# Distribution of Netskope iOS/iPadOS App (beta) using Microsoft Intune

March 03, 2023

The Netskope iOS/iPadOS application was recently launched as a beta version. Although it has been possible to deploy Netskope on iOS/iPadOS for some time, deployment and management have been difficult because CASB/SWG and NPA used separate deployment methods. The new app version integrates these functions and makes them easier to manage.

We are currently testing the Netskope iOS/iPadOS app (beta) within our company. Since customers have told us that they are curious about it and would like to try it, we would like to blog about it in small parts, starting with the parts we know about.

This blog is the first of many, and covers application distribution with Microsoft Intune. As a reader, I think you are more interested in "how it turned out" than "how to distribute". Please wait for the sequel article for those details.

## Prerequisites

- The current version provided is a beta version. Operation is not guaranteed and it is not suitable for production operation. Please use it only for small-scale PoC.
- After the Netskope iOS app has been GA'd, there is a **possibility** that you will need to redistribute the GA version of the app to devices that have already received the beta version of the app. Please check back after GA for details.
- After the Netskope iOS app has been GA'd, there is a possibility that the distribution settings using MDM, app specifications, etc. may change.
- Communication requirements will be [the same as Netskope Client](https://docs.netskope.com/en/netskope-client-network-configuration.html) for the PC version [*1].

**Please note**: The content of this blog is based on information available as of February 27, 2023, but the situation may change in the future due to changes in the specifications of cloud services.
If we are able to confirm specification changes, we will revise the information as much as possible, but please understand that it is difficult to keep the information up to date at all times.

## Preparation

### Obtaining a root/intermediate certificate

First, download the Netskope certificate from the Netskope Management Console.

①. In the Netskope Management Console, navigate to Settings > Security Cloud Platform > MDM Distribution.

②. In the [Certificate Setup] section of the [MDM Distribution] page, obtain the root and intermediate certificates.

**Note** Certificates downloaded from Netskope are in `.pem` format, but must be converted to `.cer` format before uploading to MDM in the subsequent steps. Rename the file and convert it from `.pem` to `.cer` format.

### Obtaining OrgKey (OrgID)

Next, follow the steps below to obtain the OrgKey (OrgID) for your own Netskope tenant.

①. In the Netskope Management Console, navigate to Settings > Security Cloud Platform > MDM Distribution.

②. On the [MDM Distribution] page, scroll down to the [Create VPN Configuration] section, copy the OrgKey (OrgID) and keep it handy.

### Linking Devices to Users

While Netskope can log access to cloud services and control policies on a per-user basis, it uses the email addresses associated with devices registered with Intune to identify users. Therefore, you should associate users with devices before setting up delivery.

If you have enabled the "Register using user affinity" setting described in the link below, the user is logged in to Intune and associated with the device when onboarded in iOS. If you have not done so, log in to the Intune portal app to manually associate them.

https://learn.microsoft.com/ja-jp/mem/intune/fundamentals/deployment-guide-enrollment-ios-ipados#ade-administrator-tasks

## Step 1: Register the certificate

Upload the Netskope root and intermediate certificates obtained in the Preparation section to Intune.
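Because these files become trusted CA certificates on every targeted device, it is worth checking them before upload. The script below is an added example, not part of the original post or any Netskope tooling: it confirms that each downloaded file is a single CA certificate, that the intermediate was issued by the root, and then makes the `.cer` copy. It assumes `openssl` is installed; the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): check the Netskope root and
# intermediate PEM files, then copy each to a .cer name for upload to Intune.
# Assumes openssl is installed; the file names are supplied by the caller.

# Print subject, issuer, expiry and SHA-256 fingerprint for the change record.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Succeed only if the file holds exactly one PEM certificate marked as a CA.
is_single_ca_cert() {
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null)" -eq 1 ] || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Succeed only if the intermediate ($2) names the root ($1) as its issuer
# and its signature verifies against the root's key.
chains_to_root() {
    [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$1" -noout -subject_hash)" ] || return 1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Validate a file, copy it to <name>.cer (same Base64 content), print the new name.
to_cer() {
    is_single_ca_cert "$1" || { echo "not a single CA certificate: $1" >&2; return 1; }
    out="${1%.pem}.cer"
    cp "$1" "$out" && echo "$out"
}

# Usage: sh check_certs.sh rootca.pem intermediateca.pem
if [ "$#" -eq 2 ]; then
    describe_cert "$1" && describe_cert "$2" || exit 1
    chains_to_root "$1" "$2" || { echo "intermediate does not chain to root" >&2; exit 1; }
    to_cer "$1" && to_cer "$2" || exit 1
fi
```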
Create a new profile and assign it to the user at Microsoft Endpoint Admin Center (Intune) > Devices > Configuration Profiles > Create Profile.

## Step 2: Configure VPN

In Microsoft Endpoint Admin Center (Intune) > Devices > Configuration Profiles > Create Profile, create a VPN profile for use with Netskope iOS/iPadOS and assign it to the group to be distributed. Configuration settings are set as follows.

①. For [Connection Type], select [Custom SSL].

②. For [Connection Name], set an arbitrary, easy-to-understand name.

③. Enter `gateway-{tenant_hostname}.goskope.com` for [VPN Server Address]. The `{tenant_hostname}` part can also be checked in Netskope's Client Configuration.

④. For [Authentication Method], select [User Name and Password].

⑤. For [Split Tunneling], select [Disable].

⑥. Enter `com.netskope.Netskope` for [VPN Identifier].

## Step 3: Distribute "Unified Netskope iOS"

Configure the distribution settings for "Unified Netskope iOS", the Netskope iOS/iPadOS app version. In [Microsoft Endpoint Admin Center (Intune)] > [Apps] > [iOS/iPadOS] > [iOS/iPadOS Apps], select "Unified Netskope iOS" and assign it to the group for distribution. Also, for [Automatic VPN Type], select [On-Demand VPN].

**Note** Since the purpose of this project is a PoC using the beta version, [Block users from disabling VPN settings] is set to [No].

## Step 4: Set the app configuration policy

Set the configuration policy for the app. Create a policy in Microsoft Endpoint Admin Center (Intune) > Apps > App Configuration Policy > Add > Managed Devices. Give it any name, select [iOS/iPadOS] as the platform and [Unified Netskope Client] as the target app. Set the configuration setting type to [Use configuration designer] and the actual value should be set as follows.

**Note** Enter the hostname of your tenant (the same information as in "Step 2: Configure VPN") in the `{tenant_hostname}` field of [AddonHost].
## Step 5: Activate the configuration

Once the above configuration profile and app distribution settings have been applied, launch the Netskope iOS/iPadOS app on your iOS/iPadOS device and activate the settings. Launching the app requires only two clicks: "Allow" notifications and press "OK" on the first screen that appears. It is a little hard to see, but when the [VPN] symbol appears at the top of the screen, it is a sign that activation is complete.

## End

The new Netskope iOS/iPadOS app version has relatively few configuration items, and we were able to deploy Netskope on iOS using MDM. Although it is still in beta status and not yet suitable for production operation, we hope readers will try it out in a verification environment and give Netskope a lot of feedback.

## Note

1. Netskope Client Network Configuration https://docs.netskope.com/en/netskope-client-network-configuration.html