JAMF
JAMF is an enterprise mobility management tool used for endpoint management of macOS devices. You can install the Client on users’ devices using JAMF (formerly known as Casper Suite).
Deployment Prerequisites
- Administrators must have a working knowledge of JAMF/JSS/Casper Suite.
- This procedure provides JAMF/JSS configuration instructions for clients installed on AD-controlled macOS devices.
- Download the JAMF scripts from the Download page in the Netskope Support portal. The file contains the essential command-line executable scripts to install and configure the client.
- User Configuration: Execute the downloaded script to get the configuration file. This script locates active (online) AD users and downloads user-specific configuration files from the Netskope cloud to the endpoint. Ensure that the AD devices are accessible before executing the script.
Configuration Profile for Auto Approval
Approve Network Extension for Big Sur and Later
- In JAMF, go to Computers > Configuration Profiles > New > System Extension.
- Select Allow users to approve system extensions.
- Under Allowed Team IDs and System Extensions, select System Extension Types as Allowed System Extensions.
- Add Network Extension Team ID: 24W52P9M7W
- Click the Add button to add the following System Extension:
com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy
Confirming Netskope Client Extension Approval
To confirm that the Netskope Client extension has been approved and the client is running, run the following command in a terminal window on macOS 11:
systemextensionsctl list
The output should look like this:
% systemextensionsctl list
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * 24W52P9M7W com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1) NetskopeClientMacAppProxy [activated enabled]
Additionally, inspect the system preferences and Network UI to confirm that Netskope Client extension is active.
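The check above can be scripted so that it fails when the extension is missing, still awaiting approval, or listed under a different team ID. This is an added example, not part of the Netskope JAMF scripts; the function names and the sample rows are constructed for illustration, and the team ID and bundle ID are the ones given on this page.

```shell
#!/bin/sh
# Added example (not Netskope's script). Team ID and bundle ID are the values
# given on this page; function names and sample rows are constructed.
TEAM_ID="24W52P9M7W"
BUNDLE_ID="com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy"

# Reads `systemextensionsctl list` output on stdin, prints the state of every
# row whose team ID AND bundle ID both match, and returns:
#   0 = a matching row is "activated enabled"
#   1 = listed, but in another state (for example still awaiting approval)
#   2 = not listed (also covers the bundle ID appearing under another team ID)
netskope_sysext_state() {
    awk -v team="$TEAM_ID" -v bundle="$BUNDLE_ID" '
    {
        has_team = 0; has_bundle = 0; in_state = 0; state = ""
        for (i = 1; i <= NF; i++) {
            if ($i == team)   has_team = 1
            if ($i == bundle) has_bundle = 1
            # The trailing [state] column may span several words.
            if (substr($i, 1, 1) == "[") in_state = 1
            if (in_state) state = (state == "" ? $i : state " " $i)
        }
        if (!has_team || !has_bundle) next
        state = substr(state, 2, length(state) - 2)   # strip the brackets
        found = 1
        print state
        if (state == "activated enabled") ok = 1
    }
    END { if (ok) exit 0; if (found) exit 1; exit 2 }'
}

# Constructed sample row in the tool's column layout; $1 is the state text.
sample_row() {
    printf '*\t*\t%s\t%s (85.2.0.269/1)\tNetskopeClientMacAppProxy\t[%s]\n' \
        "$TEAM_ID" "$BUNDLE_ID" "$1"
}

# Demo on constructed input. On a managed Mac, pipe the real command instead:
#   systemextensionsctl list | netskope_sysext_state
sample_row "activated enabled" | netskope_sysext_state
```

Matching on the team ID as well as the bundle ID means a row that reuses the bundle ID under another signer is reported as not listed rather than as approved.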
Approve VPN Popup for App Proxy
The following procedure is applicable for macOS devices running Big Sur 11.0 or later:
- Go to Computers > Configuration Profiles > New > General.
- Go to VPN > Configure and configure the VPN with the following settings:
- Connection Name: Any Name
- VPN Type: Select Per-App VPN
- Per-App VPN Connection Type: Select Custom SSL
- Identifier: Enter
com.netskope.client.Netskope-Client
- Server: Enter the Netskope Gateway URL for the tenant: gateway-<tenant_hostname>.goskope.com
- Provider Bundle Identifier: Enter
com.netskope.client.Netskope-Client
- Provider Type: Select App-Proxy
- Select Include All Networks.
- For Specify Provider Designated Requirement: enter the following:
anchor apple generic and identifier "com.netskope.client.Netskope-Client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
- Select Prohibit users from disabling on-demand VPN settings.
Restrict AppProxy Removal
The following configuration steps (applicable for macOS devices running Big Sur 11.0 or later) prevent users from changing network settings by restricting access to the Network option.
- In JAMF, go to Computers > Configuration Profiles > New > Restrictions.
- Configure Restrictions.
- Select Restrict items from System Preferences.
- Select the items to restrict (Network in this case).
- Add the scope (machine) and push the profile.
Installing the Client
Client installation is done using JAMF policies. The following section describes in detail how to create JAMF policies.
Note
Download the latest JAMF scripts from the Netskope Support website.
Create a New JAMF Policy
- In the JSS Dashboard, go to Computers > Policies and click + New.
- On the General page, enter a Display Name, for example: Netskope Client Policy.
- For Trigger, select Login. Scripts can also be run using other options, like Logout and Network State Change.
- For Execution Frequency, select Once per computer.
- Select Packages and on the Packages page, click Configure.
- Add the Client installer package, and for Action, select Install.
- Select Scripts and on the Scripts page, add the JAMFScript_v19_Jan2023.sh script.
- For Priority, select Before. The script must be executed before the installation process, so Priority must be Before.
- Netskope supports six modes of deployment. Before you proceed, ensure that you have the following parameters handy:
- REST API token: In your tenant (Netskope admin console), go to Settings > Tools > REST API > Show to get the token. If you are generating your token for the first time, click the Generate New Token button.
- Organization ID: In your tenant (Netskope admin console), go to Settings > Security Cloud Platform > click MDM Distribution in the left column under Netskope Client. The Organization ID is in the Create VPN Configuration section. The Organization ID is case-sensitive.
- Update the script options for parameters 4 to 8 for each mode. Refer to the table below the instructions to understand the modes and parameters added in the script.
- Click the + button to add another script.
- When finished, click Save.
Deployment Mode | Configuration Parameters |
---|---|
Standard Mode (email-based) |
|
UPN Mode |
|
Multi-user Mode (enabling for each provisioned user on the tenant) |
|
IDP Single-User mode |
|
IDP Multi-User mode |
|
For macOS devices (single-user installations) that are not AD joined. |
To learn about creating a plist, view create plist for Jamf installation in Support portal |
Push Netskope Root and Tenant Certificates
Provide additional trust to end users by pushing certificates during client installation. Before you can push the root and tenant certificates, ensure that you do the following:
- Download the root and tenant certificates from the Netskope MDM Distribution page.
- Log in to the Netskope tenant admin console with admin credentials.
- Go to Settings > Security Cloud Platform > MDM Distribution. The certificate download options are displayed in the Certificate Setup section.
- Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.
Push Certificate via JAMF
- Log in to the JAMF admin console. Go to Computers > Configuration Profiles > New.
- Under Options, give a name to this profile.
- Select Certificate > Configure.
- Enter a name for the certificates.
- Select Upload to upload the converted root and tenant certificates.
- In the Scope tab, select the target computers.
- Click the Save button.
Verify Client Installation
Check the installation logs on the user’s machine in /var/log/install.log. If the user configuration download script fails and the Netskope client installer is executed, the installer exits and displays the “Configuration file missing, aborting installation!” error message.
Check Netskope Client Installation Status
- To verify the status of each device, go to Computers > Policies and click the policy you created.
- Click the Logs button at the bottom to view the log files for each device and then click the Show button.