Secure Enrollment Frequently Asked Questions
This section can help answer various queries while enabling secure enrollment in a Netskope tenant.
What is the risk if Secure Enrollment is not enabled?
If Secure Enrollment is not enabled, a malicious entity can bypass the enrollment checks and enroll a Netskope Client using a user profile from your environment, without possessing anything issued by your tenant.
How do I know if the tokens are applied on the user device or not?
The tokens are stored in a Windows registry key on Windows and in the keychain on macOS. If the tokens are missing or incorrect, the Client enrollment process fails and the corresponding entries are written to the Client's nsdebuglog file. The device still appears under Devices in the tenant webUI, but its status does not show Tunnel Up after installation.
What will happen when the feature is enabled for my environment?
Once the feature is enabled, no malicious entity can enroll a Netskope Client from your environment without proper authentication.
What is the impact of enabling this feature for my environment or on current deployments?
This depends on the scenario of the Netskope Client enrollment mechanism used in your environment. To learn more: Netskope Client deployment with Secure enrollment.
Do I have to re-enroll all existing users?
No, since the existing users have already completed the enrollment process, there is no need to re-enroll those users.
Is there a countermeasure available to remediate the gap without enabling the feature?
No, there is no countermeasure available to remediate the gap without enabling Secure Enrollment. Refer to the following steps to minimize the risk:
- Enable device compliance and device classification.
- Create a policy to block all traffic for devices that do not meet the device compliance checks and do not fall under a proper device classification.
- Enable Fail Close in the Client Configuration so that all traffic is blocked whenever the tunnel is not up.
- Enable periodic re-authentication for Private Apps in the Client Configuration (if you have an IdP configured for your tenant).
How can I identify if the gap before Secure enrollment is being exploited or abused in our environment?
Netskope maintains complete logs of the devices and their associated profiles, and these can be used to identify abuse. Use the following pointers for the initial investigation:
- Using Netskope Advanced Analytics (NAA): Netskope has built an NAA dashboard that can filter devices by device compliance attributes (managed vs. unmanaged, configured vs. not configured, known vs. unknown) and can also separate users with one device from users with many.
- Using the device list: Netskope maintains the list of devices under Settings > Security Cloud Platform > Netskope Client > Devices. This list can be filtered and exported by user-to-device mapping, presence of an unmatched hostname, and so on.
- Using a SIEM: If you have integrated your SIEM with the Netskope Device REST API v1, the same data is available for querying in your SIEM.
Further indicators can be found in UEBA:
- Netskope automatically generates a user score based on behaviour. These scores are listed under Incidents > Behaviour Analytics.
- Under Behaviour Analytics, the following alerts can point to indicators:
  - Bulk Failed Logins
  - Rare Events
  - Risky Countries
Any user who has raised these alerts is a candidate for further analysis.
Depending on your environment, here are some filters that can serve as a starting point for an investigation into suspicious users/devices that may have exploited this gap:
- Users who have more than one device associated with them.
- Users associated with Unmanaged, Unknown, or Not Configured devices.
- Devices that are not part of the organization's endpoint inventory list.
- Devices that are not part of the MDM or EDR device installation list.
- Disregard known testing devices.
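The investigation filters above, run over a Devices export, as an added example that is not part of the Netskope documentation or product. The column names (User, Hostname, DeviceClassification, ManagementStatus) are assumptions about the export format and must be mapped to the actual headers of your tenant's export; the rows, the inventory list and the test-device list are constructed sample data standing in for your MDM/EDR inventory:

```powershell
# Added example (not Netskope code). Triage a Devices export against the endpoint
# inventory to list starting points for the pre-Secure-Enrollment gap investigation.
# Column names are assumed; the rows below are constructed sample data.
$deviceExport = @'
User,Hostname,DeviceClassification,ManagementStatus
alice@example.com,ALICE-LT01,Managed,Configured
alice@example.com,DESKTOP-9X2K1,Unmanaged,Not Configured
bob@example.com,BOB-LT02,Managed,Configured
carol@example.com,CAROL-LT03,Unknown,Configured
dave@example.com,QA-TEST-07,Unmanaged,Not Configured
'@ | ConvertFrom-Csv

# Constructed stand-ins for your MDM/EDR inventory and known test devices.
$inventory        = @('ALICE-LT01', 'BOB-LT02', 'CAROL-LT03', 'QA-TEST-07')
$knownTestDevices = @('QA-TEST-07')

function Get-SuspiciousDevices {
    param(
        [Parameter(Mandatory)] [object[]] $Devices,
        [string[]] $Inventory = @(),
        [string[]] $Ignore    = @()
    )
    # Users with more than one enrolled device.
    $multiDeviceUsers = $Devices |
        Group-Object -Property User |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name }

    foreach ($d in $Devices) {
        if ($Ignore -contains $d.Hostname) { continue }   # disregard known test devices
        $reasons = @()
        if ($multiDeviceUsers -contains $d.User) {
            $reasons += 'user has more than one device'
        }
        if ($d.DeviceClassification -in @('Unmanaged', 'Unknown')) {
            $reasons += "classification is $($d.DeviceClassification)"
        }
        if ($d.ManagementStatus -eq 'Not Configured') {
            $reasons += 'device is Not Configured'
        }
        if ($Inventory -notcontains $d.Hostname) {
            $reasons += 'hostname absent from MDM/EDR inventory'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                User     = $d.User
                Hostname = $d.Hostname
                Reasons  = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDevices -Devices $deviceExport -Inventory $inventory -Ignore $knownTestDevices |
    Sort-Object User, Hostname |
    Format-Table -AutoSize
```

Each flagged row is a lead, not a verdict: a user with two devices is normal for someone with a laptop and a VDI session, so cross-check the hit against the Behaviour Analytics alerts and the device's own activity before treating it as rogue. The sample data flags alice's DESKTOP-9X2K1 on every criterion, which is the pattern to look for first.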
What are the next steps if I identify a rogue device or abuse?
If the analysis identifies a rogue or suspicious device, follow these steps:
- Enable Secure Enrollment to prevent any further unauthenticated enrollment of users on devices.
- Look for any events, alerts, or activities performed by the user on or from that device.
- Contact Netskope Support for further assistance.
What will happen after the expiry of the tokens on the existing enrollments?
There is no impact on existing enrolled users, because the enrollment process has already completed for them; the tokens are only checked at enrollment time.
What are the rollback steps?
The Secure enrollment option can be disabled if there are any issues in user enrollments after enabling the feature.
Should I use a specific version of Netskope Client to enable Secure Enrollment?
Since the feature is enforced by the tenant rather than by the Netskope Client package, there is no direct dependency on the Client version. However, Secure Enrollment is most compatible and easiest to use with version 116.1.0 or later, because from that version the Secure Enrollment tokens can be applied to end-user devices without uninstalling and reinstalling the Client. To learn more: Netskope Client Deployment with Secure Enrollment.
I have enabled Secure Enrollment in my tenant. However, I have not upgraded my Netskope Client to the latest version. Will secure enrollment work properly?
Yes, if the Client is already enrolled or provisioned, it will continue to work.
I have enabled secure enrollment tokens in my tenant. How can I disable this feature for my tenant?
You can disable Secure Enrollment from the webUI using the navigation path: Security cloud platform > MDM distribution > Secure Enrollment. Here, you can disable the following tokens:
- Enforce authentication of Netskope Client enrollment
- Enforce encryption of initial configuration of Netskope Client
After you disable tokens from the webUI, the existing Client continues to work without any error.
Do I need to do any changes in the user certificates after enabling Secure Enrollment?
No user cert rotation is required.
Which operating systems are supported for Secure Enrollment?
The following versions of operating systems are supported:
- Windows 10 and higher
- macOS 11.0 and higher
- Android 11 and higher
- Windows Server 2016, 2019, 2022
- Linux: Ubuntu 18.04 and higher
- iOS: 15.1 or higher
To learn more: Prerequisites.
Is there any expiry date or validity for the secure enrollment tokens?
Yes. The validity for any token is 90 days. However, you can extend the validity of the tokens using the EDIT functionality on the webUI. To learn more: Token Specifications.
How can I audit token exposure to Netskope administrators?
All token operations are captured in Settings > Administration > Audit Logs.
How can I push the encryption token to a machine using IdP method?
Use the following command to install Netskope Client using IdP:
msiexec /I NSClient.msi installmode=IDP enrollencryptiontoken=<encrypttoken>
How can I install Netskope Client using ‘peruserconfig’ mode with the Secure Enrollment tokens in Windows?
Use the following commands with the flag mode=peruserconfig:
UPN: msiexec /I NSClient.msi host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>
IdP: msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>
How can I install Netskope Client using Prelogon Connectivity with the Secure Enrollment tokens in Windows?
Use the following commands with the flag prelogonuser=<user>@prelogon.netskope.com:
- For single user mode
  UPN: msiexec /I NSClient.msi host=<addon URL> token=<orgID> enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> prelogonuser=<user>@prelogon.netskope.com
- For per-user mode
  UPN: msiexec /I NSClient.msi host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> prelogonuser=<user>@prelogon.netskope.com
Some of the user email IDs changed on the webUI and the secure tokens are valid on the machine. Are the tokens still valid for the new users?
If the secure tokens present on the machine match the secure tokens on the webUI, the Netskope Client can download the branding file for the new users. The new user is enrolled with the new email address after logging out and logging back in as a domain user.
How do I apply my tokens if I deploy Client using UPN mode?
Client version 116.0.0 or earlier (includes any upgrades to these versions)

| Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
|---|---|---|---|
| Personal corporate machine | No change | Netskope Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens |
| Shared desktop, VDI, and so on | No change | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens |

Client version 116.1.0 or later (includes during upgrades)

| Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
|---|---|---|---|
| Personal corporate machine | No change | Netskope Client package with Secure Enrollment tokens | Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows |
| Shared desktop, VDI, and so on | No change | Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows | Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows |

Example commands:
- Re-run the msiexec command with the new tokens.
- Use the following nsdiag command to update the tokens: nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>
The nsdiag command is supported only on Windows, so the in-place token update is available only for Windows devices. The MSI re-run is not supported if the Protect Client configuration and resources option is selected in the Client Configuration webUI.
To learn more: UPN
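The version-gated token application described in the tables above, as an added example that is not Netskope's own script: on a fresh machine it builds the documented msiexec command (UPN or IdP, optionally per-user and prelogon); on an installed Client at 116.1.0 or later it updates the tokens in place with nsdiag -e; on an older Client it stops and asks for the uninstall and reinstall the table requires. It assumes that the installed Client version can be read from the Windows Uninstall registry entries and that nsdiag.exe lives in the STAgent folder under Program Files (x86); neither is stated on this page, so adjust both to your image:

```powershell
# Added example, not Netskope's own script. Applies Secure Enrollment tokens on a
# Windows endpoint using the msiexec and nsdiag command forms documented above.
# Assumptions (not from the page): the installed version is read from the Windows
# Uninstall registry entries, and nsdiag.exe sits under Program Files (x86)\Netskope\STAgent.
param(
    [Parameter(Mandatory)] [string] $EnrollEncryptionToken,
    [string] $EnrollAuthToken,                       # required for UPN mode, unused for IdP
    [ValidateSet('UPN', 'IDP')] [string] $Method = 'UPN',
    [string] $AddonHost,                             # <addon URL>, UPN mode only
    [string] $OrgId,                                 # <orgID>, UPN mode only
    [switch] $PerUser,                               # adds mode=peruserconfig
    [string] $PrelogonUser,                          # e.g. svc@prelogon.netskope.com
    [string] $MsiPath = 'NSClient.msi'
)

function Get-NetskopeClientVersion {
    # Assumption: the Client registers under the standard Uninstall keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Netskope Client*' } |
        Select-Object -First 1
    if ($entry -and $entry.DisplayVersion) { return [version] $entry.DisplayVersion }
    return $null
}

function New-NetskopeInstallArgs {
    # Builds the msiexec argument list from the documented UPN / IdP command forms.
    $a = @('/i', $MsiPath)
    if ($Method -eq 'IDP') {
        $a += 'installmode=IDP'
    } else {
        if (-not ($AddonHost -and $OrgId -and $EnrollAuthToken)) {
            throw 'UPN mode needs -AddonHost, -OrgId and -EnrollAuthToken'
        }
        $a += "host=$AddonHost", "token=$OrgId", "enrollauthtoken=$EnrollAuthToken"
    }
    $a += "enrollencryptiontoken=$EnrollEncryptionToken"
    if ($PerUser)      { $a += 'mode=peruserconfig' }
    if ($PrelogonUser) { $a += "prelogonuser=$PrelogonUser" }
    $a += '/qn'   # silent install; drop this for interactive troubleshooting
    return $a
}

$installed = Get-NetskopeClientVersion
$nsdiag    = Join-Path ${env:ProgramFiles(x86)} 'Netskope\STAgent\nsdiag.exe'   # assumed path

if ($null -eq $installed) {
    # Fresh install: the tokens travel with the MSI command.
    $p = Start-Process -FilePath 'msiexec.exe' -ArgumentList (New-NetskopeInstallArgs) -Wait -PassThru
    exit $p.ExitCode
}

if (($installed -ge [version] '116.1.0') -and (Test-Path $nsdiag)) {
    # 116.1.0 or later: update the tokens in place; no uninstall / reinstall needed.
    $tokenArgs = @("enrollencryptiontoken=$EnrollEncryptionToken")
    if ($EnrollAuthToken) { $tokenArgs = @("enrollauthtoken=$EnrollAuthToken") + $tokenArgs }
    & $nsdiag -e @tokenArgs
    exit $LASTEXITCODE
}

# 116.0.0 or earlier (or nsdiag not found): the table calls for uninstall + reinstall.
Write-Warning "Netskope Client $installed cannot take tokens in place; uninstall it, then rerun this script with the same parameters."
exit 2
```

The script never re-runs the MSI over an installed Client, which keeps it clear of the restriction that an MSI re-run is unsupported when Protect Client configuration and resources is enabled, and it never writes the token values to the console or a log, since anyone holding a valid pair can enroll a device against your tenant until the tokens expire or are edited.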