Golden Release Updates Between 120.0.0 and 123.0.0

120.0.0

Support for various OS versions

Netskope Client now supports the following versions:

• Windows 365.
• MAC 15.0 (Sequoia)
• iOS 18
• ChromeOS 128

To learn more: Supported OS and Platform.

Top Level Domain

This was earlier available as a Beta feature. This is now available for all tenants.

The steering configurations now support top-level domains(TLD).

To learn more: Exceptions.

120.1.0

Secure Enrollment Enhancements

With the new Enforce feature, it provides better flexibility and control over token management and enrollment processes. Administrators can now create tokens without automatically enforcing the feature. With the new web UI Enforce Token(s) option, administrators have the option to enforce secure enrollment by clicking the Enforce Token(s). Click Do not enforce token(s) to disable. Toggling the option will not change the token values generated.

To learn more, view Secure Enrollment.

121.0.7

GET Method Authentication Support

Added support for authentication service for HTTP GET method. This allows IDP based enrollments work around Safari issue with redundant WebAuth.html confirmation dialog.

To learn more: Jamf.

Client Self Protection Configuration

Enabled Protect Client configuration and resources as a default option in Client Configuration for new tenants.

Block IPv6 non-web traffic in Cloud Firewall mode

This was earlier supported in Windows from version 119.0.0. With version 121.0.7, Netskope supports this behavior on macOS as well.

You can block IPv6 non-web traffic in your devices to avoid any undesired IPv6 access. When Netskope Client is enabled in a dual stack computer, applications fall back to IPv4 and the traffic is tunnelled to Cloud Firewall. 

To learn more: IPV6 Traffic Steering.

GSLB Fallback Option in China

Netskope Client for users in China now falls back to EDNS and LDNS if GSLB is unavailable. Devices in China are now restricted from connecting to POPs outside their country thus ensuring compliance.

To learn more: Netskope Client Network Configuration.

122.0.0

Multiple Token Support

Introduced the ability to configure and manage two token sets for Secure Enrollment, consisting of authentication and encryption tokens (optional).

Each token set can have independent configurable validity periods, offering overlapping flexibility in token management. Administrators can now separate token creation from feature enforcement, allowing more control over when tokens are activated.

To learn more: Secure Enrollment.

New Platform Support for Linux

Netskope Client now supports the following:

• Red Hat Enterprise Linux release 9.4 (Plow).
• Ubuntu 24.04.

To learn more: Supported OS and Platform.

Client Log Data Migration to Google Cloud Storage (GCS)

Netskope is currently migrating Client Log storage from AWS to GCS to better meet PBMM compliance requirements. The migration for PBMM customers has been completed and GCS-based client log storage is now available upon request for all tenants. If you have an urgent need to enable GCS logging, please contact Netskope Support. Otherwise, Client logs for your tenant will continue to be stored in AWS until the migration for all tenants has been completed.

To learn more about the prerequisites: Devices.

Removal of Secure Enrollment Banner

Netskope used to display the Secure Enrollment banner to users on their Home screen for the past few releases.

This banner is now removed as Netskope expect users to have seen and taken action on this. However, Netskope continues to display alerts on the Home screen for Secure token expiry.

Controlled GA for One Time Disablement of Netskope Client 

The One Time Password based disable option feature that was introduced for Netskope Client for Windows in version 118.0.0 is now available as Controlled-GA (General Availablity) from version 122.0.0. Other platforms/OSes will be added in the future releases.

Admins have to configure this first on the tenant UI under the option Allow disabling of Internet Security in Settings > Security Cloud Platform > Client Configuration > Tamperproof. Once enabled, it generates a dynamic password for each device which can be accessed or viewed from the Devices page. Use this password to disable the Netskope Client SWG services.

To learn more: Client Configuration.

Controlled GA for Block IPv6 Traffic

This was earlier available as a Beta feature in version 119.0.0. With version 122.0.0, this is available as a Controlled-GA (General Availablity) feature.

You can block IPv6 non-web traffic in your devices to avoid any undesired IPv6 access. When Netskope Client is enabled in a dual stack computer, applications fall back to IPv4 and the traffic is tunnelled to Cloud Firewall.

To learn more: IPv6 Traffic Steering.

122.1.0

Device Classification Improvements

With version 122.1.0, the Certificate check option available in device classification now supports the following three options:

• Check UPN: The UPN option enables additional checks on the certificate. This extra check compares the current logged in UserPrincipalName with four fields in the certificate: Subject CN, Subject Email, Subject Alternative RFC822, and Subject Alternative Principal Name. If any of these four fields match, the UPN check will pass.
  • Supported OS: Windows and macOS
• Check Smart Card:  If users enable the Smart Card option, Netskope Client checks Certificates on the card instead of the personal store. Secondly, the Netskope Client checks the Smart Card PIN.
  • Supported OS: Windows
• Check CRL: The Certificate Revocation List (CRL) contains digital certificates that were revoked by the issuing CA before their scheduled expiration date, and those certificates should no longer be trusted. If a certificate was revoked, the posture (device classification) check fails.
  • Supported OS: Windows

To learn more: Device Classification.

New Technology for Decrypting Certificate Pinned Application Traffic

Netskope can now decrypt traffic from certificate pinned applications. This significant advancement overcomes the historical challenge of bypassing these applications by default to ensure their proper operation.

Netskope introduced a new steering exception option for these certificate pinned applications: “Steer and Decrypt at Netskope Cloud”. This feature allows you to apply Real-Time Protection policies to this traffic, treating it as you would any traditional application.

123.0.0

General Availability of Block IPv6 Traffic

This was available as a Controlled GA feature in 122.0.0. With version 123.0.0, this is available for all tenants.

You can block IPv6 non-web traffic in your devices to avoid any undesired IPv6 access. When Netskope Client is enabled in a dual stack computer, applications fall back to IPv4 and the traffic is tunnelled to Cloud Firewall.

Supported OS: Windows and macOS

To learn more: IPv6 Traffic Steering.

This is a General Availability feature. This feature is disabled by default. Contact Netskope Support or your Sales Representative to enable this feature for your tenant.

General Availability of Master Password Support for Netskope Client Disablement

This was earlier available as a Beta feature and with version 123.0.0, this is available for all tenants.

Supported OS: Windows and macOS

Supported minimum Client requirements: 118.0.0

This is an option for the administrators that enables them to set a to set a Master Password while configuring “Allow disabling of all Client Services together” under Settings > Security Cloud Platform > Client Configuration > Tamperproof on the webUI. This is optional and if enabled by the administrators, makes it mandatory for the end-users to enter the password while disabling Netskope Client.

The main purpose to add a Master Password is for the business continuity in the event of any disaster and users can continue disable Netskope Client.

To learn more, view Client Configuration.

General Availability of One-Time Password-Based Client Disable

This was earlier available as a Beta feature for Windows in 118.0.0. With release 123.0.0, this feature is available for all tenants.

Supported OS: Windows

Supported Minimum Client Version: 118.0.0

To learn more: Netskope Client Configuration.

General Availability of Multiple Token Support

This was earlier available as a Beta feature in version 122.0.0. From version 123.0.0, this feature is available for all tenants.

Supported Minimum Client Version: 122.0.0

To learn more: Secure Enrollment.

General Availability of GSLB fallback Option In China

This was available as a Beta feature in version 121.0.0. From version 123.0.0, this feature is available for all tenants.

Supported Minimum Client Version: 121.0.0

To learn more: Netskope Client Network Configuration.

Improvements in nsdiag -e Option

With this release, you can now understand if the command nsdiag -e is successful or not. After you run the command, if the return value is 0, it means successful. Else, it failed.

The command prompt user interface also displays an error message “Failed to save Enrollment Tokens” if the command fails.

Supported Minimum Client Version: 123.0.0

To learn more: Secure Enrollment.

Device Status Page Read Operation

With this release, you can use APIv2 for read operations on the Devices page.

To learn more, check the following instructions to view the API documentation:

1. Log into your tenant.
2. Go to Settings > Tools > Rest API V2 > API Documentation.

IDP Enrollments

Introduced a feature flag which when enabled with make the Netskope Client(NSC) perform IDP based enrollment. When the feature flag is enabled, and if the NSC is installed in IDP mode, the NSC will not try UPN enrollment. The default value is set to false, which means there is no behavioral change.

To learn more: Netskope Client via IDP.

Removal of Certificate Option From Device Classification for iOS

From version 123.0.0, Netskope is removing the Certificates webUI option for Device Classification for iOS. This was for iOS devices installed with iOS Profile which was deprecated in March 2024.

Support for Non-Chrome Browsers

Earlier, Netskope allowed IDP enrollments for Android devices only through Chrome web browser. With this release, Netskope Client for Android now supports IDP-based enrollment using Micorsoft Edge browser.

Default Enforcement of Secure Enrollment for New Tenants

With version 123.0.0, Secure Enrollment is enforced by default for all new tenants. This feature was available from version 118.0.0. You need to enforce this security feature on existing tenants.

To learn more: Secure Enrollment.

Retention for Device Event Data

Device Events are now retained for a maximum of one year.

To learn more: Devices.

Issue Number	Description
120.0.0
505439	Fixed an issue by adding a feature flag, where the system proxy after getting detected and added in the Netskope Client active proxy list cannot be removed. Contact Netskope Support to enable this flag to remove system proxy from the Netskope Client active proxy list even when it was not detected in the later proxy detection.
499052	Fixed an issue where Netskope Client did not allow Microsoft Office applications to be bypassed by OS. This requires a feature flag to be enabled for your tenant. Contact Netskope Support to enable the feature flag.
503670, 496830	Fixed an issue by introducing a new feature flag to block a process in Cert-pinned application even when it is running in Session 0 in a Windows operating system. The default value is false; that means the process gets bypassed when it is running in Session 0.
502429	Fixed an issue where the UI justification notification does not pop-up on Windows devices if the Justification hint text exceeds the maximum length of 140 characters.
429954	In a multi-user environment, the Client Install Time in the Client status changes whenever a user logs out. This is now fixed and the Client Install Time does not change in the event of a user logout.
496412	With this fix, iOS app can parse DNS over TCP port 53 query and response packets to set up the IP-domain mapping inside the iOS app.
501419	Fixed a Windows client UI process issue in multi-user Windows environment. When a user opens client UI configuration, they might see incorrect configuration such as empty device classification. This is due to stagentUI incorrectly fetching the wrong session id for the user and is not able to find related user configuration.
500870	Webview2 used for NPA reauth caused issues while in use for other applications. Client uses defalut user directory folder(UDF) as the temp folder for Webview2 operations. If there are any other third-party Webview2 applications that use default UDF, it leads to resource contention. Fixed this issue by using a custom temp folder for Webview2 operations by Netskope Client so that Client does not interfere with the other application operations.
506543	Fixed an issue where the user can proceed with the user alerts without providing any justification inputs in a Linux device.
502315	Fixed an issue where it was unable to set Privileges under Roles for “Client Configuration” unless “Cloud Apps” functional area is specified in the Access Settings.
120.1.2
525139	During Always On Always Connected (AOAC), multiple status messages are sent for the same session ID in the Cache. Ideally, only the latest status message for a session ID must be saved in the cache. However, due to regression, it saved multiple status messages for the same session ID. This led to an issue where the user interface could not process the status messages when the system resumes from AOAC state. This issue is now fixed by caching only the latest message for a session ID. The fix is backported to 120.1.2, 117.1.7, and 114.0.15.
531161	Fixed an issue related to IdP enrollment when secure config is enabled.
120.1.3
534944	Fixed an issue where the Client install time was getting displayed incorrectly and reported a future time while upgrading to version 120.0.0.
509978	Fixed an issue on all platforms where the CA Installation Change event was not getting posted on the Devices page even after the Netskope Client downloads the new certificate.
121.0.7
522438	Fixed an interop issue with lightWAN VPN client. This issued caused tunneled traffic to run into an infinite loop in the Windows Filtering Platform (WFP) driver.
529561	Earlier, the Devices page did not display the One-Time Password when Secure Enrollment is enabled. Fixed this issue by populating tenantID in request payload that in turn displays the one-time password One-Time Password (OTP) field on the Devices webUI.
525139	During Always On Always Connected(AOAC), multiple status messages are sent for the same session ID in the Cache . Ideally, only the latest status message for a session ID must be saved in the cache. However, due to regression, it saved multiple status messages for the same session ID. This lead to an issue where the user interface could not process the status messages when the system resumes from AOAC state. This issue is now fixed by caching only the latest message for a session ID. The fix is backported to 120.1.2, 117.1.7, and 114.0.15.
514923	Fixed an issue in Netskope Client for macOS where the steered traffic was not accessible even after the FailClose is disabled in Netskope Client Configuration and the Netskope Client is in Fail Close activated state.
517882	Fixed an issue where new users were not enrolled when Secure Enrollment was enabled, as the client was unaware of the configuration changes.
438566	Fixed an issue where Netskope did not support DNS over TCP response handling when DNS responses are received through the tunnel when DNS Security is enabled. With this fix, Netskope supports DNS over TCP response handling when DNS response comes via tunnel.
509978	Fixed an issue on all platforms where the CA Installation Change event was not getting posted on the Devices page even after the Netskope Client downloads the new certificate.
525399	Fixed a traffic steering issue with Chrome browser on Chromebook. The issue occurred while using a regex ^(?!.(com.android.chrome)).$ to bypass all traffic except Chrome browser.
531161	Fixed an issue where client was case sensitive to `Authorization: Bearer` and `authorization: Bearer`. Update client to be case insensitive to particular key.
534944	Fixed an issue where the Client install time was getting displayed incorrectly and reported a future time while upgrading to version 120.0.0.
509978	Fixed an issue on all platforms where the CA Installation Change event was not getting posted on the Devices page even after the Netskope Client downloads the new certificate.
122.0.0
532178	Fixed an intermittent missed user notification issue that occurs after Windows wakes up from standby mode.
543242	When an upgrade is interrupted by a system restart and if the installation monitor service (stAgentSvcMon) relaunches the upgrade after restart, the package is unable to install the Client successfully leading to an upgrade failure. In the event of a failure, Netskope Client goes into an inconsistent state causing unknown issues (Microsoft also confirmed that this issue can happen due to upgrade interruption due to system restart). To fix this, Installation monitor service (stAgentSvcMon) delays system restart even if the Client upgrade is already in-progress thereby preventing the Client going into inconsistent state.
540215	Fixed synchronization issues with internal variables where old MSI installers are not cleared even after the auto-upgrade is complete.
519955	Fixed an issue where the user notification template type reset to “Block” whenever the user attempts to import and use a custom language.
533981	Fixed a Tunnel flapping issue on Android due to the failure of the DNS health check using sfchecker.goskope.com.
538206	Fixed a crash issue due to invalid UTF-8 characters present in process name.
533125	Fixed an issue where the Enable/Disable button of One Time Password (OTP) for Internet Security Service got disabled in Device Detail page when user logged in with SSO.
122.1.0
550262	Fixed an issue where Netskope Client crashed causing stagentsvc to stop and disabling Internet Security and NPA tunnels, along with EDLP.
550415	This fix resolves the bad state in the driver stadrv6x64.sys (part of Netskope Client for Windows) that occurs when Windows Filtering Platform (WFP) sublayer fails due to the identifier STATUS_FWP_ALREADY_EXISTS. The bad state can cause the packet to fail while forwarding to the tunnel.
543661, 551399, 551386	On Netskope Client for Windows, domain and IP bypass for web traffic are performed in the driver when steering mode is ‘CFW All traffic’. With the new change, the Domain and IP bypass check for Web traffic is performed in the client service for both ‘Web’ and ‘CFW’ mode.
123.0.0
549061	An intermittent issue that was displaying wrong on-prem status is fixed. Now when user switches networks, correct on-prem status will be shown.
561500	Earlier, when the Web Traffic mode, Steer DNS, and FailClose steering options are configured; DNS traffic is not steered after the device recovers from network disconnection. This issue is now fixed and the DNS traffic is now steered properly after network disconnection.
559121	Fixed an Android battery drain issue related to a feature flag that breaks when the configuration file encryption is enabled.
557778	Fixed a remote log collecting issue when secure config and encryptClientConfig were both enabled.
546710	If the Netskope Client is installed in a per-user mode and Fail Close is enabled and it switches to a non-provisioned user; Fail Close will not work as expected if Captive portal detection is enabled(Grace Period Timeout being greater than zero). The Captive Portal detection does not work for the non-provisioned user. Fixed this issue and now the non-provisioned user (per-user mode) with Captive Portal DetectionTimeout greater than zero and Fail Close enabled works as expected.
549966	Fixed a potential race condition in P-DEM that caused Netskope Client for macOS to crash.
543228	Fixed an issue with the position and keyword for IDP and UPN mode in the Netskope Client installation script. It will use IDP mode only if 4th parameter is "idp" and UPN mode only if 6th parameter is "upn". For example, in IDP single-mode deployments: jamfnsclientconfig.sh idp 0/1 enrollencryptiontoken=
561138	Fixed an issue where the Netskope Client UI shows the tunnel is disconnected but actually the tunnel is up after waking up from the modern standby on Windows.
551274	Fixed an issue where if the Logs were not present under C:\Users\XXXX\AppData\Roaming\Netskope\stagent, auto upgrade failed. This fix makes sure Logs folder is always present before an upgrade is triggered.
538734	Fixed screen mirroring issue in cloud firewall mode.
535028	When multiple user sessions are active, Custom Device Classification is shown empty for the last logged in user. This happens because the right sessionID is not fetched by config lib. This fix helps to fetch the right sessionID corresponding to the logged in User and show right device classification status.
540849	Fixed an issue with Steering Config created before enabling Netskope for Web license, where domain exceptions did not show correctly after cloning a steering profile.