Deploying NetSkope

mitulpatel2003
New Contributor

Has anyone on here been able to silently deploy Netskope? Our security team wants to roll it out, but the package they provided requires an email address to authenticate and link to a user account.

Has anyone been able to deploy without the need to link to a user, but rather link to a device and then pull the username from the system (short name or full name) if needed?
Thanks in advance!


stevewood
Honored Contributor II

@mitulpatel2003

We are deploying using the UPN setting. Netskope has a script they cobbled together that grabs the UPN value from the AD bind using the dscl command. We found that to be very unreliable, so we deployed NoMAD because we found a lot of devices that the AD bind was either broken, or the machine would be off network and unable to get the UPN.

We then use a script to write the NoMAD and AD UPN values to a plist file, scrape that into Jamf and use that to scope against (no UPN value, you don't get Netskope).

I will tell you their installer is crap and regularly has trouble. Unfortunately, when their installer fails it pops a dialog in front of the user. Not the most ideal situation.

You should be able to grab the necessary data using dscl against the local directory on the machine if you just need the short name. Otherwise I would look at using NoMAD if you are going to be utilizing UPN values.

gachowski
Valued Contributor III

I have had the same experience, stevewood. That said, I think it's the script that is failing and not the installer. I think the new script needs a profile, and what I end up doing is using my first-run script to create a "fake profile" with the data the script needs. We didn't bind to AD, so we were using email address. The profile would get pushed before the user was logged in, so the profile would not have any data in it. Kinda lame install process design, IMO; you can't control deployment times of profiles.

C

stevewood
Honored Contributor II

@gachowski

You may be right. I know in some cases it's because the JSON file they use is not properly created before the installer runs, or the UPN that we're sending is not present in the tenant, but there have been other instances where the installer flat out crashes.

Ideally it would make more sense if we could read the email address out of Jamf and then use that to build the JSON file. But, we're already 15,000+ deployed so it's easier to just keep trucking.

gachowski
Valued Contributor III

@stevewood 1000% yep!!! We did the same thing and figured we'd go back and fix the ones later that didn't install correctly. I was trying to clean up the install process for Catalina, and that is when I figured out that the JSON file wasn't getting created correctly or at the right time.

: )

C

taz231190
New Contributor III

@stevewood We are using Jamf Connect (formerly NoMAD) on some of our new machines, and Netskope is failing due to not finding the UPN.

"We then use a script to write the NoMAD and AD UPN values to a plist file, scrape that into Jamf and use that to scope against (no UPN value, you don't get Netskope)." Would you mind sharing how you did this?

Hyvonen
New Contributor II

@stevewood - We're having the same struggle trying to implement Netskope. Our Macs are domain joined and our users can log on with either their user ID or their UPN. Their script is only grabbing the user ID, so it doesn't recognize the user. We use Apple Enterprise Connect instead of NoMAD or Jamf Connect. Any chance you can share your script on how to write the UPN values to a plist file?

stevewood
Honored Contributor II

@taz231190 @Hyvonen

I'm not sure if Enterprise Connect stores the UPN locally in a plist file like NoMAD and Jamf Connect do, so you'll have to test that before trying this. NoMAD and JC both store in their respective plist files. You can get the UPN from them with these commands:

defaults read /Users/<user>/Library/Preferences/com.trusourcelabs.NoMAD.plist UPN
defaults read /Users/<user>/Library/Preferences/com.jamf.connect.sync.plist UPN

Obviously changing <user> to be the user that is logged in. You can then store that info in an Extension Attribute so that you can scope a Smart Group to that.

Our EA checks for the presence of either an AD UPN from the "EMailAddress" attribute using dscl, a UPN in the NoMAD plist, or if the agency happens to have Centrify in use it will pick from there. If no value is found, it writes "No UPN Found" in the EA.

I have to give credit to @franton for improving the original way we were gathering this info, which was very very similar, and creating the below:

#!/bin/zsh

CurrUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
UserHome=$( dscl . read /Users/${CurrUser} NFSHomeDirectory | awk '{print $NF}' )
NoMADPref="${UserHome}/Library/Preferences/com.trusourcelabs.NoMAD.plist"
JCPref="${UserHome}/Library/Preferences/com.jamf.connect.sync.plist"
CentFold="/Applications/Utilities/Centrify"

# Check AD plugin. Read from dscl db if bound.
checkAD=$( dsconfigad -show | grep -i "active directory domain" | awk '{ print $5 }' )

if [ ! -z "$checkAD" ];
then
        results=$( dscl . read /Users/${CurrUser} EMailAddress 2>/dev/null | awk '{print $NF}' )
        results=$( echo $results | tr -d "[:blank:]" )
        results=$( echo $results | tr _ . )
        # dscl prints "No such key" when the attribute is absent; only accept an address-shaped value.
        [[ "$results" != *@* ]] && results=""
        # Only report, tattoo and stop when something was found; otherwise fall through to the next source
        # so an empty read never overwrites a good tattoo value or ends the check without a result.
        if [ "$results" ]; then
                echo "<result>$results</result>"
                defaults write /path/to/tatto.plist UPN -string "$results"
                defaults write /path/to/backup/tatto.plist UPN -string "$results"
                exit
        fi
fi

# Check if NoMAD is present. Read user UPN from preference file.
if [ -f "$NoMADPref" ];
then
        results=$( defaults read "$NoMADPref" UserUPN 2>/dev/null )
        results=$( echo $results | tr -d "[:blank:]" )
        results=$( echo $results | tr _ . )
        if [ "$results" ]; then
                echo "<result>$results</result>"
                defaults write /path/to/tatto.plist UPN -string "$results"
                defaults write /path/to/backup/tatto.plist UPN -string "$results"
                exit
        fi
fi

# Check if Jamf Connect is present. Read user UPN from its preference file.
if [ -f "$JCPref" ];
then
        results=$( defaults read "$JCPref" UserUPN 2>/dev/null )
        results=$( echo $results | tr -d "[:blank:]" )
        results=$( echo $results | tr _ . )
        if [ "$results" ]; then
                echo "<result>$results</result>"
                defaults write /path/to/tatto.plist UPN -string "$results"
                defaults write /path/to/backup/tatto.plist UPN -string "$results"
                exit
        fi
fi

# Ok we failed on AD plugin, NoMAD and Jamf Connect. What about Centrify.
if [ -d "$CentFold" ];
then
        results=$( dscl "/CentrifyDC/" -read "/Users/${CurrUser}" dsAttrTypeNative:userPrincipalName 2>/dev/null | awk '{ print $2 }' )
        results=$( echo $results | tr -d "[:blank:]" )
        [[ "$results" != *@* ]] && results=""
        if [ "$results" ]; then
                echo "<result>$results</result>"
                exit
        fi
fi

# Last chance. Read out from the survey file.
survey=$( defaults read /path/to/tatto.plist UPN 2>/dev/null )
survey=$( echo $survey | tr -d "[:blank:]" )
survey=$( echo $survey | tr _ . )
[ "$survey" ] && echo "<result>$survey</result>"
[ ! "$survey" ] && echo "<result>No UPN found</result>"
exit

I added in the block for Jamf Connect preferences, but the rest is Richard's doing.

Hope that helps!
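For the same fallback chain, here is an added example in POSIX sh that is not code from the thread, Jamf or Netskope. It assumes the NoMAD and Jamf Connect preference key named in the post above (UserUPN), the placeholder tattoo path /path/to/tatto.plist, and that it runs as root the way a Jamf Extension Attribute does. The difference from the script in the thread is that every candidate is validated as an address-shaped value before it is reported, so a bound machine whose EMailAddress attribute is empty (or whose dscl read returns an error string) falls through to the next source instead of ending the check, and nothing empty is ever tattooed over a previously good value.

```shell
#!/bin/sh
# Added example (not code from the thread, Jamf or Netskope): a POSIX sh
# Extension Attribute that resolves the console user's UPN from an ordered
# list of sources and only reports/tattoos a value that is actually shaped
# like a UPN. Preference keys and the tattoo path are assumptions taken
# from the thread; adjust them for your environment.

TATTOO_PLIST="/path/to/tatto.plist"   # assumed: local cache written on success

# normalize_upn VALUE: strip blanks and map underscores to dots, as the thread's script does.
normalize_upn() {
    printf '%s' "$1" | tr -d '[:blank:]' | tr '_' '.'
}

# looks_like_upn VALUE: succeed only for user@host.domain shaped strings, so a
# dscl error message ("No such key: EMailAddress") or a bare short name is
# never mistaken for a UPN and tattooed onto the machine.
looks_like_upn() {
    printf '%s\n' "$1" | grep -Eq '^[^@[:space:]]+@[^@[:space:]]+\.[^@[:space:]]+$'
}

# first_valid_upn CANDIDATE...: print the first candidate that normalizes to a
# valid UPN (sources are passed in priority order); return 1 when none does.
first_valid_upn() {
    for candidate in "$@"; do
        value=$(normalize_upn "$candidate")
        if looks_like_upn "$value"; then
            printf '%s' "$value"
            return 0
        fi
    done
    return 1
}

# ea_result VALUE: wrap the value in Jamf EA tags, with the sentinel when empty.
ea_result() {
    if [ -n "$1" ]; then
        printf '<result>%s</result>\n' "$1"
    else
        printf '<result>No UPN found</result>\n'
    fi
}

# read_source COMMAND...: run a macOS lookup, discarding stderr, so a missing
# plist or key yields an empty candidate instead of aborting the script.
read_source() {
    "$@" 2>/dev/null || true
}

# collect_and_report: the macOS-only part; mirrors the source order used in the
# thread (AD attribute, NoMAD, Jamf Connect, then the cached tattoo value).
collect_and_report() {
    user=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ && !/loginwindow/ { print $3 }')
    home=$(read_source dscl . -read "/Users/$user" NFSHomeDirectory | awk '{ print $NF }')

    ad_mail=""
    if dsconfigad -show 2>/dev/null | grep -qi "active directory domain"; then
        ad_mail=$(read_source dscl . -read "/Users/$user" EMailAddress | awk '{ print $NF }')
    fi
    nomad=$(read_source defaults read "$home/Library/Preferences/com.trusourcelabs.NoMAD.plist" UserUPN)
    jc=$(read_source defaults read "$home/Library/Preferences/com.jamf.connect.sync.plist" UserUPN)
    cached=$(read_source defaults read "$TATTOO_PLIST" UPN)

    upn=$(first_valid_upn "$ad_mail" "$nomad" "$jc" "$cached") || upn=""
    # Tattoo only a freshly validated value; an empty result never overwrites the cache.
    [ -n "$upn" ] && defaults write "$TATTOO_PLIST" UPN -string "$upn"
    ea_result "$upn"
}

# Run the collection only where the macOS directory tools exist; the helpers
# above are pure shell and can be exercised on any POSIX system.
if command -v dsconfigad >/dev/null 2>&1; then
    collect_and_report
fi
```

If Enterprise Connect turns out to store the UPN somewhere readable, its lookup can be added as one more `read_source` candidate in the priority list without touching the validation logic; the `@`-shape check is what keeps a failed lookup from ever being scoped as a usable UPN.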