NetNXT Logo

How to Deploy Netskope Client via JumpCloud (Windows & macOS)

December 19, 2025
6 min read
ByNetNXT

Overview

Deploying the Netskope Client requires two distinct steps to ensure a silent, zero-touch installation:

  1. Configuration (Pre-Install): Approving System Extensions (macOS) so the user isn't prompted.

  2. Installation: Pushing the installer with the correct host and token arguments so the client auto-enrolls into your specific tenant.

Prerequisites

  • Netskope Tenant URL: (e.g., addon-netnxt.goskope.com)

  • Org Key / Enrollment Token: Found in your Netskope Admin Console > Settings > Security Cloud Platform > Netskope Client > MDM Distribution.

  • Installer Files: Hosted on a public URL or valid internal share (or use the generic download link if supported).

Part 1: macOS Preparation (Critical - Do This First)

Before installing the app on Macs, you must deploy a configuration profile to approve the Netskope Network Extension. If you skip this, the user will be bombarded with "Netskope would like to filter network content" pop-ups, or the agent will fail to steer traffic.

  1. Download the Netskope Config Profile:

    • Netskope provides a standard .mobileconfig for MDMs. You can usually find this in the Netskope Support Portal (looking for Team ID 24W52P9M7W).

  2. Upload to JumpCloud:

    • Go to Device Management > Policy Management > (+) > Mac > MDM Custom Profile.

    • Upload the Netskope .mobileconfig file.

    • Name: Security - Netskope System Extensions.

    • Scope: Bind to your "All Mac Workstations" group.

    • Save.

Note: Wait 15-30 minutes for this profile to land on devices before pushing the application.

Part 2: Deploying to Windows (PowerShell Command)

The most reliable way to install Netskope with arguments on Windows is via a JumpCloud Command.

  1. Go to Device Management > Commands.

  2. Create New Command (Select Windows).

  3. Name: Install - Netskope Client (Windows).

  4. Command: (Paste the script below, replacing the variables).

# Define the download URL and destination path
$downloadUrl = "https://download-gensol.de.goskope.com/dlr/win/get"
$msiPath = "C:\Windows\Temp\NSClient.msi"

# Download the file
Invoke-WebRequest -Uri $downloadUrl -OutFile $msiPath

# Verify if the downloaded file is a valid MSI
if (Test-Path $msiPath) {
    Write-Output "File downloaded successfully. Checking file type..."

    # Get the file extension to verify it's an MSI
    $fileExtension = [System.IO.Path]::GetExtension($msiPath)

    if ($fileExtension -eq ".msi") {
        Write-Output "Valid MSI detected. Proceeding with installation..."

        # Install the MSI package using msiexec
        Start-Process -FilePath "msiexec.exe" -ArgumentList "/I `"$msiPath`" installmode=IDP tenant=netnxt domain=de.goskope.com mode=peruserconfig enrollauthtoken=YOUR_ENROLMENT_TOKEN /quiet /norestart" -Wait

        Write-Output "Installation complete."

        # Clean up the downloaded file (optional)
        Remove-Item -Path $msiPath -Force
    } else {
        Write-Output "Downloaded file is NOT an MSI. Please check the URL."
    }
} else {
    Write-Output "Download failed. Check network connectivity and URL."
}
  1. Launch Type: Run once or bind to a "New Computers" group.

Part 3: Deploying to macOS (Bash Command)

Similar to Windows, we download the .pkg and install it using the installer tool, passing parameters via a specific flag file or command line arguments (depending on the Netskope version).

Current method for newer Netskope Clients (IdP Mode):

  1. Create New Command (Select Mac).

  2. Name: Install - Netskope Client (macOS).

  3. Command:

#!/bin/bash
#Script for installing Netskope Client on OSX machines
#function will install Netskope Client

function Ins_NSClient(){
ag="NSClient.pkg"
spDomain="de.goskope.com"
spTenant="gensol"
perusermode=0 # put 0 for normal installation, put 1 for per user config
echo "Downloading NsAgent..."
curl -o /tmp/$ag  https://download.goskope.com/dlr/mac/get
echo "will now add config file..."
mkdir -p "/Library/Application Support/Netskope/STAgent"
NSIDPCONFIG_FILE_PATH="/Library/Application Support/Netskope/STAgent/nsidpconfig.json"
echo "{ \"serviceProvider\": { \"domain\": \"$spDomain\", \"tenant\": \"$spTenant\" } }" > "${NSIDPCONFIG_FILE_PATH}"
if [ $perusermode -eq 1 ]
then
NSUSERCONFIG_JSON_FILE="/Library/Application Support/Netskope/STAgent/nsuserconfig.json"
echo "{\"nsUserConfig\":{\"enablePerUserConfig\": \"true\", \"configLocation\": \"~/Library/Application Support/Netskope/STAgent\", \"token\": \"\", \"host\": \"\",\"autoupdate\": \"true\"$fail_close_option}}" > "${NSUSERCONFIG_JSON_FILE}"
fi
echo "Installing Agent..."
installer -dumplog -pkg /tmp/$ag -target / && rm /tmp/$ag
}
# Function to create JSON file with provided tokens
Create_Json() {
    # Create directory if it doesn't exist
    mkdir -p $TEMP_BRANDING_DIR
    # Delete previous enroll.conf if it exists
    if [[ -f "$TEMP_ENROLLMENT_TOKEN_FILE" ]]; then
        rm "$TEMP_ENROLLMENT_TOKEN_FILE"
    fi 
    local a=$1 #auth token
    local b=$2 #encryption token
    # Check if parameters are 32 characters hexadecimal
    if ! [[ "$a" =~ ^[a-fA-F0-9]{32}$ ]] && [[ "$a" != "0" ]]; then
        echo "Invalid auth token: must be 32 hexadecimal characters"
        return 1
    fi
    if ! [[ "$b" =~ ^[a-fA-F0-9]{32}$ ]] && [[ "$b" != "0" ]]; then
        echo "Invalid encryption token: must be 32 hexadecimal characters"
        return 1
    fi
    # Start the JSON structure
    echo "{" > $TEMP_ENROLLMENT_TOKEN_FILE
    #if both token is present
    if [[ "$a" != "0" && "$b" != "0" ]]; then
        echo "\"enrollauthtoken\": \"$a\"," >> $TEMP_ENROLLMENT_TOKEN_FILE
        echo "\"enrollencryptiontoken\": \"$b\"" >> $TEMP_ENROLLMENT_TOKEN_FILE
    # only encryption token present
    elif [[ "$a" == "0" && "$b" != "0" ]]; then
        echo "\"enrollencryptiontoken\": \"$b\"" >> $TEMP_ENROLLMENT_TOKEN_FILE
    #only authtoken present
    elif [[ "$b" == "0" && "$a" != "0" ]]; then
          echo "\"enrollauthtoken\": \"$a\"" >> $TEMP_ENROLLMENT_TOKEN_FILE
    else
         echo "Unsupported use case"
    fi
    # End the JSON structure
    echo "}" >> $TEMP_ENROLLMENT_TOKEN_FILE
    chmod 700 "$TEMP_ENROLLMENT_TOKEN_FILE"
    echo "enroll.conf created with provided tokens."
}

# Main script execution

#update these tokens to valid tokens
enrollencryptiontoken=0
enrollauthtoken=YOUR_ENROLLMENT_TOKEN
TEMP_BRANDING_DIR="/tmp/nsbranding"
TEMP_ENROLLMENT_TOKEN_FILE="$TEMP_BRANDING_DIR/enroll.conf"

# Check if atleast one of the token is present, then create enroll.conf
if [[ "$enrollencryptiontoken" != "0" || "$enrollauthtoken" != "0" ]]; then
    echo "Using secure enrollment"
    Create_Json "$enrollauthtoken" "$enrollencryptiontoken"
else
    echo "Not using secure enrollment"
    # Delete previous enroll.conf if it exists
    if [[ -f "$TEMP_ENROLLMENT_TOKEN_FILE" ]]; then
        rm "$TEMP_ENROLLMENT_TOKEN_FILE"
    fi
fi
Ins_NSClient
#end script
  1. Run as: Root.

Validation: How to verify success

After the script runs:

  1. Visual Check: The Netskope icon (grey or blue logo) should appear in the System Tray (Windows) or Menu Bar (Mac).

  2. Connection Check:

    • Right-click the icon > Configuration.

    • Status should say "Enabled" and "Connected".

    • Email address should match the logged-in user (if IdP auto-detection worked).

  3. JumpCloud Console:

    • You can verify the software is present by looking at the "Software" tab in the Device Details view.

Troubleshooting

  • Mac User Prompted for Password: This means the MDM Profile (Part 1) was not installed or didn't cover the correct Team ID. Re-push the profile.

  • Windows "Installation Failed": Check the log file defined in the script (C:\Windows\Temp\ns_install.log). Common error: The token was pasted with extra spaces.

FAQ

1) How to configure AWS SSO with JumpCloud using SAML 2.0?

Activate AWS in JumpCloud SSO, download JumpCloud metadata, upload it in AWS IAM Identity Providers, create SAML 2.0 federation roles, and assign users or groups in JumpCloud.

2) Does AWS SSO via JumpCloud revoke existing AWS sessions after user suspension?

Only new SAML logins are blocked instantly. Existing AWS sessions may persist until token expiry unless SCIM or AWS session revocation is manually triggered in IAM or SSO panels.

3) What IAM role type is required for AWS SSO with JumpCloud?

You must create a SAML 2.0 Federation IAM Role in AWS IAM, attach least-privilege service permissions, and reference the active JumpCloud SAML Identity Provider during role creation.

4) How to verify AWS SSO login works after JumpCloud integration?

Test SP-initiated login via AWS console or IdP-initiated login from JumpCloud SSO. Successful authentication routes to role selection, then loads AWS services without password re-entry.

Was this article helpful?