Forum Discussion

PrakashRIndia
23 days ago

Cato SDP Client to be auto intelligent to login instead of manual logging

I have recently migrated from Netskope to Cato Networks. One issue we have noticed is that users need to log in once to the Cato SDP client, and then the "Always-on policy" gets enabled. But users are smart: they don't log in to the SDP client at all, because many sites get blocked as per policy, which they don't want. So they never log in to the SDP client even once, making us non-compliant, as the absence of the SDP client makes them vulnerable: they can browse malicious sites as well as upload company data to public sites, which typically gets blocked when connected over the SDP client.

In Netskope, we just had to push agents to the laptop and no user intervention was required; it automatically detects the logged-in user's credentials, so there was no scope for the user to not log in or to bypass security controls. Can't we make a zero-touch experience for the user so that there is no room for escape or delay, as now we are totally dependent on the user?

    • PrakashRIndia
      Meteor

      Yes, we have enabled "Always-on Policy" as well as "Authenticate users with windows credentials", but the problem is that both work only when the user has done a first-time login to the Cato SDP client, and the problem is we are now at the mercy of the end user, whereas in Netskope there was a zero-touch experience for users and we did not ask the user to authenticate at all. This will help customers achieve 100% compliance without dependency on the end user.

      • HiMeh
        Cato Employee

        Have you looked at pre-login? It works on Windows but not Mac. The client will fire up regardless of them not launching it, and if they log in to their laptop we will pass the creds across the tunnel and the client will then be configured.

        Pre-Login

        Another approach that I like... I leverage one of the main SaaS providers for the company. Say, Salesforce. Tell them you want your instance to be accessible from a static CATO IP address. Then set up a Network rule that access to the Application must be NAT'd via CATO IP. Your users that don't log in to CATO are then blocked... they will call the helpdesk and ask "why can I not get to Salesforce?!!?!" Helpdesk then helps them log in to CATO to solve the problem and Always-On is enabled.