The Netskope Client (or the mobile profile on iOS) can be installed via the email invitation sent from the admin console. The user can click the link to download and install the Client (or the mobile profile) on their device. Additionally, if you use the email invite option for iOS devices, ensure that you follow the steps defined here to trust manually installed certificates. Email invites are time-bound and can be used only by the intended user.
Target Devices: Devices running Microsoft Windows, Apple macOS, iOS and Android.
For iOS devices running versions after 12.1.3, Apple has changed how profile installations work on iOS devices. Automatic installation of profiles has been restricted, and now requires additional steps. In such cases, for a new profile to be installed, end users must manually navigate to device settings to install the profile after clicking on the link in the email and downloading the profile. Netskope recommends updating the email invitation template to call the users’ attention to this important step. This change does not impact MDM-based configuration profile installation.
- Reference: https://support.apple.com/en-us/HT209435
- To enroll is iOS beta program, and try this experience: https://appleseed.apple.com/
Prerequisites to Deploy Client via Email
- The users’ account must be set up on the tenant before sending out the email invite.
- Installation of client requires administrator rights on the end-user devices.
Fresh Installation of Client on macOS 10.13.4
All new installations that are done using the email invitation feature will require the end user to approve the kernel extension. Users will be presented with a message that guides them through the steps to take for granting approval.
The system behavior presents the approval dialog in the Security > Privacy preferences pane for 30 minutes after the above alert is generated. No traffic is tunneled to Netskope unless this approval is granted if the client is installed manually via the email invitation method.
The following is required before you do a fresh installation of client on macOS 10.13.4
- Install the client as an admin user. (KEXT approval by a non-admin is not allowed).
- When the KEXT is blocked during installation, users must approve the KEXT from System Preferences > Security > Privacy. In few minutes, the client will detect the approved KEXT.
Create Email Invite
Use the following procedure in your (administrator account required) Netskope admin console to create the email invite:
- Go to Settings > Security Cloud Platform > Netskope Client > Users page.
- Click Add Users and enter the following in the Add Users pop-up window:
- User email address. Enter comma separated email address if adding more than one user.
Alternatively, to bulk add users you can upload a CSV file with the email address of all users. The CSV file entries must have this format: email, lastname, firstname. Last name and First name are optional.
- Select the Send email invite checkbox and click the Add button.
An email invite is single use and the invite is valid for 7 days only, whichever happens first.
Support for Chromebook
To install Netskope client in Chromebook, use the following procedure to install the Netskope root CA cert in Chrome OS cert store.
- Ensure that you have purchased additional Chromebook management licence for the Google admin account.
- Cert pinned app domains are bypassed in Netskope Android App
Enroll Chromebook to Google Managed Account
- Power on the Chromebook and follow the on-screen instructions until you see the sign-in screen. Don’t sign in yet. If you see the enrollment screen instead of the sign-in screen, go to step 4.
- If you’re enrolling a Chromebook tablet, tap Email or phone. Then, tap the More option (three vertical dots).
- Switch to full layout to open the on-screen keyboard.
- Choose an option to get to the enrollment screen:
- Press Ctrl+Alt+E.
- Click More options > Enterprise enrollment
This option is not available on Chromebook tablets.
- Enter the username and password from your Google admin welcome letter or for a Google Account that has the permissions to enroll. If prompted, enter the asset ID and location and click Next.
- When you get a confirmation message that the device is successfully enrolled, click Done.
Configure Google Admin Account
- Sign in to your Google admin account console.
- Click Device Management.
- On the left, click Network and click Certificates.
- [Optional] On the left, choose the organizational unit to add the certificate.
The top-level organization is selected by default to give all users (including those in sub-organizations) access to any added certificates.
- Click Add Certificate. Choose the certificate file to upload and click Open.
- [Optional] If the certificate is used as a root CA for an SSL-inspecting web filter or to allow the browser to validate the full digital certificate chain of servers, check the Use this certificate as an HTTPS certificate authority box.
- Click Save and then Done to confirm.
Deploy the Certificate to Chrome Devices
Enroll the Chromebook to the organization’s Google account. Chrome devices will authenticate to Google and receive the SSL certificate. The pushed certificate applies to all enrolled Chrome devices.
The admin sends an invitation email to the Chromebook user and the user must click the Android app link to install the Android app in Chromebook.
ChromeOS devices use the same Netskope Client app as Android devices.