Skip to main content

dM8EuJ_ZbG6ImYOm9ge6Zzo8iyjGyFzCnS0fmTs1C1mdsepP-sQl1a0w_PK6blQwOjNLcsoslM0TYuN1WjoO8lsZIHYT69OdIpm7QpoTVC7ehKqkoDSjmsgMZ-HeKOtHhLPDDW5myHokpuFbYRDLfKw

Netskope Global Technical Success (GTS)

Case Insights - Device Classification

 

Netskope Cloud Version - 126

What is this article about?

As a new initiative, this report examines the most recurrent “How-to” questions raised by customers and managed by Netskope Global Technical Success (GTS) Team.

 

Netskope Device Classification

The most common issues raised by customers regarding Device Classification revolve around the logic applied within the rules and debugging its status.

 

Logic in Device Classification Rules (AND vs OR)

When configuring a Device Classification rule, the "Classification Criteria" setting offers two options: "All" or "Any." This setting determines whether all specified criteria must be met ("All") or if meeting any of the specified criteria ("Any") is sufficient for the rule to apply.

Path: Netskope Tenant UI >>> Manage >>> Device Classification >>> New Device Classification Rule

 

AD_4nXflSU-M7Buus_nVJodwxK8YmHi-lfuGYGcyIzp-vUJwAJG6gpCm5Fc3x9P92Wrna-eGGiOJHFVJRJP0wzD4sTbLjsX5ppxIzhCUwUoVkBWwqmwpO_H1X-UhCKxXnb9CDLevrHFdog?key=8rV6Rct7eIoChIAGYoFQTA

When "All" is selected, the criteria operate with AND logic. However, for criteria allowing multiple definitions, at least one of those definitions must be true. The diagram below illustrates this behaviour.

For instance:

AD_4nXd6bERR0tnfE9I6_LZXblNAlcUrCk6K19uc_9-pNDPI9Be4vdWk8PBL_nG3SzAac2HFaDttw60pkOLo4j6nTja2Iohs29Wm8C7POq7y7BxnV4Atr2gU3blNI-tlYANyBilgIs5n0g?key=8rV6Rct7eIoChIAGYoFQTA

This rule includes the conditions: (chrome.exe OR test.exe) AND (Windows 10 All). As a result:

 

chrome.exe

test.exe

Windows 10 all

Device Classification status

0

0

0

Unmanaged

0

0

1

Unmanaged

0

1

0

Unmanaged

0

1

1

Managed

1

0

0

Unmanaged

1

0

1

Managed

1

1

0

Unmanaged

1

1

1

Managed

 

Selecting "Any" activates an OR logic across all criteria. The diagram below illustrates this behaviour.

For example:

Based on the previous example, the rule logic would be: (chrome.exe OR test.exe) OR (Windows 10 All), As a result:

 

chrome.exe

test.exe

Windows 10 all

Device Classification status

0

0

0

Unmanaged

0

0

1

Managed

0

1

0

Managed

0

1

1

Managed

1

0

0

Managed

1

0

1

Managed

1

1

0

Managed

1

1

1

Managed

 

Debugging Device Classification Status

Netskope Client obtains all device classifications based on the operating system. This information is combined into a configuration file called nsdeviceid.json. The default logging level for Netskope Client is info, and when operating at this level, the resolution of each rule definition can be observed in the nsdebuglog.log file.

 

Criteria

nsdebuglog.log

Encryption

deviceId Disk encryption check: name <encryption name>, status 0|1

OPSWAT

#1: deviceId process check: status 0|1, name GearsAgentService.exe
#2: deviceId reg info: HKEY_LOCAL_MACHINE, SOFTWARE\OPSWAT\GEARS Client\Status, Policy, REG_DWORD
#3: deviceId reg check: status: 0|1

Registry

deviceId reg check: status: 0|1, data: <Data Value>

Process

deviceId process check: status 0|1, name <process name>.exe

File

deviceId File check: status 0|1 name <filename>.<file extension>

AD Domain

deviceId Domain check: status 0|1, name <AD Domain>

AV

nsUtil AVRunning status: 0|1

OS

deviceId OSVersion check: status 0|1

Certificate

deviceId Client cert check :status 0|1

 

ℹ️ 

  • Status codes for device classification: 0: Not found, 1: Found.
  • macOS:

/Library/Application Support/Netskope/STAgent/data/nsdeviceid.json

/Library/Application Support/Netskope/STAgent/Logs/nsdebuglog.log

  • Windows:

%programdata%\netskope\stagent\data\nsdeviceid.json

%programdata%\netskope\stagent\Logs\nsdebuglog.log

 

Where to check what was the last Device Classification applied?

End-User

By default, Netskope Client log level is in info while in debug, we could search for the following entries:

 

nsdebuglog.log

info tunnel.cpp:x nsTunnel DTLS Device classification status: managed

info tunnel.cpp:x nsTunnel DTLS Device classification custom status: <Device Classification name>

info tunnel.cpp:x nsTunnel DTLS Device classification custom status id: <Device Classification ID>

 

Or look for the heartbeat that Netskope Client sends with its status, this will be a json format,

 

info clientStatusHandler.cpp:x clientStatusHandler client status message {..."device_classification_status": "managed","device_classification_custom_status": "<Device Classification name>","device_classification_custom_status_id": <Device Classification ID>...}

 

nsAppUI.log

info config.cpp:10972 Config csessId x] Last dcStatus: managed

info config.cpp:10976 Config csessId x] Last custom dcStatus: <Device Classification name>

info config.cpp:10980 Config csessId x] Last custom dcStatusId: <Device Classification ID>

 

Also on the device, you can leverage nsdiag with --check-dc to force Netskope Client to run a device classification validation. For example:

Command: nsdiag.exe --check-dc

AD_4nXcdbgDdvY9Rj3aC4xxOY_j46FZQ9-8TmHXmB5LX9qPCIONYaw9eR0yKjUgchPl8cIK1DACG8LO3FXwfxpeN8IuYrpzzONlPvRBpCdbui8ghK2PZCcJKvVBlwrI2VN5IFkdM7yYSrQ?key=8rV6Rct7eIoChIAGYoFQTA

 

ℹ️ 

  • By default, Netskope Client checks its device classification when the user logs in, upon any network change, nsclient service restart, or system reboot.
  • When "Periodic Device Classification" is enabled via Client Configuration profile, admin can configure a value between 1-120 minutes.
 
  • macOS:

"/Users/<user>/Library/Logs/Netskope/nsAppUI.log"

"/Library/Application Support/Netskope/STAgent/nsdiag"

  • Windows:

%appdata%\Netskope\stagent\Logs\nsAppUI.log

%programfiles(x86)%\Netskope\STAgent\nsdiag.exe

 
  • When in debug level, Netskope Client will show each definition, whether or not it was found, and the result, for example:
 

debug deviceId.cpp:xxx deviceId result device info: {

    "device_classification_rules": {

        "win": {

            "reg_check": c

                {

                    "rootKey": "HKEY_LOCAL_MACHINE",

                    "key": "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion",

                    "value": "ProductName",

                    "type": "REG_SZ",

                    "data": "Windows Server 2016 Datacenter",

                    "status": "true"

                },

...

debug NSMsg2.cpp:xxx NSMSG2 detach msg

    "168": {

        "status": "managed",

        "custom_dc_status": "<Device Classification Name>"

    }

}

 

Netskope Tenant

Devices tagged by Device Classification are visible on the Devices page.

Path: Netskope Tenant UI >>> Settings >>> Security Cloud Platform >>> Devices

This information can also be found within the General Section of Application Events or Alerts.

Path: Netskope Tenant UI >>> SkopeIT >>> Application Events or Alerts.

ℹ️ Advanced Analytics distinguishes only between managed or unmanaged devices. It does not report/consume custom device classifications fields.

 

REST API V2

The endpoint /api/v2/events/datasearch/clientstatus can be used to pull device classification information.

Path: Netskope Tenant UI >>> Settings >>> Tools >>> REST API V2

REST API V1

The endpoint /api/v1/clients can be used to pull device classification information.

Path: Netskope Tenant UI >>> Settings >>> Tools >>> REST API V1

Helpful content

Device Classification

Using the REST API v2 Datasearch Endpoint

Get Client Data

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, it is possible that the application's functionality may be altered by the vendor. If any such changes are brought to our attention, we will promptly update the documentation to reflect them.

Notes
 

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.
Be the first to reply!