Netskope Client For Windows
Netskope Client For Windows
The MSIEXEC command is used to mass deploy Netskope Client (MSI packages) on Windows devices.
Supported Operating Systems
Refer to Netskope Client Supported OS and Platform to understand the supported versions for Windows.
Download Client Packages
You can download Netskope client installers from Download Netskope Client and Scripts.
MSIEXEC Command Format
The generic format of MSIEXEC command to install Client is as follows:
msiexec /I NSClient.msi host=addon-<tenant-name>[.region].<tenant-domain> [token=<Organization ID>] [installmode=IDP] [mode=peruserconfig [userconfiglocation=<path>]] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%nscinstall.log]
Note
The parameters in the above command may vary according to the deployment mode used in your script.
For example, use the following command to install Netskope Client in a multi-user system with an auto-update option:
msiexec /I NSClient.msi host=addon-<tenant-URL> token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig autoupdate=on /l*v %PUBLIC%nscinstall.log
Note
Enter the command in a single line without any line-breaks.
Parameter | Description |
---|---|
/i | Optional Command. Refers to normal installation type. |
mode | Optional parameter. Use peruserconfig when installing in a multi-user system. |
prelogonuser | Optional parameter. Use prelogonuser to enable prelogon as in Configure Client Prelogon Connectivity for Private Access. |
installmode | Optional parameter. Use Idp value when provisioning users via IdP. |
userconfiglocation | Specifies the user-specific directory used for storing the user configuration. It is recommended to use default value unless user’s home directories are hosted on external file servers or network shares. This is recommended to be used only for the multi-user environment. This is an optional parameter. By default the path is %AppData%NetskopeSTAgent. Note: The path can be an absolute path, a network share, or a path having environment variables.
|
fail-close | Optional parameter. If fail-close is not present, the client will honor Web UI “fail close” client configuration.
|
autoupdate |
|
token | Enter your organization ID here. To find your organization ID.
|
host | Enter the addon URL of your tenant. For example: if your tenant URL is example.skope.com, then your addon URL is = addon-example.skope.com |
domain | Enter the domain URL= [region.] |
tenant | Enter the tenant name. |
/l*v | The log file path. |
/qn | Use this option for silent installation. |
– If Secure Enrollment is enabled, each deployment mode consists of two additional parameters(Authentication and Encryption token):
– enrollauthtoken: Specifies the Enforce authentication of Netskope Client Enrollment token(Mandatory).
– enrollencryptiontoken: Specifies the Enforce encryption of initial configuration of Netskope client token(Optional).
For example,
msiexec /I NSClient.msi installmode=IDP mode=peruserconfig enrollencryptiontoken=<encryption token>
A few other examples for the Client installation are as follows:
- Single-User Mode Installation for Domain-joined Endpoints: System-level enrollment including local non-AD accounts; auto-enrolled one time based on the UPN of the first domain user to log in.
msiexec /I NSClient.msi host=addon-<tenant>[.region].<tenant-domain> token=<Organization ID>
Example:
msiexec /I NSClient.msi host=addon-corp.skope.com token=ifxqWJDBVoLFxmAUq36v
- Multi-User Mode Installation for Domain-joined Endpoints: Per-user enrollment; each user auto-enrolled at login based on their UPN.
msiexec /I NSClient.msi host=addon-<tenant>[.region].<tenant-domain> token=<Organization ID> mode=peruserconfig
Example:
msiexec /I NSClient.msi host=addon-corp.skope.com token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig
Netskope Client Deployment Commands
- Microsoft Endpoint Configuration Manager
msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off].
To learn more, view Microsoft Endpoint Configuration Manager.
- VMware Workspace One
msiexec /I NSClient.msi installmode=idP tenant=corp domain=eu.example.com /qn
To learn more, view VMware Workspace ONE. VMWare Workspace One
- IDP For Client Deployment
This includes two modes:
- Single-User Mode Installation for IdP-based Enrollment: System-level enrollment based on the first user to enroll the Client via
IdP.
msiexec /I NSClient.msi tenant=<tenant> domain=[region.]<tenant-domain> installmode=IDP
Example:
Multi-User Mode Installation for IdP-based Enrollment: Per-user enrollment; each user must enroll the Client via IdP.msiexec /I NSClient.msi tenant=corp domain=eu.skope.com installmode=IDP
msiexec /I NSClient.msi tenant=<tenant> domain=[region.]<tenant-domain> installmode=IDP mode=peruserconfig
Example:
msiexec /I NSClient.msi tenant=corp domain=eu.skope.com installmode=IDP mode=peruserconfig
To learn more, view Deploy Netskope Client via IdP.
- Single-User Mode Installation for IdP-based Enrollment: System-level enrollment based on the first user to enroll the Client via
- Microsoft Intune
Use the Command-Line arguments: token=<organization id> host=addon- <tenant-name> .<tenant-domain> mode=peruserconfig (Use peruserconfig only for multi-user environments) autoupdate=on (only applicable if you want the client to auto-update) /qn. To learn more, view Deploy Client On Windows Using Intune
- Microsoft Group Policy Object (GPO)
You can deploy Netskope Client to Active Directory (AD) joined devices via Microsoft GPO using a script based or MST based deployment option.
To learn more, view Microsoft Group Policy Object (GPO)
- Prelogon Connectivity for Netskope Private Access
To install and enable the Netskope Client for Netskope Private Access Prelogon connectivity, use these commands.
For single user mode
The user needs to be different for each Client config. For example:
Client config1
msiexec /I NSClient.msi token=<token> host=<host> prelogonuser=user1@prelogon.netskope.com
Client config2
msiexec /I NSClient.msi token=<token> host=<host> prelogonuser=user2@prelogon.netskope.com
For per user mode
For per user mode, different Client configs also have different prelogon users.
msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <prelogonuser=user1@prelogon.netskope.com
msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <prelogonuser=user2@prelogon.netskope.com
Uninstall Netskope Client In Windows
This section provides the instructions to uninstall Netskope Client from your Windows devices. You can uninstall using multiple methods such as manually from Settings in Windows, from command-line using MSIEXEC, and so on.
Uninstall Manually
To uninstall Client from Settings in Windows:
- Go to Start > Settings > Apps > Apps & Features.
- Find and select the Netskope Client app.
- Click Uninstall.
- You are prompted to enter your administrative credentials at this point.
- Click OK.
- The Netskope Client is uninstalled from your machine.
You can check Apps & features under Apps to ensure that the Netskope Client is uninstalled from your device. To learn more about uninstalling Client from other features in Windows, view Uninstall Apps in Windows.
The Password protection for client uninstallation and service stop option under Client Configuration > Tamperproof lets the administrator restrict unauthorized uninstallation of Client by the end users. The end user must know the password set by the administrator while uninstalling the Client. To learn more, view Netskope Client Configuration.
Using MSI file From Command-Line
To uninstall Client:
-
Open a command prompt as an administrator.
-
Enter the following command:
msiexec /uninstall %productCode% PASSWORD="<password in plain text within quotes>" /qn /l*v %PUBLIC%nscuninstall.log
- Use the following command to find the product code:
wmic product where "Name like 'Netskope Client'" get IdentifyingNumber /value
- Use the same password that is configured under Tamperproof in Client Configuration.
- Use the following command to find the product code:
Using GPO Scripts
Uninstalling can be done through GPO using a batch script similar to installation. The uninstallation script is:
wmic product where name="Netskope Client" call uninstall
Using Script in SCCM
@echo off
REM
REM This batch file is used to uninstall Password protected Netskope Client from SCCM
REM
SetLocal
for /f "tokens=2 delims==" %%f in ('wmic product where "Name like 'Netskope Client'" get IdentifyingNumber /value ^| find "="') do set "productCode=%%f"
IF DEFINED productCode (
msiexec /uninstall %productCode% PASSWORD="<password in plain text within quotes>" /l*v %PUBLIC%nscuninstall.log /qn
) ELSE (
REM Did not find product code for Netskope Client
)
EndLocal
Multilingual Support For Windows
Netskope supports the following languages for end-user support:
-
French
-
German
This helps non-english speaking users to understand Netskope Client menu and notifications. To display end-user Netskope Client notifications in French and German, modify your language and region settings in the Windows devices. To learn more about how to change your language and region settings in your Windows devices, view Manage display language settings in Windows.
Windows Support For WSLv2
Netskope Client supports Windows Subsystem for Linux (WSL) version 2 that allows you to run Linux on your Windows devices without the need of a separate virtual machine. This enables a seamless and simultaneous usage of Windows and Linux operating systems. You can deploy Netskope Client for Linux onto a Linux distribution to extend Netskope services to wSLv2 Linux environment.
- Currently, Netskope Client extends only command-line interface (CLI) support for WSLv2. This is available only as Beta in version 113.0.0.Netskope Private Access will be available as Beta in 117.0.0. Periodic reauthentication is not supported with the CLI version of the Linux Client on WSLv2.
To learn more, view Install Linux on Windows Using WSL.
Support Versions
-
Windows OS: Windows 10 and later versions.
-
WSLv2 and Minor Version 0.67.6 or above.
-
Netskope Client: Version 113.0.0 or later.
- Set the systemd flag set in your WSL distro settings. If systemd is disabled, turn on the flag and reboot the distro.
- Check the WSL version and Netskope Client does not support WSLv1.
Limitations
-
WSL Linux distribution contains no login name as it does not support UI desktop by default. This info only appears as an install log message and not used by Netskope Client features. Hence it does not impact any functionalities.
-
The device manufacture information is not available in WSL Linux distributions. There is no file naming “/sys/devices/virtual/dmi/id/sys_vendor” that the manufacturer comes from. The information is for display only, it doesn’t impact any functionalities of the products.
-
If Netskope Client for Linux is installed before the installation of applications such as Firefox and Chrome and so on, the WSL distro needs reboot to make the browsers working.
Netskope Client Auto-Restart
In instances where the user forgets to enable a Client after disabling it, Netskope set a feature flag AutoStart NSClient with Reboot/Relogin to enable the Netskope Client. After the administrator enables the feature flag, the Netskope Client is enabled after the user restarts the system or the user logs off and logs in again.
- Contact Netskope Support to enable this feature for your tenant.
- This feature is available only for Windows and macOS devices.
- Administrator cannot use this feature flag for NPA services.
- This re-enable feature of Netskope Client for SWG does not apply when the user puts the device in sleep mode.
Netskope Client Auto-Upgrade Failures and Rollback
In certain situations, the Netskope Client may be susceptible to various issues during the auto-upgrade process and the Client installer needs to handle the failure and revert to the previous version.
Client Upgrade or Uninstallation Failure
In the event of any upgrade/uninstall failures, the Netskope Client rollback to the previous version of the client thereby preventing the removal of the Client from the end-user device.
- In the event of a Client upgrade failure, the Client installer reverts to the previously installed version.
- In the event of a Client uninstallation failure, the Client installer reverts to the installed version.
Important
The auto-rollback during Client upgrade is available only from Client version 103.0.0 and later. For example, in the event of a failure during the Client upgrade from version 103.0.0 to 104.0.0, the Client automatically rollback to the version 103.0.0. However, the Client is removed for end-user devices running Client versions below 103.0.0.
You can go to Settings > Security Cloud Platform > Netskope Client > Devices to view the events displayed during the Client upgrade failure. Click the device name to view the related events and the corresponding details. The following table lists the different events displayed in the event of a Client upgrade or uninstallation:
Event | Event Details |
---|---|
Installed | Installed client version ‘x’ |
Uninstalled | Uninstalled client version ‘x’ |
Installation Failure | Failed to install client version ‘x’ – < reason for failure> |
Uninstallation Failure | Failed to uninstall client version ‘x’ – < reason for failure > |
Upgraded | Upgraded from client version ‘x’ to ‘y’ |
Upgrade Failure | Failed to upgrade from ‘x’ to ‘y’ – < Reason for failure > |
Rollback Success | Rolled back to client version ‘x’ |
Rollback Failure | Failed to rollback to client version ‘x’ |
Rollback Success, Upgrade Failure, Installed
Rollback Failure
Uninstalled, Uninstallation Failure
Upgraded
Client Upgrade Failure During System Restart/ Shutdown/ Hard Reboot/ Power Failure
There are occurrences where the auto-upgrade processes gets impacted due to unplanned events such as:
- System restart
- Shutdown
- Crash
- Hard reboot
- Power failure
To eliminate this issue, during the upgrade process, Netskope creates an installation monitor service stAgentSvcMon.exe
that is a copy of the existing Netskope Client Services, with limited functionality. The installation monitor service relaunches the Client installation process on the end-user device whenever the auto-upgrade process is interrupted by system restart/crash/shutdown/hard-reboot/power failure. Once the auto-upgrade process is completed, this monitor service is removed from the endpoint.
However, there are a few scenarios that would stop the monitor service from relaunching the Client installation process. Refer to the following table to learn more:
Scenario | Client Behavior |
---|---|
Consecutive system restart during the auto-upgrade process | The monitor service stops the auto-upgrade process after two attempts. |
The monitor service stops | In case of improper upgrade, Installation monitor service reattempts to upgrade twice before ending the process. |
The auto-upgrade process fails and the system restart/crash happens during rollback phase | The monitor service attempts to reinstall the new build. |
Antivirus configurations to block new processes | The copy of the Client services is not launched. |
MSIEXEC behavior during upgrades | Somtimes, MSIEXEC may restart the system during this process. |
Private Access Tunnel Status Update in Windows Registry
Private Access service on Netskope Windows Client updates the status of the tunnel in the following registry location:
HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope\NpaTunnel/NpaStatus
Status Descriptions
Tunnel Status Registry Value
Enabled Connected
Disabled Disconnected
In addition, the timestamp at which this status change was made is updated in the following registry location: HKEY_LOCAL_MACHINE\SOFTWARE\NetSkope\NpaTunnel/NpaStatusLastChanged.