Skip to main content

Netskope Help

Microsoft Endpoint Configuration Manager

Using the Microsoft Endpoint Configuration Manager, you can install the client on the endpoints without any user intervention. After the installation, the client can detect the logged in user's AD login name and download the branding information for the user from the Netskope cloud.

A branding file is a JSON file that contains user details (for example, email address), the addon server URL, and other configuration rules for this user.

Note

  • Application for devices running Windows

  • See the Netskope Command Line Reference for all supported msiexec options.

  • Starting in version 1910, Configuration Manager is now part of Microsoft Endpoint Manager. Reference - Microsoft Docs.

End-user environment: Microsoft Windows

Prerequisites to Deploying Client via SCCM
  • Install and configure Directory Importer to fetch email addresses and usernames from Active Directory. Use Directory Importer version 2.24 or above for importing AD users to Netskope system. This has the capability to capture the user’s principal name (UPN) along with the user's email ID.

    Note

    For details on installing and configuring Netskope Adapters, refer to the Netskope Adapters.Netskope Adapters-OLD

  • Download the Netskope Client installer file from the Netskope Support Portal . Download the MSI file for Windows. 

  • When using SCCM, you will first create a installer package and then use that to install Netskope Clients on the end user devices.

Installing the Client

Execute the following command to install the client using the MSI file (the installation package).

msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off]

Note

If multiple users do not share a system, Netskope recommends that you install the Client in single-user mode. In a multi-user system/devices, the client is installed for all users in that system that have an AD account. The client is not installed for local users and therefore traffic from apps used by a local user is not steered to the Netskope cloud. Also, if the mode is not specified, the Client is installed in single-user mode.

Table 23. Command Line Parameters

Parameter

Description

mode=peruserconfig

Optional parameter. Use this parameter when installing in a multi-user system. 

installmode=IDP

Optional parameter. Use this parameter when provisioning users via IdP.

userconfiglocation=<path>

Specifies the user-specific directory used for storing the user configuration. It is recommended to use default value unless user's home directories are hosted on external file servers or network shares. This is recommended to be used only for the multi-user environment.

This is an optional parameter. By default the path is %AppData%\Netskope\STAgent.

Note

The path can be an absolute path, a network share, or a path having environment variables.

  • To run the above from command prompt with environment variables, append '^' before '%'. For example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\^%USERNAME^%\Netskope

  • To run the above command from a batch script with environment variables, append '%' before '%'. For example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\%%USERNAME%%\Netskope

  • To run the above command from SCCM (or ) with environment variables, append '^' before '%' and prefix with "cmd /c". For example: cmd /c /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\^%USERNAME^%\Netskope

token=<token>

Specifies organization ID.

To obtain your Organization ID (Token) from the Netskope Admin console:

  1. Go to Settings > Security Cloud Platform > MDM Distribution.

  2. Under Create VPN Configuration, copy the Organization ID.

host=<host>

Specifies the addon manager hostname.

For example: if your URL is seiu.goskope.com, then host = addon-seiu.goskope.com

fail-close=[no-npa|all]

Optional parameter. If fail-close is not present, the client will honor Web UI "fail close" client configuration.

  • all: Fail close will be applicable to CASB / Web traffic for the NPA tunnel too. Example: If the Netskope tunnel is not established, NPA's application traffic will also be blocked.

  • no-npa: Fail close will be applicable only for CASB / Web traffic but not for NPA tunnel.  Example: If the Netskope Tunnel is not established, NPA's application traffic will NOT be blocked.

autoupdate=on|off

  • on

  • off

/qn

Silent installation

/l*v %PUBLIC%\nscinstall.log

Specifies the log file path



Installing Netskope Client in a Multi-User Environment

In addition to installing the Client for a single user, you can install it to provide user visibility for cases where multiple users are sharing the same system. Examples of this include:

  • Persistent and Non persistent VDI

  • Citrix Xenapp with Hosted Shared Desktop (HSD)

  • Windows Remote Desktop Services

  • Floating/Loaner Laptops, when loaner PCs that are given to employees on a temporary basis.

  • Kiosk Desktops, such as shared desktops in call centers, conference rooms, front desks.