Skip to main content

Netskope Help

Deploy Client on iOS Using Intune

Netskope supports Intune on-demand and per-app VPN for iOS devices, so you can provide users with access to corporate applications, data, and resources while keeping your sensitive information secure.

Prerequisites

Before you configure Intune:

  • In the Netskope UI, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution. Download the Netskope Root Certificate. These are needed to configure Intune certificate profiles.

  • User accounts must be created within Azure AD in synchronization with the Netskope tenant.

  • Create Apple MDM Push Certificate to link the Apple ID and your Intune tenant. To learn more, view Apple MDM Push Certificate.

Create a Trusted Netskope Root Certificate Profile

You need to download the Netskope Root certificate from the Netskope UI to complete these steps. To get the certificate, go to Settings > Security Cloud Platform > Netskope Client > MDM Distribution .

Important

The Netskope Root certificate is in .pem format. You will need to convert it to .cer or .crt format before importing it. Rename the file to convert from .pem to .cer format.

To create a trusted Netskope certificate profile:

  1. In the Intune UI proceed to Devices > iOS/iPadOS > Configuration profiles

  2. Click Profile > Create Profile. Enter and select these parameters:

    • Name: Enter a unique name.

    • Platform: iOS.

    • Profile type: Trusted certificate.

    img-03-mem-trustedCert-a.png

  3. In the Trusted Certificate panel, provide a name in the Basics tab and click Next.

  4. In the Configurations settings tab, upload the Netskope Root certificate.

  5. Review your settings, and click Create.

Deployment Procedure

Perform the following steps to deploy Netskope client using Intune:

Enroll Netskope Client in MS Intune

  1. Go to Apps > iOS/iPadOS apps.

  2. Click + Add.

  3. Select iOS store app from the App type drop-down menu.

    Slect_app_type.png

  4. Click Select.

  5. From App Information, click Search the App Store and select Netskope Client app to add the application.

    iOS_Intune_Enroll_SearchNSClient_103.png

  6. Click Select. The App Information section displays more information on the UI. No additional configuration is required here.

    App_Information.png

  7. Click Next.

  8. Assign the application to devices or users. Click Next to continue.

    Add_Assignments.png

  9. Click Create to complete creating the application.

Create App Configuration Policy

  1. Go to Apps > App Configuration Policies to add the required policies to Netskope Client.

  2. Click +Add and select Managed Devices.

  3. In the Basics section of the Create app configuration policy page, enter the following details and click Next:

    • Name: Provide a name to the policy.

    • Platform: Select iOS/iPadOS.

    • Targeted App: Select Netskope Client

  4. In the Settings section of the Create app configuration policy page, select the Use configuration designer option from the Configuration settings format dropdown menu.

  5. Provide the required Key-Value pairs to complete the Netskope Client enrollment process:

    • UserEmail: {{mail}}

    • AddonHost: <addon-hostname>

    • OrgKey: <Organization Key>

    Keyvalue_pairs.png

    Note

    The Organization ID is case-sensitive. To know theOrganization ID, perform the following steps:

    1. Login to your tenant with admin credentials.

    2. Click Settings > Security Cloud Platform > MDM Distribution.

    3. In the MDM Distribution page, scroll down to Create VPN Configuration section to find your Organization ID.

    orgID.png

  6. In the Assignments section of the Create app configuration policy page, select groups from the Assign to dropdown menu to which the policy is applied and click Next.

    Edit_app_config_policy.png

  7. In the Review + create section of the Create app configuration policy page, review the configuration and click Create.

Create Configuration Profile

Once the Netskope is installed, it will take the VPN profile of the mobile device which will result in the additional user prompt. Here, we will add the VPN profile in Intune instead of making Netskope Client assess it. To learn more, view Create Profile.

  1. Go to Devices > iOS/iPadOS  policies > Configuration Profiles > Create Profile.

  2. Select Profile Type as Templates and Template name as VPN.

  3. Click Create.

  4. In Basics, enter a descriptive name for the profile and click Next.

  5. In Configuration settings, choose the Connection Type as Custom VPN.

  6. After you select the connection type, do the following:

    1. Under Base VPN, provide the following:

      • Connection name

      • VPN server address gateway-<tenant>.goskope.com

      • Authentication method: Username and Password

      • VPN identifier: com.netskope.Netskope

      • Intune requires at least one key-value pair to define custom VPN attributes. Here, SingleSignOn is used as a key and True as a value.

      Note

      If you want Netskope Client steer only Private Access traffic, provide the following Key-Value pair: ForceDisabledSteering: True.

      iOS_Intune_NPAOnly_103.png
      Base_VPN.png

    2. Under Automatic VPN, choose one of the following VPN type you want to configure:

      • On-demand VPN: Specify on-demand rules if necessary

        on-demand_VPN.png

      • Per-app VPN: Specify Provider Type as packet-tunnel and specify associated domains, Safari URLs, and excluded domains if necessary.

        Automatic_VPN.png

    3. Assign the appropriate user/device groups and click Next.

    4. Review the configuration and click Create.

Associating the Per-App VPN profile with the Apps

Associate the Per-App VPN profile with the applications to steer through the VPN connection

  1. In the Microsoft Endpoint Manager admin console, go to Apps > All apps , select one of the apps listed there, and then click Properties.

    11-perApp.png

  2. In the app properties page, click Edit for Assignments.

    12-perApp-assignments.png

  3. In the Required section, click Add Group. Search and choose one or more groups.

    13-perApp-addGroup.png

  4. Click Select.

In this section: