Netskope Client for macOS

This document describes the various methods to install Netskope Client on a macOS device and how to configure and steer traffic to the Netskope Cloud.

Supported Versions

Refer to Netskope Client Supported OS and Platform to understand the supported versions for macOS.

Install Netskope Client

You can install Netskope Client in macOS using one of the following methods:

  • Email Invite
  • Using PLIST
  • MDM Deployment Options

Using Email Invite

You can install Netskope Client using the email invitation sent from the admin console. Click the download link and install Client on your device.

Important

Email invites are time-bound and can be used only by the intended user.

After you receive the email:

  1. Check your email from Netskope Onboarding and click the link for Mac Client.
  2. Click Download. This downloads to your default location.
  3. Click the installer file.
  4. Follow the steps as displayed in the Install Netskope Client window.
  5. Once the installation is complete, you can see the Netskope Client running on your taskbar.

To learn more, view Email Invite.

Using PLIST

This method uses scripts and a PLIST to install Netskope Client on macOS devices in single-user mode. The steps include:

  1. Generate .plist file.
  2. Download script.

Generate .plist File

Run the following command in a terminal:

sudo /usr/libexec/PlistBuddy -c "add email string user@example.com" /Library/Managed\ Preferences/template.plist

Generate Script

  1. Download the configuration script from the Netskope Support portal. The file contains the essential command-line executable scripts to install and configure the client.

  2. Extract the contents of the MAC-MDM-script.zip file.

  3. Execute this command in Terminal:

    sudo ./macmdmscript.sh 0 0 0 addon-<tenant-name>[.region].<tenant-domain> <Organization ID> <plist file name> preference_email

  4. Place the Netskope client installer in the same folder as the configuration script and install the Netskope client.

Other Deployment Methods

Netskope currently supports the following deployment options for macOS:

Uninstall Client In macOS

To uninstall Client in macOS:

  1. Click the Spotlight icon from your dock or the magnifying glass on the top of your taskbar.
  2. Enter Remove Netskope.
  3. You will be prompted to enter your administrative credentials at this point.
  4. The Netskope Client is uninstalled from your machine.
  5. Click OK.

The Password protection for client uninstallation and service stop option under Client Configuration > Tamperproof lets the administrator restrict unauthorized uninstallation of Client by end users. The end user must know the password set by the administrator to uninstall the Client. The service stop option is available only on Windows devices.

Tamperproofing of Netskope Client in macOS Ventura

In macOS versions earlier than Ventura, such as Monterey, users are unaware of the applications running in the background. macOS Ventura displays the applications running in the background and allows users to enable or disable them. To learn more, view Login and Background items.

Netskope Client runs in the background, and disabling the Client services can impact the Client functionality, and end users can encounter security issues. You can restrict users from enabling or disabling this option through MDMs like VMware Workspace ONE and JAMF using policies.

VMware Workspace ONE

The following configuration steps restrict users from disabling the Client in login items.

  1. Go to Resources > Profiles & Baselines > Profiles.
  2. Click Add > Add Profile.
  3. Select Apple macOS as the platform to start.
  4. Select Device Profile in Select Context.
  5. Enter profile name.
  6. Go to the Custom Settings section and click Add at the right corner of this section. The fields are now enabled.
  7. Provide the following custom payload information in the Custom Settings text-box:
    <dict>
        <key>PayloadDisplayName</key>
        <string>Service Management - Managed Login Items</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.servicemanagement.xxx</string>
        <key>PayloadType</key>
        <string>com.apple.servicemanagement</string>
        <key>PayloadUUID</key>
        <string>xxxxxxxx-xxxx-xxxx-xxxx-xxx</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
        <key>Rules</key>
        <array>
        <dict>
            <key>RuleType</key>
            <string>TeamIdentifier</string>
            <key>RuleValue</key>
            <string>24W52P9M7W</string>
        </dict>
        </array>
    </dict>

    Edit the Payload Identifier and UUID values.

    Important

    Currently, many MDM providers do not have the user interface (UI) option to disable this functionality. Hence, use Custom Settings to add the payload.

  8. Click Next.
  9. On the Assignment page, assign the profile to Smart Groups.
  10. Click Save and Publish.

JAMF

Using JAMF Pro, you can restrict users from disabling Netskope Client in background services. This requires you to upload the following configuration PLIST (netskope login items.mobileconfig).

Configuration file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>PayloadContent</key>
        <array>
            <dict>
                <key>PayloadDescription</key>    
                <string>Allows for netskope to register a launch daemons and launch agents</string>
                <key>PayloadDisplayName</key>
                <string>Managed Login Items - Netskope Apps</string>
                <key>PayloadIdentifier</key>
                <string>com.netskope.servicemanagement.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.</string>
                <key>PayloadUUID</key>
                <string>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>
                <key>PayloadType</key>
                <string>com.apple.servicemanagement</string>
                <key>PayloadOrganization</key>
                <string>Netskope</string>
                <key>Rules</key>
                <array>
                    <dict>
                        <key>RuleType</key>
                        <string>TeamIdentifier</string>
                        <key>RuleValue</key>
                        <string>24W52P9M7W</string>
                        <key>Comment</key>
                        <string>Allow login items for netskope apps</string>
                    </dict>
                </array>
            </dict>
        </array>
        <key>PayloadDisplayName</key>
        <string>Managed Login Items - Netskope Apps</string>
        <key>PayloadIdentifier</key>
        <string>com.netskope.servicemanagement.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>
        <key>PayloadUUID</key>
        <string>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</string>
        <key>PayloadType</key>
        <string>Configuration</string>
        <key>PayloadScope</key>
        <string>System</string>
    </dict>
</plist>

To learn more, view Uploading a Configuration Profile for Managed Login Items.
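
A pre-upload check for the two payloads above, written for this page as an added example (it is not Netskope, JAMF or VMware code). It flags PayloadUUID and PayloadIdentifier values that are still placeholders, a UUID reused between the profile and its payload (each PayloadUUID must be unique), and a missing TeamIdentifier rule. The names lint_profile and sample_profile are hypothetical, and the sample profile is constructed.

```python
import plistlib
import re
import sys

TEAM_ID = "24W52P9M7W"  # RuleValue used in both payloads on this page
UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


def lint_profile(data, team_id=TEAM_ID):
    """Lint .mobileconfig bytes; returns a list of findings (empty means clean)."""
    try:
        profile = plistlib.loads(data)
        payloads = [p for p in profile["PayloadContent"] if isinstance(p, dict)]
    except Exception as exc:  # not a plist, or no PayloadContent array
        return [f"cannot read profile: {exc!r}"]
    findings, seen = [], set()
    for label, item in [("profile", profile)] + [("payload", p) for p in payloads]:
        puuid = str(item.get("PayloadUUID", "")).lower()
        if not UUID_RE.fullmatch(puuid):
            findings.append(f"{label}: PayloadUUID missing or still a placeholder")
        elif puuid in seen:
            findings.append(f"{label}: PayloadUUID reused; each one must be unique")
        seen.add(puuid)
        # Heuristic: the placeholders on this page are runs of 'x'.
        if "xxx" in str(item.get("PayloadIdentifier", "xxx")).lower():
            findings.append(f"{label}: PayloadIdentifier missing or still a placeholder")
    team_rule = any(
        r.get("RuleType") == "TeamIdentifier" and r.get("RuleValue") == team_id
        for p in payloads if p.get("PayloadType") == "com.apple.servicemanagement"
        for r in p.get("Rules", []) if isinstance(r, dict))
    if not team_rule:
        findings.append(f"no servicemanagement TeamIdentifier rule for {team_id}")
    return findings


def sample_profile(outer_uuid, inner_uuid):
    """Constructed sample with the same structure as the JAMF profile above."""
    base = "com.netskope.servicemanagement."
    inner = {"PayloadType": "com.apple.servicemanagement",
             "PayloadIdentifier": base + inner_uuid, "PayloadUUID": inner_uuid,
             "Rules": [{"RuleType": "TeamIdentifier", "RuleValue": TEAM_ID}]}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadScope": "System",
                           "PayloadIdentifier": base + outer_uuid,
                           "PayloadUUID": outer_uuid, "PayloadContent": [inner]})


if __name__ == "__main__":
    ph = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # the page's unedited placeholder
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_profile(ph, ph)
    print("\n".join(lint_profile(data)) or "no findings")
```

Run it with the path to the edited .mobileconfig as the only argument; with no argument it lints the constructed sample that still carries the placeholders.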

Perform the following steps to upload the PLIST file to JAMF:

  1. Log into JAMF with admin credentials.
  2. Go to Computers > Configuration Profiles.
  3. Click Upload.
  4. In Upload OS X Configuration Profile, click Choose File and select the file (netskope login items.mobileconfig) from your local machine.
  5. Click Upload. This navigates to the New macOS Configuration Profile.
  6. In the New macOS Configuration Profile, Name under General displays the Payload Display Name string provided in the PLIST file.
  7. Click Save.
  8. Click the Scope tab and configure the scope of the configuration profile.
  9. Click Save.

The configuration profile is now pushed to the target devices in your scope and you can view the new profile from Configuration Profiles.

To check the configuration profile from your macOS device, go to System Settings > General Settings > Profiles. Here you can see Managed Login Items – Netskope Apps listed under the Devices (Managed) section.

Approve Full Disk Access Permission For macOS Sonoma (v14) or Later

For enrollments on macOS Sonoma (v14) or later, Netskope Client displays a dialog box instructing you to enable NetskopeClientMacAppProxy from the Security & Privacy tab in System Settings.

After you receive the dialog box, follow these steps:

  1. Open System Settings from the tray.

  2. This opens Full Disk Access under System Settings > Privacy & Security > Full Disk Access.

  3. On the Full Disk Access screen, toggle NetskopeClientMacAppProxy to enable it.

You may also receive similar pop-ups in MDM deployments if you do not push the MDM payload (com.apple.TCC.configuration-profile-policy) to grant the system extension Full Disk Access. To learn more about Full Disk Access for MDMs, view Netskope Deployment Options.

Allow Endpoint Security extensions in Settings > General > Items & Extensions > Endpoint Security Extensions to modify system extensions.