Secure Enrollment

Secure enrollment is a mechanism to enforce the strict authentication of Netskope Client Enrollment.

Netskope recommends configuring Enforce authentication of Netskope Client Enrollment on all tenants so that the user enrollments for Netskope Client are secure.

Once the Netskope client is installed on the end-user device, it enrolls the user by downloading the enrollment configurations. Secure enrollment enforces the strict authentication parameters on the Client enrollment process.

The Secure Enrollment feature provides two configurable options:

  • Enforce authentication of Netskope Client Enrollment (Mandatory): This option protects against enrollment bypass regardless of the Client deployment method. The token it generates is passed as the authentication parameter in UPN-based enrollment of Netskope Client.

    Enforce authentication of Netskope Client Enrollment must be enabled to protect against enrollment bypass. If user enrollment is performed using UPN, the token must be present on the end-user machine. For IdP enrollments, the token need not be present on the end-user machine because the user is authenticated by the IdP.
  • Enforce encryption of initial configuration of Netskope client (Optional): The token generated for this option is used to encrypt the enrollment configuration files, in addition to the TLS protection of the transport.

    – This option is optional and can be enabled based on your requirements. If it is enabled, the token it generates must be present on end-user machines for enrollment to succeed.
    – If Enforce encryption of initial configuration of Netskope client is enabled, macOS devices may encounter an issue with the encryption token that causes enrollment to fail.

Refer to Frequently Asked Questions to understand more scenarios regarding Secure Enrollment.

Prerequisites

Refer to the following to understand the supported Netskope Client version and operating systems.

  • Netskope Client Version: 111.0.0 or later. (Netskope supports versions N-2, where N is the latest Golden release of Netskope Client.)

    To learn more about the user impact on various Client versions, see Netskope Client Deployment with Secure Enrollment.

    Secure Enrollment itself is available from Client version 98.0.0 onward; however, Netskope recommends using the latest supported version.
  • Supported OS:

    • Windows 10 and higher

    • macOS 11.0 and higher

    • Android 11 and higher

    • Windows Server 2016, 2019, 2022

    • Linux: Ubuntu 18.04 and higher

    • iOS: 15.1 or higher

Enable Secure Enrollment

You can enable the Secure Enrollment options from Settings > Security Cloud Platform > MDM Distribution > Secure Enrollment. To learn more about the tokens, see Manage Secure Enrollment Tokens.

By default, both options are disabled. Toggle each button to enable it.

Secure Enrollment Workflow

Refer to the following workflow diagram, which shows the enrollment methods supported by Netskope Client and the changes required to enable and use Secure Enrollment with each of them.

Manage Secure Enrollment Tokens

  • By default, a token is valid for 90 days. The administrator can generate only one token each for authentication and encryption.

  • The administrator can set the validity period of a token to any value between 7 and 365 days.

  • Disabling the Authentication or Encryption toggle deletes the corresponding token.

  • After generating a token, the administrator can use the following options:

    • Show/Hide token: Tokens are hidden by default. Use this option to view or hide them.

    • Revoke token: Use this option to invalidate a token that is no longer to be used.

    • Refresh token: Use this option to generate a new token or renew an existing one.

    • Edit: Modify the expiration date of an existing token.

  • Expired tokens must be replaced before they are used for enrollment. For example, if a user's email ID changes while the Secure Enrollment tokens are expired, the re-enrollment fails. To enroll successfully, redeploy the Client with valid tokens or, on Windows, apply the tokens using nsdiag.

All token operations are captured in Settings > Administration > Audit Logs.

Netskope Client Deployment with Secure Enrollment

Refer to the following sections to understand the changes required in the Netskope Client deployment or installation process for different enrollment methods after enabling Secure Enrollment:

UPN

In this mode, the UPN (User Principal Name) of the user logged in to the domain-joined system is used as the user identity. To identify whether this method is used, check the installation commands or methods for the following parameters:

  • token="..."

  • host="..." (tenant name)

    and confirm that the command does not contain installmode=IDP.

    Refer to the following table to understand the changes required after enabling Secure Enrollment options:

    Mode: UPN (AD user). Each entry gives the Secure Enrollment token state and the corresponding installation command.

    • Authentication Token = On, Encryption Token = Off

      <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token>

    • Authentication Token = On, Encryption Token = On

      <OS utility> <NSClient> host=<addon URL> token=<orgID> enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>

    • Authentication Token = On, Encryption Token = Off, Mode = peruserconfig

      <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token>

    • Authentication Token = On, Encryption Token = On, Mode = peruserconfig

      <OS utility> <NSClient> host=<addon URL> token=<orgID> mode=peruserconfig enrollauthtoken=<auth token> enrollencryptiontoken=<encryption token>
User Impact

Client version 116.0.0 or earlier (includes any upgrades to these versions)

  • Personal Corporate Machine

    – Existing User: No change
    – New User Enrollments: Netskope Client package with Secure Enrollment tokens
    – Existing Enrolled User Requiring Re-enrollment: Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens

  • Shared Desktop/VDIs and so on

    – Existing User: No change
    – New User Enrollments: Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens
    – Existing Enrolled User Requiring Re-enrollment: Uninstall the Client, then reinstall the Client package with Secure Enrollment tokens

Operating systems other than Windows do not require uninstallation and reinstallation before version 116.1.0.

Client version 116.1.0 or later (includes during upgrades)

  • Personal Corporate Machine

    – Existing User: No change
    – New User Enrollments: Netskope Client package with Secure Enrollment tokens
    – Existing Enrolled User Requiring Re-enrollment: Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows

  • Shared Desktop/VDIs and so on

    – Existing User: No change
    – New User Enrollments: Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows
    – Existing Enrolled User Requiring Re-enrollment: Client package with Secure Enrollment tokens, or apply the tokens using nsdiag on Windows

Example commands:

  • Re-run the MSIEXEC command with the new tokens.

    This option is available only on Windows devices, and the MSI re-run is not supported if the Protect Client configuration and resources option is selected in the Client Configuration web UI.
  • Use the following nsdiag command to update the tokens (run from an elevated, Administrator prompt):

    nsdiag -e enrollauthtoken=<token> enrollencryptiontoken=<token>

    The preceding nsdiag command is supported only on Windows. nsdiag is located at C:\Program Files (x86)\Netskope\STAgent.

IdP

In this mode, the user's email address, obtained from IdP authentication, is used as the user identity. To identify whether this method is used, check the installation commands or methods for the following parameter:

installmode=IDP

and confirm that the command does not contain:

  • token="..."

  • host="..." (tenant name)

    Refer to the following table to understand the changes required after enabling Secure Enrollment options:

Mode: IdP (Example: Okta). Each entry gives the Secure Enrollment token state and the corresponding installation command.

Note: Enable the Enforce authentication of Netskope Client Enrollment option for IdP enrollment; the authentication token it generates does not need to be passed to the Client.

  • Authentication Token = On, Encryption Token = Off

    <OS utility> <NSClient> installmode=IDP

  • Authentication Token = On, Encryption Token = On

    <OS utility> <NSClient> installmode=IDP enrollencryptiontoken=<encryption token>

  • Authentication Token = On, Encryption Token = On, Mode = peruserconfig

    <OS utility> <NSClient> installmode=IDP tenant=<tenant-name> domain=<tenant-domain-name> enrollencryptiontoken=<encryption token>

    Note: Use this command for IdP mode enrollment if you do not want users to enter the entire tenant name. For example, if your tenant is abc.goskope.com, the tenant name and domain are "abc" and "goskope.com" respectively.

  • Authentication Token = On, Encryption Token = On, Mode = peruserconfig

    <OS utility> <NSClient> installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>
User Impact

Client version 116.0.0 or earlier (includes any upgrades to these versions)

  • Personal Corporate Machine

    – Existing User: No change
    – New User Enrollments: Netskope Client package with token
    – Existing Enrolled User Requiring Re-enrollment: Uninstall the Client, then reinstall the Client package with token

  • Shared Desktop/VDIs and so on

    – Existing User: No change
    – New User Enrollments: Uninstall the Client, then reinstall the Client package with token
    – Existing Enrolled User Requiring Re-enrollment: Uninstall the Client, then reinstall the Client package with token

  – These changes are required only if Enforce encryption of initial configuration of Netskope client is enabled.
  – Operating systems other than Windows do not require uninstallation and reinstallation before version 116.1.0.

Client version 116.1.0 or later (includes during upgrades)

  • Personal Corporate Machine

    – Existing User: No change
    – New User Enrollments: Netskope Client package with token
    – Existing Enrolled User Requiring Re-enrollment: Client package with token, or apply the token using nsdiag on Windows

  • Shared Desktop/VDIs and so on

    – Existing User: No change
    – New User Enrollments: Client package with token, or apply the token using nsdiag on Windows
    – Existing Enrolled User Requiring Re-enrollment: Client package with token, or apply the token using nsdiag on Windows

These changes are required only if Enforce encryption of initial configuration of Netskope client is enabled.

Example commands:

  • Re-run the MSIEXEC command with the new token.

    This option is available only on Windows devices, and the MSI re-run is not supported if the Protect Client configuration and resources option is selected in the Client Configuration web UI.
  • Use the following nsdiag command to update the token (run from an elevated, Administrator prompt):

    nsdiag -e enrollencryptiontoken=<token>

    The preceding nsdiag command is supported only on Windows. nsdiag is located at C:\Program Files (x86)\Netskope\STAgent.

The following are additional examples for each OS using the IdP method:

Using Command-Line

  • Windows

    msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>

    To learn more, view Netskope Client for Windows.

  • macOS

    jamfnsclientconfig.sh <dummy param 1> <dummy param 2> <dummy param 3> idp <domain> <tenant-name> [enrollencryptiontoken=<token>] mode=peruserconfig

    To learn more, view Jamf.

  • Linux

    sudo ./STAgent.run -i | --idp

    To learn more, view Netskope Client for Linux.

Using MDM

If you have enabled Secure Enrollment in your Netskope tenant, refer to the following guides to deploy Netskope Client with secure enrollment using MDM.

Email Invitation

In this mode, the user key carried in the email invitation is used as the user identity.

Apart from enabling Secure Enrollment, no other changes are required for this method.

User Impact

There is no impact on the email invitation-based installations and enrollments.
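The identification rules and token requirements in the UPN, IdP and Email Invitation sections above can be turned into a pre-deployment check: classify an install command by its parameters, then report which Secure Enrollment parameters are missing or which tokens have expired for the tenant's current toggle state. The following is an added example written for this page; it is not Netskope code. It relies only on the parameter names documented here (installmode, token, host, mode, enrollauthtoken, enrollencryptiontoken); the TokenState record and all sample commands and dates are constructed for illustration, and the email-invitation classification is inferred by exclusion (neither installmode=IDP nor token/host present).

```python
"""Audit Netskope Client install commands against a tenant's Secure Enrollment state.

Added example for this page; not Netskope code. TokenState is a hypothetical
record the administrator fills in from Settings > Security Cloud Platform >
MDM Distribution > Secure Enrollment. Dates are ISO strings (YYYY-MM-DD).
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass
from datetime import date, timedelta

DEFAULT_VALIDITY_DAYS = 90                       # default token validity
MIN_VALIDITY_DAYS, MAX_VALIDITY_DAYS = 7, 365    # range allowed when editing validity


@dataclass
class TokenState:
    """Hypothetical snapshot of the two Secure Enrollment toggles and token expiry dates."""
    enforce_auth: bool                  # Enforce authentication of Netskope Client Enrollment
    enforce_encryption: bool            # Enforce encryption of initial configuration
    auth_expires: str | None = None
    encryption_expires: str | None = None


def validity_ok(days: int) -> bool:
    """True when a requested validity period is within the 7..365 day range."""
    return MIN_VALIDITY_DAYS <= days <= MAX_VALIDITY_DAYS


def token_expiry(generated: str, days: int = DEFAULT_VALIDITY_DAYS) -> str:
    """Expiry date (ISO) of a token generated on `generated` with the given validity."""
    if not validity_ok(days):
        raise ValueError(f"validity must be {MIN_VALIDITY_DAYS}-{MAX_VALIDITY_DAYS} days, got {days}")
    return (date.fromisoformat(generated) + timedelta(days=days)).isoformat()


def parse_install_command(cmd: str) -> dict[str, str]:
    """Collect key=value parameters from an install command line.

    posix=False keeps Windows paths (backslashes) intact; quotes around a
    value are stripped afterwards. Keys are lower-cased for matching.
    """
    params: dict[str, str] = {}
    for word in shlex.split(cmd, posix=False):
        if "=" in word:
            key, value = word.split("=", 1)
            params[key.lower()] = value.strip("\"'")
    return params


def enrollment_method(params: dict[str, str]) -> str:
    """Classify the enrollment method using the identification rules on this page."""
    if params.get("installmode", "").upper() == "IDP":
        return "IdP"
    if "token" in params and "host" in params:
        return "UPN"
    return "Email Invitation"   # by exclusion: neither installmode=IDP nor token/host


def audit_install_command(cmd: str, state: TokenState, today: str) -> list[str]:
    """Return the problems that would make enrollment fail under the given token state."""
    params = parse_install_command(cmd)
    method = enrollment_method(params)
    problems: list[str] = []
    now = date.fromisoformat(today)

    # UPN enrollment needs the authentication token on the device; IdP does not,
    # because the IdP authenticates the user. Email invitation needs no change.
    if method == "UPN" and state.enforce_auth:
        if "enrollauthtoken" not in params:
            problems.append("UPN: enrollauthtoken missing while authentication is enforced")
        if state.auth_expires and date.fromisoformat(state.auth_expires) < now:
            problems.append("authentication token expired; refresh it before enrolling")

    # The encryption token is required for both UPN and IdP when encryption is enforced.
    if method in ("UPN", "IdP") and state.enforce_encryption:
        if "enrollencryptiontoken" not in params:
            problems.append(f"{method}: enrollencryptiontoken missing while encryption is enforced")
        if state.encryption_expires and date.fromisoformat(state.encryption_expires) < now:
            problems.append("encryption token expired; refresh it before enrolling")

    # Expired tokens must be replaced (redeploy, or nsdiag -e on Windows) before enrolling.
    return problems


if __name__ == "__main__":
    # Constructed sample: a UPN command deployed after encryption was also enforced.
    sample = 'msiexec /I NSClient.msi host=addon-acme.goskope.com token=ORG123 enrollauthtoken=A1'
    tenant = TokenState(enforce_auth=True, enforce_encryption=True,
                        auth_expires="2024-12-31", encryption_expires="2024-12-31")
    for problem in audit_install_command(sample, tenant, "2024-06-01"):
        print(problem)
```

Run the audit over the install commands in your MDM or GPO packages before flipping either toggle; a command that still enrolls today can start failing the moment Enforce encryption is enabled or a token passes its expiry date.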
