Skip to main content

Netskope Help


The Devices page focuses on monitoring the Client's status of all the devices in your deployment. You can export your entire device list to CSV file. To open the Devices page, go to Settings > Security Cloud Platform > Netskope Client > Devices.

To enable or disable the Netskope client, or collect logs from a device, click the checkbox next to the hostname and then click one of the buttons. Logs can only be collected from individual devices, but you can enable and disable the Netskope Client on multiple devices at one time.

To search for a device based on username, enter a username in the search field. The search is not case-sensitive, and many components, in addition to username, can be used to search.

Device information shown on this page includes:

  • Hostname


    For Android devices, the device serial number is shown instead of the hostname. For iOS, only iOS is shown.

  • Device make and model

  • OS platform

  • User (displays user's email address)

  • Client Status

  • Last event

  • Last event time


For iOS devices, the hostname, model, version, and check-in are not shown, and only devices that are installed using MDM managed devices with the VPN profile with the Email listed.

To expand the information shown, click the GearIconBlue.png to open the Customize Columns dialog to select specific columns.


The Devices page shows information based on the default filter selected:

  • All Devices: Shows all devices within your deployment that Netskope client installed.

  • New Devices: Shows all devices that have had the Netskope within the last 24 hours. You can change the filter to look for periods such as the last 7 days or last 30 days.

  • Anonymous Devices: Shows devices where the Netskope client installed, but the user has not logged in yet so an association device and the user has not been made yet.

  • Disabled Devices: Shows devices where the Netskope client disabled. Devices can end up in this state when an admin has taken through the admin console, or when an end user (if allowed)has client from the device.

  • Uninstalled Devices: Shows devices that had the uninstalled.

  • Installation Failure: Shows devices that the installation of the Netskope client failed.

To use custom filters, click Add a select a filter, and then enter text in the search field to show only devices based on:

  • Client status, installation time, or version.

  • Last event, actor, or time.

  • User added time, source, group, or OU.

  • Device with or without an owner, device classification, OS platform, device make or model.

  • Host name.

Device Details
  • To view the details of an individual device, select the device or click the ellipsis and select View Details to open the device details page. The device details page shows, device, and client information. To view event history, group membership, or organization unit information, click the appropriate tab.

    • If Endpoint DLP is enabled, the service can be paused for 30 minutes in the detail view.

  • If a device has more than one user, specific user for which you want details. Click Select, and then the details for that device are shown.

  • To export a CSV file that shows the contents of the Devices page, hover over Export CSV. Select Unique Devices to export a list that information. If a device has multiple users, only the number of shown. Select Devices and Users to export a list that shows both device information.

  • To hide devices not seen for a specified number of days, click ... (Export User Keys), and enter the number days after which should be shown.

  • Click the checkbox in the Hostname column to select all deployed devices. Now you can enable or disable upto 10,000 devices at a time. If there are more than 10,000 devices, make your selection in batches.

Client Status

The following table lists various client statuses and their meaning. You can also query client status via the  Get Client Data REST API.

Table 17. Client Status and Meanings








Via email invitation, distribution tool (i.e. SCCM, Altiris, JAMF etc)

Tunnel Up



'Auto' enabled just after install, upgrade or later

Tunnel Down



disabled - default startup state of client i.e. after installation/upgrade/restart

Tunnel down due to secure forwarder



'Auto' disabled due to Netskope Secure Forwarder found

Tunnel down due to GRE



'Auto' Disabled due to GRE

Tunnel down due to Data Plane on-premises



'Auto' Disabled due to on-premises DP

Tunnel down due to config error



'Auto' disabled due to config errors/missing config

Tunnel down due to error



'Auto' disabled due to (any other) error

Change in network



'Auto' disabled due to change in network

System shutdown



'Auto' disabled due to system restart/ power down

System powerup



'Auto' Tunnel status will be as per actual status

User Disabled



User disabled the client from the system tray

User Enabled



User enabled the client from the system tray

Admin Disabled



Tenant admin disabled the client from the system tray

Admin Enabled



Tenant admin enabled the client from the system tray




Uninstalled by end user, admin, SCCM admin etc

Installation Failure



Installation failed

Client Configuration

You can configure system-wide settings using the Client Configuration dialog box. Click Client Configurations in the top right corner of the Devices page to open the Client Configuration page. Additional configurations can be created to obtain granular control over the behavior of the Netskope Client at a User Group or OU level by creating a new configuration. If these configurations are applied to groups, they must be prioritized to determine which configuration is applied to the Client when there is an overlap in group membership.

Multiple configurations can be created and applied to different OUs or Groups. Only an OU or a User Group can be selected; you cannot use both.

Click New Client Configuration to add a new global configuration.


Enter a name and select an OU or User Group from the dropdown list. The Client Configuration dialog box allows you to:

  • Enable DTLS (Data Transport Layer Security). Optionally enter an MTU value.

  • On-Prem Detection: For On-Premises Detection, enter either your DNS FQDN and IP address or HTTP FQDN and connection timeout period that can be resolved with a known IP address. By enabling this option, you can detect the location of an endpoint. If the endpoint is on-premises or off-premises the Client tunnels the traffic based on the traffic mode configured for dynamic steering.

    • Cert pinned apps

    • Exception domains

    • Exception categories


    The Netskope Client must be running version 72 or later to use this feature.

    For HTTP, the Client will look for the HTTP response code 200, and if successful, the device is deemed to be on-premises. Also enter a connection timeout value. The default is 10 seconds, and the max is 60 seconds.

  • Periodic Re-authentication for Private Apps makes users re-authenticate after a certain period of time, with the option to add a grace period. A Netskope Private Access license is required to use this feature.

  • Click the Advanced toggle to see this option. Interoperate with Proxy (IP address/hostname and port are default selections for the Cisco AnyConnect Web Security proxy). You can change the hostname and/or port. Select Static Web Proxy option from the Proxy dropdown list to add all details of all proxy endpoints used in your network.


    The following are important points to note when enter proxy details:

    • At least one proxy server must be configured in the client endpoint.

    • If a Static Web Proxy is entered, then only one Cisco AnyConnect Web Security Proxy is allowed.

  • Enable device classification and Client-based user notification when the Client is not tunneling traffic. This disables the Client when GRE, IPSec, Secure Forwarder and Data Plane On-Premises steering methods are detected.

  • Perform SNI check allows using Server Name Indication in addition to DNS to determine steering options when multiple domains use the same IP address.

  • Upgrade Client Automatically to a specific release version. You can choose from the following upgrade options:

    • Latest Release - All clients will be upgraded the latest released version.

    • Latest Golden Release - All clients will be upgraded to the latest golden release. To know more about golden releases, check out this Client Downloads page.

    • Specific Golden Release - You can set all clients to be upgraded to a specific golden release. After selecting this option, you can select the golden release from the list of available versions. In addition, you can select Opt-in Upgrade to ensure the clients are upgraded to the latest minor or hot fix version of the selected golden release. To know more about golden releases, check out this Client Downloads page.

    You can also choose to send upgrade notifications to users.

  • Uninstall Clients automatically when users are removed from Netskope.

  • Allow users to unenroll when the Client is provisioned through an IdP.

  • Click the Advanced toggle to see the Enable advanced debugging option. Choose a log type from the dropdown list.

  • Allow users to disable the Client.

  • Hide Client icons in the system tray.

  • Password protection for Client uninstallation and service stop (Windows Mclients only).

  • Fail Close blocks all traffic when a tunnel to Netskope is not established or a user device is not provisioned in the Netskope Cloud. Domain-based, IP-based, and cert-pinned exceptions will be applied, but category-based exceptions will be blocked. When a user is detected as on-premises, the exceptions will be blocked.

    When Fail Close is enabled, the Password Protection for Client Uninstallation and Service Stop become enabled and Allow Disabling of Clients options becomes disabled. With Fail Close, you can Exclude Private Apps Traffic, so Private Access is not affected, and also Show Notifications.


    Fail close does not work the Netskope Client r78 with macOS 11 (Big Sur) due to the Network Extensions change in macOS. There is no impact on Windows with the r78 Client. Fail Close does work on Catalina, or below, using the r77 Client (only).

When finished, click Save. After a Client Configuration has been created, click the MenuIcon.png icon to edit, delete, or clone a configuration.