In case you missed the latest webinar in our Inside Netskope series—where Netskope experts show you how we protect our users, applications, and data using our own cloud-based architecture—a recording and recap of our recent session on “Managing Certificate Errors with Netskope Client” can be found below. Feel free to comment and continue the discussion!
Watch on-demand 
Q: Our recommendation from a Netskope implementation engineer was to keep developers in a steering configuration group that was only cloud apps, not all traffic. This doesn't seem like a feasible or secure option. Is this recommended to most all customers?
A: This is the initial approach to temporarily resolve the issue and keep things running. But as mentioned in the webinar, you will have to work with the developers and understand their traffic patterns to add the Netskope CA to tools to securely enable developers.
Q: There is a script that is available on your Support site but it doesn't appear to be updated often. Is this something that you all can maintain so that we can use those scripts to ease the burden?
A: You can find the updated script in the comments section of this post.
Q: Request CA bundle is not resolved many times and the solution file is also outdated. May we request you to please update it?
A: Please comment in this post about the issues you are facing and our team will reach out.
Q: VMs & Containers—if we are connecting to client VMs, company-provided asset, how are we going to address this issue?
A: As mentioned in the webinar, the Netskope CA Certificates must be trusted and imported into the VMs & Containers.
Q: We are having similar issues with Podman.
A: Please refer to this link to add Netskope CA certificates to Podman.
Q: Hello, team. Thank you for your presentation. I would like to know more about the certificate pinned applications that are released by Netskope such as Cisco Webex, Adobe Creative Cloud, etc. Those can be added in the Steering configuration and define whether to block or bypass. Do you know what the default behavior for a new cert pinned app issued by Netskope which is not added within the Steering Configuration is?
A: If Netskope adds a new default Certificate Pinned application, the default action would be 'Bypass'.
Q: Once 'Do not decrypt' applies to a domain, does it mean there are no logs for that domain at all?
A: Even if traffic is in DND mode, it should still be visible on SkopeIT → Page Events.
Q: How do you handle NPM-related SSL errors, because Support also does not have a solution for this issue? They suggest to bypass or create the cert pin app.
A: You can point NPM to a CA file; please refer here.
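As an added illustration of the answer above (not a Netskope script, and not code from the webinar), the following shell functions audit an .npmrc for the common strict-ssl=false workaround and replace it with npm's cafile setting. The function names are hypothetical and the file paths passed to them are placeholders for wherever your exported Netskope CA bundle lives.

```shell
#!/usr/bin/env bash
# Added example: make npm trust an inspection CA instead of disabling TLS checks.
# Function names are hypothetical; caller-supplied paths are placeholders.

# Return 0 if the file is readable and contains at least one PEM certificate.
is_pem_bundle() {
    [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print findings for an .npmrc. Returns 1 if certificate verification is
# disabled or no cafile is configured, 0 otherwise.
npmrc_audit() {
    local rc="$1" status=0
    [ -f "$rc" ] || { echo "missing: $rc"; return 1; }
    if grep -Eiq '^[[:space:]]*strict-ssl[[:space:]]*=[[:space:]]*false' "$rc"; then
        echo "strict-ssl=false disables certificate verification"
        status=1
    fi
    if ! grep -Eq '^[[:space:]]*cafile[[:space:]]*=' "$rc"; then
        echo "no cafile entry"
        status=1
    fi
    return "$status"
}

# Rewrite an .npmrc so npm verifies TLS against the given CA bundle.
# All other settings are preserved. Returns 2 if the bundle is not usable.
npmrc_trust_ca() {
    local rc="$1" ca="$2" tmp
    is_pem_bundle "$ca" || { echo "not a PEM certificate bundle: $ca" >&2; return 2; }
    tmp="$(mktemp)" || return 1
    # Drop any earlier cafile line and any strict-ssl override.
    if [ -f "$rc" ]; then
        grep -Eiv '^[[:space:]]*(cafile|strict-ssl)[[:space:]]*=' "$rc" > "$tmp" || true
    fi
    printf 'cafile=%s\n' "$ca" >> "$tmp"
    mv "$tmp" "$rc"
}

# Usage: script.sh <path-to-npmrc> <path-to-ca-bundle.pem>
if [ "$#" -eq 2 ]; then
    npmrc_trust_ca "$1" "$2" && npmrc_audit "$1"
fi
```
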
Q: Do you have any solutions where more than 500 developers are having an SSL issue?
A: As mentioned in the webinar, you will have to test and verify the solution and push it over MDM for this solution to work at scale.
Q: The thing is one user uses many apps. It's not practically possible to configure certificate for each and every application on thousands of systems without having a production impact.
A: As discussed in the webinar, an inventory of all the applications used is needed to effectively mitigate the issue. Not having a proper inventory of all the applications used by end users is not a security best practice and can possibly introduce multiple risks to the environment.
Q: Is there a HTTP response data field in the logs to see if the connect was HTTP response = 200 vs another response?
A: No, this is not part of the Netskope Client logs.
Some responses above contain roadmap items. These are intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Netskope’s products remains at the sole discretion of Netskope.