Secure Enrollment
Secure Enrollment is a mechanism that enforces strict authentication of Netskope Client enrollment.
Once the Netskope Client is installed on the end-user device, it enrolls the user by downloading the enrollment configuration. Secure Enrollment enforces strict authentication parameters on that enrollment process.
Secure Enrollment provides two configurable parameters:
- Enforce authentication of Netskope Client Enrollment (Mandatory): This option protects against enrollment bypass issues irrespective of the Client deployment method. The token generated for it is used as the authentication parameter in UPN-based enrollment of the Netskope Client. Enabling this option is mandatory to protect against enrollment bypass issues. If user enrollment is performed using UPN, the token must be present on the end-user machine. For IdP enrollments, the token need not be present on the end-user machine because the user is authenticated by the IdP. However, to use NPA Prelogon, the auth token must be present on the end-user machine even with IdP enrollments.
- Enforce encryption of initial configuration of Netskope Client (Optional): The token generated for this option is used to encrypt the enrollment configuration files, on top of TLS. This option is optional and can be enabled based on your requirements. If it is enabled, the generated token must be present on end-user machines for enrollment to succeed.
Refer to Frequently Asked Questions to understand more scenarios regarding Secure Enrollment.
Prerequisites
Refer to the following to understand the supported Netskope Client versions and operating systems.
- Netskope Client version: 111.0.0 or later (Netskope provides support for versions N-2, where N is the latest Golden release of the Netskope Client). To learn more about the user impact on various Client versions, see Netskope Client Deployment with Secure Enrollment. Netskope recommends using the latest supported versions, 117.1, 120.1, 121 or later, to ensure a smooth adoption of Secure Enrollment in your environment. These versions include usability enhancements and mitigate recently discovered enrollment issues that may occur in multi-user environments.
- Supported OS:
  - Windows 10 and higher
  - macOS 11.0 and higher
  - Android 11 and higher
  - Windows Server 2016, 2019, 2022
  - Linux: Ubuntu 18.04 and higher
  - iOS: 15.1 and higher
  - ChromeOS: 129 and higher
Allowlist for Secure Enrollment
For normal functioning, the Netskope Client must be allowed to connect outbound directly to the subnets, domains, ports, and protocols as given in the following table:
Domain | Port | Protocol |
---|---|---|
enrollment.goskope.com | 443 | TCP |
enrollment.*.goskope.com | 443 | TCP |
enrollment.*.govskope.ca | 443 | TCP |
enrollment.*.govskope.us | 443 | TCP |
Enable Secure Enrollment
You can enable the Secure Enrollment options from Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment. To learn more about the tokens, view Manage Secure Enrollment Tokens.

With version 122.0.0, Netskope introduced multi-token support that allows administrators to create multiple authentication and encryption tokens using Secure Enrollment. To learn more, view Multi-Token Support.
Secure Enrollment Workflow
Refer to the following workflow diagram, which shows the different enrollment methods supported by the Netskope Client and the changes required to enable and use Secure Enrollment.

Manage Secure Enrollment Tokens
- By default, the validity of any token is 90 days. The administrator can generate only one token each for authentication and encryption.
- The administrator can extend the validity period of a token to any value between seven days and 365 days.
- If you toggle to disable the Authentication or Encryption token, the token is deleted.
- Once the administrator generates a token, the following options are available:
  - Copy token: Copies the authentication or encryption token with a single mouse click.
  - Show/Hide token: Tokens are generated in a hidden state by default. Use the Show/Hide option to view them.
  - Revoke token: Revokes a token that is no longer in use.
  - Refresh token: Generates a new token or renews an existing one.
  - Edit: Modifies the expiration date of an existing token.
  - Enforce: Enforces Netskope Client installation using the Secure Enrollment token(s). This adds a layer of protection against enrollment bypass. To enable token enforcement, click Enforce Token(s); click Do not Enforce Tokens to disable it. Once enforced, the Client enrollment service returns an HTTP 405 status code if the Netskope Client calls the enrollment service without the Secure Enrollment tokens. This option works only with Netskope Client versions 117.1.7, 120.1.0 and later.
- All expired tokens must be replaced before enforcement is enabled for enrollment. For example, if a user's email ID changes while the Secure Enrollment tokens are expired, the enrollment fails. To enroll successfully, redeploy the Client with the correct tokens, or apply the tokens using nsdiag on Windows.
All token operations are captured in Settings > Administration > Audit Logs.
Multi-Token Support
With version 122.0.0, admins can create multiple authentication and encryption tokens using the Secure Enrollment feature.
This flexibility lets administrators keep old and new tokens valid at the same time, with enough overlap to complete user deployments. It also works with the Enforce button introduced in version 120.1.0: administrators can create the tokens now, distribute the token set, and enable enforcement at a later time.
New Features Available With Version 122.0.0
Administrators can:
- Create two sets of authentication and encryption tokens using Add New TokenSet. Creating the encryption token is optional.
- Delete a token set after disabling the Enforce feature for that token set. You cannot delete a token set while its tokens are enforced for Client deployment.
- Extend the token expiration date according to the options offered in the webUI. The webUI displays N/A in the Expiration Date column if the tokens are not enforced. For more details, refer to Enforce Token.
Migrating from Netskope Client Versions Prior To Version 122.0.0
- After the initial migration, the existing token(s) from the old secure enrollment token table will continue to work for both new and old Netskope Clients.
- With a single valid token set, both old and new Netskope Clients work, regardless of the presence of the encryption token.
- With two valid and enabled token sets, it is recommended to use the version 122.0.0 Netskope Client.
The following table outlines how existing and new token sets work across Client versions with the multi-token support feature.
Token(s) | Netskope Client version prior to 122.0.0 | Netskope Client version 122.0.0 or later | Notes |
---|---|---|---|
The existing valid and enforced token(s) | Works | Works | One-time migration for existing token(s). |
Only one token set | Works | Works | Only one new token set: token(s) with or without an encryption token. |
Two token sets; neither token set has an encryption token | Works | Works | No encryption token in either of the token sets. |
Two token sets; at least one set has an encryption token | Fail | Works | Clients prior to R122.0.0 fail due to the encryption branding file. Netskope recommends using the latest Client version. |
Add New Token Set
Click +Add New TokenSet to create a new token set in the webUI. Once you add another token set, the webUI displays only the authentication token; you need to add the encryption token manually because it is optional.
Once the administrator generates a token, use the following options:
- Copy token: Use this option to copy the authentication or encryption tokens with a simple mouse click.
- Show/Hide token: Tokens are generated in a hidden state by default. Use the Show/Hide option to view them.
- Delete token: Delete a token when it is not in an enforced state.

Add Encryption Token
Since adding an encryption token is optional, administrators must create it manually. Click + Add Token in the Encryption column. Add the encryption token before enforcing the tokens.

Enforce Token
Use this option to enforce Netskope Client installation using the Secure Enrollment token(s). This adds a layer of protection against enrollment bypass. To enable token enforcement, click the ellipsis (…) and select Enforce.

After you click Enforce, you can set the token expiration details. Select an Expiration Date from the following options displayed in the dropdown:
- 7 days from today
- 30 days from today
- 60 days from today
- 90 days from today (Default option)
- 180 days from today
- 365 days from today
Click Save to apply the expiration date.

Use the Do Not Enforce option to disable enforcement.

Delete Token Set
Administrators can delete a token set only if its tokens are not enforced. If the tokens are enforced, disable enforcement first and then delete the tokens. The Delete option is grayed out while the tokens are enforced.
Netskope Client Deployment with Secure Enrollment
Refer to the following sections to understand the changes required in the Netskope Client deployment or installation process for different enrollment methods after enabling Secure Enrollment:
UPN
In this mode, the user's UPN (User Principal Name) from the logged-in, domain-joined system is used as the user identity. To identify whether this method is used, check the installation commands or methods for the following parameters:
- token=" "
- host=" " (tenant name)
and confirm that they do not contain installmode=IDP.
Refer to the following table to understand the changes required after enabling the Secure Enrollment options:
Mode | Secure Enrollment Token State | Installation Commands |
---|---|---|
UPN (AD user) | Authentication Token = On; Encryption Token = Off | <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token> |
UPN (AD user) | Authentication Token = On; Encryption Token = On | <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> |
UPN (AD user) | Authentication Token = On; Encryption Token = Off; Mode = peruserconfig | <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> |
UPN (AD user) | Authentication Token = On; Encryption Token = On; Mode = peruserconfig | <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> |
User Impact
Client version 116.0.0 or earlier (includes any upgrades to these versions)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens |
Shared Desktop/VDIs and so on | No change | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens | Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens |
Client Version 116.1.0 or later (includes during upgrades)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with Secure Enrollment tokens | Client package with Secure Enrollment tokens, or apply tokens using nsdiag on Windows |
Shared Desktop/VDIs and so on | No change | Client package with Secure Enrollment tokens, or apply tokens using nsdiag on Windows | Client package with Secure Enrollment tokens, or apply tokens using nsdiag on Windows |
Example commands:
- Re-run the MSIEXEC command with the new tokens. This flexibility is available only for Windows devices, and the MSI rerun is not supported if the Protect Client configuration and resources option is selected in the Client Configuration webUI.
- Use the following nsdiag command to update the tokens (in Admin mode):
  nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>
  The nsdiag command is supported only on Windows platforms. You can run nsdiag from the path C:\Program Files (x86)\Netskope\STAgent. If the nsdiag -e command fails, an error message is displayed in the command prompt.
IdP
In this mode, the user's email address, obtained from the IdP authentication, is used as the user identity. To identify whether this method is used, check the installation commands or methods for the following parameter:
- installmode=IDP
and confirm that they do not contain:
- token=" "
- host=" " (tenant name)
Refer to the following table to understand the changes required after enabling the Secure Enrollment options. For IdP, enable the Enforce authentication of Netskope Client Enrollment option; the authentication token it generates does not need to be applied on the client.
Mode | Secure Enrollment Token State | Installation Commands |
---|---|---|
IdP (Example: Okta) | Authentication Token = On (not applied on the client); Encryption Token = Off | <OS utility> <NSClient> installmode=IDP |
IdP (Example: Okta) | Authentication Token = On (not applied on the client); Encryption Token = On | <OS utility> <NSClient> installmode=IDP enrollencryptiontoken=<encryption token> |
IdP (Example: Okta) | Authentication Token = On (not applied on the client); Encryption Token = On | <OS utility> <NSClient> installmode=IDP tenant=<tenant-name> domain=<tenant-domain-name> enrollencryptiontoken=<encryption token> Note: Use this command in IdP mode enrollment if you do not want users to use the entire tenant name. For example, if your tenant is abc.goskope.com, the tenant name and domain are "abc" and "goskope.com" respectively. |
IdP (Example: Okta) | Authentication Token = On (not applied on the client); Encryption Token = On; Mode = peruserconfig | <OS utility> <NSClient> installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token> |
For IdP enrollment with NPA Prelogon, the auth token must also be present on the end-user machine:
msiexec /I NSClient.msi host=<addon URL> token=<orgID> installmode=IDP mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token> prelogonuser=<user>@prelogon.netskope.com
To learn more, view Configure Client Prelogon Connectivity.
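The identification rules for UPN and IdP commands, together with the token requirements in both sections' tables, can be turned into a pre-deployment check that flags an install command missing the tokens the tenant settings require. The following Python is an added example, not Netskope code; the sample commands use constructed placeholder values (addon-example.goskope.com, ORGID_EXAMPLE and the like), and the two boolean inputs mirror the tenant's Enforce authentication and Enforce encryption options.

```python
"""Audit a Netskope Client install command line against the tenant's Secure
Enrollment settings.  Added example, not Netskope code: the rules come from the
UPN and IdP tables on this page; the sample commands use placeholder values."""


def parse_params(cmd: str) -> dict:
    """Return the key=value parameters of an install command with keys
    lower-cased and surrounding quotes stripped.  Tokens without '=' (msiexec,
    /I, the MSI file name) are ignored."""
    params = {}
    for tok in cmd.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            params[key.lower()] = value.strip("\"'")
    return params


def enrollment_method(params: dict) -> str:
    """Page rules: installmode=IDP means IdP; token= plus host= without
    installmode=IDP means UPN; no enrollment parameters means email invitation."""
    if params.get("installmode", "").upper() == "IDP":
        return "IdP"
    if "token" in params and "host" in params:
        return "UPN"
    return "Email Invitation"


def missing_tokens(cmd: str, auth_enforced: bool, encryption_enabled: bool) -> list:
    """List the Secure Enrollment parameters the command needs but lacks.
    A value left in template form (e.g. <auth token>) also counts as missing."""
    params = parse_params(cmd)
    method = enrollment_method(params)
    if method == "Email Invitation":
        return []  # no install-command change is needed for this method
    needed = []
    # Auth token: always for UPN; for IdP only when NPA Prelogon is used.
    if auth_enforced and (method == "UPN" or "prelogonuser" in params):
        needed.append("enrollauthtoken")
    if encryption_enabled:  # encryption token applies to UPN and IdP alike
        needed.append("enrollencryptiontoken")
    return [k for k in needed if not params.get(k) or params[k].startswith("<")]


# Constructed sample commands with placeholder tenant and token values.
UPN_CMD = ("msiexec /I NSClient.msi host=addon-example.goskope.com "
           "token=ORGID_EXAMPLE enrollauthtoken=AUTH_EXAMPLE")
IDP_CMD = "msiexec /I NSClient.msi installmode=IDP mode=peruserconfig"
PRELOGON_CMD = (UPN_CMD + " installmode=IDP mode=peruserconfig "
                "enrollencryptiontoken=ENC_EXAMPLE prelogonuser=user@prelogon.netskope.com")
```

Run missing_tokens() over the commands in your GPO, Jamf or MDM deployment scripts before enabling Enforce; an empty list means the command carries every token the tenant settings require.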
User Impact
Client Version 116.0.0 or earlier (includes any upgrades to these versions)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with token | Uninstall the Client, then reinstall the Client package with token |
Shared Desktop/VDIs and so on | No change | Uninstall the Client, then reinstall the Client package with token | Uninstall the Client, then reinstall the Client package with token |
Operating systems other than Windows do not require uninstallation and reinstallation before version 116.1.0.
Client version 116.1.0 or later (includes during the upgrades)
Device | Existing User | New User Enrollments | Existing Enrolled User Requiring Re-enrollment |
---|---|---|---|
Personal Corporate Machine | No change | Netskope Client package with token | Client package with token, or apply the token using nsdiag on Windows |
Shared Desktop/VDIs and so on | No change | Client package with token, or apply the token using nsdiag on Windows | Client package with token, or apply the token using nsdiag on Windows |
Example commands:
- Re-run the MSIEXEC command with the new tokens. This flexibility is available only for Windows devices, and the MSI rerun is not supported if the Protect Client configuration and resources option is selected in the Client Configuration webUI.
- Use the following nsdiag command to update the token (in Admin mode):
  nsdiag -e enrollencryptiontoken=<token>
  The nsdiag command is supported only on Windows platforms. You can run nsdiag from the path C:\Program Files (x86)\Netskope\STAgent. If the nsdiag -e command fails, an error message is displayed in the command prompt.
Here is another set of examples for each OS using the IdP method:
Using Command-Line
- Windows: msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>
  To learn more, view Netskope Client for Windows.
- macOS: jamfnsclientconfig.sh <dummy param 1> <dummy param 2> <dummy param 3> idp <domain> <tenant-name> [enrollencryptiontoken=<token>] mode=peruserconfig
  To learn more, view Jamf.
- Linux: sudo ./STAgent.run -i (or --idp)
  To learn more, view Netskope Client for Linux.
Using MDM
If you have enabled Secure Enrollment in your Netskope tenant, refer to the following guides to deploy Netskope Client with secure enrollment using MDM.
Email Invitation
In this mode, the user’s userkey is used as the user identity fetched from the email invitation.
Apart from enabling Secure Enrollment, no other changes are required for this method.
User Impact
There is no impact on the email invitation-based installations and enrollments.
Enrollment Methods Comparison
Aspect | IDP | UPN | Email Invitation |
---|---|---|---|
User Identification | User's email address | UPN/Email (depending on OS and deployment method) | Userkey |
User authentication | Through the configured IdP | Legacy: OrgKey; Current: Authentication Token (part of Secure Enrollment) | User activation key (one-time token) |
User Experience | Requires user interaction | No user interaction | User needs admin rights to deploy |
Security | Supports the security levels set up for the IdP, such as MFA | Same token used across the organization | One-time token distributed via email; the customer lacks control over the usage of the email invitation |