# Distribution of Netskope iOS/iPadOS App (beta) using Jamf Pro

March 03, 2023

The Netskope iOS/iPadOS application was recently launched as a beta version. Although it has been possible to deploy Netskope on iOS/iPadOS for some time, deployment and management have been difficult because CASB/SWG and NPA used separate deployment methods. The new app version integrates these functions and makes them easier to manage.

We are currently testing the Netskope iOS/iPadOS app (beta) within our company. Since customers have told us they are curious about it and would like to try it, we will blog about it in small parts, starting with the parts we know about.

This blog is the first of many, and covers application distribution with Jamf Pro. As a reader, I think you are more interested in "how it turned out" than "how to distribute". Please wait for the sequel article for the details.

## Prerequisites

- The version currently provided is a beta version. Operation is not guaranteed and it is not suitable for production operation. Please use it only for small-scale PoC.
- After the Netskope iOS app has been GA'd, there is a **possibility** that you will need to redistribute the GA version of the app to devices that have already received the beta version. Please check back after GA for details.
- After the Netskope iOS app has been GA'd, there is a possibility that the MDM distribution settings, app specifications, etc. may change.
- Communication requirements will be [the same as Netskope Client](https://docs.netskope.com/en/netskope-client-network-configuration.html) for the PC version [*1].

**Please note**. The content of this blog is based on information available as of February 27, 2023, but the situation may change in the future due to changes in the specifications of cloud services.
If we are able to confirm specification changes, we will revise the information as much as possible, but please understand that it is difficult to keep the information up to date at all times.

## Preparation

### Obtaining a root/intermediate certificate

First, download the Netskope certificate from the Netskope Management Console.

①. In the Netskope Management Console, navigate to Settings > Security Cloud Platform > MDM Distribution.

②. In the [Certificate Setup] section of [MDM Distribution], obtain the root and intermediate certificates.

**Note** Certificates downloaded from Netskope are in `.pem` format, but must be converted to `.cer` format before uploading to MDM in the subsequent steps. Rename the file and convert it from `.pem` to `.cer` format.

### Obtaining OrgKey (OrgID)

Next, follow the steps below to obtain the OrgKey (OrgID) for your own Netskope tenant.

①. In the Netskope Management Console, navigate to Settings > Security Cloud Platform > MDM Distribution.

②. On the [MDM Distribution] page, scroll down to the [Create VPN Configuration] section, copy the OrgKey (OrgID) and keep it handy.

### Make sure you have an email address set up on your Jamf Pro device

Netskope can log access to cloud services and control policies on a per-user basis, and it uses the email address registered with Jamf Pro to identify users. Therefore, before setting up Netskope, make sure that the Jamf Pro device is configured with an email address. When I verified this, Netskope could not be activated if the email address was not set.

## Step 1: Create a configuration profile

In [Jamf Pro Management Console] > [Devices] > [Configuration Profiles] > [New], create a configuration profile for use with Netskope iOS/iPadOS and assign it to the iOS/iPadOS devices that will receive the app.

### General

General is configured as follows.

①. Set an arbitrary, easy-to-understand name in [**Name**].

②. For [Distribution Method], select [Install Automatically].

### VPN

Configure VPN as follows.

①. For [Connection Name], set an arbitrary, easy-to-understand name.

②. For [VPN Type], select [VPN].

③. For [Connection Type], select [Custom SSL].

④. Enter [com.netskope.Netskope] for [Recognizer].

⑤. Enter [gateway-***{tenant_hostname}***.goskope.com] for [Server]. The ***{tenant_hostname}*** part can also be checked in Netskope's Client Configuration.

⑥. For [User Authentication], select [Password].

⑦. For [Provider Type], select [Packet-tunnel].

⑧. Check the [Enable On-Demand VPN] checkbox.

⑨. Since the purpose of this PoC is to use the beta version, do not check [Do not allow users to disable on-demand VPN settings].

### Certificate

In Certificate, upload the Netskope root certificate and intermediate certificate that you obtained during preparation.

## Step 2: Distribute "Unified Netskope iOS"

In [Jamf Pro Management Console] > [Devices] > [Mobile Device App] > [New], configure the distribution settings for "Unified Netskope iOS", the Netskope iOS/iPadOS app version. In the Type selection, select "App Store app or apps purchased in volume" and add "Unified Netskope iOS".

### General

General is set as follows.

①. For [Display Name], set an arbitrary, easy-to-understand name.

②. For [Distribution Method], select [Install Automatically/Prompt Users to Install].

③. Check [Show App in Self Service after installation].

④. Check the [Make App managed if possible] checkbox.

⑤. Since this is a PoC using a beta version, check the [Allow users to delete Apps (iOS 14 or later)] checkbox.

### Managed Distribution

If you want to distribute without using an Apple ID, check [Assign bulk purchase content] in [Managed Distribution]. In this case, you need to purchase "Unified Netskope iOS (free app)" in advance.

### App Configuration

Configure [App Configuration] as follows.

**Note**

- Enter the OrgKey (OrgID) you obtained in advance in the `XXX` field directly under [OrgKey].
- Enter the name of your tenant (the same information as VPN-⑤ in "Step 1: Create a configuration profile") in the `{tenant_hostname}` field directly under [AddonHost].

## Step 3: Activate the configuration

Once the above configuration profile and app distribution settings have been applied, launch the Netskope iOS/iPadOS app on your iOS/iPadOS device and activate the settings.

Launching the app requires only two clicks: select "Allow" for notifications and press "OK" on the first screen that appears.

It is a little hard to see, but when the [VPN] symbol appears at the top of the screen, activation is complete.

## End

The new Netskope iOS/iPadOS app version has relatively few configuration items, and we were able to deploy Netskope on iOS using MDM. Although it is still in beta and not yet suitable for production operation, we hope readers will try it out in a verification environment and give Netskope a lot of feedback.

## Note

1. Netskope Client Network Configuration https://docs.netskope.com/en/netskope-client-network-configuration.html
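The VPN settings from Step 1 can be checked in an exported profile before it is scoped to devices. The Python check below is an added example, not part of the original post and not Netskope or Jamf tooling; it assumes an unsigned XML `.mobileconfig` and that the Step 1 fields are written to Apple's VPN payload keys (`VPNSubType`, `RemoteAddress`, `ProviderType`, `OnDemandEnabled`). The sample profile and `example-tenant` are constructed.

```python
import plistlib

# Constructed sample profile (not exported from a real tenant); "example-tenant"
# stands in for {tenant_hostname}. Key names follow Apple's VPN payload schema.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>UserDefinedName</key><string>Netskope PoC</string>
  <key>VPNType</key><string>VPN</string>
  <key>VPNSubType</key><string>com.netskope.Netskope</string>
  <key>VPN</key><dict>
    <key>RemoteAddress</key><string>gateway-example-tenant.goskope.com</string>
    <key>AuthenticationMethod</key><string>Password</string>
    <key>ProviderType</key><string>packet-tunnel</string>
    <key>OnDemandEnabled</key><integer>1</integer>
  </dict>
</dict></array>
</dict></plist>"""

def check_vpn_payload(profile_bytes, tenant_hostname):
    """Return a list of mismatches against the Step 1 settings (empty = OK)."""
    profile = plistlib.loads(profile_bytes)
    vpn_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.vpn.managed"]
    if len(vpn_payloads) != 1:
        return [f"expected exactly 1 VPN payload, found {len(vpn_payloads)}"]
    payload = vpn_payloads[0]
    vpn = payload.get("VPN", {})
    # Assumed mapping of the Jamf Pro fields in Step 1 to payload keys.
    expected = [
        ("VPNType", payload.get("VPNType"), "VPN"),
        ("VPNSubType", payload.get("VPNSubType"), "com.netskope.Netskope"),
        ("RemoteAddress", vpn.get("RemoteAddress"), f"gateway-{tenant_hostname}.goskope.com"),
        ("AuthenticationMethod", vpn.get("AuthenticationMethod"), "Password"),
        ("ProviderType", vpn.get("ProviderType"), "packet-tunnel"),
        ("OnDemandEnabled", vpn.get("OnDemandEnabled"), 1),
    ]
    return [f"{name}: expected {want!r}, got {got!r}"
            for name, got, want in expected if got != want]

if __name__ == "__main__":
    problems = check_vpn_payload(SAMPLE_PROFILE, "example-tenant")
    print("\n".join(problems) if problems else "profile matches Step 1")
```
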