Secure Enrollment Frequently Asked Questions

This section can help answer various queries while enabling secure enrollment in a Netskope tenant.

I want to use the secure enrollment feature for my tenant, but the authentication and encryption tokens are disabled in the webUI. What should I do next?

If the tokens are disabled in the webUI, you can enable them using their toggles. Navigate to Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment to enable the tokens. New user enrollment can be done using the secure enrollment token.

Which versions of Netskope Client support Secure Enrollment?

Netskope Client version 105.0.0 or higher provides the option to enable Secure Enrollment in your tenant.

I have enabled Secure Enrollment in my tenant. However, I have not upgraded my Netskope Client to the latest version. Will secure enrollment work properly?

Yes, if the Client is already enrolled or provisioned, it will continue to work.

I have enabled secure enrollment tokens in my tenant. How can I disable this feature for my tenant?

You can disable Secure Enrollment from the webUI using the navigation path: Security Cloud Platform > MDM Distribution > Secure Enrollment. Here, you can disable the following tokens:

  • Enforce authentication of Netskope Client enrollment

  • Enforce encryption of initial configuration of Netskope Client

After you disable the tokens from the webUI, the existing Client continues to work without any error.

Which operating systems are supported for Secure Enrollment?

The following versions of operating systems are supported:

  • Windows 10 and higher

  • macOS 11.0 and higher

  • Android 11 and higher

  • Windows Server 2016, 2019, 2022

  • Linux: Ubuntu 18.04 and higher

  • iOS: 15.1 or higher

What are the Client versions that are supported in Secure Enrollment?

Netskope Client version: or later

Is there any expiry date or validity for the secure enrollment tokens?

Yes. The validity for any token is 90 days. However, you can extend the validity of the tokens using the EDIT functionality on the webUI. To learn more, see Token Specifications.

How can I audit token exposure to Netskope administrators?

All token operations are captured in Settings > Administration > Audit Logs.

How can I push the enrollment and authentication tokens to a local machine using the IdP method?

Use the following command to install Netskope Client using IdP:

msiexec /I NSClient.msi installmode=IDP enrollencryptiontoken=<encrypttoken>

Enable the authentication token for IdP; it does not need to be passed to the end devices.

How can I install Netskope Client in ‘peruserconfig’ mode with the encryption and authentication tokens on a Windows operating system?

Use the following commands with the flag mode=peruserconfig:

UPN: msiexec /I NSClient.msi host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>
IdP: msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>

Some of the user email IDs changed on the webUI and the secure tokens are valid on the machine. Are the tokens still valid for the new users?

If the secure tokens present on the machine match the secure tokens on the webUI, then the Netskope Client can download the branding file for the new users. The new users get enrolled with the new email addresses when they log out and log in as a domain user.

How do I manage my tokens if I deploy Client using UPN mode?

  • If you are using Single User mode devices:

    • Once the user is enrolled, token refresh or expiry does not impact Single User mode devices unless the admin redeploys the Client.

    • In case of Client redeployment, add the new tokens if the existing token is expired or refreshed.

  • If you are using Multi User mode devices, shared machines, or non-persistent VDIs:

    • For existing enrolled users, if a token is refreshed or expired, it continues to work. However, new user enrollments fail as the token is expired or refreshed.

    • In case of token expiry or refresh, a redeployment of the Client is required with the updated token.

    • As soon as secure enrollment is enabled, redeployment of Client is required in these environments.
