Secure Enrollment

Secure Enrollment

A mechanism to harden the Netskope Client enrollment process by adding extra protection to the enrollment configurations on top of TLS.

  • This feature is currently in Controlled General Availability. Contact Netskope Support or your Sales representative to enable this feature for your tenant.
  • Netskope recommends enabling this feature for all new tenants so that their user enrollments are secure from the first day. For the existing tenants, contact Netskope Support or respective Technical Account Managers and Customer Success Managers to plan the migration.

There are two aspects that includes in securing the download of the branding file: authentication and encryption. This secures the branding file download using tenant-specific authentication and encryption tokens as required and thereby securing the Netskope Client APIs used to download the configuration.

Branding file used to bootstrap client operations  and contains a  pair of User Email and UserKey. UserKey used as Auth to download the following configuration files:
  • Client configuration
  • Steering Configuration
  • Device Classification

To use authentication and encryption, you can enable the following tokens using the Secure Enrollment user interface(UI):

  • Authentication token: Used for signing the user specific parameters to fetch the enrollment configuration files.

    Authentication token is mandatory to be enabled in order to use secure enrolment. If user enrollment is not enforced using IdP, then this token must be present in the end-user machine. In case of IdP enrollment the token is not needed as the user is authenticated using IdP.
  • Encryption token: Used to encrypt the enrollment configuration files on top of TLS.

    These tokens can be used independently. If the Encryption token is enabled, it must be present in the end-user machine; else the enrollment process fails as the Client cannot decrypt the required enrollment files.

You can enable these tokens from Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment.

You can install Netskope Client using the Authentication and Encryption tokens as an installation parameter that is used for download and decryption of the branding file. If you are trying to enroll Netskope Client for the first time, ensure to add valid tokens for successful enrollment. In case of multi-user systems or VDIs, you need to reinstall Netskope Client with the updated tokens so that new users can receive an appropriate branding file and successfully enroll.

By default, these tokens are disabled. Toggle each button to enable.


Supported OS

  • Windows 10 and higher

  • macOS 11.0 and higher

  • Android 11 and higher

  • Windows Server 2016, 2019, 2022

  • Linux: Ubuntu 18.04 and higher

  • iOS: 15.1 or higher

Supported Netskope Client Version

Netskope Client version: or later

Manage Secure Enrollment Tokens

  • By default, the validity for any token is 90 days. The administrator can generate only one token each for authentication and encryption.

  • The administrator can extend the validity period of the token between the values of seven days to 365 days.

  • If you toggle to disable the Authentication or Encryption token, the token gets deleted.

  • Once the administrator generates a token, use the following options:

    • Show/Hide token:  The tokens generated in a hidden state by default. Use the Hide/View option to view them.

    • Revoke token: Use this option when a token is declared unused.

    • Refresh token: Use this option to generate or renew an existing token.

    • Edit: Modify the expiration date of an existing token.

  • All expired tokens must be replaced before enabling it for enrollment. For example, If there is an Email ID change for a user and the secure enrollment tokens are expired and the enrollment fails. You need to redeploy the Client using the correct tokens to successfully enroll.

All token operations are captured in Settings > Administration > Audit Logs.

Secure Enrollment Tokens In a Multi-User Client Deployment

There is no need for the administrator to uninstall and reinstall Netskope Client in a multi-user setup after renewing or revoking the tokens or the existing tenants migrating to Secure Enrollment. The admin can simply perform one of the following action:

  • Rerun the MSIEXEC command with the new tokens. To know more, view Client Deployment using secure enrollment.

  • Use the following nsdiag command to update the tokens:

    nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>
This flexibility is available only for Windows devices and the MSI rerun is not supported if the Protect Client configuration and resources option is selected in the Client Configuration webUI.

For example, in the following scenario, you can continue with the deployment without any reinstallation of the Netskope Client:

The administrator enrolls user 1 and user 2 without enabling the secure enrollment feature. The admin now decided to enroll user 3 after enabling the secure enrollment feature.

Existing Tenant Migration

Netskope recommends existing tenants to migrate to secure enrollment. Refer to the following table to understand the impact on the existing users.

When secure enrollment is enabled, new users are enrolled to Netskope using the secure enrollment tokens.
Enrollment ModeRequires Secure EnrollmentImpact on Existing UsersImpact on New UsersRedeployment/ Re-installation
Email InvitationYesNoNoNo
IdP (Single and per user mode)YesNoNoNo
Single User Mode – UPNYesNoYesOnly for new deployments
Peruser Mode – UPNYesNoYesYes
  • Email Invitation-based enrollments:

    • No impact on existing or new user enrollments with this enrollment method, when the Secure Enrollment is enabled. 

  • IdP-based enrollments: 

    • No impact on existing or new user enrollments with this enrollment method, when Secure Enrollment is enabled.

  • UPN based enrollments: 

    • If the deployment is based on MDM and enrollment is using UPN, no impact on users and machines which are single user mode and not shared.

    • With Secure Enrollment, all new deployments need to use the authentication token as part of the deployment process.

Client Deployment Options Using Secure Enrollment

Use the following options to deploy Netskope Client using Secure Enrollment:



Refer to the following table to understand a few MSIEXEC commands used in different scenarios:

ModeSecure Enrollment Token StateMSIEXEC Command
UPN(AD user)
  • Authentication Token = On

  • Encryption Token = Off

msiexec /I NSClient.msi host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken= <auth token>
  • Authentication Token = On

  • Encryption Token = On

  • Mode = peruserconfig

msiexec /I NSClient.msi host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>
IdP(Example: Okta)

Note: Enable authentication token for IdP and it is not required to be passed onto the end devices.
  • Authentication Token = On

  • Encryption Token = Off

msiexec /I NSClient.msi installmode=IDP
  • Authentication Token = On

  • Encryption Token = On

msiexec /I NSClient.msi installmode=IDP enrollencryptiontoken=<encryption token>
  • Authentication Token = On

  • Encryption Token = On

msiexec /I NSClient.msi installmode=IDP mode=peruserconfig tenant=>tenant-name> domain=<tenant-domain-name> enrollencryptiontoken=<encryption token>

Note: Use this command in IdP mode enrollment if you do not want users to use the entire tenant name. For example, if your tenant is , then the tenant name and domain are “abc” and “” respectively.
  • Authentication Token = On

  • Encryption Token = On

  • Mode = persuerconfig

msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>

Secure enrollment token parameters are: enrollauthtoken and enrollencryptiontoken. To learn more, view Netskope Client for Windows.

macOS <dummy param 1> <dummy param 2> <currentUsername> 
<Adonman url> <Org ID> [preference_file_name][enrollauthtoken=<token>][enrollencryptiontoken=<token>]

To learn more, view Jamf.

sudo ./ -H <tenant> -o <orgkey> -m <user email> -a <authtoken> -e <encrypttoken>

To learn more, view Netskope Client for Linux.


If you have enabled Secure Enrollment in your Netskope tenant, refer to the following guides to deploy Netskope Client with secure enrollment using MDM.

Share this Doc

Secure Enrollment

Or copy link

In this topic ...