Unanswered questions

Hello,I have a DLP policy that blocks the upload of unlabeled documents. The issue I’m facing is that when I try to upload a PPTX file that is labeled with Microsoft Purview Information Protection (MPIP), the upload is blocked by this policy.It’s important to note that not all PPTX files are blocked—only some of them.What I’ve noticed is that, for the blocked files, the “True file type” is detected as “ZIP archive.” In contrast, for files where the label is recognized and the upload is allowed, the “True file type” is shown as “Microsoft PowerPoint 2007 XML.”Has anyone encountered this problem before? Your help would be very much appreciated.Thanks, 

Hello,I am running VirtualBox in NAT mode on my machine with the Netskope Client installed on the host. The VMs inside VirtualBox are failing to connect or update due to SSL/Certificate errors caused by Netskope's inspection.I want to bypass SSL Decryption specifically for the VirtualBox application, but I do not want to bypass traffic for the whole machine or use a broad IP-based exception. Thanks.

What is currently supported to passthrough Phish-Resistant MFA methods like passkeys from unmanaged devices over Reverse proxy, universal reverse proxy and NPA browser access steering methods? We are moving to enforcing phish-resistanct MFA and need to understand what is supported and what has been tested. If this is not currently supported, is this on the roadmap or would this require the use of enterprise browser?  

Does anyone know what the “Export User Key” is used for in Netskope? This feature is located in Setting>Security Cloud Platform>User section?I could not find any documentation on the use case for this feature. I’ve attached the screenshot below.  Is there a place to store the json file once the user key is downloaded?  Thanks.  

Use Case: Create reporting to show users who are and those who are not using paid subscriptions Assume there's three AD groups, each targeting a specific AI tool. For this example, we can say Copilot 365, Claude and ChatGPT.  Please help provide guidance to create resorting/dashboards for this example use case.

Summary.Reviewed https://community.netskope.com/casb-swg-inline-92/netskope-inline-dlp-with-microsoft-information-protect-mip-labels-6942?tid=6942&fid=92It is clear from this article, that we could label a document Confidential, put in a DLP policy that blocks the label "Confidental" into public AI sites, and that document would be prevented (when used in appropriate specific connector situations, with possible adherence to generic connectors.But the question is - if someone were to copy and paste text from a labeled document, and directly pasted it into a prompt, would the DLP block still occur?

EntraIDやjamf　Proでマルチユーザーモードでの展開方法が知りたい

Team,Good morning. Is there a reason I'm getting DNS Leakage? Did I forget something in my configuration  See screenshots below.  All "DNS Traffic" is enabled in the steering configuration. DNS Profile is configured with resolver IP of 162.10.1.1 Real-Time Policy is configured. Thanks.  Expand Post

Hello Team,I am working on SSL inspection with Netskope in our organization (Bogotá, Colombia) and encountered the following issue when accessing a specific domain: Domain: jarvis.grupokonecta.co Netskope error message excerpt: IncompleteCertChain (unable to get local issuer certificate) … Blocked by SSL_INCOMPLETE_CHAIN Verification error: unable to get certificate for issuer = ‘/C=BE/O=GlobalSign nv-sa/CN=GlobalSign GCC R3 DV TLS CA 2020’, subject = ‘/CN=.grupokonecta.co’, altnames = DNS:.grupokonecta.co, DNS:grupokonecta.co’, caissuers = ‘http://secure.globalsign.com/cacert/gsgccr3dvtlsca2020.crt’, sslerrdesc = ‘unable to get local issuer certificate’ I have verified via openssl s_client -connect jarvis.grupokonecta.co:443 -servername jarvis.grupokonecta.co -showcerts and online tools such as SSL Labs, and indeed the certificate chain appears incomplete (missing or not served correctly by the server). What we have reviewed so far: The server certificate for *.grupokonecta.co i

Every time we deploy an Intune image to a new device, the Netskope client registers but will fail when downloading the client configuration.  We have to manually uninstall the client and then send a new invite to the user to reinstall the client.

Thee following topic covering how to block Google AI mode has been posted )How to Block Google AI Mode? | Community ) but now with Google presenting poor quality AI responses via “AI Overview” on nearly all AI searches, we are looking for a way to block these search results without completely blocking Google Search.There is a known way to block “AI Overview” by appending “&udm=14” to the search request URI, however Netskope does not appear to have any support for inline modification of URI’s. Has anyone been able to work around this limitation or found another way (such as HTTP header insertion) to block the “AI Overview”? 

■ご質問内容・F/Wなどで除外しないとIntune条件付きアクセスでMacOSが正しく判定できない場合のNetskopeの設定方法 ■大前提条件・Jamf ProとMicrosoft社のIntuneを連携して利用しております。 ■問題点１）MacOSに限りEntraID時でNetskopeを無効化しなければデバイス情報をMicrosoft社に渡せなく　　EntraIDの準拠がされない状況が発生しております。　　⇒対応策：弊社ではEntraIDに登録時にはNetskopeを無効化して準拠している。　　　　　　　  準拠後はNetskopeを有効化している。 ２）Microsoft社 Intune条件付きアクセスで準拠したMacOSに限りSharepoint上のページにアクセスする場合　　デバイス情報をIntune側に渡せなくてデバイス登録をしてくださいとエラーが発生してしまいます。　⇒対応策：一時的に条件付きアクセスのサイトでアクセスする場合はNetskopeを無効化しております。

Hi Team, Is it possible to integrate/ install AD agent so that we can apply client configuration based on OU. and Use Entra ID integration for SSO? Just for Sign-in.  Possible that we can use OU to provide access to private resources.? One way is to create groups and provide access to private resources and apply client configuration group or all users. Since we have multiple branch offices. we need to create many Groups and import in Entra ID.  So wondering if we can enable private access based on OU and apply client configuration based on OU as well.

Does anyone have any experience with allowing Partner Access for a 3rd party? We are thinking through building out device classification rules for a potential Partner Access use-case and it got me thinking about this topic. what will we see in Devices in our tenant for these devices? I assume we won’t have any “enable”/”disable” options but want to be sure safeguarding our partner safeguarding our environment

Starting a few months ago our company users have reported consistent and numerous blocks by Google to access our own Workspace tenant apps (Google Admin, Gemini, Gdrive, etc). The message received by the users say, “Our systems have detected unusual traffic from your computer network. Please try your request again later.” It then presents your network IP and says it does not equal the Netskope POP IP (e.g. 10.10.10.10 ≠ 163.116.140.55). This implies that Google no longer trusts the Netskope POP subnets and see’s the proxied traffic as a risk. Is Netskope aware of this issue and are you working with Google to remediate it? Thanks 

It seems that users under SkopeIT are only displayed when accessing Cloud Apps or the Web.Events from Cloud Firewall or Private Apps are not included, resulting in limited visibility.Do you have any suggestions on how we can monitor user activity in these cases?

Use case: Our Support team can connect other users’ laptop with AOVPN feature but with zero Trust is blocking the admin drive access.In this user case, Support team can access the laptop CAL-XXX for Admin related activities but with Zero trust its not possible so what is the alternative solution? Is there any tool ? which can be used 

When running a query against “/api/v2/infrastructure/publishers” the list of to be returned fields can be attached. However it seems that only fields from the first level of the JSON can be selected. Does anyone know, if other fields e.g. assessment[latency], can be referenced in the field-list as well? And how? Thanks Timo

Overview Some environments using Netskope Client may encounter SSL or certificate validation issues when running Google Cloud CLI (gcloud) commands.This happens because gcloud relies on its own embedded cacert.pem bundle (under the SDK’s certifi package), which doesn’t automatically include enterprise root certificates — such as Netskope’s Root CA. Important note about bypassing *.googleapis.com In many enterprise deployments administrators add bypass rules for *.googleapis.com (so some Google APIs are sent directly to Google). However, simply configuring core/custom_ca_certs_file with only the Netskope root certificate — or relying only on the Netskope root in a custom bundle — frequently does not resolve SSL errors for these bypassed domains.Why this happens (observed behaviour):After a bypass, the TLS connection may be negotiated directly with Google (or with different certificate chains), or the client and the SDK may expect the full set of public root CAs. If only the Netskope roo

Why sometimes on-premise detection shows “remote" and sometimes it shows “off-premise” when users are not in intranet, such as office environment.

There a lot of AI based browesrs, the likes of Comet by Perplexity, Atlas by Chatgpt etc. which have their own security parameters yet to be assessed and considered safe for use by Corporate Employees. There seem to be no pre defined category and these browsers are not yet identified as applications in Netskope. Is there a workaround to be able to block the applications?

Hi there, I want to use Workato to create an Automation with Netksope. Specifically the OTP feature for disabling internet security. Aim:1. User clicks Disable Internet Security2. Launches web page to enter email address3. Email sends OTP or next page provides OTPSomething along the lines of the above. Can someone share if they have done something similar (with another Automation platform too) or can someone share what I would need for this?

Can we use Netskope NPA to enforce all user sessions to authenticate to all private applications using MFA (using our organization’s IdP)? Let’s say some of our internal applications do not support SSO and we wanted to use NPA to force users to authenticate using MFA (just for those apps that do not support SSO) How can we do that? Can we use Netskope SWG/CASB to do the same for external cloud/SaaS/web applications? In other words, enforce MFA (through our IdP) when those applications are not able to directly support our SSO?Any ideas on how to make this happen with Netskope NPA and SWG/CASB? Thanks!

I have a regex URL list that blocks ai mode in Chrome but I cannot get the AI Mode button in the search bar to block or disable.  I reached out to our CSM who said they in turned reached out the the product team.  It sounds like this is in the works already but we want to block before waiting for their update.  Does anyone have any thoughts on how to do this?  I identified where the  element is within Developer Tools but of course changing that from false to true is temporary.  Injection JavaScript is beyond my scope.  Looking for any help anyone might have.  Thank you.