New Features And Enhancements In Release 123.0.0
Here is the list of the new features and enhancements.
Advanced Analytics
Endpoint DLP Data Support in Advanced Analytics
Endpoint Events data collection and an accompanying dashboard are now available in Advanced Analytics. The out-of-the-box dashboard is accessible through the Netskope Library, providing:
- Visibility for endpoint activities and trend analysis
- Content and device control policy violations
- Offending user/user groups
Business Service Industry Label
Added ‘Business Services’ as an industry label for ‘Industry Benchmarks’ dashboard in the Netskope Library. Some tenants which were under ‘Other’ will be recategorized to this industry based on their account information. This change will improve comparison relevance across industry verticals.
Pause and Resume Controls for Transaction Events
UI controls are added to allow users to pause/resume ingestion of transaction events to Advanced Analytics.
To learn more: Advanced Analytics Pause/Resume Transaction Events
Behavior Analytics
Enhanced Shared Credentials Alert Logic
Enhanced Shared Credentials detection logic to display alerts regularly throughout the day.
Compromised Credentials Enhancements for Detection Settings
Compromised credentials allows selecting specific tracked domains and users to match, including the ability to restrict to corporate domains. This functionality is now available for FedRAMP and PBMM. You can use this configuration to limit credential matching to your choice of corporate domains or specified corporate users. To learn more: Detection Settings
CASB Real-time Protection
Support for Slack Lists
Enhanced Activity and DLP support for Slack’s new feature Lists. The following activities are supported with DLP support:
- Add
- Share
- Edit
- Delete
- Upload
- Download
- Post
Real-time Policy Support for Microsoft Applications
Netskope real-time policy support for the following Microsoft Applications will be discontinued from release R124:
| Application Name | Justification |
|---|---|
| Microsoft Docs.com, Microsoft GCC Docs.com, Microsoft GCC Sway, Microsoft StaffHub, Microsoft GCC StaffHub | Not supported by Microsoft |
| Microsoft Skype for Business, Microsoft GCC Skype for Business | Skype suite is replaced by Microsoft Teams. Please set Real-time policies using “Microsoft Teams” Connector. |
| Microsoft Office 365 Lync Online | Lync Online is replaced by Microsoft Teams. |
| Microsoft GCC Yammer | Moved under “Microsoft Viva Engage”. Please set Real-time policies using “Microsoft Viva Engage” connector. |
| Microsoft GCC Office Delve | Not supported by Microsoft, as of December 2024. |
Cloud TAP
Enhanced Cloud TAP Stitcher Tool Performance
Updated Cloud TAP Stitcher tool performance qualification for various cloud environments.
Data Protection
Standardized Names using new API
Extracted metadata field names are normalized and use standardized names. For example, “LastSave_DTM” is now “Modified”. This change in behavior applies only when the new API is in use. The new API is disabled by default. Enabling the new API has the advantage of normalized field names and support for extracting additional metadata from formats like MP4.
Support for Additional File Types
This release includes support for over 93 additional file types accessible through the DLP file filter.
Digital Rights Management (DRM)
Reading Labels using Microsoft Purview Classification
Extended the integration with Microsoft Purview classification to allow customers to define policy controls based on reading the classification label on a file or email, as well as inspecting content from encrypted files. Reading of labels is supported for CASB Realtime, API, endpoint, storage scans and DLP for Email.
To learn more, see: Microsoft Purview Information Protection and Netskope DRM.
Email DLP
DEM Dashboard for Email DLP Service
Added a DEM dashboard for the Email-DLP service. It provides visibility into the health and performance of the Email service and helps to troubleshoot the email delivery issues faster.
Next Generation API Data Protection
Manual Remediation Actions from the DLP Incident page
You can now manually take a remediation action against a DLP incident.
If a customer wants to configure Alert as an action in a Next Generation API Data Protection policy and take sensitive actions (such as quarantine, delete, etc.) after reviewing an incident, this feature enables them to take these actions following a file review. While Alert is not supported as a direct DLP incident-based action, Next Generation API Data Protection fully supports other policy actions, including Legal Hold, Quarantine, Delete, and Restrict Access.

Microsoft Teams Shared Channel Support
Next Generation API Data Protection for Microsoft 365 Teams can now trigger Data Loss Prevention (DLP) scans and threat protection for new and updated chat messages, subjects, and file attachments within shared channels.
General Availability (GA) of ChatGPT Enterprise
Next Generation API Data Protection has introduced support for ChatGPT Enterprise. Next Generation API Data Protection for ChatGPT Enterprise can now support policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:
- For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
- To configure ChatGPT Enterprise, see Configure ChatGPT Enterprise for the Next Generation API Data Protection.
- For a list of activities monitored by Netskope, see Activities Monitored by Netskope.
Forensics
Support for Adding Notes within DLP Incidents
Netskope now allows DLP analysts to add Notes within the DLP incidents tenant UI, providing a space for capturing important details, updates, or comments regarding the incident. This feature helps retain valuable analysis and findings during incident triage and provides context when handing off an incident to another team.
To learn more, see: About DLP.
Netskope Secure Web Gateway (NG SWG)
Multiple IDP Domain Selection
This feature allows multiple domain names, instead of just one, to be added in the user authentication domain.
NGWeb for SWG Custom Categories
Enhanced the UI for SWG Custom Categories with these new features:
- Filter based on the name of the custom category.
- The column that displayed the predefined categories, included URL lists and excluded URL lists has been split into 3 separate columns. In addition, if one of these columns has overflowing text, a view more option shows the hidden value and lets you copy all text.
- User preference is remembered for both the column used for sorting and the number of entries per page.
Retrieve Group Membership from SAML Assertion
Netskope has introduced the ability to leverage group information from SAML assertion responses to streamline policy enforcement and group management. Here are the key capabilities:
- Auto populating SAML groups: Automatically populate group memberships based on “memberof” values in the SAML assertion response for group-based policy creation.
- Pre-defined SAML groups: Netskope administrators can create SAML groups using “memberof” values from the SAML assertion response and configure policies in advance, even before intercepting user traffic.
- Friendly group name mapping: Netskope administrators can manually map SAML attribute values to user-friendly group names for simplified management and improved clarity in policy configuration and reporting.
This is a Beta feature, and is not yet available for steering method Edge Proxy. Contact Netskope Support or your Sales Representative to enable this feature for your tenant.
This feature is not available on the compliant cloud (FedRamp or PBMM).
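To preview which group values an IdP's assertion would supply, the following added example (not Netskope code) extracts the “memberof” values from a SAML 2.0 assertion and applies a friendly-name map. The sample assertion, the `FRIENDLY_NAMES` table and the function names are constructed for illustration, and the assertion is assumed to have already passed signature validation.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: an assertion whose signature is assumed to have been
# validated already (this example does not verify signatures).
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>CN=Finance-Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=VPN-Contractors,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>CN=Finance-Users,OU=Groups,DC=example,DC=com</saml:AttributeValue>
      <saml:AttributeValue>   </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Accounting</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Hypothetical friendly-name mapping maintained by an administrator.
FRIENDLY_NAMES = {
    "CN=Finance-Users,OU=Groups,DC=example,DC=com": "Finance",
}


def extract_groups(assertion_xml, attribute_name="memberof"):
    """Return de-duplicated, order-preserving values of the named attribute."""
    # SAML messages do not need a DTD; refusing one avoids entity-expansion
    # tricks in the XML parser.
    if "<!DOCTYPE" in assertion_xml:
        raise ValueError("DTD not allowed in SAML assertion")
    root = ET.fromstring(assertion_xml)
    groups = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        # IdPs differ in casing ("memberOf" vs "memberof"), so compare folded.
        if attr.get("Name", "").casefold() != attribute_name.casefold():
            continue
        for value in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text and text not in groups:  # drop blanks and duplicates
                groups.append(text)
    return groups


def friendly_groups(assertion_xml, mapping=FRIENDLY_NAMES):
    """Map raw attribute values to friendly names; unmapped values stay raw."""
    return [mapping.get(g, g) for g in extract_groups(assertion_xml)]


if __name__ == "__main__":
    for raw, shown in zip(extract_groups(SAMPLE_ASSERTION),
                          friendly_groups(SAMPLE_ASSERTION)):
        print(f"{shown} <- {raw}")
```

Values that come back unmapped are the ones an administrator would still need to give a friendly name or review before building group-based policies on them.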
Support for OS Family in Real-Time Policies
Operating System (OS) family is now available in Real-Time Policies (RTP), providing consistent behavior with SSL DND policies.
With this new feature, admins can now create policies with OS family as a criterion, allowing for more granular control over network traffic. In addition, all events generated for web traffic now include OS family information, ensuring consistency and easier troubleshooting.
This is a Beta feature, and is not yet available for steering method Edge Proxy. Contact Netskope Support or your Sales Representative to enable this feature for your tenant.
Real-time Protection Policies using Custom AD Attributes
Introduced the ability to create real-time protection policies using custom user attributes, when user information is synced from the directory importer.
Additional Notification Variables
Additional variables are now available when configuring user notifications to provide more contextual information and empower end users to make informed decisions.
New variables include source IP, destination IP, groups, OU, POP, Dataplane name, From User, Date, Time, Malware Name, Application Session ID, Transaction ID, HTTP Referer, URI Query, URI Path, URI Port, URI Scheme, and URL Re-categorization link.
In addition, variables will be displayed in a single scrollable list, with updated template names (aligned to transaction event fields). In the form, “double curly brackets” like “{{updated name in template}}” will now be used, allowing admins to add bracketed text to their notification text without escaping.
This is a Beta feature. Contact Netskope Support or your Sales Representative to enable this feature for your tenant.
Extended MITM security level support for BYOK
Netskope has added support for keys with strength greater than 128 bits for SSL decryption when customers are using their own PKI. Supported algorithms will include ECDSA-256, ECDSA-384, ECDSA-521, RSA-3K and RSA-4K.
Disabled Steering Configuration in NS Proxy
Steering exceptions no longer act as SSL or Real-time Protection bypasses for all access methods. You must create explicit SSL and Real-time Protection policies for these methods.
In addition, non-standard port steering configuration is no longer used to control the TCP ports allowed for HTTPS requests. All ports are allowed by default in the proxy. Use the Service objects to control access for each port.
Netskope Private Access (NPA)
Pre-Logon Trust Chain Validation Enhancement
Improved certificate validation by supporting complete trust chain verification, allowing customers to upload and validate entire certificate hierarchies from root to device certificate.
- Expanded CA file upload capability to support full trust chains
- Enables validation of multi-level intermediate CA certificates
Here are the technical details:
- Customers can now upload a single CA file containing root and intermediate certificates
- Supports complex certificate hierarchies (for example, Root → Intermediate1 → Intermediate2 → Device Cert)
Local Broker for Remote Users
Local Brokers for remote users is an officially supported use case. Learn more.
App Discovery Host Limit Change
The App Discovery feature can now support a limit of up to 500 hosts. For current tenants, the default limit remains at 32. However, beginning with version R123, new tenants will have a default limit of 100 for app discovery hosts. Customers can request increased host limits (up to 500) beyond the current 32 and 100 limits. Contact your Netskope account team for assistance.
Local Broker for On-Premises ZTNA
Local Brokers for Private App Access is now Generally Available. Please contact your Netskope account team for more information.
Support for Windows ARM
Netskope has expanded its device compatibility support to Windows devices that run on an ARM-based CPU architecture. This allows for seamless integration with ARM-based Windows systems.
NPA Publisher Container Image Update
Upgraded base docker container images from Ubuntu 20.04 LTS to Ubuntu 22.04 LTS for the NPA Publisher. This ensures that Netskope leverages the latest Ubuntu LTS security patches and provides continued support beyond Ubuntu 20.04’s EOL date.
NPA Browser Access Source IP Criteria
Private Access now supports Source IP as a criterion in Policy for Browser Access applications. Learn more.
Remote Browser Isolation (RBI)
Enhanced Contextual Menu Functionality
Enhanced the functionality of the Delete/Cut/Copy/Paste buttons on the RBI isolated context menu to take into account the context of the element on which the context menu was opened.
The Delete/Cut/Copy/Paste buttons are available depending on whether the element includes selected text and whether the element is editable.
The RBI search dialog has no restriction on clipboard operations.
Extended Isolation of 3rd party Auth flows
RBI has expanded the functionality to isolate authentication flows transparently in the context of the isolated browsing session, without requiring admins to add “sidecar categories” (that is, Application Suite) or cloud apps (for example, Google accounts) to their isolate policies to create a functional policy. Supported 3rd party auth apps include: Google, Microsoft and Facebook accounts (R122) and LinkedIn, X (Twitter) accounts (R123).
Improved User Experience for Lost Connectivity
RBI has improved the user experience for situations where the RBI isolated session is expired due to user inactivity or connection loss.

Hybrid Rendering
RBI tooltips and status messages are now rendered on the client side.
Extended RBI Scope
Netskope security admins are able to define and create isolate policies for any web destination they consider untrusted according to their security posture. Admins can create isolate policies based on any of the criteria supported in Extended RBI: Destination (Category, Application and now also App Suites), CCI App Tag, CCL, Destination Country. Creating such policies does not show any error or warning (not supported / not recommended) to the admin.

SaaS Security Posture Management (SSPM)
Enhancements to NGL
Added support for the where expression in Netskope Governance Language (NGL). This new feature lets you target specific resources where your rules apply, making them run more efficiently and faster. For more details, refer to the NGL Expression documentation.
Enhancements to Predefined Rules and Templates
Recent updates for SSPM rules are as follows:
New Predefined Rules
44 new predefined rules are shipped with this release. They cover the following categories:
- Apps
  - AzureAD / Entra ID: 4
  - Microsoft 365: 23
  - Slack Enterprise: 17
- Mitre Attack
  - Credential Access: 2
  - Collection: 2
  - Initial Access: 23
  - Discovery: 1
  - Execution: 1
  - Defense Evasion: 3
  - Exfiltration: 1
  - Reconnaissance: 1
- Security Domains
  - Application: 2
  - 3rd Party Apps: 3
  - Email Security: 4
  - Collaboration: 19
  - Device Security: 5
  - Data & File Security: 2
  - Sharing: 1
  - Authentication: 7
  - IAM: 5
Templates
1 new predefined rule is shipped with this release for the following apps:
- Slack Enterprise: 1
Existing Rule Updates
- GitHub: 2
- AzureAD: 3
- Microsoft 365: 14
- Salesforce: 4
- Intune: 30
Updates
- Added support for the CIS Microsoft 365 v4.0 compliance standard.
- Deprecated the Salesforce rule: “Cache-Only Key Service Should Be Disabled.”
Enhancements to Audit Logging for SSPM
New Audit Log Types have been added for SSPM. The newly added Audit Log types are:
- [SSPM] Created new SSPM Rule
- [SSPM] Updated SSPM Rule
- [SSPM] Deleted SSPM Rule
- [SSPM] Bulk update of SSPM Rules
- [SSPM] Bulk delete of SSPM Rules
- [SSPM] Mute action
- [SSPM] Unmute action
- [SSPM] Export Findings data
- [SSPM] Export 3rd Party App
You can use these Audit Log Types to view and filter logs in the Netskope Audit Log.
Enhancements to 3rd Party App Scoring
The number of permissions analyzed and scored for 3rd Party Apps on Okta and Google Workspace has increased. Risk assessment of 3rd Party Apps on Okta and Google has been enhanced. Additionally, several apps previously classified as “Unknown” risk level will now be reclassified to a known risk level.
Support for Exporting Muted Fields
You can now export the fields Muted By, Muted Until, and Muted Justification when you export Findings on the SSPM Findings page.
Threat Protection
Support for Deleting Malware Retention Profiles
You can now delete inline Malware Retention profiles.
To learn more: About Malware Retention.
Traffic Steering
General Availability Of Block IPv6 Traffic
This was available as a Controlled GA feature in 122.0.0. With version 123.0.0, this is available for all tenants.
You can block IPv6 non-web traffic in your devices to avoid any undesired IPv6 access. When Netskope Client is enabled in a dual stack computer, applications fall back to IPv4 and the traffic is tunnelled to Cloud Firewall.
Supported OS: Windows and macOS
To learn more: IPv6 Traffic Steering.
General Availability Of Master Password Support For Netskope Client Disablement
This was available as a Beta feature and with version 123.0.0, this is available for all tenants.
- Supported OS: Windows and macOS
- Supported minimum Client version: 118.0.0
This is an option for administrators that enables them to set a Master Password while configuring “Allow disabling of all Client Services together” under Settings > Security Cloud Platform > Client Configuration > Tamperproof on the webUI. This is optional and if enabled by the administrators, makes it mandatory for the end-users to enter the password while disabling Netskope Client.
To learn more: Client Configuration.
General Availability Of One-Time Password-Based Client Disable
This was earlier available as a Beta feature for Windows in 118.0.0. With release 123.0.0, this feature is available for all tenants.
- Supported OS: Windows
- Supported Minimum Client Version: 118.0.0

To learn more: Netskope Client Configuration.
Improvements In nsdiag -e Option
With this release, you can tell whether the command nsdiag -e succeeded. After you run the command, a return value of 0 means it was successful; any other value means it failed.
The command prompt user interface also displays the error message “Failed to save Enrollment Tokens” if the command fails.

Supported minimum Client version: 123.0.0
To learn more: Secure Enrollment.
Device Status Page Read Operation
With this release, you can use APIv2 for read operations on the Devices page. Check the following instructions to view the API documentation:
- Log into your tenant.
- Go to Settings > Tools > Rest API V2 > API Documentation.
IDP Enrollments
Introduced a feature flag which, when enabled, makes Netskope Client perform IDP-based enrollment. When the feature flag is enabled, and if the Netskope Client is installed in IDP mode, the Client will not try UPN enrollment. The default value is set to false, which means there is no behavioral change.
Netskope recommends not enabling this feature flag if Fail Close is enabled in a multi-user environment. Otherwise, the second user IDP will fail since Fail Close drops the IDP traffic.
To learn more: Netskope Client via IDP.
Removal Of Certificate Option In Device Classification for iOS
From version 123.0.0, Netskope is removing the Certificates webUI option for Device Classification: iOS. This option was available for iOS devices installed with the iOS Profile, which was deprecated in March 2024.

Support For Non-Chrome Browsers
Earlier, Netskope allowed IDP enrollments for Android devices only through the Chrome web browser. With this release, Netskope Client for Android now supports IDP-based enrollment using the Microsoft Edge browser.
Default Enforcement of Secure Enrollment for New Tenants
With version 123.0.0, Secure Enrollment is enforced by default for all new tenants.
This feature was available from version 118.0.0. You need to enforce this security feature on existing tenants.
To learn more: Secure Enrollment.
Controlled General Availability (GA) of Multiple Token Support
This feature was earlier available as Beta in version 122.0.0. In version 123.0.0, Netskope extends it as a Controlled GA feature. There is no change in the functionality or working of this feature.
Supported minimum Client version: 122.0.0
To learn more: Secure Enrollment.
General Availability of GSLB Fallback Option In China
This was available as a Beta feature in version 121.0.0. From version 123.0.0, this feature is available for all tenants.
Supported minimum Client version: 121.0.0
To learn more: Netskope Client Network Configuration.
Retention For Device Event Data
Device Events are now retained for a maximum of one year.
Explicit Proxy over Tunnel Support for Port 80
Explicit proxy over tunnel (EPoT) now supports sending traffic through port 80. If EPoT traffic is sent on port 80, there is no additional requirement to configure Steering Configuration > Non-Standard Ports on your account.
To learn more: Explicit Proxy over IPSec and GRE Tunnels.