JAMF
JAMF
JAMF is an enterprise mobility management tool that is used for the endpoint management of macOS devices. You can install the Client on users’ device using JAMF ( formerly known as Casper Suite ).
Deployment Prerequisites
- Administrators must possess fair knowledge of JAMF/JSS/Casper suite.
- Download the JAMF scripts from the Download page in Netskope Support portal. The file contains the essential command-line executable scripts to install and configure the client. The script file is available from the Netskope support portal.
- User Configuration: Execute the downloaded script to get the configuration file. This script locates active (online) AD users and downloads user specific configuration files from the Netskope cloud to the end point. Ensure that the AD devices are accessible before executing the script.
Configuration Profile for Auto Approval
Approve Network Extension for Big Sur and Latest
- In JAMF, go to Computers > Configuration Profiles > New > System Extension.
- Select Allow users to approve system extensions.
- Under Allowed Team IDs and System Extensions, select System Extension Types as Allowed System Extensions.
- Add Network Extension Team ID: 24W52P9M7W
- Click the Add button to add the following System Extension:
com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy
Confirming Netskope Client Extension Approval
To confirm that the Netskope Client extension has been approved and the client is running, run the following command in your macOS11 terminal window:
systemextensionsctl list
The output should look like this:
% systemextensionsctl list 1 extension(s) --- com.apple.system_extension.network_extension enabled active teamID bundleID (version) name [state] * * 24W52P9M7W com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy (85.2.0.269/1) NetskopeClientMacAppProxy [activated enabled]
Additionally, inspect the system preferences and Network UI to confirm that Netskope Client extension is active.
Approve Full Disk Access Permission For Sonoma or Later
-
In JAMF, go to Computers > Configuration Profiles > New > Privacy Preferences Policy Control.
-
Click Configure to define access settings for applications.
-
Under App Access, enter the following:
-
Identifier:
com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy
-
Select Bundle ID for Identifier Type.
-
Code Requirement:
anchor apple generic and identifier "com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
-
-
Click +Add to allow or deny access to a service or app.
-
Select SystemPolicyAllFiles under App or Service and Allow under Access.
-
Click Save to save the permission.
-
Save the configuration profile.
– Identifier: com.netskope.epdlp.client
– Code Requirement:
anchor apple generic and identifier "com.netskope.epdlp.client" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "24W52P9M7W")
To learn more: Enabling Endpoing DLP on the Netskope Client for macOS.
Approve VPN Popup for App Proxy
The following procedure is applicable for macOS devices running Big Sur 11.0 or later:
- Go to Computers > Configuration Profiles > New > General
- Go to VPN > Configure and configure the VPN with following
- Connection Name: Any Name
- VPN Type : Select Per-App VPN
- Per-App VPN Connection Type: Select Custom SSL
- Identifier: Enter
com.netskope.client.Netskope-Client
- Server: Enter the Netskope Gateway URL for the tenant: gateway-<tenant_hostname>.goskope.com
- Provider Bundle Identifier: Enter
com.netskope.client.Netskope-Client
- Provider Type: Select App-Proxy
- Select Include All Networks.
- For Specify Provider Designated Requirement: enter the following:
anchor apple generic and identifier”com.netskope.client.Netskope-Client” and (certificateleaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificateleaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificateleaf[subject.OU] = “24W52P9M7W”)
- Select Prohibit users from disabling on-demand VPN settings
Restrict AppProxy Removal
The following configuration steps (applicable for macOS devices running Big Sur 11.0 or later) restrict users from making any changes to network option accessibility.
- In JAMF, go to Computer’s > Configuration Profile > New > Restrictions.
- Configure Restrictions.
- Select Restrict items from System Preferences.
- Select items (Network in this case)
- Add the scope (machine) and push the profile.
Installing the Client
Client installation is done using JAMF policies. The following section describes in detail on creating JAMF policies.
Note
Download the latest JAMF scripts from Netskope Support website.
Create a New JAMF Policy
- In the JSS Dashboard, go to Computer > Policies and click + New.
- On the General page, enter a Display Name, for example: Netskope Client Policy.
- For Trigger, select Login. Scripts can also be run using other options, like Logout and Network State Change.
- For Execution Frequency, select Once per computer.
- Select Packages and on the Packages page, click Configure.
- Add the Client installer package, and for Action, select Install.
- Select Scripts and on the Scripts page, add the JAMFScript_v19_Jan2023.sh script.
- For Priority, select Before. The script must be executed before the installation process, so Priority must be Before.
- Netskope supports six modes of deployment. Before you proceed, ensure that you have the following parameters handy:
- REST API token: In your tenant (Netskope admin console), go to Settings > Tools > REST API > Show to get the token. If you are generating your token for the first time, click the Generate New Token button.
- Organization ID: In your tenant (Netskope admin console), go to Settings > Security Cloud Platform > click MDM Distribution in the left column under Netskope Client. The Organization ID is in the Create VPN Configuration section. The Organization ID is case-sensitive.
- Update the script options for parameters 4 to 8 for each mode. Refer to the table below the instructions to understand the modes and parameters added in the script.
- Click the + button to add another script.
- When finished, click Save.
Deployment Mode | Configuration Parameters |
---|---|
Standard Mode (email-based) |
|
Multi-user Mode (enabling for each provisioned user on the tenant) |
|
IDP Single-User mode |
|
IDP Multi-User mode |
|
For macOS devices (single-user installations) that are not AD joined. |
To learn about creating a plist, view create plist for Jamf installation in Support portal |
- Adding the Silent Mode (silent_mode) parameter as one of the script options for any deployment mode can suppress the Netskope Client Installer failure pop-up in the event of any deployment failure.
- If Secure Enrollment feature is enabled, each deployment mode consists of two additional parameters (Authentication and Encryption token):
- enrollauthtoken: Specifies the authentication token.
- enrollencryptiontoken: Specifies the encryption token.
External Browser-based Authentication
Netskope Client supports FIDO authentication with our SAML forward proxy for macOS devices through external browser support.
You can enable the external browser support in the IdP configuration file and set Safari, MS Edge, and Google Chrome as the default browser(Firefox is not supported). Use the following additional parameters in the IdP mode (single user and multi-user) of deployment in the Jamf script:
-
Mode: Enter the mode to specify the browser support to be enabled during Client installation. Mode is a string with values and you can add one of the following values in the script.
-
Embedded: Default value and opens the existing mini-browser.
-
Scheme: Opens the external browser.
-
-
preferEphemeral: If you set the value to:
-
True: It means it request ephemeral (private) browser window from the default browser.
-
False: It means it request regular (non-private) browser window from the default browser.
-
For example,
sudo ./nsclientconfig.sh 1 2 3 idp goskope.com corp 0 preferephemeral=true mode=scheme

Push Netskope Root and Tenant Certificates
Provide additional trust to end users by pushing certificates during client installation. Before you can push the root and tenant certificates, ensure that you do the following:
- Download root and tenant certificates from Netskope MDM distribution page.
- Login to Netskope tenant admin console with admin credentials.
- Go to Settings > Security Cloud Platform > MDM Distribution. The certificate download options are displayed in the Certificate Setup section.
- Convert the downloaded certificates to .cer format by renaming the .pem files to .cer.
Push Certificate via JAMF
- Login to JAMF admin console. Go to Computer > Configuration Profile > New.
- Under Options, give a name to this profile.
- Select Certificate > Configure.
- Enter a name for the certificates.
- Select Upload to upload the converted root and tenant certificates.
- In the Scope tab, select the target computers.
- Click the Save button.
Verify Client Installation
Check the installation logs on the user’s machine in the /var/log/install.log folder. If the user configuration download script fails and the Netskope client installer is executed, the installer will exit and displays the “Configuration file missing, aborting installation! error” message.
Check Netskope Client Installation Status
- To verify the status of each device, go to Computer > Policies and click on the policy you created.
- Click the Logs button at the bottom to view the log files for each device and then click the Show button.