Deploy Client on iOS Using Intune


Netskope supports Intune on-demand and per-app VPN for iOS devices, so you can provide users with access to corporate applications, data, and resources while keeping your sensitive information secure.


Before you configure Intune:

  • In the Netskope UI, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution. Download the Netskope Root Certificate.
  • Locate and save the Organization ID token from the MDM Distribution page.
  • User accounts provisioned in the MDM/EMM platform must match those provisioned in the Netskope tenant.

Create a Trusted Netskope Root Certificate Profile

You need to download the Netskope Root certificate from the Netskope UI to complete these steps. To get the certificate, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution.

The Netskope Root certificate is in .pem format and must be in .cer or .crt format before you import it. To convert it, rename the file from .pem to .cer.

To create a trusted Netskope certificate profile:

  1. In the Intune UI, go to Devices > iOS/iPadOS > Configuration profiles.

  2. Click Profile > Create Profile. Enter and select these parameters:


    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: Trusted certificate.

  3. In the Trusted Certificate panel, provide a name in the Basics tab and click Next.

  4. In the Configurations settings tab, upload the Netskope Root certificate.

  5. Review your settings, and click Create.

  6. Repeat the same steps for the Netskope Intermediate Certificate.

Deployment Procedure

Perform the instructions in the following sections to deploy Netskope Client using Intune.

Enroll Unified Netskope iOS Client in MS Intune

  1. Go to Apps > iOS/iPadOS apps.

  2. Click + Add.

  3. Select iOS store app from the App type drop-down menu.


    Purchase Netskope Client through the respective tools if your organization is leveraging Apple Business Manager or Apple School Manager. The Netskope Client shows up in the list of applications available for deployment after the tokens are synchronized.

  4. Click Select.

  5. From App Information, click Search the App Store and select Netskope Client app to add the application.


  6. Click Select. The App Information section displays more information on the UI. No additional configuration is required here.

  7. Click Next.

  8. Assign the application to devices or users. Click Next to continue.

  9. Click Create to complete creating the application.

Create App Configuration Policy

  1. Go to Apps > App Configuration Policies to add the required policies to Unified Netskope Client.

  2. Click +Add and select Managed Devices.

  3. In the Basics section of the Create app configuration policy page, enter the following details and click Next:

    • Name: Give a name to the policy.

    • Platform: Select iOS/iPadOS.

    • Targeted App: Select Netskope Client.

  4. In the Settings section of the Create app configuration policy page, select the Use configuration designer option from the Configuration settings format dropdown menu.

  5. Provide the required Key-Value pairs to complete the Netskope Client enrollment process:

    • UserEmail: {{mail}}

    • AddonHost: <addon-hostname>. For example, addon-<tenant-URL>.

    • OrgKey: <Organization Key>

    • enrollauthtoken: <Authentication Token>

    • enrollencryptiontoken: <Encryption Token>

    Use the enrollauthtoken and enrollencryptiontoken keys only if you have enabled Secure Enrollment.

    The Organization ID is case-sensitive. To find it:

    1. Log in to your tenant with admin credentials.
    2. Click Settings > Security Cloud Platform > MDM Distribution.
    3. In the MDM Distribution page, scroll down to the Create VPN Configuration section to find your Organization ID.

  6. In the Assignments section of the Create app configuration policy page, select the groups to which the policy applies from the Assign to dropdown menu, and click Next.


  7. In the Review + create section of the Create app configuration policy page, review the configuration and click Create.

Create VPN Profile

Once the Netskope Client is installed, it attempts to create an On-Demand VPN profile on the mobile device, which results in an additional user prompt. To suppress user prompts and to customize VPN profile settings (for example, to create a Per-App profile instead of On-Demand), it is recommended to create and push the VPN profile with Intune. To learn more, view Create Profile.

  1. Go to Devices > iOS/iPadOS policies > Configuration Profiles > Create Profile.

  2. Select Profile Type as Templates and Template name as VPN.

  3. Click Create.

  4. In Basics, enter a descriptive name for the profile and click Next.

  5. In Configuration settings, choose the Connection Type as Custom VPN.

  6. Once you select the connection type, do the following:

    1. Under Base VPN, provide the following:

      • Connection name

      • VPN server address: gateway-<tenant-URL>

      • Authentication method: Username and Password

      • VPN identifier: com.netskope.Netskope

      • Intune requires at least one key-value pair to define custom VPN attributes. The example in the screenshot uses SingleSignOn as the key and True as the value.

      • If the deployment requires NPA-only traffic steering, add the following key-value pair to the list of custom VPN attributes.

        • Key: ForceDisabledSteering

        • Value: True

      • To define the timeout that controls the iOS On-demand connections hold feature, add the key-value pair OnDemandConnectionsHoldTimeout: <numeric value in seconds>. With this value in the VPN profile, the connection can be held for a longer time until the tunnel is established successfully and handles traffic. Netskope recommends using values that are large enough to cover normal connection time. For example:

        • Key: OnDemandConnectionsHoldTimeout

        • Value: 20

          This numeric value defines the timeout.

    2. Under Automatic VPN, choose one of the following VPN types to configure:

      • On-demand VPN

        • Specify on-demand rules if necessary.

        • To activate automatic tunnel re-establishment (in case the user manually disables the VPN toggle in iOS Settings), add the following rule:

          • I want to do the following: Connect to VPN.

          • I want to restrict to: All domains.

      • Per-App VPN

        • Specify Provider Type as packet-tunnel.

        • Specify associated domains, Safari URLs, and excluded domains if necessary.

    3. Assign the appropriate user/device groups and click Next.

    4. Review the configuration and click Create.

Associating the Per-App VPN profile with the Apps

Associate the Per-App VPN profile with the applications to steer through the VPN connection.

  1. In the MEM admin console, go to Apps > All apps, select one of the apps listed there, and then click Properties.


  2. In the app Properties page, click Edit for Assignments.


  3. In the Required section, click Add Group. Search and choose one or more groups, and then click Select.


  4. Click VPN and select appropriate Per-App VPN configuration from the dropdown menu.

Zero-Touch Enrollment

The Netskope Client can enroll silently, without any user action, when enrollment data is supplied through a VPN profile. Currently, Intune does not support variables such as {{mail}} in key:value pairs of VPN profiles. Hence, App Configuration is used as the primary source of enrollment data.

For a limited number of use cases, such as testing mapped to a single identity, kiosk deployments, and the like, enrollment data must be populated through the VPN profile, and the email key must use a static email address value (one that is provisioned in the Netskope tenant). In this case, App Configuration is not required; refer to the following image to understand the VPN configuration.
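
A pre-flight check for the values entered in the Create App Configuration Policy and Create VPN Profile sections, including the VPN-profile variable limitation described above. This is an added example, not Netskope or Intune code. The function names, the dictionary layout (server, identifier, custom_attributes) and the example.com hostnames are assumptions made for illustration, and the UserEmail key name inside the VPN profile sample is constructed.

```python
import re

PLACEHOLDER = re.compile(r"<[^>]*>")     # unfilled "<Organization Key>"-style value
INTUNE_VAR = re.compile(r"\{\{.*?\}\}")  # Intune variable such as {{mail}}

def lint_app_config(pairs, secure_enrollment):
    """Check App Configuration Policy key-value pairs (dict of str -> str)."""
    issues = [f"{k}: missing" for k in ("UserEmail", "AddonHost", "OrgKey")
              if not pairs.get(k)]
    issues += [f"{k}: placeholder not replaced" for k, v in pairs.items()
               if PLACEHOLDER.search(v)]
    if pairs.get("UserEmail") and not INTUNE_VAR.search(pairs["UserEmail"]):
        issues.append("UserEmail: expected an Intune variable such as {{mail}}")
    if pairs.get("AddonHost") and not pairs["AddonHost"].startswith("addon-"):
        issues.append("AddonHost: expected addon-<tenant-URL>")
    if not secure_enrollment:
        issues += [f"{k}: use only with Secure Enrollment enabled"
                   for k in ("enrollauthtoken", "enrollencryptiontoken") if k in pairs]
    return issues

def lint_vpn_profile(profile):
    """Check Custom VPN profile values; the dict layout here is hypothetical."""
    issues = []
    if not profile.get("server", "").startswith("gateway-"):
        issues.append("server: expected gateway-<tenant-URL>")
    if profile.get("identifier") != "com.netskope.Netskope":
        issues.append("identifier: expected com.netskope.Netskope")
    attrs = profile.get("custom_attributes", {})
    if not attrs:
        issues.append("custom_attributes: Intune requires at least one pair")
    issues += [f"{k}: Intune variables are not supported in VPN profiles"
               for k, v in attrs.items() if INTUNE_VAR.search(v)]
    timeout = attrs.get("OnDemandConnectionsHoldTimeout")
    if timeout is not None and not timeout.isdigit():
        issues.append("OnDemandConnectionsHoldTimeout: expected whole seconds")
    return issues

# Constructed sample input (hostnames and token are placeholders, not real values).
SAMPLE_APP = {"UserEmail": "{{mail}}", "AddonHost": "addon-tenant.example.com",
              "OrgKey": "<Organization Key>", "enrollauthtoken": "constructed-token"}
SAMPLE_VPN = {"server": "gateway-tenant.example.com",
              "identifier": "com.netskope.Netskope",
              "custom_attributes": {"UserEmail": "{{mail}}",
                                    "OnDemandConnectionsHoldTimeout": "20s"}}

if __name__ == "__main__":
    for issue in lint_app_config(SAMPLE_APP, False) + lint_vpn_profile(SAMPLE_VPN):
        print(issue)
```

Run it against the values you plan to enter before creating the policy and the profile; an empty result means none of the checks found a problem.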
