Using Netskope Client

The end-user client provides the following options:

  • Enabling or Disabling: By default, the client is enabled for all AD users or devices. However, users can choose to disable the client by selecting the Disable Netskope Client option from the Netskope Client system tray icon.
  • Enable/Disable Private Apps Access: You can allow users to enable or disable the Client for Private Apps Access. Select the option Allow disabling of Private Apps Access from Client Configuration to view this option in the Netskope Client system tray icon.
  • Configuration: During a troubleshooting scenario, users can click the Configuration option to view and share the following configuration details about the installed client:
    • Organization
    • Gateway (in FQDN format)
    • Gateway IP (IP address and POP name)
    • User Email (of the device user)
    • Client Configuration (name of the client configuration)
    • Steering Configuration (name of the steering configuration)
    • Device Classification (whether the device is managed or unmanaged)
    • Tunnel Protocol
    • Private Access (status of private access)
    • Private Access Gateway (if private access is enabled, then the IP address of )
    • On-Premise check (displayed when dynamic steering is used)
    • Traffic Steering Type (all traffic, web traffic or cloud-app traffic)
    • Config Updated (date when the client configuration was last updated)
    • Configuration status.

    Users can update Client configuration if an update is available.

    See also: Netskope Client Command Reference for more options.

  • Save Logs: Use this option to save client logs that can be shared with the support team for troubleshooting.
  • Advanced Debugging: Use this option to let the Client collect detailed log files, such as kernel driver logs, inner packet captures, and external packet captures, without third-party software.

    • This option is visible only if the Enable advanced debug option is enabled in the client configuration. The logs collected by the Client depend on the log level selected for the debug option.

    Setting the log level to Debug may impact performance due to high disk operations.

  • Block Events: To view the list of blocked events, right-click the client icon and select View Blocked Events. The resulting pop-up window lists the access attempts made to certificate-pinned apps that the admin has configured as blocked in the tenant.

Enabling or Disabling

Enabled: The client is successfully connected to the Netskope Gateway and the client icon is in full color.

Disabled: The Netskope client has failed to download the required configuration. The client will continue to be in this state until the configuration is downloaded. Possible causes are:
  • The client was disabled by the end user.
  • The client was disabled by the admin in the Netskope admin console.
  • The client automatically disables itself due to the presence of a secure Forwarder, a GRE Tunnel, or a Dataplane On-Premises configuration.
  • The client is disabled in a multi-user scenario for the local admin or users who are not provisioned in the tenant.

Disabled due to error: The Client is disabled and the icon is grayed out with an orange circle and an exclamation point. Possible causes are:
  • The client has connectivity issues to the Netskope Gateway.
  • The health check has failed.
  • The client service is stopped manually.

Disabled due to fail close: The Client is disabled and the icon is red. Possible causes are:
  • Tunnel connection could not be established.

Client Status

The following table lists various client statuses and their meaning. You can also query client status via the Get Client Data REST API.

Internet Security Service Status

Installed | System | Disabled | Via email invitation, distribution tool (e.g. SCCM, Altiris, JAMF)
Tunnel Up | System | Enabled | ‘Auto’ enabled just after install, upgrade or later
Tunnel Down | System | Disabled | Disabled: default startup state of the client, i.e. after installation/upgrade/restart
Tunnel down due to secure forwarder | System | Disabled | ‘Auto’ disabled due to Netskope Secure Forwarder found
Tunnel down due to GRE | System | Disabled | ‘Auto’ disabled due to GRE
Tunnel down due to IPSec | System | Disabled | ‘Auto’ disabled due to IPSec
Tunnel down due to Data Plane on-premises | System | Disabled | ‘Auto’ disabled due to on-premises DP
Tunnel down due to config error | System | Disabled | ‘Auto’ disabled due to config errors/missing config
Tunnel down due to error in Modern Standby mode | System | Disabled | ‘Auto’ disabled due to device in modern standby mode (AOAC)
Tunnel down due to error | System | Disabled | ‘Auto’ disabled due to (any other) error
Change in network | System | Disabled | ‘Auto’ disabled due to change in network
System shutdown | System | Disabled | ‘Auto’ disabled due to system restart/power down
System powerup | System | Disabled/Enabled | ‘Auto’ Tunnel status will be as per actual status
Enrollment Token Error | System | Errored | Displayed when an invalid enrollment authentication token is used
Once the user enrolls using IdP mode through the Netskope Client webUI.
User Disabled | User | Disabled | User disabled the client from the system tray
User Enabled | User | Enabled | User enabled the client from the system tray
Admin Disabled | Admin | Disabled | Tenant admin disabled the client from the system tray
Admin Disabled (This event is available only for tenants with Dynamic Steering (Beta)) | Admin | Enabled | Tenant admin disabled the Client from the webUI. Whenever the admin selects the None steering option, the Netskope Client disables only traffic steering and sends the “Admin Disable” event to the Device info.
Admin Enabled | Admin | Enabled | Tenant admin enabled the client from the webUI
Installed | System | Disabled | Via email invitation, distribution tool (e.g. SCCM, Altiris, JAMF)
Uninstalled | System | Uninstalled | Uninstalled by end user, admin, SCCM admin etc.
Installation Failure | System | Disabled | Installation failed
Uninstallation Failure | System | Disabled | Failed to uninstall the Client
Upgrade Success | System | Disabled | Client upgraded successfully
Upgrade Failure | System | Disabled | Client failed to upgrade
Rollback Success | System | Enabled | Rolled back to client version ‘x’
Rollback Failure | System | Enabled | Failed to rollback to client version ‘x’
Device Posture Change | System | Enabled | To understand the events in your device. The following events trigger when device posture changes between managed, unmanaged, and unknown.
CA Installation Change | System | Disabled/Enabled | CA rotation is detected and new CAs are installed to the system store. When the CA rotation is detected (the new downloaded CA is different from the existing CA and the subject name is the same), Netskope Client posts the “CA Installation Change” event for cert rotation monitoring.
CA Installation Failure | System | Enabled | CA installation failed. This event is posted when the first attempt fails. Consecutive installation failures are not posted onto the webUI until the CA installation succeeds. Once the CA installation succeeds, it resets the status.
CA Installation Success | System | Enabled | Successful CA installation after the failed CA installation attempts. No CA Installation Success event is posted on the webUI when there are no failed attempts.

– The CA Installation Change event is available only for Windows, macOS, and Linux. For mobile applications (iOS, Android, and ChromeOS), use MDM to install the new CAs before cert rotation. You can download Netskope Root CA and Tenant Intermediate CA from the tenant UI Signing CA section.
– If the CA rotation is detected and CA installation in the system store fails, the Netskope Client falls back to the older CA and user cert.
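
A triage sketch for the statuses listed above, added here as an example and not Netskope code: it replays status events per device and reports devices left without steering, or with a CA installation failure that never recovered. The tuple layout and the grouping of event names are assumptions of this example, not the Get Client Data REST API schema.

```python
from collections import defaultdict

# Event names come from the status table above; the grouping is this example's assumption.
COVERED_ELSEWHERE = {   # tunnel is down because another steering method is in place
    "Tunnel down due to secure forwarder", "Tunnel down due to GRE",
    "Tunnel down due to IPSec", "Tunnel down due to Data Plane on-premises"}
UNPROTECTED = {         # traffic is no longer steered and nothing else covers it
    "User Disabled", "Admin Disabled", "Uninstalled", "Enrollment Token Error",
    "Tunnel down due to config error", "Tunnel down due to error"}
RESTORED = {"Tunnel Up", "User Enabled", "Admin Enabled"}

def triage(events):
    """events: (timestamp, device, event, actor) tuples in any order (hypothetical layout).
    Returns {device: [finding, ...]} for devices that need follow-up."""
    state = defaultdict(lambda: {"gap": None, "ca_failed": False})
    for _ts, device, event, actor in sorted(events):   # replay in time order
        s = state[device]
        if event in UNPROTECTED:
            s["gap"] = (event, actor)
        elif event in RESTORED or event in COVERED_ELSEWHERE:
            s["gap"] = None
        elif event == "CA Installation Failure":
            # Only the first failure is posted, so one event means "still failing".
            s["ca_failed"] = True
        elif event == "CA Installation Success":
            s["ca_failed"] = False                      # success resets the status
    findings = {}
    for device, s in state.items():
        notes = []
        if s["gap"]:
            notes.append("unprotected: %s (actor: %s)" % s["gap"])
        if s["ca_failed"]:
            notes.append("CA installation failed with no later success")
        if notes:
            findings[device] = notes
    return findings

# Constructed sample events, not real tenant data.
SAMPLE = [
    ("2024-05-01T08:00:00Z", "laptop-01", "Tunnel Up", "System"),
    ("2024-05-01T09:10:00Z", "laptop-01", "User Disabled", "User"),
    ("2024-05-01T08:05:00Z", "laptop-02", "CA Installation Failure", "System"),
    ("2024-05-01T08:30:00Z", "laptop-03", "CA Installation Failure", "System"),
    ("2024-05-01T08:45:00Z", "laptop-03", "CA Installation Success", "System"),
    ("2024-05-01T08:20:00Z", "branch-04", "Tunnel down due to GRE", "System"),
    ("2024-05-01T07:30:00Z", "laptop-05", "User Enabled", "User"),
    ("2024-05-01T07:00:00Z", "laptop-05", "User Disabled", "User"),
]

if __name__ == "__main__":
    for device, notes in triage(SAMPLE).items():
        print(device, notes)
```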

Network Private Access Status

Disabled | System | Disabled | NPA is not available for the customer. NPA status code is 0.
Disabled | System | Disabled | NPA is available for the tenant but the tunnel is not yet established. This should be a transient state. NPA status code is 0.
Disabled | System | Disabled | NPA is available, but not enabled from the tenant UI. NPA status code is 0.
Enabled | System | Enabled | NPA tunnel is connected. NPA status code is 2.
Disabled | System | Disabled | User disables the NPA Client. NPA status code is 0.
Disabled | System | Disabled | Admin disables the NPA Client from the tenant UI. NPA status code is 0.
Errored | System | Disabled | NPA tunnel is disconnected due to error. NPA status code is 11.

Endpoint DLP Status

If Endpoint DLP is enabled, you can click View Details to see Endpoint DLP Service Details.

The Services section on the Devices page.

There are two Endpoint DLP statuses:

  • Config Status: The configuration state for the endpoint, which comes from the Client configurations applying to the endpoint. It displays Enabled or Disabled indicating if the endpoint should have Endpoint DLP enabled or not based on the Client configurations.

  • Service Status: The reported status of the Endpoint DLP software on the endpoint. This is the same status displayed in the Services table above, which is reported by epdlp.exe (Windows) on the endpoint. You can see one of the following states:

    • Enabled: The service is running, communicating correctly, and working properly.

    • Disabled: The service is not running.

    • Paused: The service is paused by clicking Pause Service. This action lasts for 30 minutes.

    • Device Control Error/Device Control Disabled: The driver for USB Device Control is unable to load correctly. This status might appear for machines that are turned off.

    • System Reboot Required: The endpoint needs a reboot so the USB device control functions properly. This occurs when the system has a non-resettable USB controller and an Endpoint DLP upgrade occurs. The new driver can’t be loaded until the reboot occurs.

    The Endpoint DLP Services Details pane.