Secure Enrollment

Secure enrollment is a mechanism to enforce the strict authentication of Netskope Client Enrollment.

Netskope recommends configuring Enforce authentication of Netskope Client Enrollment on all tenants so that the user enrollments for Netskope Client are secure.

Once the Netskope client is installed on the end-user device, it enrolls the user by downloading the enrollment configurations. Secure enrollment enforces the strict authentication parameters on the Client enrollment process.

The Secure Enrollment feature provides two configurable parameters:

  • Enforce authentication of Netskope Client Enrollment (Mandatory): This option protects against enrollment bypass issues irrespective of the Client deployment method. The generated token is used as the authentication parameter in UPN-based enrollment of the Netskope Client.

    Enforce authentication of Netskope Client Enrollment must be enabled to protect against enrollment bypass issues. If user enrollment is performed using UPN, the token must be present on the end-user machine. For IdP enrollments, the token need not be present on the end-user machine because the user is authenticated by the IdP. However, to use NPA Prelogon, the authentication token must be present on the end-user machine even with IdP enrollments.
  • Enforce encryption of initial configuration of Netskope client (Optional): The token generated for this option is used to encrypt the enrollment configuration files, in addition to the protection provided by TLS.

    This feature is optional and can be enabled based on your requirements. If it is enabled, the generated tokens must be present on end-user machines for enrollment to succeed.

Refer to Frequently Asked Questions to understand more scenarios regarding Secure Enrollment.

Prerequisites

Refer to the following to understand the supported Netskope Client version and operating systems.

  • Netskope Client Version: 111.0.0 or later (Netskope supports versions N-2, where N is the latest Golden release of the Netskope Client).

    To learn more about the user impact on various Client versions, see Netskope Client Deployment with Secure Enrollment.

    Netskope recommends using the latest supported versions (117.1, 120.1, 121 or later) to ensure a smooth adoption of Secure Enrollment in your environment. These versions include usability enhancements and mitigate recently discovered enrollment issues that may occur in multi-user environments.
  • Supported OS:

    • Windows 10 and higher

    • macOS 11.0 and higher

    • Android 11 and higher

    • Windows Server 2016, 2019, 2022

    • Linux: Ubuntu 18.04 and higher

    • iOS: 15.1 and higher

    • ChromeOS: 129 and higher

Allowlist for Secure Enrollment

For normal functioning, the Netskope Client must be allowed to connect outbound directly to the domains, ports, and protocols listed in the following table:

Domain | Port | Protocol
--- | --- | ---
enrollment.goskope.com, enrollment.*.goskope.com | 443 | TCP
enrollment.*.govskope.ca, enrollment.*.govskope.us | 443 | TCP

Enable Secure Enrollment

You can enable the Secure Enrollment options from Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment. To learn more about the tokens, view Manage Secure Enrollment Tokens.

By default, these tokens are disabled. Toggle each button to enable.

With version 122.0.0, Netskope introduced multi-token support that allows administrators to create multiple authentication and encryption tokens using Secure Enrollment. To learn more, view Multi-Token Support.

Secure Enrollment Workflow

The following workflow diagram shows the enrollment methods supported by the Netskope Client and the changes required to enable and use Secure Enrollment with each of them.

Manage Secure Enrollment Tokens

  • By default, the validity of any token is 90 days. The administrator can generate only one token each for authentication and encryption.

  • The administrator can extend the validity period of a token to any value from seven days to 365 days.

  • If you toggle to disable the Authentication or Encryption token, the token is deleted.

  • Once the administrator generates a token, use the following options:

    • Copy token: Use this option to copy the authentication or encryption token with a single mouse click.

    • Show/Hide token: Tokens are generated in a hidden state by default. Use the Show/Hide option to view them.

    • Revoke token: Use this option to revoke a token that is no longer in use.

    • Refresh token: Use this option to generate a token or renew an existing one.

    • Edit: Modify the expiration date of an existing token.

  • Enforce: Use this option to require the Secure Enrollment token(s) for Netskope Client installation. This adds a layer of security: once enforcement is on, the Client enrollment service answers with an HTTP 405 status code when a Netskope Client calls it without the Secure Enrollment tokens. To enable token enforcement, click Enforce Token(s). Click Do not Enforce Tokens to disable it.

    This option works only with Netskope Client versions 117.1.7, 120.1.0 and later.

  • All expired tokens must be replaced before they are used for enrollment. For example, if a user's email ID changes while the Secure Enrollment tokens have expired, the enrollment fails. To enroll successfully, redeploy the Client with valid tokens, or apply the tokens using nsdiag on Windows.

All token operations are captured in Settings > Administration > Audit Logs.

Multi-Token Support

With version 122.0.0, admins can create multiple authentication and encryption tokens using the Secure Enrollment feature.

This flexibility lets administrators keep old and new tokens valid at the same time, long enough to complete user deployments. Together with the Enforce button introduced in version 120.1.0, administrators can create the tokens now, distribute the token set, and enable enforcement at a later time.

The new webUI changes ease token management and do not alter the functionality of the Secure Enrollment feature.

New Features Available With Version 122.0.0

Administrators can:

  • Create two sets of authentication and encryption tokens using Add New TokenSet. Creating the encryption token is optional.
  • Delete a token set after disabling the Enforce feature for that token set. You cannot delete a token set while its tokens are enforced for Client deployment.
  • Extend the token expiration date according to the options offered on the webUI. The webUI displays N/A in the Expiration Date column if the tokens are not enforced. For more details, refer to Enforce Token.

Migrating from Netskope Client Versions Prior To Version 122.0.0

  • After the initial migration, the existing token(s) from the old secure enrollment token table will continue to work for both new and old Netskope Clients.
  • With a single valid token set, both old and new Netskope Clients work, regardless of the presence of the encryption token.
  • With two valid and enabled token sets, it is recommended to use the version 122.0.0 Netskope Client.

The following table outlines how existing and new token sets behave across Client versions with multi-token support.

Token(s) | Netskope Client version prior to 122.0.0 | Netskope Client version 122.0.0 or later | Notes
--- | --- | --- | ---
The existing valid and enforced token(s) | Works | Works | One-time migration for existing token(s).
Only one token set | Works | Works | Only one new token set: token(s) with or without the encryption token.
Two token sets; neither token set has an encryption token | Works | Works | No encryption token in either token set.
Two token sets; at least one set has an encryption token | Fails | Works | Prior to R122.0.0 the Client failed because of the encryption branding file. Netskope recommends using the latest Client version.

Add New Token Set

Click +Add New TokenSet to create a new token set on the webUI. Once you add another token set, the webUI displays only the authentication token and you need to manually add the encryption token as it is optional.

Once the administrator generates a token, use the following options:

  • Copy token: Use this option to copy the authentication or encryption tokens with a simple mouse click.
  • Show/Hide token: Tokens are generated in a hidden state by default. Use the Show/Hide option to view them.
  • Delete token: Delete a token when it is not in an enforced state.

Add Encryption Token

Because an encryption token is optional, administrators create it manually. Click + Add Token in the Encryption column. Add the encryption token before enforcing the tokens.

Enforce Token

Use this option to require the Secure Enrollment token(s) for Netskope Client installation. This adds a layer of security by rejecting enrollments that do not present the tokens. To enable token enforcement, click the ellipsis (...) and select Enforce.

After you click Enforce, you can set the token expiration details. Select an Expiration Date from the following options displayed in the dropdown:

  • 7 days from today
  • 30 days from today
  • 60 days from today
  • 90 days from today (Default option)
  • 180 days from today
  • 365 days from today

Click Save to apply the expiration date.

Use the Do Not Enforce option to disable the Enforce feature.

Delete Token Set

Administrators can delete a token set only if its tokens are not enforced. If the tokens are enforced, disable enforcement first and then delete the tokens. The Delete option is grayed out while the tokens are enforced.

Netskope Client Deployment with Secure Enrollment

Refer to the following sections to understand the changes required in the Netskope Client deployment or installation process for different enrollment methods after enabling Secure Enrollment:

UPN

In this mode, the user's UPN (User Principal Name) from the logged-in, domain-joined system is used as the user identity. To identify whether this method is used, refer to the installation commands or methods and check for the following parameters:

  • token=" "

  • host=" " (tenant name)

  and the absence of installmode=IDP.

Refer to the following to understand the changes required after enabling the Secure Enrollment options. Mode: UPN (AD user).

  • Authentication Token = On, Encryption Token = Off:

    <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token>

  • Authentication Token = On, Encryption Token = On:

    <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>

  • Authentication Token = On, Encryption Token = Off, Mode = peruserconfig:

    <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token>

  • Authentication Token = On, Encryption Token = On, Mode = peruserconfig:

    <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>
User Impact

Client version 116.0.0 or earlier (includes any upgrades to these versions)

Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment
--- | --- | --- | ---
Personal Corporate Machine | No change | Netskope Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens
Shared Desktop/VDIs and so on | No change | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens

Operating systems other than Windows do not require uninstallation and reinstallation before version 116.1.0.

Client version 116.1.0 or later (includes during upgrades)

Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment
--- | --- | --- | ---
Personal Corporate Machine | No change | Netskope Client package with Secure Enrollment tokens | Client package with Secure Enrollment tokens, or apply tokens using nsdiag on Windows
Shared Desktop/VDIs and so on | No change | Client package with Secure Enrollment tokens, or apply tokens using nsdiag on Windows | Client package with Secure Enrollment tokens, or apply tokens using nsdiag on Windows

Example commands:

  • Re-run the MSIEXEC command with the new tokens.

    This flexibility is available only for Windows devices, and the MSI rerun is not supported if the Protect Client configuration and resources option is selected in the Client Configuration webUI.
  • Use the following nsdiag command to update the tokens (in Admin mode):

    nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>

    The preceding nsdiag command is supported only on Windows platforms. You can run the nsdiag command from the path C:\Program Files (x86)\Netskope\STAgent.

    If the nsdiag -e command fails, an error message is displayed in the command prompt.

IdP

In this mode, the user's email address, obtained from the IdP authentication, is used as the user identity. To identify whether this method is used, refer to the installation commands or methods and check that they contain the following parameter:

installmode=IDP

and do not contain:

  • token=" "

  • host=" " (tenant name)

Refer to the following to understand the changes required after enabling the Secure Enrollment options. Mode: IdP (Example: Okta).

Note: Enable the Enforce authentication of Netskope Client Enrollment option for IdP; it is not required to apply the generated authentication token.

  • Authentication Token = On, Encryption Token = Off:

    <OS utility> <NSClient> installmode=IDP

  • Authentication Token = On, Encryption Token = On:

    <OS utility> <NSClient> installmode=IDP enrollencryptiontoken=<encryption token>

  • Authentication Token = On, Encryption Token = On, Mode = peruserconfig:

    <OS utility> <NSClient> installmode=IDP tenant=<tenant-name> domain=<tenant-domain-name> enrollencryptiontoken=<encryption token>

    Note: Use this command in IdP mode enrollment if you do not want users to use the entire tenant name. For example, if your tenant is abc.goskope.com, then the tenant name and domain are "abc" and "goskope.com" respectively.

  • Authentication Token = On, Encryption Token = On, Mode = peruserconfig:

    <OS utility> <NSClient> installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>

If Prelogon and Secure Enrollment are enabled, the authentication token must be present on the end-user machine even with IdP enrollments; otherwise the Prelogon user cannot be provisioned. For example:

msiexec /I NSClient.msi host=<addon URL> token=<orgID> installmode=IDP mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> prelogonuser=<user>@prelogon.netskope.com

To learn more, view Configure Client Prelogon Connectivity.
User Impact

Client version 116.0.0 or earlier (includes any upgrades to these versions)

Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment
--- | --- | --- | ---
Personal Corporate Machine | No change | Netskope Client package with token | Uninstall the Client, then reinstall the Client package with token
Shared Desktop/VDIs and so on | No change | Uninstall the Client, then reinstall the Client package with token | Uninstall the Client, then reinstall the Client package with token

These changes are required only if Enforce encryption of initial configurations of Netskope client is enabled. Operating systems other than Windows do not require uninstallation and reinstallation before version 116.1.0.

Client version 116.1.0 or later (includes during upgrades)

Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment
--- | --- | --- | ---
Personal Corporate Machine | No change | Netskope Client package with token | Client package with token, or apply the token using nsdiag on Windows
Shared Desktop/VDIs and so on | No change | Client package with token, or apply the token using nsdiag on Windows | Client package with token, or apply the token using nsdiag on Windows

These changes are required only if Enforce encryption of initial configurations of Netskope client is enabled.

Example commands:

  • Re-run the MSIEXEC command with the new tokens.

    This flexibility is available only for Windows devices, and the MSI rerun is not supported if the Protect Client configuration and resources option is selected in the Client Configuration webUI.
  • Use the following nsdiag command to update the tokens (in Admin mode):

    nsdiag -e enrollencryptiontoken=<token>

    The preceding nsdiag command is supported only on Windows platforms. You can run the nsdiag command from the path C:\Program Files (x86)\Netskope\STAgent.

    If the nsdiag -e command fails, an error message is displayed in the command prompt.
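The Windows procedure described in the UPN and IdP sections (re-run MSIEXEC with the tokens, or apply them with nsdiag -e on an already installed Client) written up as one deployment helper. This is an added example and not Netskope's own script: it first checks the elevation and allowlist prerequisites given on this page, then chooses nsdiag or msiexec; the parameter names and the /qn switch are assumptions, while the properties, token names and the STAgent path are the ones documented here.

```powershell
# Added example, not Netskope's own tooling: apply Secure Enrollment tokens on a Windows
# device with msiexec (fresh install) or "nsdiag -e" (Client already installed).
# Assumed: the deployment tool supplies the tokens and NSClient.msi is in the working directory.
[CmdletBinding()]
param(
    [ValidateSet('UPN', 'IDP')] [string] $EnrollMode = 'UPN',
    [string] $AuthToken = '',         # required for UPN; for IdP only with Prelogon
    [string] $EncryptionToken = '',   # only when "Enforce encryption" is enabled
    [string] $AddonUrl = '',          # host=<addon URL>, UPN mode only
    [string] $OrgId = '',             # token=<orgID>, UPN mode only
    [switch] $PerUserConfig,          # adds mode=peruserconfig
    [string] $MsiPath = '.\NSClient.msi'
)
$ErrorActionPreference = 'Stop'
$nsdiag = 'C:\Program Files (x86)\Netskope\STAgent\nsdiag.exe'   # folder from the documentation

# nsdiag -e has to run in Admin mode, so refuse to continue without elevation.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Allowlist check: enrollment needs outbound 443/TCP to enrollment.goskope.com.
# The tenant-specific enrollment.*.goskope.com hosts cannot be probed from a wildcard.
if (-not (Test-NetConnection -ComputerName 'enrollment.goskope.com' -Port 443).TcpTestSucceeded) {
    throw 'Outbound 443/TCP to enrollment.goskope.com is blocked; fix the allowlist first.'
}
# Token properties: UPN authenticates with the auth token, IdP authenticates through the IdP.
$tokenArgs = @()
if ($EnrollMode -eq 'UPN') {
    if (-not $AuthToken -or -not $AddonUrl -or -not $OrgId) {
        throw 'UPN mode requires -AuthToken, -AddonUrl and -OrgId.'
    }
    $tokenArgs += "enrollauthtoken=$AuthToken"
} elseif ($AuthToken) {
    $tokenArgs += "enrollauthtoken=$AuthToken"   # IdP with Prelogon still needs the auth token
}
if ($EncryptionToken) { $tokenArgs += "enrollencryptiontoken=$EncryptionToken" }

if (Test-Path $nsdiag) {
    # Installed Client: update the tokens in place (Windows only, as the documentation states).
    if ($tokenArgs.Count -eq 0) { Write-Host 'No tokens to apply for this mode.'; return }
    & $nsdiag -e @tokenArgs
    if ($LASTEXITCODE -ne 0) { throw "nsdiag -e failed with exit code $LASTEXITCODE." }
} else {
    # Fresh install: hand the same properties to msiexec (/qn assumed for a silent install).
    $msiArgs = @('/I', "`"$MsiPath`"", '/qn')
    if ($EnrollMode -eq 'UPN') { $msiArgs += "host=$AddonUrl", "token=$OrgId" }
    else { $msiArgs += 'installmode=IDP' }
    if ($PerUserConfig) { $msiArgs += 'mode=peruserconfig' }
    $msiArgs += $tokenArgs
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
    if ($proc.ExitCode -ne 0) { throw "msiexec failed with exit code $($proc.ExitCode)." }
}
```

Because the script prefers nsdiag whenever the Client is already present, it sidesteps the documented limitation that an MSI rerun is not supported when Protect Client configuration and resources is selected.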

Here is another set of examples for each OS using the IdP method:

Using Command-Line

  • Windows

    msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>

    To learn more, view Netskope Client for Windows.

  • MAC

    jamfnsclientconfig.sh <dummy param 1> <dummy param 2> <dummy param 3> idp <domain> <tenant-name> [enrollencryptiontoken=<token>] mode=peruserconfig

    To learn more, view Jamf.

  • Linux

    sudo ./STAgent.run -i | --idp

    To learn more, view Netskope Client for Linux.

Using MDM

If you have enabled Secure Enrollment in your Netskope tenant, refer to the following guides to deploy Netskope Client with secure enrollment using MDM.

Email Invitation

In this mode, the user’s userkey is used as the user identity fetched from the email invitation.

Apart from enabling Secure Enrollment, no other changes are required for this method.

User Impact

There is no impact on the email invitation-based installations and enrollments.

Enrollment Methods Comparison

 | IdP | UPN | Email Invitation
--- | --- | --- | ---
User Identification | User's email address | UPN/Email (depending on OS and deployment method) | Userkey
User authentication | Through the configured IdP | Legacy: OrgKey; Current: Authentication Token, part of Secure Enrollment | User activation key (one-time token)
User Experience | Requires user interaction | No user interaction | User needs to have admin rights to deploy
Security | Supports the security levels set up for the IdP, such as MFA | Uses the same token across the organization | One-time token distribution via email; the customer lacks control over the usage of the email invitation