google.android.play.a.h.e

  • com.google.android.googlequicksearchbox

An example of how to bypass all apps but Microsoft Edge looks like the following: ^(?!.*(com\.microsoft\.emmx)).*$

An example of how to bypass all apps but Microsoft Edge and Google Chrome (the pattern also lists a placeholder entry, com.sample.application) looks like the following: ^(?!.*(com\.microsoft\.emmx|com\.android\.chrome|com\.sample\.application)).*$
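
The following added example (not part of the Netskope documentation) runs the three patterns quoted above against a constructed list of application IDs to show which apps each exception would bypass and which would remain under SSL inspection. It assumes the exception matches when the pattern matches the whole application ID; the helper names and the sample inventory are hypothetical.

```python
import re

# Patterns quoted on this page.
GOOGLE_PREFIX = r"com\.google\.android\..*"
ALL_BUT_EDGE = r"^(?!.*(com\.microsoft\.emmx)).*$"
ALL_BUT_BROWSERS = (
    r"^(?!.*(com\.microsoft\.emmx|com\.android\.chrome|com\.sample\.application)).*$"
)

# Constructed inventory of application IDs (sample data, not read from a device).
APP_IDS = [
    "com.microsoft.emmx",
    "com.microsoft.emmx.beta",    # constructed: an ID that merely contains the Edge ID
    "com.android.chrome",
    "com.cnn.mobile.android.phone",
    "com.google.android.gms",
    "com.google.android.apps.maps",
    "com.google.androidx.demo",   # constructed near-miss for the Google prefix
]


def split_by_exception(pattern, app_ids):
    """Return (bypassed, inspected) lists for one exception pattern.

    Assumption: an exception applies when the pattern matches the whole
    application ID, modelled here with re.fullmatch.
    """
    rx = re.compile(pattern)
    bypassed = [a for a in app_ids if rx.fullmatch(a)]
    inspected = [a for a in app_ids if not rx.fullmatch(a)]
    return bypassed, inspected


def report(name, pattern):
    bypassed, inspected = split_by_exception(pattern, APP_IDS)
    print(f"{name}\n  bypassed : {bypassed}\n  inspected: {inspected}")


if __name__ == "__main__":
    report("Google prefix", GOOGLE_PREFIX)
    report("All but Edge", ALL_BUT_EDGE)
    report("All but browsers", ALL_BUT_BROWSERS)
```

Because the negative lookahead contains a leading .*, any ID that merely contains a listed browser ID (such as the constructed com.microsoft.emmx.beta) is also left out of the bypass and stays inspected. Running a candidate pattern against the real app inventory before saving it as an exception catches this kind of over- or under-matching.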

While bypassing SSL inspection through Certificate Pinned Apps, you can either Block or Bypass traffic.

Traffic Steering Exceptions on Android and ChromeOS

Netskope steers all traffic except traffic configured as Certificate Pinned Application, Domain, and Destination Locations exceptions. Netskope validates the exceptions set up in the steering configuration, bypasses the traffic from the selected sources, and sends it directly to its destination. If you want apps, other than those that need to be inspected by Netskope, to be bypassed in the steering configuration, you can configure this in Settings > Security Cloud Platform > Steering Configuration > Your <Steering Configuration> Exception. To learn more, view Exceptions.

Netskope Client Uninstallation

The uninstallation of Netskope Client from your Android device with a personal account is simple:

  1. Open the Google Play Store app.

  2. Tap your Profile icon.

  3. Tap Manage apps & devices > Manage.

  4. Tap Netskope Client.

  5. Tap Uninstall.

To learn more, view Uninstall Apps in Android.

Netskope restricts users from uninstalling Netskope Client (provisioned by your organization) from the Work profile.