Using Netskope Client

Using Netskope Client

The end-user client provides the following options

  • Enabling or Disabling: By default, for all AD users or devices the client is enabled. However, users can chose to disable the client by selecting the Disable Netskope Client option from the Netskope Client system tray icon.
  • Enable/Disable Private Apps Access: You can allow users to enable or disable the Client for Private Apps Access. Select the option Allow disabling of Private Apps Access from Client Configuration to view this option in the Netskope Client system tray icon.
  • Configuration: During a troubleshooting scenario, user can click the Configuration option to view and share the following configuration details about the installed client.
    • Organization
    • Gateway (in FQDN format)
    • Gateway IP (IP address and POP name)
    • User Email (of the device user)
    • Client Configuration (name of the client configuration)
    • Steering Configuration (name of the steering configuration)
    • Device Classification (if the device is manage or unmanaged)
    • Tunnel Protocol
    • Private Access (status of private access)
    • Private Access Gateway (if private access is enabled, then the IP address of )
    • On-Premise check (displayed when dynamic steering is used)
    • Traffic Steering Type (all traffic, web traffic or cloud-app traffic)
    • Config Updated (date when the client configuration was last updated)
    • Configuration status.

    Users can update Client configuration if an update is available.

    See also: Netskope Client Command Reference for more options.

    On WindowsOn macOS
  • Save Logs: Use this option to save client logs that can be shared with support team for troubleshooting.
  • Advanced Debugging: Use this option to allow the Client to collect detailed log files like kernel driver logs, Inner packet capture, external packet capture without the need of a 3rd party software.


    • This option is visible only if the Enable advanced debug option is enabled in the client configuration. The logs collected by the Client will depend on the log level selected for the debug option.


    Setting log level to Debug may impact the performance due to high disk operations.

  • Block Events: To view the list of blocked events, right click on the client icon and select View Blocked Events. The resulting pop-up window displays the list of access attempts that are made to any certs pinned and which are configured as blocked by the admin. Use this option to view the list of blocked events relating to certificate pined apps. These are apps that are set to be blocked in the tenant.
Enabling or Disabling
Table 24. Client Icon Status
EnabledThe client is successfully connected to the Netskope Gateway and the client icon is in full color.
DisabledThe Netskope client has failed to download the required configuration. The client will continue to be in this state until the configuration downloaded. Possible causes are: 
  • The client was disabled by end user.
  • The cient was disabled by the admin in the Netskope admin console.
  • The client automatically disables itself due to the presence of a secure Forwarder, a GRE Tunnel, or a Dataplane On-Premises configuration.
  • The client is disabled in a multi-user scenario for the local admin or users who are not provisioned in the tenant.
Disabled due to errorThe Client is disabled and the icon is grayed out with an orange circle and an exclamation point. Possible causes are: 
  • The client has connectivity issues to the Netskope Gateway.
  • The health check has failed.
  • The client service is stopped manually.
Disabled due to fail close.The Client is disabled and the icon is in red color. Possible causes:
  • Tunnel connection could not be established.

Client Status

The following table lists various client statuses and their meaning. You can also query client status via the  Get Client Data REST API.

InstalledSystemDisabledVia email invitation, distribution tool (i.e. SCCM, Altiris, JAMF etc)
Tunnel UpSystemEnabled‘Auto’ enabled just after install, upgrade or later
Tunnel DownSystemDisableddisabled – default startup state of client i.e. after installation/upgrade/restart
Tunnel down due to secure forwarderSystemDisabled‘Auto’ disabled due to Netskope Secure Forwarder found
Fail closeSystemDisabledThe client tunnel could not be established to Netskope gateway.
Tunnel down due to GRESystemDisabled‘Auto’ Disabled due to GRE
Tunnel down due to Data Plane on-premisesSystemDisabled‘Auto’ Disabled due to on-premises DP
Tunnel down due to config errorSystemDisabled‘Auto’ disabled due to config errors/missing config
Tunnel down due to errorSystemDisabled‘Auto’ disabled due to (any other) error
Change in networkSystemDisabled‘Auto’ disabled due to change in network
System shutdownSystemDisabled‘Auto’ disabled due to system restart/ power down
System powerupSystemDisabled/Enabled‘Auto’ Tunnel status will be as per actual satus
User DisabledUserDisabledUser disabled the client from the system tray
User EnabledUserEnabledUser enabled the client from the system tray
Admin DisabledAdminDisabledTenant admin disabled the client from the system tray
Admin EnabledAdminEnabledTenant admin enabled the client from the system tray
UninstalledSystemUninstalledUninstalled by end user, admin, SCCM admin etc
Installation FailureSystemDisabledInstallation failed
Share this Doc
In this topic ...