New Features And Enhancements In Release 124.0.0

Here is the list of the new features and enhancements.

Deployments occur over a two-week window. If you do not see this feature on your tenant immediately, please wait until the deployment period has concluded.
To check your tenant software version, navigate to Settings > General.

Behavior Analytics

Compromised Credential Update

Compromised Credentials Incidents shows additional details for debugging user activity seen in Netskope that triggered the detection. Additional details include: application, application activity, timestamp of the application activity, and the incident ID.

Detail Description in Compromised Credential

The Compromised Credential email notification page has a new field for detail description.

CASB Real-time Protection

Slack Instance ID Detection

With this release, admins can deploy Real-time Protection policies to block user downloads of the Slack desktop application for Windows, Mac, and Linux.

The new value “Instance-Id” is visible in Alerts and displays “public-download” for the Slack service.

DLP Support for Atlassian

The Atlassian Confluence application has added DLP support for the Edit activity.

Improved Efficacy of Universal Connector

The Universal connector is enhanced with additional support for activity detection.

Cloud Confidence Index (CCI)

CFW Application Search Feature

With this release there is a new CCI > Cloud Firewall tab. You can now search names of desired non-web applications from this tab. Information such as, supportability, decoration status, CCI scoring, app description are detailed. In addition, you can see if an app is a Cloud Firewall or hybrid app.

Email DLP

The DEM Dashboard is currently a controlled-GA feature. To learn more, speak with your Netskope sales representative or support@netskope.com

DEM Dashboard for Email DLP Service

Added a DEM dashboard for the Email-DLP service. It provides visibility into the health and performance of the Email service and helps in troubleshooting the email delivery issues faster.

Endpoint DLP (EPDLP)

Device Control for CD and DVD drives (Windows)

Device Control policy can now target CD/DVD drives. The allowed actions are Allow and Block.

For more information, see Endpoint DLP.

Granular Fallback Action

Granular Fallback Action is currently a controlled-GA feature. To learn more, speak with your Netskope sales representative or support@netskope.com.

Endpoint DLP fallback actions now can be set for individual users groups or OU, allowing different fallback action policies.

For more information, see Endpoint DLP.

Minimum Netskope Client Version: 124.0.0

“No notification (Mute)” Template Option

Endpoint DLP policies now allow the user notification template to be set to “No Notification (Mute)”. This allows the block to happen silently on the endpoint, without alerting the end-user to the block action.

For more information, see Endpoint DLP.

Acrobat Plugins for Source File DLP/Printing Content Control

Endpoint DLP now captures the original source PDF file for Printer Content Control evaluation when printing from Adobe Acrobat/Adobe Acrobat Reader.

For more information, see Endpoint DLP.

Custom Device Classification Support

Endpoint DLP policies now support Custom Device Classification rules.

For more information, see Endpoint DLP.

Printer Content Control Improvements

For GDI/SPL print drivers, the output document has had several improvements to make review of the Original File much easier. These include correct file extensions for the contents of the original file, printed page images organized into a report to allow single file review, and inclusion of extracted text to make searching and copy/paste easier.

For more information, see Endpoint DLP.

Captured Source PDFs in Chrome and Edge

When printing PDF files using a browser (Google Chrome or Microsoft Edge), Endpoint DLP now captures and evaluates the source PDF, rather than the printer output. This enables better fidelity for the DLP examination and keeps file metadata items such as MIP/AIP labels.

For more information, see Endpoint DLP.

Enterprise Browser

Simplified Enterprise Browser Licensing and Enhanced User Management

We’re excited to announce an update to our user management system that will make it easier for you to manage your Enterprise Browser licenses and ensure compliance with your purchased Enterprise Browser licenses. This change is designed to provide a more streamlined experience for both admins and end-users for Enterprise Browser. Highlights include:

Finite Enterprise Browser Licenses: You will now have control over the number of Enterprise Browser licenses available for your users, allowing you to better manage your costs.
Easier Enterprise Browser License Management: Admins can easily remove or reassign Enterprise Browser licenses from one user to another as needed.
Improved Compliance: With our new feature, you can ensure that only authorized users are accessing your platform.

MacOS Support

Enterprise browser is now available for MacOS as Beta, enabling enterprises to provide their users with a consistent browsing experience across Windows and MacOS.

This is a Beta feature. Contact Netskope Support or your sales representative to enable this feature for your account.

Forensics

Support Amazon S3 as a Forensic Destination

As part of Next Gen Forensics, Netskope has rolled out Amazon S3 as a new forensic destination. To learn more: Next Gen Forensics.

Revamped Forensic Page and Match-Criteria Forensic Profiles

Netskope has introduced a new and enhanced forensic page in the Netskope tenant. To access this page, log in to your Netskope tenant and navigate to Settings > Forensics > Configuration. To learn more, see Enable Forensic Profile.

The Encryption Status checkbox has moved from Policies > Profiles > Forensic > New Forensic to Settings > Forensics > Configuration > Edit Forensic Configuration.

The change is happening in phases, so if you do not see it in the new location, check the original page.
Encryption is a controlled GA feature. Talk to your Netskope sales representative to learn more.

Match-Criteria Forensic Profiles

A forensic profile allows customers to store an evidence trail for DLP violations. It captures forensic metadata, the original file, and any sub-files, all of which are considered sensitive. To ensure security and compliance, Netskope requires customers to use a self-managed cloud destination for storing this data.

Currently, each tenant can have only one forensic destination, making forensic data collection an all-or-nothing function. This means forensic data is recorded for all transactions, without the ability to filter based on data type (data sensitivity).

With match-criteria forensic configuration, you can now:

Enable or disable forensic logging, including sub-file and original file storage, based on the associated DLP profile.
Select a forensic destination profile based on the DLP profile.

To configure a match-criteria forensic profile, see Enable Forensic Profile.

Match-criteria is a controlled GA feature. Talk to your Netskope sales representative to learn more.
Match-criteria is not supported for Endpoint DLP.

Next Generation API Data Protection

Enhanced Exposure Insights and Multi-Geo Support

The Next Generation API Data Protection now offers enhanced capabilities for Microsoft 365 OneDrive & SharePoint by leveraging the Microsoft SharePoint REST APIs.

Enhanced Exposure Computation: Exposure calculations now factor in Microsoft 365 SharePoint group membership associated with sites.
Exposure-Based Site Listing: Easily identify and list SharePoint sites based on their exposure levels. You can now view SharePoint sites on the Inventory page by navigating to API-enabled Protection > SAAS (NEXT GEN) > Inventory > Content Collection > Folder and setting the Folder Type filter to Site. Additional site metadata such as site owner is available in the detailed view.
Extended Multi-Geo Coverage: In addition to the central location, Netskope has extended coverage to all satellite locations in a multi-geo environment for Microsoft 365 OneDrive & SharePoint. Next Generation API Data Protection does not support provisioning single geo on multi-geo tenants.

To take advantage of these enhancements, customers must regrant access to their Microsoft 365 OneDrive & SharePoint instances. This regranting process enables the use of Microsoft SharePoint REST APIs, allowing Netskope to re-list all the entities in your Microsoft 365 OneDrive & SharePoint account to compute exposure. Given the critical nature of these enhancements, Netskope strongly recommends completing the regrant process promptly.

In addition to the already existing permission scopes, following new permission scopes are included as part of the regrant instance:

Site.FullControl.All
Sites.Manage.All
Sites.ReadWrite.All

To learn more about the new permissions, see:

Important Points to Note

Customers must re-grant access to their Microsoft 365 OneDrive & SharePoint instances, which will trigger a re-listing of all entities in their accounts. The re-listing duration depends on the volume of data stored in Microsoft 365 OneDrive & SharePoint.
For large retroactive scans, Netskope recommends re-granting Microsoft 365 OneDrive & SharePoint instances before initiating the scans. This ensures accurate exposure calculations in the scan results.

Deployments occur over a two-week window. You must re-grant the Microsoft 365 OneDrive & SharePoint instances after the deployment period has concluded.

General Availability (GA) of Google Calendar

Next Generation API Data Protection has introduced the support for Google Calendar. Next Generation API Data Protection for Google Calendar can now support policy creation, DLP, threat protection using ongoing scan, alerts and more. To learn more:

For features supported, see Next Generation API Data Protection Feature Matrix per Cloud App.
To configure Google Calendar, see Configure Google Calendar for the Next Generation API Data Protection.
For a list of activities monitored by Netskope, see Activities Monitored by Netskope.

Support Restrict Access Action on Files with Inherited Permissions

This feature introduces the ability to remove sharing links inherited from a top-level folder in Microsoft 365 OneDrive & SharePoint.

Previously, when remediation actions were triggered, access restrictions could not be enforced if the access was inherited from a sharing link at a higher-level folder. This limitation left sensitive data exposed, even when remediation policies were in place.

Key benefits:

Enables automatic removal of inherited sharing links using the SharePoint REST API.
Ensures that remediation actions can successfully restrict access to sensitive content.
Enhances security and compliance by preventing unintended data exposure.

To leverage this feature, you must re-grant the Microsoft 365 OneDrive & SharePoint instances with the new permissions scopes for the SharePoint REST API.

Site.FullControl.All
Sites.Manage.All
Sites.ReadWrite.All

Google Label Badge (Write) Support

Netskope now supports Google’s label badge write operation, a content classification feature. With this new capability, you can apply a Google label badge on DLP-sensitive Google Drive files using the policy action – Apply Sensitivity Label.

The policy action is available when you Configure a Next Generation API Data Protection Policy.

Before you can apply a Google label badge, you should set up a Google Drive DRM instance first. To learn more: Digital Rights Management.
This feature is part of the Advanced DLP offering. To enable this on your tenant, talk to your Netskope sales representative.

Feature Enhancements in Zoom

Next Generation API Data Protection has introduced the following enhancements for Zoom.

New Granular Permissions for the Zoom App

Next Generation API Data Protection now offers granular permissions for the Zoom app, enabling more precise access control. To apply these permissions, existing customers must re-grant the Zoom instance via Settings > Configure App Access > Next Gen > CASB API. To learn more, see Configure Netskope to Access your Zoom Account.

Additional Enhancements

For existing customers, the following enhancements require you to re-grant the Zoom instance with new granular permissions as mentioned above.

Team Chat messages posted by external users can now be scanned for DLP and threat protection.
Team Chat attachments can now be scanned for DLP and threat protection, with support for alert and delete remediation actions.
In-Meeting chat messages can now be scanned for DLP, with support for alert and delete remediation actions.
In-Meeting chat attachments can now be scanned for DLP and threat protection, with support for alert and delete remediation actions.

Netskope Secure Web Gateway (NG SWG)

HTTP2 Enabled Tenant Compatibility

HTTP2-enabled tenants are now compatible with Remote Browser Isolation. Isolated sessions will be automatically renegotiated to HTTP1.1 for policy based-access to isolated sites.

“Banking and Payments” Category

With this release, Netskope introduces a new category called “Banking and Payments”. This new category will be available for use in Real-time Protection policies, SSL decryption policies, and steering exceptions.

While this release introduces the new Banking and Payments category, any configuration using this category will not take effect until Netskope begins classifying URLs into the category.

Improved RTP Policy Editor Navigation

With this update, upon exiting the policy editor, admins will automatically return to the specific position in the policy stack where the edited policy is located. This improvement streamlines navigation, reduces the need for manual scrolling, and enhances the overall user experience.

Netskope Private Access (NPA)

Updated Limit for Publishers per Private App Definition

The maximum number of Publishers that can be configured for a tenant per Private App or App Discovery can be increased from 16 (default) to a maximum of 64.

This is a controlled General Availability feature. Contact Netskope Support or your Sales Representative to enable this feature for your tenant.

NPA Linux Client Support for Red Hat

Private Access client is now supported on the Red Hat Enterprise Linux 9.4 (Plow) release.

NPA support for Multi-User Windows Environments

Netskope Private Access now supports multi-user virtual desktop environments based on Windows, such as Citrix VDI and Azure Virtual Desktop.

Remote Browser Isolation (RBI)

Improved Usability for “out of isolation” errors

Improved the usability of RBI by replacing the error message “You are out of web isolation” with the last rendered image.

An informational box is presented to the user, providing options to either refresh the tab or close it to view the last rendered image.

Isolation of 3rd party Auth Flows

RBI introduces functionality to Isolate authentication flows transparently in the context of the isolated browsing session, without requiring admins to add “sidecar categories” (that is, Application Suite) or cloud apps (for example, Google accounts, Microsoft accounts) to their isolate policies to create a functional policy.

This is a controlled General Availability feature. Contact Netskope Support or your Sales Representative to enable this feature for your tenant.

SaaS Security Posture Management (SSPM)

Enhancements to Predefined Rules and Templates

Recent updates for SSPM rules are as follows:

Existing Rule Updates

Microsoft 365: 2

Deprecated Rules

Salesforce: 1

Traffic Steering

General Availability of CRL Validations, Smart Card, and UPN in Device Classification

Check CRL, Check UPN, and Check Smart Card options in Device Classification was earlier available as a Beta feature in version 122.1.0. With version 124.0.0, this is available for all tenants.

Check UPN
- Supported OS: Windows and macOS
Check Smart Card:
- Supported OS: Windows
Check CRL
- Supported OS: Windows

Minimum Netskope Client Version: 122.1.0 or later

To learn more: Device Classification.

Updated Enrollment and Encryption Tokens in Mac

You can now use nsdiag -e command to update the enrollment and encryption tokens on MacOS platforms. This was earlier supported only on Windows.

Minimum Netskope Client Version: 124.0.0

To learn more: Secure Enrollment.

Device Classification(DC) Profile Names in Exported Devices List

With this enhancement, you can now view custom Device Classification profile names in the exported file from the Devices page.

Steering Configuration WebUI Enhancements

With version 124.0.0, Netskope introduces two new capabilities under Match Criteria in the Steering Configuration on the WebUI:

OS Family: Differentiate steering profiles based on different operating systems (Windows, MacOS, Linux, Android, and iOS). This option provides flexibility in configuring steering profiles by choosing the OS type as match criteria.
User Group/ OU: With 124.0.0, Netskope added ability to select multiple User Groups/OUs while configuring Steering profiles.

This is a Beta feature. Contact Netskope Support or your sales representative to enable this feature for your tenant.

To learn more: Steering Configuration.

Minimum Netskope Client Version: 124.0.0

New Features And Enhancements In Release 124.0.0