Posted on 04-23-2020 10:44 AM
Hey everyone, I recently got passed handling our Netskope deployment. My predecessor claims that with the v71 client, due to us using Azure AD for our IDP we cannot auto populate the tenant information. Basically once the install finishes we get a popup where we have to input our company name.
I know there has to be a way around it, anyone have any familiarity with it?
Posted on 01-12-2022 09:33 AM
Also in the same boat
Posted on 01-12-2022 09:39 AM
Have you looked on the netskope website? You have to get them to hook you up with an account. They have the instructions to do this. Also to get it to work right you will need to do an adlink on the backend of the netskope portal. They failed to tell me that one. and to make sure it works without blocking everything you need to whitelist the entire apple network. You can ask Netskope for those settings. Hope this helps and If I think of something else I'll update you.
Posted on 12-27-2023 01:49 PM
This config caused me much consternation. I was initially utilizing script logic to pull the UPN from app-sso; however, during the debugging process some bad syntax got me Crowdstruck by our internal InfoSec team. So instead of continuing to that I'm not setting the RealName value on our managed Mac endpoints to the user UPN. The script then removes "RealName" from the results passing on the UPN to the Netskope installer.
The relevant portion follows:
#!/bin/zsh -v
loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )
echo $loggedInUser
loggedinusername=$( /usr/libexec/PlistBuddy -c "print :dsAttrTypeStandard\:RealName:0" /dev/stdin <<< $(dscl -plist . read /Users/$loggedInUser RealName) )
echo $loggedinusername
I've a companion script running during PreStage which sets the RealName value; it looks like this:
#!/bin/zsh -v
#read the current logged in user
loggedInUser=$( /usr/bin/stat -f %Su "/dev/console" )
# loggedInUser=$( echo show State:/Users/ConsoleUser | scutil | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
#list the REALM currently assigned to that Mac (we have 2 domains in our company)
/usr/bin/su \- "${loggedInUser}" -c "/usr/bin/app-sso -l -j" | grep -- '"' | cut -d'"' -f2 > /private/var/tmp/app-sso-realm.txt
realm=$( cat /private/var/tmp/app-sso-realm.txt )
#extract the user_name value from the info associated with the REALM
# if [ -f "$AppSSO" ];
# then
/usr/bin/su \- "${loggedInUser}" -c "/usr/bin/app-sso -i "$realm" -j" | grep user_name | cut -d'"' -f4 > /private/var/tmp/app-sso-upn.txt
SSOUserName=$( cat /private/var/tmp/app-sso-upn.txt )
# else
# SSOUserName=$ (cat | /usr/local/bin/az account show | grep "name" > /private/var/tmp/app-sso-realm.txt)
# fi
echo "<result>Logged in user is $loggedInUser
Domain is $realm
SSO user is $SSOUserName</result>"
FullName=`dscl . -read /Users/$loggedInUser RealName | awk 'BEGIN {FS=": "} {print $1}'`
FullName2=`echo $FullName | awk '{print $2,$3}'`
dscl . -change /Users/$loggedInUser RealName "$FullName2" "$SSOUserName"@"$realm"
Neither is original to me; I've adapted/modified to suit my enterprise.