Tenant specific configuration
These configurations are shared across all users, because the users belong to one tenant. The Netskope client service loads them as soon as it starts and updates them on events such as a policy change or config change (checked periodically).
Config Location
Netskope-client for Windows stores these configurations in “%PROGRAMDATA%/netskopestagent”.
Netskope-client for macOS stores these configurations in “/Library/Application Support/Netskope/STAgent”.
Config Files
S.No. | Config File | Purpose | Fetching | Mandatory Config | API | Frequency | API Timeout |
---|---|---|---|---|---|---|---|
1 | nsconfig.json | Contains various tenant-level configurations | | Yes (default is generated) | v2/config/org/clientconfig?orgkey=<orgkey>&hashkey=<userkey>&tenantconfig=1 | | 10 Seconds |
2 | nsdomain.json | Provides the steering mode (CASB/Web) along with the domains to steer (CASB). Also has a config for dynamic steering | | Yes | (V6) steering_config_2 and dynamic Steering (V5) steering_config_2 (V4) | | |
3 | nscacert.pem | Netskope CA Certificate used as the root certificate | | Yes | config/ca/cert?hashkey=<userkey>&orgkey=<orgkey> | | |
4 | nstenantcert.pem | Tenant-specific Certificate used as an intermediate certificate | | Yes | config/org/cert?orgkey=<orgkey> | | |
5 | nsbypass.json | Provides a list of cert-pinned apps that need to be bypassed/blocked by the Client | | No | (V3) steering_config_2 and dynamic Steering (V2) steering_config_2 (V1) | | |
6 | nsexception.json | Provides a list of domains/subnets/IP addresses that need to be bypassed by the Client | | Yes | (V3) steering_config_2 and dynamic Steering (V2) steering_config_2 (V1) | | |
7 | nstunnelpolicy.json | Provides a set of apps and domains that need to be bypassed/blocked by the Client | | No | config/org/gettunnelpolicy?orgkey=<orgKey>&os=<OS> | | |
8 | nsoverlap.json | Provides the steering decision for the scenario where different SaaS services resolve to the same IP address | | No | config/getoverlappingdomainlist?orgkey=<OrgKey> | | |
9 | nsdeviceid.json | Lists the rules that need to be checked for device classification (managed, unmanaged, unknown, unconfigured) | | No | v2/config/org/getmanagedchecks?orgkey=<OrgKey>&os=<OS> | | |
10 | nsbypasscat.json | TBD | | No | (V2) steering_config_2 (V1) | | |
11 | certutil.json | Install the certificate in the Firefox cert store | For each logged-in user, when a Firefox installation or update is detected, the cert utils are downloaded (if not already downloaded) and certutil.json is created (containing the Firefox version) | No | config/getcertutil?orgkey=<OrgKey>&version=<FireFoxVersion>&os=<OS> | | |
12 | nsuserconfig.json | Used to identify a multi-user deployment | Generated locally during Netskope client installation | No (Yes in case of multi-user deployment) | N/A | | |
User-specific configuration
These configurations are specific to the logged-in user.
Config Location
For single-user mode deployment, these configurations are created at the same location as the tenant-specific configuration. For multi-user deployment, these files are located as follows:
- Netskope-client for Windows stores these configurations in “%APPDATA%/netskopestagent”.
- Netskope-client for macOS stores these configurations in “<Home Directory>/Library/Application Support/Netskope/STAgent”.
Config Files
S.No. | Config File | Purpose | Fetching | Mandatory Config | API | Frequency | Timeout |
---|---|---|---|---|---|---|---|
1 | nsbranding.json | This config is required to bootstrap the Client for each user. It uniquely identifies the user. | Downloaded (if not already present) on user login or on force config update (from nsdiag or UI) | Yes | Activation Key: config/useractivationkey/getbranding?tenantid=<TenantID>&userkey=<Userkey>&activationkey=<activationkey>&os=<os>; Install Params: api/v1/userconfig?token=<restToken>&email=<userEmail>&configtype=agent; IdP Enrollment: config/user/getbrandingbyemail?orgkey=<org key>&email=<email-id>; User Login (UPN): /config/user/getbrandingbyupn?orgkey=<orgKey>&upn=<username/UPN Hash> | One time during installation (single user); multiple times based on login events (per-user deployment or IdP deployment) | 10 Seconds |
2 | nsusercert.p12 | User-specific certificate, used to sign the tunnel | Downloaded on user login | Yes | v2/config/user/cert | | |
3 | eventcache.json | Used as a cache to store client status events | This config file is created locally (i.e. not downloaded) on user login, but it is used to push cached client status later. | No | v2/update/clientstatus | | 10 Seconds |
4 | nsdeviceidstatus.json | Used to store the device classification status obtained from an addon (by POST method) | Downloaded on user login if device classification rules are configured (see nsdeviceid.json above) | No | client/deviceclassification?orgKey=<OrgKey>&hashkey=<Userkey> | | 10 Seconds |
5 | nsuser.conf | Used to maintain client status and tunnel status | This file is generated locally, but certain configuration parameters like admin-force-enable-client are fetched during user login or on a force config update. | No | v3/support/client/post | Every 5 minutes | 10 Seconds |
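
An endpoint audit built from the two file tables above, as an added example (not Netskope code): it inventories a config directory and reports missing mandatory files, files the tables do not list, and certificate files whose SHA-256 differs from an earlier baseline. The function name, the report keys and the choice to flag certificate hash changes are assumptions of this example.

```python
import hashlib
import json
import os
from pathlib import Path

# File name -> mandatory flag, copied from the two tables on this page.
TENANT_FILES = {
    "nsconfig.json": True, "nsdomain.json": True, "nscacert.pem": True,
    "nstenantcert.pem": True, "nsbypass.json": False, "nsexception.json": True,
    "nstunnelpolicy.json": False, "nsoverlap.json": False,
    "nsdeviceid.json": False, "nsbypasscat.json": False, "certutil.json": False,
    "nsuserconfig.json": False,  # mandatory only in multi-user deployments
}
USER_FILES = {
    "nsbranding.json": True, "nsusercert.p12": True, "eventcache.json": False,
    "nsdeviceidstatus.json": False, "nsuser.conf": False,
}
# Root, intermediate and user certificates (assumption: a hash change in
# these is worth reviewing, while the JSON files change on policy updates).
CERT_FILES = {"nscacert.pem", "nstenantcert.pem", "nsusercert.p12"}


def audit_config_dir(directory, expected, baseline=None):
    """Inventory one config directory against the documented file set.

    baseline: optional {file name: sha256 hex} saved from an earlier run.
    """
    root = Path(directory)
    present = {p.name: p for p in root.iterdir() if p.is_file()} if root.is_dir() else {}
    report = {
        "missing_mandatory": sorted(n for n, must in expected.items()
                                    if must and n not in present),
        "unlisted": sorted(n for n in present if n not in expected),
        "sha256": {},
        "cert_changed": [],
    }
    for name in sorted(set(present) & set(expected)):
        digest = hashlib.sha256(present[name].read_bytes()).hexdigest()
        report["sha256"][name] = digest
        if baseline and name in CERT_FILES and baseline.get(name, digest) != digest:
            report["cert_changed"].append(name)
    return report


if __name__ == "__main__":
    # Windows tenant-level location from this page; use the macOS path there.
    tenant_dir = os.path.expandvars("%PROGRAMDATA%/netskopestagent")
    print(json.dumps(audit_config_dir(tenant_dir, TENANT_FILES), indent=2))
```

For a single-user deployment, where both file sets share one directory, pass `{**TENANT_FILES, **USER_FILES}` as `expected`. Files reported as `unlisted` are only absent from the tables on this page and are not necessarily unexpected.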
Addon API calls during user login
On user login, the Netskope client calls the Addon for the following APIs. These calls are made by design, and currently there is no config that can disable them:
- Download Admin settings (done to identify if we have config of a higher priority user group) and update nsconfig.json
- API to get support parameters
- Detect admin-force-enable of the client and update nsuser.conf
- Detect auto-uninstall
- Fast config syncing
- Client log upload
- Client user reconfigure
- Download user cert
- If device classification rules are configured, API to post device classification status and update nsdeviceidstatus.json