Secure Enrollment


A mechanism to add an extra layer of security to the Netskope Client enrollment process using tokens. This secures the branding file download using tenant-specific authentication and encryption tokens as required and thereby securing the Netskope Client APIs used to download the configuration.

Secure Enrollment supports the following Client deployment modes for single-user and multi-user scenarios:

This feature is currently in Beta. Contact Netskope Support or your Sales representative to enable this feature.

Securing the download of the branding file has two aspects: authentication and encryption. To use them, enable the following tokens from the Secure Enrollment user interface (UI):

  • Authentication token: Authenticates the API call to download branding file for the tenant.

  • Encryption token: Encrypts the branding file for the tenant and returns it to the Netskope Client.

You can enable these tokens from Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment.

You can install Netskope Client with the Authentication and Encryption tokens passed as installation parameters; the Client uses them to download and decrypt the branding file. If you are enrolling Netskope Client for the first time, make sure you supply valid tokens, otherwise enrollment fails. On multi-user systems or VDIs, you need to reinstall Netskope Client with the updated tokens so that new users receive the appropriate branding file and enroll successfully.

By default, these tokens are disabled. Toggle each button to enable.

Secure Enrollment Token Command Format

Windows

The following is the MSIEXEC command to install Client using IdP method with secure enrollment tokens:

msiexec /I NSClient.msi host=addon-<tenant>[.region].<tenant-domain> [token]=<Organization ID> installmode=IDP enrollauthtoken=<authtoken> enrollencryptiontoken=<encrypttoken> [mode=peruserconfig [userconfiglocation=<path>]] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]

Secure enrollment token parameters are: enrollauthtoken and enrollencryptiontoken. To learn more, view Netskope Client for Windows.

macOS

jamfnsclientconfig.sh <dummy param 1> <dummy param 2> <currentUsername> 
<Adonman url> <Org ID> [preference_file_name][enrollauthtoken=<token>][enrollencryptiontoken=<token>]

To learn more, view Jamf.

Linux

sudo ./STAgent.run -H <tenant> -o <orgkey> -m <user email> -a <authtoken> -e <encrypttoken>

To learn more, view Netskope Client for Linux.

Supported OS

  • Windows 10 and higher

  • macOS 11.0 and higher

  • Android 11 and higher

  • Windows Server 2016, 2019, 2022

  • Linux: Ubuntu 18.04 and higher

  • iOS: 15.1 or higher

  • Netskope Client version: 109.0.0.0 or later

Token Specifications

  • By default, the validity for any token is 90 days. The administrator can generate only one token each for authentication and encryption.

  • The administrator can extend the validity period of a token to any value between seven and 365 days.

  • If you toggle to disable the Authentication or Encryption token, the token gets deleted.

  • Once the administrator generates a token, use the following options:

    • Show/Hide token: Tokens are generated in a hidden state by default. Use the Hide/View option to view them.

    • Revoke token: Use this option when a token is no longer in use.

    • Refresh token: Use this option to generate or renew an existing token.

    • Edit: Modify the expiration date of an existing token.

  • All expired tokens must be replaced before they are used for enrollment. For example, if a user's email ID changes while the secure enrollment tokens are expired, the enrollment fails. You need to redeploy the Client using the correct tokens for the enrollment to succeed.

All token operations are captured in Settings > Administration > Audit Logs.

Enrollment Authentication Token Workflow

Enrollment Encryption Token Workflow

Token Management During Client Upgrade

Multi-User Upgrade

During the Netskope Client upgrade, newly enrolled users must have fresh tokens to complete the enrollment process. The existing users do not need tokens as they have already enrolled and have a branding file.

Fresh tokens are required on multi-user systems where new users enroll, for example Windows multi-user, VDI, macOS multi-user and Linux multi-user.

Single-User Upgrade

For single users, the upgrade completes successfully as the branding file already exists along with the tokens.

Frequently Asked Questions

This section can help answer various queries while enabling secure enrollment in Netskope tenants.

What are the different types of deployment methods used for Secure Enrollment?

Secure Enrollment supports the following Netskope Client deployment modes for single-user and multi-user scenarios:

I want to use the secure enrollment feature for my tenant, however the authentication and encryption tokens are disabled from the webUI. What should I do next?

If the tokens are disabled on the webUI, you can enable them by toggling each one. Navigate to Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment to enable the tokens. New users can then enroll using the secure enrollment tokens.

I have enabled Secure Enrollment in my tenant. However, I have not upgraded my Netskope Client to the latest version. Will secure enrollment work properly?

Yes, if the Client is already enrolled or provisioned, it will continue to work.

I have enabled secure enrollment tokens in my tenant. How can I disable this feature for my tenant?

You can disable Secure Enrollment from the webUI using the navigation path Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment. Here, you can disable the following tokens:

  • Enforce authentication of Netskope Client enrollment

  • Enforce encryption of initial configuration of Netskope Client

After you disable tokens from the webUI, the existing Client continues to work without any error.

Which operating systems are supported for Secure Enrollment?

The following versions of operating systems are supported:

  • Windows 10 and higher

  • macOS 11.0 and higher

  • Android 11 and higher

  • Windows Server 2016, 2019, 2022

  • Linux: Ubuntu 18.04 and higher

  • iOS: 15.1 or higher

  • Netskope Client version: 109.0.0.0 or later

Is there any expiry date or validity for the secure enrollment tokens?

Yes. By default, the validity for any token is 90 days. However, you can extend the validity of the tokens using the EDIT functionality on the webUI. To learn more, see Token Specifications.

How can I audit token exposure to Netskope administrators?

All token operations are captured in Settings > Administration > Audit Logs.

How can I push the enrollment and authentication token to a local machine using IdP method?

Use the following command to install Netskope Client using IdP:

msiexec /I NSClient.msi installmode=IDP enrollauthtoken=<authtoken> enrollencryptiontoken=<encrypttoken>

The Netskope Client stores the encryption and authentication tokens at the following location in the registry: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\SecureToken

How can I install Netskope Client using ‘peruserconfig’ mode using the encryption and authentication tokens in a Windows operating system?

Use the following command to install Netskope Client in peruserconfig mode:

msiexec /I NSClient.msi host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>

General Troubleshooting Methods

General troubleshooting covers Netskope Client installation failures that occur when secure enrollment tokens are used.

Problem 1: The secure tokens are enabled on the webUI but not downloaded in my machine.

In this scenario, the Netskope Client enrollment fails. Check the Netskope Client nsdebuglog.log for the following error:

stAgentSvc p93a0 t1304 error stAgentSvcEx.cpp:2829 nsAgentSvc Unable to download Branding File for email:nsclientteam@gmail.com, addon:addon-abhishek.au.goskope.com, tenant:17083, sessId 1
stAgentSvc p93a0 t1304 info stAgentSvcEx.cpp:2000 nsAgentSvc Replying User Provision request with Status 3 for sessID 1
stAgentSvc p93a0 t1304 info NSCom2.cpp:1851 NSCOM2 message RESP_IDP_USER_PROVISIONING_WITH_TOKEN sent from server to "nsClientUI_s1" client with count 1
stAgentUI p6870 t6298 info MainFrame.cpp:1626 CMainFrame Got RESP_IDP_PROVISIONING_WITH_TOKEN Status 3
stAgentUI p6870 t6298 error IdPProvisioning.cpp:189 IdPProvisioning Got User Provisioning Response as Branding File Error
stAgentUI p6870 t6298 info IdPProvisioning.cpp:671 IdPProvisioning Got User Provisioning Response as Branding File Error Change State from: NS_IDP_WORKFLOW_STATE_TOKEN_VERIFYING to NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE
stAgentUI p6870 t80f0 info MainFrame.cpp:1777 CMainFrame on IdP Page 32777
stAgentUI p6870 t80f0 error IdPProvisioning.cpp:717 IdPProvisioning Starting to show error page 3 on state NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE
stAgentUI p6870 t80f0 info IdPProvisioning.cpp:671 IdPProvisioning Showing error page Change State from: NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE to NS_IDP_WORKFLOW_STATE_ERROR
stAgentUI p6870 t80f0 info IdPProvisioningWebView2Impl.cpp:841 idpwebview2 making window visible
stAgentUI p6870 t80f0 info IdPProvisioningWebView2Impl.cpp:865 idpwebview2 Cleaning main window for new page
stAgentUI p6870 t80f0 info IdPProvisioning.cpp:662 IdPProvisioning Clearing user data and authentication token
stAgentUI p6870 t80f0 info IdPProvisioningWebView2Impl.cpp:891 idpwebview2 Creating Blank window

Push the tokens to the machine as part of the Netskope Client installation; the installation then succeeds.

  • If the Client installation fails during enrollment, first check the syntax of the installation command.

  • If the syntax is correct, check the tokens present in the registry.

Problem 2: Netskope Client enrollment fails after pushing the tokens on the machine using the IdP method using the following command:

msiexec /I NSClient.msi installmode=IDP enrollauthtoken=<authtoken> enrollencryptiontoken=<encrypttoken>

The Netskope Client installation can fail because of a token mismatch. Check nsdebuglog.log for the following error:

stAgentSvc p1ff8 t457c info stAgentSvcEx.cpp:2000 nsAgentSvc Replying User Provision request with Status 3 for sessID 1
stAgentSvc p1ff8 t457c info NSCom2.cpp:1851 NSCOM2 message RESP_IDP_USER_PROVISIONING_WITH_TOKEN sent from server to "nsClientUI_s1" client with count 1
stAgentUI p3874 t94c info MainFrame.cpp:1626 CMainFrame Got RESP_IDP_PROVISIONING_WITH_TOKEN Status 3
stAgentUI p3874 t94c error IdPProvisioning.cpp:189 IdPProvisioning Got User Provisioning Response as Branding File Error
stAgentUI p3874 t94c info IdPProvisioning.cpp:671 IdPProvisioning Got User Provisioning Response as Branding File Error Change State from: NS_IDP_WORKFLOW_STATE_TOKEN_VERIFYING to NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE
stAgentUI p3874 t441c info MainFrame.cpp:1777 CMainFrame on IdP Page 32777
stAgentUI p3874 t441c error IdPProvisioning.cpp:717 IdPProvisioning Starting to show error page 3 on state NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE
stAgentUI p3874 t441c info IdPProvisioning.cpp:671 IdPProvisioning Showing error page Change State from: NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE to NS_IDP_WORKFLOW_STATE_ERROR
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:841 idpwebview2 making window visible
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:865 idpwebview2 Cleaning main window for new page
stAgentUI p3874 t441c info IdPProvisioning.cpp:662 IdPProvisioning Clearing user data and authentication token
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:891 idpwebview2 Creating Blank window
stAgentUI p3874 t441c error IdPProvisioningWebView2Impl.cpp:497 idpwebview2 WebView2 is not initialized
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:503 idpwebview2 WebView2 window is being created.
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:510 idpwebview2 WebView2 window is successfully created
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:517 idpwebview2 WebView2 window is added in tab view
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:521 idpwebview2 WebView2 show window is called
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:524 idpwebview2 WebView2 update window is called
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:542 idpwebview2 WebView2 environment is being created
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:546 idpwebview2 WebView2 initialization is in progress
stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:571 idpwebview2 WebView2 is initialized successfully
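
Problem 1 and Problem 2 above share the same log signatures, so a single triage script covers both. The following Python script is an added example, not Netskope code: it parses nsdebuglog lines using a layout inferred from the excerpts on this page (process, pid, tid, level, source location, module, message; this layout is an assumption), flags the "Unable to download Branding File" message and the transition to NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE, and maps each signature to the checks the page recommends (command syntax first, then the SecureToken registry key against the tenant's tokens). The sample lines are taken from the two excerpts above, plus one constructed excerpt with no failure signature.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Line layout inferred from the excerpts on this page (assumption):
#   <process> p<pid-hex> t<tid-hex> <level> <file>:<line> <module> <message>
LINE_RE = re.compile(
    r"^(?P<proc>\S+)\s+p(?P<pid>[0-9a-fA-F]+)\s+t(?P<tid>[0-9a-fA-F]+)\s+"
    r"(?P<level>\w+)\s+(?P<src>\S+:\d+)\s+(?P<module>\S+)\s+(?P<msg>.*)$"
)
STATE_RE = re.compile(r"Change State from: (\S+) to (\S+)")
STATUS_RE = re.compile(r"\bStatus (\d+)\b")
TARGET_RE = re.compile(r"email:(\S+), addon:(\S+), tenant:(\d+)")

# Message fragments quoted in the page's Problem 1 and Problem 2 excerpts.
BRANDING_DOWNLOAD_FAILED = "Unable to download Branding File"
TOKEN_VERIFY_FAILURE = "NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE"
REGISTRY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\SecureToken"


@dataclass
class EnrollmentTriage:
    parsed: int = 0
    unparsed: int = 0
    branding_download_failed: bool = False
    provisioning_status: Optional[int] = None   # from the nsAgentSvc "Replying ... Status N" line
    token_verify_failed: bool = False
    transitions: List[Tuple[str, str]] = field(default_factory=list)
    email: Optional[str] = None
    addon: Optional[str] = None
    tenant: Optional[str] = None

    def verdict(self) -> str:
        """Map the observed signatures to the checks the page recommends."""
        if self.branding_download_failed:
            return ("branding file download failed: check the installation command syntax, "
                    "then compare the tokens under " + REGISTRY_KEY +
                    " with the tokens shown under Secure Enrollment in the tenant")
        if self.token_verify_failed:
            return ("token verification failed: likely token mismatch; compare the tokens under " +
                    REGISTRY_KEY + " with the tenant's Secure Enrollment tokens")
        return "no secure enrollment failure signature found"


def triage_log(lines) -> EnrollmentTriage:
    """Scan nsdebuglog lines and collect the secure-enrollment failure signatures."""
    t = EnrollmentTriage()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            t.unparsed += 1        # keep a count so a layout change is noticed, not silently ignored
            continue
        t.parsed += 1
        msg = m.group("msg")
        if BRANDING_DOWNLOAD_FAILED in msg:
            t.branding_download_failed = True
            tm = TARGET_RE.search(msg)
            if tm:
                t.email, t.addon, t.tenant = tm.groups()
        sm = STATUS_RE.search(msg)
        if sm and m.group("module") == "nsAgentSvc":
            t.provisioning_status = int(sm.group(1))
        st = STATE_RE.search(msg)
        if st:
            t.transitions.append((st.group(1), st.group(2)))
            if st.group(2) == TOKEN_VERIFY_FAILURE:
                t.token_verify_failed = True
    return t


# Sample input: lines taken from the Problem 1 excerpt on this page.
PROBLEM1_LOG = [
    "stAgentSvc p93a0 t1304 error stAgentSvcEx.cpp:2829 nsAgentSvc Unable to download Branding File for email:nsclientteam@gmail.com, addon:addon-abhishek.au.goskope.com, tenant:17083, sessId 1",
    "stAgentSvc p93a0 t1304 info stAgentSvcEx.cpp:2000 nsAgentSvc Replying User Provision request with Status 3 for sessID 1",
    "stAgentUI p6870 t6298 info MainFrame.cpp:1626 CMainFrame Got RESP_IDP_PROVISIONING_WITH_TOKEN Status 3",
    "stAgentUI p6870 t6298 error IdPProvisioning.cpp:189 IdPProvisioning Got User Provisioning Response as Branding File Error",
    "stAgentUI p6870 t6298 info IdPProvisioning.cpp:671 IdPProvisioning Got User Provisioning Response as Branding File Error Change State from: NS_IDP_WORKFLOW_STATE_TOKEN_VERIFYING to NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE",
]
# Sample input: lines taken from the Problem 2 excerpt (no service-side download error in that excerpt).
PROBLEM2_LOG = [
    "stAgentSvc p1ff8 t457c info stAgentSvcEx.cpp:2000 nsAgentSvc Replying User Provision request with Status 3 for sessID 1",
    "stAgentUI p3874 t94c info MainFrame.cpp:1626 CMainFrame Got RESP_IDP_PROVISIONING_WITH_TOKEN Status 3",
    "stAgentUI p3874 t94c info IdPProvisioning.cpp:671 IdPProvisioning Got User Provisioning Response as Branding File Error Change State from: NS_IDP_WORKFLOW_STATE_TOKEN_VERIFYING to NS_IDP_WORKFLOW_STATE_TOKEN_VERIFY_FAILURE",
]
# Constructed sample with no failure signature (only UI housekeeping lines).
CLEAN_LOG = [
    "stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:503 idpwebview2 WebView2 window is being created.",
    "stAgentUI p3874 t441c info IdPProvisioningWebView2Impl.cpp:571 idpwebview2 WebView2 is initialized successfully",
]

if __name__ == "__main__":
    for name, log in (("problem1", PROBLEM1_LOG), ("problem2", PROBLEM2_LOG), ("clean", CLEAN_LOG)):
        print(name, "->", triage_log(log).verdict())
```

Run it against a full nsdebuglog.log with `triage_log(open(path).readlines())`; the `unparsed` counter tells you whether the assumed line layout held for that Client version before you trust the verdict.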

Problem 3: Some of the user email IDs changed on the webUI and the secure tokens are valid on the machine. Are the tokens still valid for the new users?

If the secure tokens present on the machine (you can find them under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Netskope\SecureToken) match the secure tokens on the webUI, the Netskope Client can download the branding file for the new users. The new user is enrolled with the new email address after logging out and logging in again as a domain user.
