Deploy Client on macOS Using Intune
This article explains how to deploy the Netskope Client on macOS devices running macOS 11.x (Big Sur) or later using Microsoft Intune.
Prerequisites
Devices running macOS 11.x (Big Sur) or later.
Enroll the devices in Microsoft Intune (Endpoint Manager).
Download the Netskope root and intermediate certificates and convert them to the .cer format. To learn more, see Certificates.
Ensure that users are provisioned to the Netskope tenant using SCIM or Directory Importer. To learn more about user provisioning, see Provisioning and Authentication and Configure Directory Importer.
If you are using IdP mode for the Client deployment, configure and verify SAML forward proxy authentication. To learn more about SAML forward proxy authentication, see Provisioning and Authentication.
Deployment Procedure
Perform the following steps to deploy the Netskope Client on macOS using Intune:
Sign in to Microsoft Intune Admin Center.
Go to Devices > macOS devices. Ensure that the devices on which you will install the Netskope Client are listed.
Create two configuration profiles to deploy the Netskope certificates.
Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates and Template name as Trusted Certificate.
Click Create. The page will refresh with settings. Enter a name for the root certificate profile and click Next.
Click the folder icon to select the Netskope root certificate (.cer file) and click Next to continue.
Assign the appropriate device group and click Next.
Review the configuration and click Create.
Repeat the steps used to upload Netskope root certificate and create another configuration profile to upload Netskope intermediate certificate.
Validate Certificate Chain
After both profiles are applied, confirm that both certificates (the Netskope root and intermediate) are present in the device's keychain, for example in Keychain Access, so that the chain is complete.
Download the Netskope Intune configuration script from the Netskope Support portal.
Extract the contents of the MAC-MDM-script.zip file.
Open the script in a text editor and find the commented line "Update here for Intune deployment". Choose a deployment mode according to your requirement and update the script options for parameters 4 to 8 as follows for each mode:
Standard Mode (Email-based)
Parameter 4: Your tenant name. If your tenant URL is https://addon-corp.goskope.com, then enter addon-corp.
Parameter 5: Your AD name.
Parameter 6:
For rel 89 and before: Enter REST API token.
For rel 90.2 and later: Your Organization ID.
For example, set -- 0 0 0 <addon-host> <AD> <Org ID/ REST API Token>
UPN Mode
Parameter 4: Your addon URL. If your tenant URL is https://corp.goskope.com, then the addon URL is addon-corp.goskope.com.
Parameter 5: Your Organization ID.
Parameter 6: Enter the keyword upn (lowercase).
For example, set -- 0 0 0 <addon-host> <Org ID> upn
Multi-user Mode (enabling for each provisioned user on the tenant)
Parameter 4: Your addon URL. If your tenant URL is https://corp.goskope.com, then enter addon-corp.goskope.com.
Parameter 5: Your Organization ID.
Parameter 6: Enter the keyword peruserconfig.
For example, set -- 0 0 0 <addon-host> <AD> <Org ID> peruserconfig
IDP Single-User mode
Parameter 4: Enter IDP to specify that the client deployment mode is IdP.
Parameter 5: Domain name. For example, if your tenant URL is https://corp.goskope.com, enter goskope.com.
Parameter 6: Tenant name. For example, if your tenant URL is https://corp.goskope.com, enter corp.
Parameter 7: Email address request option. Enter 0 if you do not want to request the user's email address, or 1 to request it.
For example, set -- 0 0 0 idp <tenant domain name> <tenant name> 0/1
IDP Multi-User mode
Parameter 4: Enter IDP to specify that the client deployment mode is IdP.
Parameter 5: Domain name. For example, if your tenant URL is https://corp.goskope.com, enter goskope.com.
Parameter 6: Tenant name. For example, if your tenant URL is https://corp.goskope.com, enter corp.
Parameter 7: Email address request option. Enter 0 if you do not want to request the user's email address, or 1 to request it.
Parameter 8: Enter peruserconfig to specify multi-user IdP deployment mode.
For example, set -- 0 0 0 idp <tenant domain name> <tenant name> 0/1 peruserconfig
For macOS devices (single-user installations) that are not AD joined
Parameter 4: Your tenant URL.
For rel 89 and before: If your tenant URL is corp.goskope.com, enter corp.goskope.com.
For rel 90.2 and later: If your tenant URL is https://corp.goskope.com, enter addon-corp.goskope.com.
Parameter 5:
For rel 89 and before: Enter REST API token.
For rel 90.2 and later: Your Organization ID.
Parameter 6: Preferences file (plist) name. Enter the complete filename including the .plist extension, for example netskope.plist. Do not add HTTP to the URL in the .plist file.
Parameter 7: Enter the keyword preference_email.
For example, set -- 0 0 0 <addon-host> <Org ID> <plist file name> preference_email
To learn how to create the plist in Intune, see Create PLIST in Intune for non-AD domain-Joined Devices below.
Save the script.
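Intune reruns this script on every assigned device at the configured frequency, so a malformed set line fails quietly at scale. The following preflight check is an added example for this article, not part of Netskope's MAC-MDM-script.zip: it derives the addon host from a tenant URL and classifies a set line by its mode keyword against the parameter layouts above, rejecting a bare tenant host in position 4 and an uppercase UPN keyword. It assumes the addon-<tenant>.goskope.com naming of release 90.2 and later; the sample lines are constructed with dummy values.

```shell
#!/bin/sh
# Preflight check for the "set -- 0 0 0 ..." line before the MDM script is
# uploaded to Intune. Added example for this article, not part of Netskope's
# MAC-MDM-script.zip. Assumptions: the parameter layouts documented above and
# the addon-<tenant>.goskope.com host naming of release 90.2 and later.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# derive_addon_host <tenant URL or host>
#   https://corp.goskope.com -> addon-corp.goskope.com
#   addon-corp.goskope.com   -> addon-corp.goskope.com (already an addon host)
#   Anything outside goskope.com is rejected (status 1).
derive_addon_host() {
    host="$1"
    host="${host#http://}"; host="${host#https://}"; host="${host%%/*}"
    case "$host" in
        addon-*.goskope.com) printf '%s\n' "$host" ;;
        *.goskope.com)       printf 'addon-%s\n' "$host" ;;
        *)                   return 1 ;;
    esac
}

# classify_set_line '<set -- line>'
#   Prints the mode the line selects (standard, upn, multi-user,
#   email-preference, idp-single, idp-multi), or "invalid" with status 1.
#   Non-IdP modes are told apart by the trailing keyword, so both spellings of
#   the multi-user line above (with or without the AD name) are accepted.
classify_set_line() {
    line="${1#set -- }"
    # Load the values the same way the script does: as positional parameters.
    # Globbing is switched off so a stray "*" cannot expand to file names.
    set -f; set -- $line; set +f
    mode=invalid

    # Positions 1-3 are reserved and must stay 0; every mode has at least 6 values.
    if [ "$#" -lt 6 ] || [ "$1" != 0 ] || [ "$2" != 0 ] || [ "$3" != 0 ]; then
        echo invalid; return 1
    fi
    eval "last=\${$#}"

    if [ "$(lower "$4")" = idp ]; then
        # idp <tenant domain> <tenant name> <0|1> [peruserconfig]
        case "$7" in
            0|1)
                if [ "$#" -eq 7 ]; then mode=idp-single
                elif [ "$#" -eq 8 ] && [ "$8" = peruserconfig ]; then mode=idp-multi
                fi ;;
        esac
    else
        # Every other mode carries the addon host, not the bare tenant host, in position 4.
        case "$4" in addon-*.goskope.com) ;; *) echo invalid; return 1 ;; esac
        case "$last" in
            upn)
                if [ "$#" -eq 6 ]; then mode=upn; fi ;;
            peruserconfig)
                if [ "$#" -eq 6 ] || [ "$#" -eq 7 ]; then mode=multi-user; fi ;;
            preference_email)
                # Position 6 must name the uploaded preference file, e.g. netskope.plist.
                case "$6" in *.plist) if [ "$#" -eq 7 ]; then mode=email-preference; fi ;; esac ;;
            *)
                # The upn keyword is lowercase-only; "UPN" here would be read as an Org ID.
                if [ "$#" -eq 6 ] && [ "$(lower "$last")" != upn ]; then mode=standard; fi ;;
        esac
    fi

    echo "$mode"
    if [ "$mode" = invalid ]; then return 1; fi
    return 0
}

# Constructed sample lines (placeholders filled with dummy values).
SAMPLE_UPN='set -- 0 0 0 addon-corp.goskope.com 123456 upn'
SAMPLE_IDP_MULTI='set -- 0 0 0 idp goskope.com corp 1 peruserconfig'
SAMPLE_BAD_HOST='set -- 0 0 0 corp.goskope.com 123456 upn'   # tenant host, not addon host

for s in "$SAMPLE_UPN" "$SAMPLE_IDP_MULTI" "$SAMPLE_BAD_HOST"; do
    printf '%-55s -> %s\n' "$s" "$(classify_set_line "$s")"
done
```

Run it against the exact line you saved in the script before uploading; anything other than the mode you intended means the script will install nothing useful on every device it reaches.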
Go to Devices > macOS > Shell Scripts and click Add.
Enter a Name and click Next.
Select the script (.sh file) from your computer and configure the following settings:
Run script as signed in user - No
Hide script notifications on devices - Yes
Script frequency - Every 30 minutes
Max number of times to retry if script fails - 3 times
Because the script does not run as the signed-in user, Intune executes it as root on every assigned device each time it runs; restrict who can edit the script in Intune and review any change before it is saved.
Assign the script to groups, users, and/or devices. Click Next to continue.
Click Add to add the script and push it to all assigned devices.
Go to macOS policies > Configuration Profiles > Create Profile and select Profile Type as Templates.
Under Template Names select Extensions and click Create.
Provide a name for the Netskope System Extension profile and click Next.
Expand System Extensions and, under Allowed system extensions, add the Netskope extension with the following values:
Bundle Identifier: com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy
Team Identifier: 24W52P9M7W
Select Next to continue.
Assign appropriate users or device group and select Next.
Review your configuration and click Create.
Use the Profiles option on the end-user device to validate that the System Extension profile was deployed successfully.
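Beyond the Profiles pane, the activation state can be checked from a terminal on the device. The script below is an added example for this article, not a Netskope tool. It parses the output of systemextensionsctl list, whose tab-separated layout (enabled, active, teamID, bundleID (version), name, [state]) is assumed here, and pins both the bundle identifier and the team identifier from the profile above, so a same-named extension signed by a different team does not pass. The sample listings are constructed, not captured from a device.

```shell
#!/bin/sh
# Device-side check that the Netskope system extension allowed by the Intune
# Extensions profile is activated. Added example for this article, not a
# Netskope tool. Assumes the tab-separated layout of `systemextensionsctl list`:
#   enabled  active  teamID  bundleID (version)  name  [state]

NETSKOPE_BUNDLE="com.netskope.client.Netskope-Client.NetskopeClientMacAppProxy"
NETSKOPE_TEAM="24W52P9M7W"

# sysext_state <list output> <bundle id> <team id>
#   Prints the bracketed state of the row matching BOTH identifiers
#   (e.g. "[activated enabled]"), or "missing" with status 1.
sysext_state() {
    printf '%s\n' "$1" | awk -F '\t' -v bundle="$2" -v team="$3" '
        # Column 4 is "bundleID (version)"; drop the version before comparing.
        { b = $4; sub(/ \(.*\)$/, "", b) }
        b == bundle && $3 == team { print $6; found = 1; exit }
        END { if (!found) { print "missing"; exit 1 } }
    '
}

# netskope_sysext_ok <list output>
#   Succeeds only when the Netskope extension is "[activated enabled]".
#   "[activated waiting for user]" means approval is pending, i.e. the allow
#   profile did not reach the device before the extension loaded.
netskope_sysext_ok() {
    state="$(sysext_state "$1" "$NETSKOPE_BUNDLE" "$NETSKOPE_TEAM")" || return 1
    if [ "$state" = "[activated enabled]" ]; then return 0; fi
    return 1
}

# --- Constructed sample listings (not captured from a real device) ---------
# sysext_row enabled active team bundle version name state
sysext_row() { printf '%s\t%s\t%s\t%s (%s)\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$7"; }
HEADER="$(printf '2 extension(s)\n--- com.apple.system_extension.network_extension\nenabled\tactive\tteamID\tbundleID (version)\tname\t[state]')"
SAMPLE_LIST_OK="$HEADER
$(sysext_row '*' '*' ABCDE12345 com.example.vpn.Extension 1.0/1 Extension '[activated enabled]')
$(sysext_row '*' '*' "$NETSKOPE_TEAM" "$NETSKOPE_BUNDLE" 100.0.0/1 NetskopeClientMacAppProxy '[activated enabled]')"
SAMPLE_LIST_WAITING="$HEADER
$(sysext_row '*' '' "$NETSKOPE_TEAM" "$NETSKOPE_BUNDLE" 100.0.0/1 NetskopeClientMacAppProxy '[activated waiting for user]')"
# Same bundle identifier, wrong team: must not be accepted.
SAMPLE_LIST_WRONG_TEAM="$HEADER
$(sysext_row '*' '*' ABCDE12345 "$NETSKOPE_BUNDLE" 100.0.0/1 NetskopeClientMacAppProxy '[activated enabled]')"

# Live check on the device; skipped where systemextensionsctl is not present.
if command -v systemextensionsctl >/dev/null 2>&1; then
    listing="$(systemextensionsctl list 2>/dev/null || true)"
    if netskope_sysext_ok "$listing"; then
        echo "Netskope system extension: activated and enabled"
    else
        echo "Netskope system extension NOT active: $(sysext_state "$listing" "$NETSKOPE_BUNDLE" "$NETSKOPE_TEAM")" >&2
    fi
fi
```

The check deliberately does not match on the bundle identifier alone: the Intune profile allow-lists the pair of bundle identifier and team identifier, and a verification that ignores the team would accept an extension signed by anyone who reuses the Netskope bundle name.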
Go to macOS policies > Configuration Profiles
Download the custom configuration profile from the Netskope Support Portal: click Files > View All to find the profile file (NetskopeClient.mobileconfig).
Select Create Profile and, under Profile Type, select Templates > Custom. Click Create.
Specify a profile name.
Keep the Deployment Channel option set to Device Channel.
Upload the custom configuration profile downloaded from the Netskope Support Portal. Click Next to continue.
Select and assign the appropriate users or groups. Click Next to continue.
Review the configuration and click Create.
Use the Profiles option on the end-user device to validate that the profile was installed successfully.
Create a line-of-business app to deploy the Netskope Client package to the macOS devices.
Go to Apps > macOS and click Add. Select Line-of-business app from the App type drop-down menu and click Select.
Click Select app file to browse and upload the app package.
Click OK.
Enter a publisher name and click Next.
Assign the application to devices or users. Click Next to continue.
Click Create to complete creating the application.
Now sign in to your IdP to start the enrollment process.
IdP Enrollment Workflow
The following steps illustrate the client enrollment workflow in Microsoft Intune.
After you complete the steps to deploy Netskope Client in Intune, you will receive a notification to allow the proxy configurations.
Click Allow.
In Enroll Netskope Client, enter an email address.
Click Next.
Enter the tenant name and select the tenant domain that your IT team shared with you.
Sign in with your IdP credentials to complete the enrollment process.
Create PLIST in Intune for non-AD domain-Joined Devices
Creating a preference file in Intune includes the following steps:
Create the Profile with Preference file.
Create and Upload the Script file on Intune.
To learn more, view Add a Property List.
Create a Profile using the preference file
If you are deploying the Client using a PLIST-based installation, create a profile of type Preference file and define the email key using the Intune token {{mail}}, which Intune replaces with the assigned user's email address when the profile is delivered.
Follow the steps to create a profile:
Sign in to Microsoft Intune Admin Center.
Navigate to Devices > Configuration Profiles > Create Profile.
Provide the following details in Create a Profile page:
Platform: Select macOS.
Profile Type: Templates. Select the Template name as Preference File.
Click Create.
In Basics, enter the name and description.
Click Next.
In Configuration Settings, provide the following details:
Preference domain name: Enter the bundle ID. For example, com.netskope.client.Netskope-Client.
Upload a property list file that defines the email key with the {{mail}} token, for example:
<key>email</key>
<string>{{mail}}</string>
Select Next.
In Scope, assign a tag to filter the profile to specific IT groups.
Select Next.
In Assignment, select the users or groups that will receive your profile.
Select Next.
In Review + Create, review your configuration and click Create.
Create and Upload the Preinstallation Script file on Intune
Get the latest preinstallation script and update its set line for Email Preference mode, as in the following example:
set -- 0 0 0 addon-<tenant-name>.goskope.com <Org ID> template.plist preference_email
Go to Devices > Scripts.
Click + Add.
Select macOS.
In Basics, enter a Name and Description.
Click Next.
In Script Settings, select the script file from your computer and configure the following settings:
Run script as signed in user - No
Hide script notifications on devices - Yes
Script frequency - Based on your requirement
Max number of times to retry if script fails - 3 times
Assign the script to groups, users, and/or devices.
Click Next to continue.
Click Add to add the script and push it to all assigned devices.