New Features And Enhancements In Release 119.0.0
Here is the list of the new features and enhancements.
To check your tenant software version, navigate to Settings > General.
Advanced Analytics
General Availability (GA) of DSPM Dashboard
Data Security Posture Management (DSPM) dashboard is now generally available in the Netskope Advanced Analytics Library. The DSPM dashboard provides visibility, statistics, and actionable insights into your SaaS data landscape so that you can ensure that your sensitive data is under control. This version of the DSPM dashboard answers the following questions about your organization’s SaaS data:
- Where is my sensitive data?
  - By SaaS app
  - By instance of SaaS app
  - By geographic region
- What sensitive data do I have?
- How much sensitive data do I have?
- What sensitive data is publicly exposed?
- Where is my sensitive data going outside of my organization?
  - Which unmanaged apps
  - Which non-corporate instances
You can access this dashboard by navigating to Advanced Analytics > Netskope Library. Under All categories, look for Data Security Posture Management and click it.
This dashboard is available for customers with CASB API and CASB Inline licenses. If you do not have one of the CASB licenses and would like to use the DSPM dashboard, talk to your Netskope sales representative.
Folder Access Enhancements
The Folder Share feature allows users to share the contents of a personal or group folder, and collaborate on them, with a group of users or individual users.
To learn more: Sharing Netskope Advanced Analytics Folders
CASB Real-time Protection
WhatsApp E2E File Encryption
Organizations can now use the Netskope RBI solution to apply real-time inspection policies to the WhatsApp application.
This consists of inspecting files during upload and/or download and applying DLP policies according to their sensitivity.
Data Protection
Additional File Type Support
This release includes support for over 88 additional file types accessible through the DLP file filter. A few of these include:
- Python Wheel/WHL package
- HTTP Archive (HAR)
- Android App Bundle
- Android XAPK installer
- Planetary Data System data version 2/3/4
- ConceptDraw file formats
DEA Registration Number Support
Added support for DEA Registration Numbers (Entity: ‘Healthcare Provider Numbers (US; “DEA”)’) and related terms.
Entity Support for ICD-10/11 Codes
Added support for ICD-10-CM, ICD-11-PCS, and ICD-11-MMS codes.
TYOC v2 and File View for Predefined Classifiers
DLP admins can now manage files within a custom classifier by listing, deleting, and exporting a list of valid and invalid files. The functionality also applies to exclusion lists in predefined classifiers.
For custom classifiers, as part of the file upload process, the administrators will also receive feedback on the ML classifier performance, including suggestions for improving the training data (such as adding more positive samples) and adjusting thresholds. Additionally, the feedback process will identify outliers as candidates for removal with the goal of improving the overall quality and the efficacy of the ML classifier.
For more information, see File Classifiers.
Digital Rights Management (DRM)
Support MIP Integration for GCC High tenants (Government)
The Microsoft Purview Information Protection integration is now validated and available to Federal customers. While the overall functionality still remains the same, these customers will have a separate grant page in the UI during the setup. For more information, see Microsoft Purview Information Protection and Netskope DRM.
Endpoint DLP (EPDLP)
Alert Dialog for Prohibited Printer
Printer Device Control no longer blocks printers at system startup or printer installation. Instead, prints are blocked when the user attempts to use a prohibited printer. This allows alert dialogs to be displayed at the time of print (Windows-only).
Usermode Device Control Implementation
USB Device Control has been moved from kernel enforcement to a user-mode mechanism. This reduces the risk inherent in kernel-mode code, and allows for additional features. This change makes the epdlp_dev_ctrl.sys driver obsolete and it will be removed (Windows-only).
USB Storage Device Constraints
USB Storage Device constraints now can target either only phones/mobile devices, only USB mass storage devices, or both. A new selector in the USB Storage Device constraint page allows administrators to select “Any Type”, “USB Mass Storage Devices”, or “Mobile Phones and Devices”.
Encryption Detection for USB Mass Storage devices
USB Storage Device constraints can now differentiate between file systems encrypted with BitLocker (Windows)/FileVault (macOS) and unencrypted file systems. There is a new checkbox in the USB Storage Device constraint page to enable this detection.
Bluetooth Device Control for Windows
Bluetooth Device Control is now generally available for the Windows Endpoint DLP agent. This feature allows policy-based decisions to prevent data transfer using Bluetooth (Windows-only).
USB-4 Support
EPDLP now also supports USB-4 for USB Storage Device and Content control policies (Windows-only).
Printer Content Control Support for AIP/MIP Sensitivity Labels
Content control based on AIP/MIP sensitivity labels is now supported when printing from Microsoft Word, Microsoft Excel, and Microsoft PowerPoint (Windows-only). This improvement requires Printer Content Control.
One-Time Password Support
The one-time password feature now applies to Endpoint DLP (Windows-only).
Next Generation API Data Protection
General Availability (GA) of Box
Starting with this release, Next Generation API Data Protection supports Box. Next Generation API Data Protection for Box supports policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Box, see Configure Box in the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
General Availability (GA) of Cisco Webex
Starting with this release, Next Generation API Data Protection supports Cisco Webex. Next Generation API Data Protection for Cisco Webex supports policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Cisco Webex, see Configure Cisco Webex in the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
General Availability (GA) of ServiceNow
Starting with this release, Next Generation API Data Protection supports ServiceNow. Next Generation API Data Protection for ServiceNow supports policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure ServiceNow, see Configure ServiceNow in the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
General Availability (GA) of Slack Enterprise
Starting with this release, Next Generation API Data Protection supports Slack Enterprise. Next Generation API Data Protection for Slack Enterprise supports policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure Slack Enterprise, see Configure Slack Enterprise in the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
Support Automatic Classification of Files using Box Labels
Box allows users to classify, label, and protect data as part of its security classification capability. Starting this release, Next Generation API Data Protection has introduced a new policy action – Apply Sensitivity Label. With this action, you can now apply a Box classification label on DLP-sensitive Box files.
The policy action is available when you Configure a Next Generation API Data Protection Policy.
This feature is part of the Advanced DLP offering. To enable this on your tenant, talk to your Netskope sales representative.
General Availability (GA) of Microsoft Purview Information Protection Write Capability Action
In release 118, Microsoft Purview Information Protection (MPIP, formerly Microsoft Information Protection) was launched as a controlled-GA feature. Starting with this release, this feature is promoted to General Availability (GA).
MPIP is a solution provided by Microsoft to help classify, label, and protect data. Starting this release, Next Generation API Data Protection has introduced a new policy action – Apply Sensitivity Label. With this action, you can apply an MPIP label on DLP-sensitive Box, Dropbox, Egnyte, Google Drive, Microsoft 365 OneDrive, and SharePoint files.
The policy action is available when you Configure a Next Generation API Data Protection Policy.
This feature is part of the Advanced DLP offering. To enable this on your tenant, talk to your Netskope sales representative.
Policy Enhancement – Scan Content Type for Storage, Ticketing, and Messaging Apps
In release 118, Scan Content Type for Storage & Messaging Apps was launched as a controlled-GA feature. Starting this release, this feature is promoted to General Availability (GA).
Starting this release, Next Generation API Data Protection has introduced a new Scan Content Type for Ticketing Apps.
A new criterion, Scan Content Type, is introduced under Policies > API Data Protection > SaaS > Next Gen > New Policy > Object. With this enhancement, you can specify additional content filtering criteria for storage, ticketing, and messaging apps.
- For storage:
  - Personal Drive
  - Team Drive
- For ticketing:
  - Custom Objects
  - Default Objects
- For messaging:
  - Direct Message
  - Private Channel
  - Public Channel
To learn more: Scan Content Type.
The policy enhancement is available when you Configure a Next Generation API Data Protection Policy.
Policy Enhancement – Exclude Microsoft 365 SharePoint Sites
Starting with this release, you can refine the scanning of Microsoft 365 SharePoint objects. With this enhancement, you can include and exclude a SharePoint file, folder, and sub-site by site name or site ID. Navigate to Policies > API Data Protection > SaaS > Next Gen, then click New Policy. Under Object, select Applications, then select SharePoint from the drop-down menu. Click Specify App Instance and select the appropriate SharePoint instance. Under Scan Content, select Specific Resources. Click the edit box under Specify Resources to Scan and Specify Resources to Exclude. Select the appropriate SharePoint sites from the drop-down menu.
The policy enhancement is available when you Create a Next Generation API Data Protection Policy.
Next Generation Inventory – Export Inventory Data
Starting this release, Next Generation API Data Protection has introduced an Export button on the Inventory page. With this enhancement, you can export the inventory data as a CSV file. You can customize the export to include selected columns and number of rows.
Support New Restrict Access Policy Actions
Starting this release, Next Generation API Data Protection has introduced a set of new restrict access policy actions:
- Restrict Access to Owner’s Domain – Restrict access to users within the current domain. Remove file permissions if a user’s email domain differs from the file owner’s. Only users in the current domain will have access.
- Restrict Access to Specific Domains – Restrict access to users of the domains in the domain profile. Only users matching the specified domain profile will have access.
- Restrict Access to Specific Users – Restrict access only to the users in the user profile. Only users matching the specified user profile will have access.
- Revoke Access from Specific Users – Revoke access to all users except the ones in block-list user profiles. Remove access for users matching the specified user profile.
- Disable Print & Download – Restrict users from printing and downloading files. You can apply this policy action to restrict access to view only. This action applies to users who have viewing and commenting permissions only.
- Restrict Sharing to View: Remove edit and comment permissions from files and folders.
For a list of SaaS apps that support these actions, see Next Generation API Data Protection Feature Matrix per Cloud App.
Netskope Private Access (NPA)
Publishers NGWeb Migration
Migrated the Publisher page to the Next Gen UI, adhering to the latest UX standards based on UX research feedback. The token generation and Edit Publisher flows are updated for a better user experience.
Port Segments
When any Private App is created or updated, NPA inspects the port specification and automatically consolidates discrete ports into port ranges and/or merges overlapping port ranges.
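The consolidation described above can be reproduced offline when reviewing which ports a Private App definition actually exposes. The following Python example is added here for illustration and is not Netskope code; the comma-separated "port" / "low-high" syntax, the function names, and the choice to also join directly adjacent ports are assumptions.

```python
# Added illustration, not Netskope code. Assumed input syntax: "80,443,8000-8010".
from typing import List, Tuple

PortRange = Tuple[int, int]  # inclusive (low, high)


def parse_port_spec(spec: str) -> List[PortRange]:
    """Turn 'p' and 'lo-hi' items into inclusive ranges, rejecting bad values."""
    ranges: List[PortRange] = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        lo_text, sep, hi_text = item.partition("-")
        lo = int(lo_text)                 # raises ValueError on non-numeric input
        hi = int(hi_text) if sep else lo  # a single port is a one-element range
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port item: {item!r}")
        ranges.append((lo, hi))
    return ranges


def merge_ranges(ranges: List[PortRange]) -> List[PortRange]:
    """Merge overlapping ranges; adjacent ports (assumption) are joined too."""
    merged: List[PortRange] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            # Overlaps or touches the previous range: extend it.
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def normalize_port_spec(spec: str) -> str:
    """Return the canonical, minimal form of a port specification."""
    merged = merge_ranges(parse_port_spec(spec))
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in merged)


def exposed_port_count(spec: str) -> int:
    """Count distinct ports covered, so duplicates do not inflate the total."""
    return sum(hi - lo + 1 for lo, hi in merge_ranges(parse_port_spec(spec)))


if __name__ == "__main__":
    sample = "443,80,81,82,8080-8090,8085-8100,22"  # constructed sample input
    print(normalize_port_spec(sample), exposed_port_count(sample))
```

Comparing the normalized form of two definitions is a quick way to confirm that an edit to a Private App did not widen its exposed port set.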
Auth Bypass for Specific URIs
Added authentication bypass support for specific URIs in Private Apps accessed with the NPA Browser Access method.
Multiple IDPs with Browser Access
NPA Browser Access now supports multiple SAML accounts (up to 10) for Private Apps to accommodate various IdP configurations. End-users will authenticate against one of the IdPs based on a domain match configured by the admin within the SAML account.
Private Access Tunnel
Netskope Client now supports the ability to enable and disable Private Access tunnel independently on both Windows and macOS.
Netskope Secure Web Gateway (NG SWG)
Transaction Events Fields – Format 4
Updated Netskope Transaction Events to include log Format 4 with 35 new fields in the following categories:
- Identity
- Device
- Threat Protection
- Connection
To learn more: Transaction Event Fields.
Netskope URL Lookup API
The Netskope URL Lookup API allows you to search for multiple URLs at once and implement rate limiting. The response now includes the URL list and custom category of the DNS resolved IP in addition to the URL/domain.
To learn more: URL Lookup.
UI Enhancement for Custom Categories
Introduced usability enhancements to the Web profiles.
- Custom categories, URL Lists and URL Lookup have been separated into three different sections. Custom categories and URL Lists are separate sections under Policies, and URL Lookup is a separate section under SkopeIT.
- Improved user experience when creating, modifying, or deleting a custom category. With this new UI, new custom categories appear first when sorted by default.
To learn more: Create Custom Categories.
API for Forcing Reauthentication Administrative Option
For IPsec, GRE and EPoT deployments, an API option to remove IP surrogate is available.
To learn more: Forward Proxy Global Settings.
Device Classification Criteria
Until now, device classification conditions were not evaluated in real-time policies for non-decrypted traffic. The device classification is known in the proxy for non-decrypted traffic and will now be evaluated in real-time policies for that traffic.
Additional File Types in Activity Constraints
The list of available file types in activity constraints under real-time policies has been enhanced to support 40 new file types.
HTTP/2 Enabled Account Compatibility with RBI
Netskope supports HTTP/2 across its platform. However, certain services such as RBI, CEP, F2P, and IPS do not function with HTTP/2 traffic. As a result, HTTP/2 traffic for these services is bypassed. With this release, HTTP/2 traffic is downgraded to HTTP/1.1 exclusively for traffic to be isolated by RBI.
For example, when RBI is enabled for an account and a Real-time Protection Policy with an “Isolate” action is configured, traffic initially using HTTP/2 is downgraded to HTTP/1.1. This downgrade is handled by the Netskope proxy before the traffic is forwarded to RBI for isolation.
SaaS Security Posture Management (SSPM)
Enhancements to Predefined Rules and Templates
Recent updates for SSPM rules are as follows:
New Predefined Rules
This release ships 11 new predefined rules. They cover the following categories:
- Apps:
  - Salesforce: 8
  - Workday: 3
- MITRE ATT&CK:
  - Credential Access: 2
  - Initial Access: 8
- Security Domains:
  - Application: 8
  - Authentication: 2
  - IAM: 2
  - Threat Protection: 8
New Rule Templates
- Workday: 1
Existing Rule Updates
- Zoom: 1
- GitHub: 2
- Microsoft 365: 1
- Entra ID: 1
Updates to Microsoft 365 Instance Configuration
Microsoft 365 instance configuration for SaaS Security Posture Management (SSPM) is updated because Microsoft 365 is deprecating the existing Azure ACS onboarding method. The changes are as follows:
- Additional Permissions Required: New permissions are needed in the Microsoft 365 SaaS app instance. For details, refer to the Permissions Required for Microsoft 365 article.
- Action for Existing Users: No action is required unless ACS is explicitly disabled on your M365 instances. SSPM will continue to monitor your currently configured M365 SaaS instances until Microsoft retires ACS support. However, if you disable ACS, you must regrant access to your Microsoft 365 SaaS instances on the Configure App Access page to ensure SSPM continues to monitor your instances.
Enhancements to Navigation Flow on the Overview Page
On the Overview page, in the Applications widget, the navigation flow now redirects to the Apps and 3rd Party Apps page. Previously, it redirected to the Inventory page with particular filters.
To learn more: View Security Posture Overview – Applications.
Improvements to the 3rd Party Apps page
The 3rd Party Apps page has been updated to show Resource Id, a unique identifier for your 3rd Party App. Refer to the 3rd Party App documentation for the mapping between Resource Id and the corresponding 3rd Party App on your SaaS App.
Enhancements to Risk Scoring
Risk scoring for 3rd Party Apps on Entra ID, Workday and Google Workspace has been enhanced with additional scopes.
Threat Protection
File Retention Option for Detected Malware
The Malware Retention profile for real-time Threat Protection policy allows you to retain and obtain a copy of malicious files. Files are uploaded to the IaaS folder/location designated and configured by the customer in the retention profile.
To learn more: About Malware Retention.
Traffic Steering
Linux OS Check Support
Introduced an OS check rule in Device Classification for Linux devices.
This feature checks the detected OS version and classifies the device as compliant when that version matches or is above the version configured by the administrator.
To learn more: Device Classification for Linux.
Client Log Data Migration to Google Cloud Storage (GCS)
Client logs are stored in an AWS S3 bucket, which creates challenges for PBMM compliance because the defined boundary scope does not include any AWS service. To address these challenges, client logs need to be migrated from AWS S3 to GCS while adhering to information security guidelines.
To learn more: Devices.
Block IPv6 traffic
You can block IPv6 non-web traffic on your devices to avoid any undesired IPv6 access. When Netskope Client is enabled on a dual-stack computer, applications fall back to IPv4 and the traffic is tunnelled to Cloud Firewall.
To learn more: IPv6 Traffic Steering.
Supported only on Windows.
User Interface (UI)
License Information and Renewal Notices
Introduced a new page to display purchased subscriptions in the management console.
Additional Documentation Updates
- Updated Secure Enrollment with detailed information regarding the user impact with respect to different Client versions and enrollment methods.
- Added a new topic for deploying Netskope Client with Kandji for iOS devices.