Using Netskope Client

The end-user client provides the following options:

  • For macOS

  • For Windows

  • For Linux

  • Services (Windows Only): Displays the Netskope services enabled at your endpoint. Services displays one or both of the following options:

    • Internet Security

    • Private Access

    In Windows and macOS, you can find the services displayed in the tooltip when you hover your mouse over the Netskope Client icon in the toolbar.

    Windows

    macOS

  • Enabling or Disabling Client Services: By default, the client is enabled for all AD users or devices. However, users can choose to disable the client by selecting the Disable Netskope Client option from the Netskope Client system tray icon. For Windows and macOS, it displays the option Disable All Client Services.

    On Windows devices, if the administrator configures the Master Password for a tenant, the end user needs to provide a password shared by the IT administrator to disable the Netskope Client services, which include Internet Security and Netskope Private Access (NPA).

    To disable Netskope Client services using Master Password:

    1. Click Disable All Client Services.

    2. This prompts another dialog box with the option to enter the master password shared by the IT administrator.

    3. Enter the password.

    4. Click Disable.

    5. The webUI displays the All Netskope Client Services are Disabled pop-up.

      The webUI displays a warning “Error Message” if the end-user enters a wrong master password in the text box.

      Netskope also provides the nsdiag option to disable Netskope Client: nsdiag -t disable.

      After you run the command, it asks you to provide the master password shared by your IT administrator. Once the password is entered, it displays the success message Enable/disable client successful.

      If you enter an incorrect password, the CLI displays the message Incorrect Password, Client cannot be disabled.

  • Private Access On/Off: You can allow users to enable or disable the Client for Private Apps Access. Select the option Allow disabling of Private Apps Access from Client Configuration to view this option in the Netskope Client system tray icon.

  • Re-authenticate Private Access: Use the Re-authentication for Private Apps option to force the Netskope Client to re-authenticate the user. This resets the time for the next periodic re-authentication. Contact Support to enable this functionality in your tenant.

    In Windows:

    If Re-authentication is enabled with a Grace Period configured under Tunnel Settings on the Client Configuration UI, the Client UI displays a message with the time remaining before private access disconnects. The message displays the total time in Hours: Minutes: Seconds left to re-authenticate to Netskope Client.

    For example, if you have configured 24 hours as the Re-Authentication Interval on the Client Configuration webUI and 30 minutes as the Grace Period, the Private Access section under Services on the Client UI displays a warning message for 24:0:0.

    Once the 24 hours are completed, the webUI then displays another 30 minutes as the grace period. A Warning icon beside the text indicates that the time left for re-authentication is going to expire soon.

    Once the re-authentication window expires, the Private Access status gets disabled with a proper error message.

  • Configuration: During a troubleshooting scenario, users can click the Configuration option to view and share the following configuration details about the installed client.

    • Organization

    • Gateway (in FQDN format)

    • Gateway IP (IP address and POP name)

    • User Email (of the device user)

    • Client Configuration (name of the client configuration)

    • Steering Configuration (name of the steering configuration)

    • Device Classification (if the device is managed)

    • Tunnel Protocol

    • Private Access (status of private access)

    • Private Access Gateway

    • On-Premise check (displayed when dynamic steering is used)

    • Traffic Steering Type (all traffic, web traffic or cloud-app traffic)

    • Config Updated (date when the client configuration was last updated)

    • Configuration status.

    Users can update Client configuration if an update is available.

    See also: Netskope Client Command Reference for more options.

  • Save Logs: Use this option to save client logs that can be shared with the support team for troubleshooting.

  • Advanced Debugging: Use this option to allow the Client to collect detailed log files, such as kernel driver logs, inner packet captures, and external packet captures, without the need for third-party software.

    This option is visible only if the Enable advanced debug option is enabled in the client configuration. The logs collected by the Client will depend on the log level selected for the debug option.
    Setting log level to Debug may impact the performance due to high disk operations.

    In Windows, the Reveal Logs option in the Advanced Debugging window displays:

    • %appdata%/netskope/stagent/logs folder if Protect Client configuration and resources is enabled in Client Configuration > Tamperproof.

    • %programData%/netskope/stagent/logs folder if Protect Client configuration and resources is disabled in Client Configuration > Tamperproof.

    This behavior is due to the access restriction on the %ProgramData% folder when Protect Client configuration and resources is enabled. This update is available only for Client versions from 113.0.0; prior to 113.0.0, the option displayed the %PUBLIC%/netskope/log folder.

  • Block Events: To view the list of blocked events, right-click the client icon and select View Blocked Events. The resulting pop-up window lists the access attempts made to certificate-pinned apps that the admin has configured as blocked. These are apps that are set to be blocked in the tenant.

Enabling or Disabling

The following table describes various Netskope Client status icons that are displayed on the user interface, according to the operating system that you use.

Netskope Client Icon Status For Platforms Except Windows and macOS

  • Enabled: The client is successfully connected to the Netskope Gateway and the client icon is in full color.

  • Disabled: The Netskope client has failed to download the required configuration. The client will continue to be in this state until the configuration is downloaded. Possible causes are:

    • The client was disabled by the end user.

    • The client was disabled by the admin in the Netskope admin console.

    • The client automatically disables itself due to the presence of a secure Forwarder, a GRE Tunnel, or a Dataplane On-Premises configuration.

    • The client is disabled in a multi-user scenario for the local admin or users who are not provisioned in the tenant.

  • Disabled due to error: The Client is disabled and the icon is grayed out with an orange circle and an exclamation point. Possible causes are:

    • The client has connectivity issues to the Netskope Gateway.

    • The health check has failed.

    • The client service is stopped manually.

  • Disabled due to fail close: The Client is disabled and the icon is in red color. Possible cause: Tunnel connection could not be established.

Netskope Client Icon Status For Windows and macOS

  • Enabled: The Client icon is in full color when either one or both of the following services are enabled:

    • Internet Security

    • Private Access

  • Disabled: The Netskope client has failed to download the required configuration. The color here denotes that all services are disabled and there is no Client Configuration download failure. The client will continue to be in this state until the configuration is downloaded. Possible causes are:

    • Internet Security and Private Access were disabled by the end user.

    • Internet Security and Netskope Private Access were disabled by the admin in the Netskope admin console.

    • Internet Security and Netskope Private Access automatically disable themselves due to the presence of a secure Forwarder, a GRE Tunnel, or a Dataplane On-Premises configuration.

    • Internet Security and Netskope Private Access are disabled in a multi-user scenario for the local admin or users who are not provisioned in the tenant.

  • Enabled with warning: The icon is orange, which indicates that at least one of the services is enabled but at least one of the services has a warning.

  • Enabled with error: The icon is red, which indicates that at least one of the services is enabled but at least one of the services has an error.

  • Disabled with warning: All services are disabled and one of the services has a warning.

  • Disabled with error: All services are disabled and one of the services has an error. The icon is grayed out with a red circle. The tooltip displays the following when both services are disabled and one of the services is disabled due to an error:

    • Internet Security disabled due to error.

    • Private Access disabled due to error.

    Possible causes are:

    • Internet Security and Netskope Private Access have connectivity issues to the Netskope Gateway.

    • The health check has failed.

    • The client service is stopped manually.

  • Disabled due to fail close: The icon is in red color when:

    • Internet Security is disabled due to fail close, but Private Access is exempted from fail close.

    • Internet Security and Private Access are disabled due to fail close.

    Possible cause: Tunnel connection could not be established.

Client Service Status

The following table lists various client service statuses and their meaning. You can also query client status via the Get Client Data REST API.

Internet Security Service Status

This represents the status of the tunnel that forwards traffic to Cloud Apps, Proxy, and Firewall.

| Event | Actor | Status | Meaning |
|---|---|---|---|
| Installed | System | Disabled | Via email invitation, distribution tool (e.g. SCCM, Altiris, JAMF etc) |
| Tunnel Up | System | Enabled | ‘Auto’ enabled just after install, upgrade or later |
| Tunnel Down | System | Disabled | disabled – default startup state of client i.e. after installation/upgrade/restart |
| Tunnel down due to secure forwarder | System | Disabled | ‘Auto’ disabled due to Netskope Secure Forwarder found |
| Tunnel down due to GRE | System | Disabled | ‘Auto’ disabled due to GRE |
| Tunnel down due to IPSec | System | Disabled | ‘Auto’ disabled due to IPSec |
| Tunnel down due to Data Plane on-premises | System | Disabled | ‘Auto’ disabled due to on-premises DP |
| Tunnel down due to config error | System | Disabled | ‘Auto’ disabled due to config errors/missing config |
| Tunnel down due to error in Modern Standby mode | System | Disabled | ‘Auto’ disabled due to device in modern standby mode (AOAC) |
| Tunnel down due to error | System | Disabled | ‘Auto’ disabled due to (any other) error |
| Change in network | System | Disabled | ‘Auto’ disabled due to change in network |
| System shutdown | System | Disabled | ‘Auto’ disabled due to system restart/power down |
| System powerup | System | Disabled/Enabled | ‘Auto’ Tunnel status will be as per actual status |
| Enrollment Token Error | System | Errored | Displayed when an invalid enrollment authentication token is used |
| Enrolled | User | Disabled | Once the user enrolls using IdP mode through the Netskope Client webUI. |
| User Disabled | User | Disabled | User disabled the client from the system tray |
| User Enabled | User | Enabled | User enabled the client from the system tray |
| Admin Disabled | Admin | Disabled | Tenant admin disabled the client from the system tray |
| Admin Disabled (This event is available only for tenants with Dynamic Steering) | Admin | Backed Off | Tenant admin disabled the Client from the webUI. Whenever the admin selects the None steering option, the Netskope Client disables only traffic steering and sends the “Admin Disabled” event to the Device info. |
| Admin Enabled | Admin | Enabled | Tenant admin enabled the client from the webUI |
| Installed | System | Disabled | Via email invitation, distribution tool (e.g. SCCM, Altiris, JAMF etc) |
| Uninstalled | System | Uninstalled | Uninstalled by end user, admin, SCCM admin etc |
| Installation Failure | System | Disabled | Installation failed |
| Uninstallation Failure | System | Disabled | Disabled. Failed to uninstall the Client |
| Upgrade Success | System | Disabled | Client upgraded successfully |
| Upgrade Failure | System | Disabled | Client failed to upgrade |
| Rollback Success | System | Enabled | Rolled back to client version ‘x’ |
| Rollback Failure | System | Enabled | Failed to rollback to client version ‘x’ |
| Device Posture Change | System | Enabled | To understand the events in your device. The following events trigger when device posture changes between managed, unmanaged, and unknown. |
| CA Installation Change | System | Disabled/Enabled | CA rotation is detected and new CAs are installed to the system store. When the CA rotation is detected (the new downloaded CA is different from the existing CA and the subject name is the same), Netskope Client posts the “CA Installation Change” event for cert rotation monitoring. |
| CA Installation Failure | System | Enabled | CA installation failed. This event is posted when the first attempt fails. Consecutive installation failures are not posted onto the webUI until the CA installation succeeds. Once the CA installation succeeds, it resets the status. |
| CA Installation Success | System | Enabled | Successful CA installation after the failed CA installation attempts. No CA Installation Success event is posted on the webUI when there are no failed attempts. |

– The CA Installation Change event is available only for Windows, macOS, and Linux. For Mobile applications (iOS, Android, and ChromeOS), use MDM to install the new CAs before cert rotation. You can download Netskope Root CA and Tenant Intermediate CA from the tenant UI Signing CA section.
– If the CA rotation is detected and CA installation in the system store fails, the Netskope Client falls back to the older CA and user cert.
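
The following Python is an added example, not Netskope code: it triages devices by their most recent Internet Security event using the Event and Status values from the table above, so that a user-initiated or error-driven disablement stands out from a self-disable caused by another steering method. The record layout, device names, timestamps, bucket names, and the four-hour threshold are assumptions of this example and do not reflect the Get Client Data REST API response format.

```python
from datetime import datetime, timedelta

# Rows where the table says the client disabled itself because another steering
# method is present. Giving them lower priority is this example's assumption.
ALTERNATE_STEERING = {"Tunnel down due to " + why for why in (
    "secure forwarder", "GRE", "IPSec", "Data Plane on-premises")}
# Rows the table describes as error conditions.
ERROR_EVENTS = {"Tunnel down due to config error", "Tunnel down due to error",
                "Tunnel down due to error in Modern Standby mode", "Enrollment Token Error"}

def classify(event, status):
    """Map one table row (Event, Status) to a triage bucket (bucket names are hypothetical)."""
    if status == "Enabled":
        return "enabled"
    if event in ALTERNATE_STEERING:
        return "alternate-steering"
    if event in ERROR_EVENTS or status == "Errored":
        return "error"
    if event in ("User Disabled", "Admin Disabled"):
        return event.lower().replace(" ", "-")
    return "other-disabled"

def triage(records, now, max_age=timedelta(hours=4)):
    """Return {device: (bucket, needs_review)} from each device's latest event."""
    latest = {}
    for ts, device, event, actor, status in records:
        when = datetime.fromisoformat(ts)
        if device not in latest or when >= latest[device][0]:
            latest[device] = (when, classify(event, status))
    result = {}
    for device, (when, bucket) in latest.items():
        stale = now - when > max_age  # disabled state has persisted past the threshold
        review = bucket == "error" or (stale and bucket in ("user-disabled", "other-disabled"))
        result[device] = (bucket, review)
    return result

# Constructed sample records: (timestamp, device, event, actor, status)
SAMPLE = [
    ("2024-05-01T08:00:00", "laptop-01", "Tunnel Up", "System", "Enabled"),
    ("2024-05-01T08:05:00", "laptop-02", "Tunnel Up", "System", "Enabled"),
    ("2024-05-01T09:00:00", "laptop-02", "User Disabled", "User", "Disabled"),
    ("2024-05-01T09:30:00", "laptop-03", "Tunnel down due to GRE", "System", "Disabled"),
    ("2024-05-01T15:50:00", "laptop-04", "Change in network", "System", "Disabled"),
    ("2024-05-01T15:55:00", "laptop-05", "Tunnel down due to config error", "System", "Disabled"),
]

if __name__ == "__main__":
    for device, verdict in sorted(triage(SAMPLE, datetime(2024, 5, 1, 16, 0)).items()):
        print(device, *verdict)
```
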

Network Private Access Status

This represents the status of the tunnel that forwards private application traffic to Netskope.

| Event | Actor | Status | Meaning |
|---|---|---|---|
| Disabled | System | Disabled | NPA is not available for the customer. NPA status code is 0. |
| Disabled | System | Disabled | NPA is available for the tenant but tunnel is not yet established. It should be transient state. NPA status code is 0. |
| Disabled | System | Disabled | NPA is available, but not enabled from the tenant UI. NPA status code is 0. |
| Enabled | System | Enabled | NPA tunnel is connected. NPA status code is 2. |
| Disabled | System | Disabled | User disables the NPA Client. NPA status code is 0. |
| Disabled | System | Disabled | Admin disables the NPA Client from the tenant UI. NPA status code is 0. |
| Errored | System | Disabled | NPA tunnel is disconnected due to error. NPA status code is 11. |

Endpoint DLP Status

If Endpoint DLP is enabled, you can click View Details to see Endpoint DLP Service Details.

The Services section on the Devices page.

There are two Endpoint DLP statuses:

  • Config Status: The configuration state for the endpoint, which comes from the Client configurations applying to the endpoint. It displays Enabled or Disabled indicating if the endpoint should have Endpoint DLP enabled or not based on the Client configurations.

  • Service Status: The reported status of the Endpoint DLP software on the endpoint. This is the same status displayed in the Services table above, which is reported by epdlp.exe (Windows) on the endpoint. You can see one of the following states:

    • Enabled: The service is running, communicating correctly, and working properly.

    • Disabled: The service is not running.

    • Paused: The service is paused by clicking Pause Service. This action lasts for 30 minutes.

    • Device Control Error/Device Control Disabled: The driver for USB Device Control is unable to load correctly. This status might appear for machines that are turned off.

    • System Reboot Required: The endpoint needs a reboot so the USB device control functions properly. This occurs when the system has a non-resettable USB controller and an Endpoint DLP upgrade occurs. The new driver can’t be loaded until the reboot occurs.

    The Endpoint DLP Services Details pane.