Secure Enrollment
Secure Enrollment enforces strict authentication of Netskope Client enrollment.
Once the Netskope Client is installed on an end-user device, it enrolls the user by downloading the enrollment configuration from the tenant. Secure Enrollment adds authentication, and optionally encryption, requirements to that enrollment step, so that an installer that does not present the expected token cannot complete a UPN-based enrollment.
Secure Enrollment provides two configurable parameters:
- Enforce authentication of Netskope Client Enrollment (mandatory): protects against enrollment bypass issues regardless of the Client deployment method. The generated authentication token is used as the authentication parameter in UPN-based enrollment of the Netskope Client. This option must be enabled to protect against enrollment bypass. If user enrollment is enforced using UPN, the token must be present on the end-user machine. For IdP enrollments the token need not be present on the end-user machine, because the user is authenticated by the IdP.
- Enforce encryption of initial configuration of Netskope Client (optional): the generated encryption token is used to encrypt the enrollment configuration files, on top of TLS. Enable it based on your requirements. If it is enabled, the encryption token must be present on end-user machines for enrollment to succeed. On macOS devices, a problem with the encryption token can cause enrollment to fail.
Refer to the Frequently Asked Questions for more Secure Enrollment scenarios.
Prerequisites
Refer to the following to understand the supported Netskope Client versions and operating systems.
- Netskope Client version: 111.0.0 or later (Netskope supports versions N-2, where N is the latest Golden release of the Netskope Client). Secure Enrollment itself is supported from Client version 98.0.0, but Netskope recommends using the latest supported version. To learn more about the user impact on various Client versions, see Netskope Client Deployment with Secure Enrollment.
- Supported OS:
  - Windows 10 and higher
  - macOS 11.0 and higher
  - Android 11 and higher
  - Windows Server 2016, 2019, 2022
  - Linux: Ubuntu 18.04 and higher
  - iOS 15.1 or higher
Enable Secure Enrollment
You can enable the Secure Enrollment options from Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment. To learn more about the tokens, view Manage Secure Enrollment Tokens.
Secure Enrollment Workflow
The following workflow diagram shows the enrollment methods supported by the Netskope Client and the changes required to enable and use Secure Enrollment with each of them.
Manage Secure Enrollment Tokens
- By default, any token is valid for 90 days. The administrator can generate only one token each for authentication and encryption.
- The administrator can set the validity period of a token to any value between 7 and 365 days.
- Disabling the Authentication or Encryption toggle deletes the corresponding token.
- Once a token has been generated, the following options are available:
  - Show/Hide token: tokens are hidden by default; use this option to view them.
  - Revoke token: invalidate a token that is no longer to be used.
  - Refresh token: generate a new token or renew an existing one.
  - Edit: modify the expiration date of an existing token.
- Expired tokens must be replaced before they are used for enrollment. For example, if a user's email ID changes while the Secure Enrollment tokens have expired, the re-enrollment fails; redeploy the Client with valid tokens, or on Windows apply the tokens using nsdiag.
- The tokens are passed on the installation command line and must be present on enrolled devices, so protect the deployment packages and scripts that contain them, and use Revoke or Refresh to rotate a token that may have been exposed.
All token operations are captured in Settings > Administration > Audit Logs.
Netskope Client Deployment with Secure Enrollment
Refer to the following sections to understand the changes required in the Netskope Client deployment or installation process for different enrollment methods after enabling Secure Enrollment:
UPN
In this mode, the UPN (User Principal Name) of the user logged in to a domain-joined system is used as the user identity. To identify whether this method is used, check the installation command or method for the following parameters:
- token=" "
- host=" " (tenant name)
and confirm that it does not contain installmode=IDP.
Refer to the following table to understand the changes required after enabling the Secure Enrollment options:
Mode | Secure Enrollment Token State | Installation Commands |
---|---|---|
UPN (AD user) | Authentication Token = On; Encryption Token = Off | <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token> |
UPN (AD user) | Authentication Token = On; Encryption Token = On | <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> |
UPN (AD user) | Authentication Token = On; Encryption Token = Off; Mode = peruserconfig | <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> |
UPN (AD user) | Authentication Token = On; Encryption Token = On; Mode = peruserconfig | <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> |
User Impact
Client version 116.0.0 or earlier (includes any upgrades to these versions)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens |
Shared Desktop/VDIs and so on | No change | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens |
Client version 116.1.0 or later (includes during upgrades)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with Secure Enrollment tokens | Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows |
Shared Desktop/VDIs and so on | No change | Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows | Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows |
Example commands:
- Re-run the MSIEXEC command with the new tokens. This option is available only on Windows devices, and the MSI re-run is not supported if the Protect Client configuration and resources option is selected in the Client Configuration web UI.
- Use the following nsdiag command, from an elevated (Admin) prompt, to update the tokens:
nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>
The nsdiag command is supported only on Windows. Run it from C:\Program Files (x86)\Netskope\STAgent.
IdP
In this mode, the user's email address, obtained from the IdP authentication, is used as the user identity. To identify whether this method is used, check whether the installation command or method contains the following parameter:
installmode=IDP
and does not contain:
- token=" "
- host=" " (tenant name)
Refer to the following table to understand the changes required after enabling the Secure Enrollment options:
Mode | Secure Enrollment Token State | Installation Commands |
---|---|---|
IdP (example: Okta) | Authentication Token = On; Encryption Token = Off | <OS utility> <NSClient> installmode=IDP |
IdP (example: Okta) | Authentication Token = On; Encryption Token = On | <OS utility> <NSClient> installmode=IDP enrollencryptiontoken=<encryption token> |
IdP (example: Okta) | Authentication Token = On; Encryption Token = On; tenant name and domain passed separately | <OS utility> <NSClient> installmode=IDP tenant=<tenant-name> domain=<tenant-domain-name> enrollencryptiontoken=<encryption token> |
IdP (example: Okta) | Authentication Token = On; Encryption Token = On; Mode = peruserconfig | <OS utility> <NSClient> installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token> |
Note: Enable the Enforce authentication of Netskope Client Enrollment option for IdP enrollment as well; the generated authentication token does not need to be applied on the device, because the IdP authenticates the user.
Note: Use the tenant= and domain= form in IdP mode if you do not want users to enter the entire tenant name. For example, if your tenant is abc.goskope.com, the tenant name is "abc" and the domain is "goskope.com".
User Impact
Client version 116.0.0 or earlier (includes any upgrades to these versions)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with token | Uninstall the Client, then reinstall the Client package with token |
Shared Desktop/VDIs and so on | No change | Uninstall the Client, then reinstall the Client package with token | Uninstall the Client, then reinstall the Client package with token |
Note: On operating systems other than Windows, uninstallation and reinstallation is not required before version 116.1.0.
Client version 116.1.0 or later (includes during upgrades)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with token | Client package with token, or apply the token using nsdiag on Windows |
Shared Desktop/VDIs and so on | No change | Client package with token, or apply the token using nsdiag on Windows | Client package with token, or apply the token using nsdiag on Windows |
Example commands:
- Re-run the MSIEXEC command with the new token. This option is available only on Windows devices, and the MSI re-run is not supported if the Protect Client configuration and resources option is selected in the Client Configuration web UI.
- Use the following nsdiag command, from an elevated (Admin) prompt, to update the token:
nsdiag -e enrollencryptiontoken=<token>
The nsdiag command is supported only on Windows. Run it from C:\Program Files (x86)\Netskope\STAgent.
Here is another set of examples for each OS using the IdP method:
Using Command-Line
- Windows:
msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>
To learn more, view Netskope Client for Windows.
- Mac (Jamf):
jamfnsclientconfig.sh <dummy param 1> <dummy param 2> <dummy param 3> idp <domain> <tenant-name> [enrollencryptiontoken=<token>] mode=peruserconfig
To learn more, view Jamf.
- Linux (pass either -i or --idp):
sudo ./STAgent.run -i | --idp
To learn more, view Netskope Client for Linux.
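The following Python script is an added example; it is not Netskope's code and not part of this page's original content. It ties together the token rules from Manage Secure Enrollment Tokens (90-day default validity, 7 to 365-day range, expired tokens must be replaced before deployment) with the UPN and IdP installation tables and the 116.0.0 / 116.1.0 split above: it parses an existing key=value installation command, determines whether it is a UPN or an IdP enrollment, refuses expired tokens, and emits the command sequence the tables prescribe (uninstall and reinstall, package re-run, or nsdiag on Windows, honouring the Protect Client configuration and resources restriction). The parameter names, the nsdiag directory and the version threshold are taken from the page; the Token fields, the function names, the rule that a token is unusable from its expiry date, invoking nsdiag by its full path, and the constructed sample commands are assumptions for illustration. It handles the key=value command form shown in the tables, not the positional Jamf and STAgent.run forms.

```python
"""Plan how to apply Secure Enrollment tokens to an existing Netskope Client
installation command (added example, not Netskope's code).

From the page: parameter names host, token, installmode, mode, enrollauthtoken,
enrollencryptiontoken; the 116.1.0 threshold for package re-run/nsdiag; the
nsdiag directory; the 90-day default and 7..365-day token validity range.
Assumed for illustration: the Token fields, function names, the rule that a
token is unusable from its expiry date, and calling nsdiag by full path.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import date, timedelta

NSDIAG_DIR = r"C:\Program Files (x86)\Netskope\STAgent"  # page: nsdiag location
NSDIAG_FROM = (116, 1, 0)  # page: re-run/nsdiag path available from Client 116.1.0
TOKEN_PARAMS = ("enrollauthtoken", "enrollencryptiontoken")


@dataclass
class Token:
    """One Secure Enrollment token as generated in the tenant UI (fields assumed)."""
    value: str
    issued: str              # ISO date the token was generated, e.g. "2024-01-01"
    validity_days: int = 90  # page: default validity is 90 days

    def __post_init__(self) -> None:
        if not 7 <= self.validity_days <= 365:  # page: admin may set 7..365 days
            raise ValueError("token validity must be between 7 and 365 days")

    def expires_on(self) -> date:
        return date.fromisoformat(self.issued) + timedelta(days=self.validity_days)

    def is_expired(self, today: str) -> bool:
        return date.fromisoformat(today) >= self.expires_on()


def parse_install_command(cmd: str) -> tuple[list[str], dict[str, str]]:
    """Split '<OS utility> <NSClient> key=value ...' into the leading words and a
    lower-cased key -> value map; shlex drops quotes such as host="tenant"."""
    words = shlex.split(cmd)
    prefix = [w for w in words if "=" not in w]
    params = dict(w.split("=", 1) for w in words if "=" in w)
    return prefix, {k.lower(): v for k, v in params.items()}


def detect_mode(params: dict[str, str]) -> str:
    """UPN: host= and token= present and no installmode=IDP.
    IdP: installmode=IDP present and neither host= nor token=."""
    is_idp = params.get("installmode", "").upper() == "IDP"
    has_upn = "host" in params and "token" in params
    if is_idp and "host" not in params and "token" not in params:
        return "IDP"
    if has_upn and not is_idp:
        return "UPN"
    raise ValueError("command mixes UPN and IdP parameters, or is neither")


def parse_version(version: str) -> tuple[int, ...]:
    return tuple(int(p) for p in version.split("."))


def plan_reenrollment(cmd: str, auth: Token | None, enc: Token | None,
                      client_version: str, today: str, windows: bool = True,
                      protect_client_config: bool = False) -> tuple[str, list[str]]:
    """Return (mode, ordered steps): each step is a command line to run or the
    plain instruction "uninstall the Netskope Client"."""
    prefix, params = parse_install_command(cmd)
    mode = detect_mode(params)
    # Expired tokens must be refreshed in the tenant UI before redeployment.
    for name, tok in zip(TOKEN_PARAMS, (auth, enc)):
        if tok is not None and tok.is_expired(today):
            raise ValueError(f"{name} expired on {tok.expires_on()}; refresh it first")
    tokens: dict[str, str] = {}
    if mode == "UPN":  # UPN enrollment needs the auth token on the device
        if auth is None:
            raise ValueError("UPN enrollment requires the authentication token")
        tokens["enrollauthtoken"] = auth.value
    # IdP mode never passes the auth token: the IdP authenticates the user.
    if enc is not None:
        tokens["enrollencryptiontoken"] = enc.value
    # Drop any stale tokens from the old command, then append the current ones.
    kept = {k: v for k, v in params.items() if k not in TOKEN_PARAMS}
    rebuilt = " ".join(prefix + [f"{k}={v}" for k, v in {**kept, **tokens}.items()])

    if parse_version(client_version) < NSDIAG_FROM:
        # Older clients: uninstall, then reinstall with tokens. For IdP enrollment
        # the page exempts non-Windows operating systems from the uninstall.
        uninstall = ["uninstall the Netskope Client"] if (windows or mode == "UPN") else []
        return mode, uninstall + [rebuilt]

    steps: list[str] = []
    # 116.1.0+: re-run the package with tokens, unless "Protect Client
    # configuration and resources" is enabled on Windows, where only nsdiag works.
    if not (windows and protect_client_config):
        steps.append(rebuilt)
    if windows and tokens:  # nsdiag is Windows-only; run it from an Admin prompt
        args = " ".join(f"{k}={v}" for k, v in tokens.items())
        steps.append(f'"{NSDIAG_DIR}\\nsdiag" -e {args}')
    return mode, steps


if __name__ == "__main__":
    # Constructed sample: a UPN install on a 116.1.0 Windows client.
    sample = "msiexec /I NSClient.msi host=acme.goskope.com token=ORG123"
    auth = Token("AUTHTOKEN", "2024-01-01")
    for step in plan_reenrollment(sample, auth, None, "116.1.0", "2024-02-01")[1]:
        print(step)
```

The script only prints the plan; feed its output to your deployment tooling once you have confirmed the mode it detected matches how the fleet was actually enrolled. Because it rejects an expired token before producing any command, it is a convenient pre-flight check to run against the tokens in your MDM package on the day of rollout.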
Using MDM
If you have enabled Secure Enrollment in your Netskope tenant, refer to the following guides to deploy Netskope Client with secure enrollment using MDM.
Email Invitation
In this mode, the userkey delivered in the email invitation is used as the user identity.
Apart from enabling Secure Enrollment, no other changes are required for this method.
User Impact
There is no impact on the email invitation-based installations and enrollments.