Golden Release Notes Between 117.0.0 and 120.0.0
Golden Release Notes Between 117.0.0 and 120.0.0
Here are the latest features, issues fixed, and other updates published between the golden releases 117.0.0 and 120.0.0. This is a consolidated list of items published in the release notes for versions between 117 and 120.
New Features and Enhancement
117.0.0
Antivirus (AV) and OS Check Support
Introduced separate AV and OS checks in Device Classification for macOS devices.
OS Version Check
This feature checks and classifies device compliance for the detected OS version that matches or is above the version information configured by the administrator.
Supported OS: macOS (Beta), Windows (Beta).
Already supported in iOS and Android.
AV check
This feature checks the status of the selected AV running in the macOS devices.
-
Supported Antivirus products: CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender.
-
Supported OS: Windows, macOS
To learn more, view Device Classification for mac.
Flexible Dynamic Steering
This feature was earlier in Controlled-GA and is now available for all new tenants. The feature still continues with the same enhancements that were made in the Beta release.
Flexible Dynamic Steering is currently in GA and is available to new tenants by default. For existing tenants, contact Netskope Support to enable this feature.
In flexible dynamic steering:
-
On-Prem detection enhancement support multiple IPs for DNS detection and multiple HTTP hosts detection.
-
For the steering traffic mode, you can switch traffic mode between On-Prem, Off-Prem and the new mode None. When the traffic mode is None, the client will establish a tunnel but will not steer traffic. Exceptions will not be processed as they are only applicable for steered traffic.
-
For the steering exception rules:
-
Firewall app exceptions contains separate sets of rules between On-Prem and Off-Prem in All steering traffic mode.
-
Category exceptions contains set of rules between On-Prem and Off-Prem in Web or All mode.
-
If the packet matches configured exceptions and needs to be bypassed, you can select new exception bypass options to bypass locally on the client device, or bypass by tunnelling on backend.
-
To learn more, view Dynamic Steering.
Gateway Selection Enhancements
This feature is now available for all new tenants by default.
As part of improving user experience through Netskope cloud, a new service is created that helps Netskope Client in finding the optimal datacenter for tunnel establishment based on machine learning algorithms. To learn more: Netskope Client Network Configuration.
118.0.0
Periodic Device Classification Update
The admin can now configure a value between 1-120 minutes in the Periodic Device Classification under Client Configuration (previously the minimum value was 5 and from release 118.0.0, Netskope updated the minimum value to 1).
To learn more: Netskope Client Configuration.
Master Password for macOS
With 118.0.0, Netskope Client now supports Master Password for macOS devices.
To learn more, view Client Configuration.
One-Time Password-Based Client Disable
Netskope is introducing One-Time Password-based disable option for Netskope Client. With 118.0.0, this feature is supported on Windows platforms for SWG services. Other platforms/OSes will be added in the future releases.
Admins have to configure this first on the tenant UI under the option Allow disabling of Internet Security in Settings > Security Cloud Platform > Client Configuration > Tamperproof. Once enabled, it generates a dynamic password for each device which can be accessed or viewed from the Devices page. Use this password to disable the Netskope Client SWG services.
Antivirus (AV) and OS Check Support
This was earlier available as Beta in the earlier releases and is now available in Controlled GA for Windows and macOS devices.
OS Version Check
This feature checks and classifies device compliance for the detected OS version that matches or is above the version information configured by the administrator.
Supported OS: macOS (Controlled GA), Windows (Controlled GA). Already supported in iOS and Android.
AV check
This feature checks the status of the selected AV running in the Windows and macOS devices.
-
Supported Antivirus products: CrowdStrike, SentinelOne, Carbon Black, Microsoft Defender.
-
Supported OS: Windows, macOS
To learn more: Device Classification for Windows and Mac.
Top-Level Domains (TLD)
The steering configurations now support Top-Level Domains (TLD).
General Availability of Secure Enrollment
This was earlier available as a controlled-GA feature and starting 118.0.0, Secure Enrollment is available for all tenants on the webUI.
Secure enrollment is a mechanism to enforce the strict authentication of Netskope Client Enrollment.
To learn more: Secure Enrollment.
119.0.0
Linux OS Check Support
Introduced OS check rule in Device Classification for Linux devices.
This feature checks and classifies device compliance for the detected OS version that matches or is above the version information configured by the administrator.
Client Log Data Migration to Google Cloud Storage (GCS)
Client logs are stored in an AWS S3 bucket that creates challenges from PBMM compliance due to defined boundary scope without any AWS service. To address these challenges, there is a need to migrate the client log from AWS S3 to GCS while adhering to information security guidelines.
To learn more: Devices.
Block IPv6 traffic
You can block IPv6 non-web traffic in your devices to avoid any undesired IPv6 access. When Netskope Client is enabled in a dual stack computer, applications fall back to IPv4 and the traffic is tunnelled to Cloud Firewall.
To learn more: IPv6 Traffic Steering.
– Supported only on Windows.
120.0.0
Support for Various OS Versions
Netskope Client now supports the following versions:
- Windows 365.
- MAC 15.0 (Sequoia)
- iOS 18
- ChromeOS 128
To learn more: Supported OS and Platform.
Top Level Domain
This was earlier available as a Beta feature. This is now available for all tenants.
The steering configurations now support top-level domains(TLD).
To learn more: Exceptions.
Fixed Issues
Issue Number | Description |
117.0.0 | |
461851 | Fixed an issue by reducing tunnel flapping during network change or sleep/wake condition. |
463329 | Fixed an issue where tunnelling through proxy was not working when GSLB was enabled. |
454765 | Fixed an issue with the traffic bypassing for a few proprietary TCP connection. Basically, the bypassing socket is closed before all the data packets are sent that leads to data loss. To fix this issue, added logic to ensure that all bypassing data packets are sent out before the bypassing socket is shutdown. |
453051 | Fixed an issue where the Netskope Client service received a SIGTERM signal that caused the tunnel to reconnect. |
465363 | Fixed an Android ANR (crash) issue that occurred when it took more than five seconds for tunnel to reconnect after network switch. |
451987 | The Netskope Client consistently checks for alternative steering methods before initiating a tunnel connection. In the event of a network switch, the tunnel connection is restarted to enable the detection of other steering methods. However, if the connection manager thread breaks amidst the network switch timeout, it leads to simultaneous activation of both the alternative steering method detection and the tunnel connection. Consequently, the Client tunnel remains active alongside the alternative steering method. This issue is now fixed by updating the Client to disconnect all active tunnels upon detection of an alternative steering method. |
470539 | Fixed an issue where the flag that was used to eliminate the occurrences of the launch a new auto-upgrade, while another auto-upgrade launch is in progress, was not getting reset, this issue was specific to macOS. |
457109 | Fixed an issue where the users are unable to run outer packet captures on Netskope Client unless they disabled “Protect Client configuration and resources” in Tamperproof settings. If Protect Client configuration and resources is enabled on Windows: The “Save Driver Logs” and “Outer Packet Capture” buttons in the Netskope Client UI is greyed out. Using “nsDiag.exe -d start -o <output driver log file path>” command to capture driver log, “nsDiag -d stop” is used to stop capturing. Using “nsDiag.exe -p start -o <output outer packet file path>” command to capture outer packet, “nsDiag -p stop” is used to stop capturing. Both commands require Admin privilege due to security concern. Both commands do not support output wide characters file path for now. Neither the driver log nor the outer packet file is collected in the local or remote log bundle. If self-protection is disabled, the default files location are in %ProgramData% directory. There are no changes on other platforms. |
455776 | In GRE Gateway there was a change in behaviour for version 116.0.0, wherein all the tunnels for QOS tenants will go down if QOS service goes down, but with this fix in 117.0.0, we are defaulting back to the original behaviour where if health of QOS service goes down only the tunnels linked to QOS for respective tenant’s will go down. |
117.0.8 | |
487256 | Fixed an interop issue with the ZScaler Client that was first observed in version 117.0.0. With the fix, ZScaler Client works coherently with Netskope Client. |
118.0.0 | |
472565 | In macOS devices, once an auto-upgrade trigger condition is met, the network extension sends a message to the Client UI process to launch the new Client package. In this issue, the network extension attempted to send a message even when there was no Client UI process running(no users logged in). With this fix, whenever there are no users logged in, an upgrade trigger message is not sent from the network extension. |
466281 | Rest API /api/v1/clients was not working for the most of the parameters across fields and query. This issue is now fixed and now, the Rest API /api/v1/clients execution for field and query with various parameters appears for Devices under Security Cloud Platform. This issue occurred for a new MP. |
437196 | The DPS.json file holds the user configuration path for uninstallation cleanup. When this file is corrupted, it blocks any user data added in the file. With this fix, the DPS.json file is cleared to continue with the subsequent updates. |
419687 | Fixed Device Classification Certificate check to verify if the user certificate is available and signed by the CA in addition to the previous checks to verify the presence of CA certificate. |
437047 | With this fix, Netskope Client checks certificate digest (unique hash) in addition to the issuer name of the signing certificate for validating integrity of the NS Client installer images. |
486403 | When “Steer non-standard ports“ is disabled in Steering Configuration, it resulted in default domain and category exception to be generated unexpectedly. |
119.0.0 | |
482990 | With this fix, Netskope Client Captive Portal feature now supports meta refresh element HTTP redirection. |
492545 | Fixed an issue where the UI logs were missing in Netskope Client for macOS log bundle if collected remotely. |
489520 | Fixed Netskope Client for macOS crash issue caused by the Client trying to bypass IPv6 mDNS packets. |
487939 | Fixed an issue where the Netskope Client cannot auto upgrade when self-protection and per user mode are both enabled. |
470467 | Fixed an issue where the Docker pull failed as the Docker proxy process is unable to handle a force reset in a closing connection. The fix is released as part of mainstream release version 119.0.0 and is back ported to versions such as 114, 117, and 118. |
495212 | Fixed a crash issue by enhancing DEM exception handling. |
351919 | Fixed an issue where installation time was not getting displayed on Mac device installed with IDP mode. |
392768 | Fixed an issue where Device Posture change event always displayed Client Status as disabled. |
473189, 465601 | Fixed an issue where the Netskope Client failed to establish a tunnel due to the Client cert validation issue in OpenSSL for Chromebook devices running ChromeOS version 125. |
486408, 351919 | Fixed an issue where the Netskope Client installed in IDP mode did not display the correct Installation Time on the Device webUI. |
492785 | Fixed an outer packet capture issue where it took longer time to stop the packet capture. With this fix, the outer packet capture stops immediately for Netskope Client for Windows. |
504328 | Fixed an issue on the macOS devices that resulted in the Netskope Client to crash on a network change. |
453717 | After the”TLS 1.3 hybridized Kyber support” feature was enabled by Google Chrome in version 124, the “Client Hello” packet of the TLSv1.3 negotiation became bigger than the normal MTU, and required fragmentation. Netskope Client failed to fetch the hostnames when SNI check is enabled in Client Configuration. This issue is now fixed. With this fix, the Netskope Client can fetch the SNI from the packets when the SNI Check feature is enabled. You will have to enable a feature flag to enable this fix. Contact Netskope Support to enable this feature flag. If the feature flag is disabled and the SNI Check feature is enabled, Netskope Client instead gets the hostname from DNS query. |
503501 | Fixed an issue where if the Netskope Client fails to establish DTLS connection and did not fallback to TLS. |
467283 | Fixed an issue where deleting certificate-pinned applications in App Definitions > Certificate Pinned Apps did not remove the corresponding certificate pinned exceptions under the Steering Exceptions page. With this fix, Netskope deletes related app exceptions in Steering Configuration while deleting custom cert-pinned apps. |
493685 | Fixed an issue that caused losing the tenant name configured by the MDM server. |
484812 | With this fix, Client automatically reloads when system reports irrecoverable kernel memory errors. |
492851 | Fixed an issue where traffic is getting bypassed for off-premises mode after enabling dynamic steering in the steering configuration and removing all category exceptions. |
119.1.0 | |
510348 | The workaround given as part of issue number: 504528 had to be reverted as the fix did not work as expected. The issue number: 504528 still needs to be fixed. |
502014 | Previously, in version 118.0.0, Netskope Client forcibly disabled the CA certificate to pass the device classification cert check. In release 119.0.0, Netskope reverted it to the previous behavior where the CA certificate can pass the device classification check. At the same time, introduced a feature flag for those users who want to disable the CA cert check. You can contact Netskope Support to enable the feature flag for your tenant. |
120.0.0 | |
505439 | Fixed an issue by adding a feature flag, where the system proxy after getting detected and added in the Netskope Client active proxy list cannot be removed. Contact Netskope Support to enable this flag to remove system proxy from the Netskope Client active proxy list even when it was not detected in the later proxy detection. |
499052 | Fixed an issue where Netskope Client did not allow Microsoft Office applications to be bypassed by OS. This requires a feature flag to be enabled for your tenant. Contact Netskope Support to enable the feature flag. |
503670, 496830 | Fixed an issue by introducing a new feature flag to block a process in Cert-pinned application even when it is running in Session 0 in a Windows operating system. The default value is false; that means the process gets bypassed when it is running in Session 0. |
502429 | Fixed an issue where the UI justification notification does not pop-up on Windows devices if the Justification hint text exceeds the maximum length of 140 characters. |
429954 | In a multi-user environment, the Client Install Time in the Client status changes whenever a user logs out. This is now fixed and the Client Install Time does not change in the event of a user logout. |
496412 | With this fix, iOS app can parse DNS over TCP port 53 query and response packets to set up the IP-domain mapping inside the iOS app. |
501419 | Fixed a Windows client UI process issue in multi-user Windows environment. When a user opens client UI configuration, they might see incorrect configuration such as empty device classification. This is due to stagentUI incorrectly fetching the wrong session id for the user and is not able to find related user configuration. |
500870 | Webview2 used for NPA reauth caused issues while in use for other applications. Client uses defalut user directory folder(UDF) as the temp folder for Webview2 operations. If there are any other third-party Webview2 applications that use default UDF, it leads to resource contention. Fixed this issue by using a custom temp folder for Webview2 operations by Netskope Client so that Client does not interfere with the other application operations. |
506543 | Fixed an issue where the user can proceed with the user alerts without providing any justification inputs in a Linux device. |
502315 | Fixed an issue where it was unable to set Privileges under Roles for “Client Configuration” unless “Cloud Apps” functional area is specified in the Access Settings. |
Known Issues
Issue Number | Description |
466448 | With self protection enabled, when the Secure Enrollment tokens change in a tenant, the MSIEXEC command (for example, msiexec /I NSClient.msi mode=peruserconfig host=<tenant-name>.goskope.com token=<token ID> enrollauthtoken=<new authentication ID> enrollencryptiontoken=<new encryption ID>) failed to update the tokens while repeating the Client installation using the new tokens. As a workaround, use nsdiag to update the secure enrollment tokens. |
438566 | Netskope does not support DNS over TCP response handling when DNS responses are received through the tunnel when DNS Security is enabled. |
525134 | The error message displayed for the Minimum OS Version in Device Classification is not consistent and descriptive enough for users. The error message must include the OS version format. Additionally, there is no maximum character limit in the input field. |