Unanswered questions

Hello everyone,I’m looking for guidance on how best to handle chat bots within business web applications, particularly when they are being blocked under Online Ads filtering.For example, we use the Blackbaud web application. While the main application functions as expected, the embedded chat bot is being blocked because it is categorized as Online Ads. The chat bot is an important feature, as it is used to create support cases for the application.Additionally, I’ve included screenshots from SkopeIT and had a couple of related questions:Is it normal for the same application to appear under multiple App Categories? What is the difference between a URL and a Page as shown in SkopeIT?Any insights or best practices would be appreciated. Business WebAppChat bot on Business WebApp 

Generated with the assistance of Claude Opus 4.6 (Anthropic) -- but any slop is my fault for not managing context.Summary We need a per-user, one-time enrollment token mechanism for IdP-mode enrollments on devices that cannot receive tokens via MDM (mostly Chrome or Linux laptops, unmanaged or “lightly managed” endpoints). The current Secure Enrollment model provides tenant-wide shared tokens distributed via MDM. We have specific questions about how Enforced/Not Enforced status interacts with IdP vs UPN enrollment, and whether per-user scoped tokens are available or planned. EnvironmentTenant: XXXX.goskope.com Secure Enrollment Service: Enabled Token set 1: Created Jan 2026, Status: Enforced (auth + encryption), Expiry: roughly 1 yr Token set 2: Created Mar 2026, Status: Not Enforced (auth + encryption), Expiry: roughly1yr Secure Configuration Service: Enabled IdP: Okta (SAML Forward Proxy configured with Client Enrollment access method) Deployment modes: UPN via Intune/Jamf (Windows/m

SUBJECT- Issue with Activity Control Policy for Banking/Finance URLs in Netskope Hello Team,Today, I created a policy related to custom URLs for banking and finance/accounting websites. I selected specific domains to control user activity and configured the policy properly.However, I am unable to control activities on banking websites in particular. I am not sure why this is happening.When I perform a URL lookup in Netskope, it shows that the traffic is being steered to Netskope, so the steering is working.If anyone knows how to resolve this issue—especially for banking sites—please guide me

Hi,What is the script to use to deploy netskope client for macos ?Our IDP is Google Workspace and the saml conf has been setup on GWS and Netskope (saml-forward-proxy). Our MDM is Addigy.Best regardsMathias 

We tried with Iban (ALL) option but didn’t worked So Please provide an appropriate solution for this 

I am struggling with the props.conf setup to pull web transaction logs via S3 bucket. I have set up per Stream Logs to Splunk - Netskope Knowledge Portal .This would replace my setup for using REST API v2 for transaction logs eventually.  I currently have logs going in parallel into a temp index for validation before cut over.I am using queries below to validate time stamp detection and proper data parsing. If you have this setup to your satisfaction, Can I request you to share your props.conf? Validation queries: #Check if _time matches x-cs-timestampearliest=-10mindex=nsweb_temp sourcetype="netskope:web:test"| eval payload_time = tonumber(coalesce('x-cs-timestamp','x_cs_timestamp'))| eval splunk_time  = _time| eval diff_seconds = splunk_time - payload_time| eval status = if(diff_seconds==0, "PERFECT", "OFFSET")| eval diff_abs_s = abs(diff_seconds)| eval diff_hms   = tostring(diff_abs_s, "duration")| table _time payload_time splunk_time diff_seconds diff_hms status| sort - _time| head

Hello I have NextGen API for Microsoft outlook. For 12 of my users I want to steer the outlook traffic via netskope.I know it is the pinned app and got a bypass, but is there any way to steer via Netskope

We are experiencing an issue where Cursor AI traffic stops working when routed through Netskope with SSL decryption enabled. Specifically, the Cursor agent fails to function when traffic is inspected via Netskope.For security reasons, we do not want to bypass or exclude the Cursor AI domains from inspection. We would like to understand if there is a recommended solution that allows Cursor to function properly without bypassing SSL decryption.Could you please advise on: Any best practices for handling similar AI/agent-based applications under SSL inspection As part of our troubleshooting, we attempted lowering the HTTP version to 1.0. While this has resulted in partial functionality for some users, the issue is not fully resolved and the agent remains unstable. 

Looking for recommendations here. We are currently trying to onboard a group of consultants and provided them a requirements document for use of Enterprise Browser. One office could not use EB due to network issues. So they are currently whitelisting the domains and ports from your list. Their question was what to replace MP with? Are there regional static MP domain names that can be used? Network Connectivity: Netskope Enterprise Browser needs access to the following domains/ports:https://nsbrowser-updates.<MP>.goskope.com: Browser updates and installer downloads. https://nsbrowser-config.<MP>.goskope.com: To retrieve tenant and user configurations.I assume if they whitelist by subnet instead, will that cover these MP domains, correct? Consolidated Whitelist CIDR Notation IP Address Range 8.36.116.0/24 8.36.116.0 - 8.36.116.255 8.39.144.0/24 8.39.144.0 - 8.39.144.255 31.186.239.0/24 31.186.239.0 - 31.186.239.255

Question for the community…..Assuming we are blocking the following 2 categories (and of course blocking all of the known malicious)"Newly Observed Domain" "Newly Registered Domain"What is the opinion as to allowing “Uncategorized”?   I do understand that it is not impossible that a malicious link (in an email for example) could contain just an IP address (since all IP addresses generally are categorized as “Uncatgorized” by default) and therefore is an outlier risk (as uncommon this may be), but are there other known risks here I am not considering? The reason for the ask is that we have found that websites that are categorized by Netskope, on occasion at least, are legitimate business sites and thus have negative impact.  While we can add these to a custom policy that will allow access, it is a bit of a whack-a-mole exercise in futility since sites are added to this list all the time.

Hiis it mandatory to provision on the tenant the users that will only have access to Browser Access apps? I mean, for third-party or contractors, that won’t install the Netskope Client and that only need access to browser access private apps, is needed to provision them via SCIM or manually?I have checked that having the user associated on the IdP, the user authenticates when trying to access the public URL of the BA private app, but if the user is not provisioned on the Netskope tenant, get a 401 error after authenticating even if the RTP policy allows “all users”The user only access the private app via BA after provisioning on the tenant. Is this correct? I wouldn’t like to provision all my contractors on the tenant Regards

Is anyone aware of a library of APIv2 scripts that can be shared?   Looking for scripts that can discover devices and details about them as well as automating some functions like URL list updates and such.

We see a discrepancy in file names being visible in DLP incidents. Currently we have a DLP policy to detect exfiltration of sensitive information using file converter tools. While we are getting the file information using forensics for https://www.sejda.com/, the same is not happening for ilovepdf and ilovepdf only captures “blob” as an object and does not show any information. Is this a known limitation? 

Hello Community,  we have an Netskope Elite offer for China and have difficulties to have WECOM working with Netskope. A lot of delay in the message exchange. Before going full bypass, which is a clear security problem for my company, I would like to know if someone managed to make this app compatible with Netskope.  Official doc: https://work.weixin.qq.com/h5app/wework_domain_ip/latest Thanks! Robin

In corporate environment there are scenario where endpoint machine needs to perform patching for their drivers, application, OS and sync-ing / upload files to corporate sanctioned file storage. How do we overcome the Advanced File Scanning’s DLP, File Profile and Threat Protection without editing the fall back behavior if we deem the destination or the source is sanctioned  ? I explore the options to use real time policy’s file constraints to overcome, however it seems to be not working just wish to check anyone have any idea to overcome it? Thanks in advance! 

Hello,Is there a way we can create dashboard to track all the endpoints that are enabled vs disabled and the observed trend on how often does a user disable the client and enable it again (for example)? Thank you,Jennifer

Are only predefined Profiles are Working? If Any Regex is there Kindly Provide!