Skip to main content
  • EN

Hello everyone,

We've seen a few questions lately about the best way to handle Netskope Client upgrades when you have a mixed environment of non-persistent VDIs and traditional laptops. A common challenge is that the same user might use both, but the upgrade strategy needs to be different for each.

Let's break down the problem and the best-practice solution.

 

The Challenge: Different Needs for Different Devices

 

  • Non-Persistent VDIs: You can't use the standard auto-upgrade feature from your Client Configuration. Any update applied during a session gets wiped when the VDI reverts to its golden image. Upgrades need to be manual and controlled.

  • Laptops: You want them to auto-upgrade. It’s the easiest way to keep your users on the latest client version and maintain your security posture with minimal effort.

So, how do you disable auto-upgrades for VDIs while keeping them enabled for laptops, especially when the same user logs into both?

 

The Solution: The autoupdate=off Installer Flag is Key!

 

The great news is that there's a built-in mechanism to handle this. The installation settings on the endpoint itself will override the settings in the user's Client Configuration. You can use this to your advantage by deploying the client differently on your VDI image versus your laptops.

1. For Your Non-Persistent VDI "Golden Image"

When you install the Netskope Client on your master image, use the autoupdate=off flag in your MSIExec command. This permanently disables the auto-update feature on any VDI that is spun up from this image.

Here are the commands you can use in your image creation workflow:

  • For UPN-based deployments:

    Bash 
    msiexec /I NSClient.msi host=addon-<tenant>.tregion].<tenant-domain> token=<Organization ID> mode=peruserconfig autoupdate=off /qn

  • For IdP-based deployments:

    Bash 
    msiexec /I NSClient.msi installmode=IDP mode=peruserconfig tenant=<tenant-name> domain=<domain> autoupdate=off /qn

What this does:

Every VDI session will start with a client that is hard-coded to ignore update commands from the Netskope cloud. You are now in full control, and you can update your VDI fleet simply by installing a newer client on your golden image during your next maintenance cycle.

2. For Your Laptops

For your laptops, just do the opposite! Deploy the client without the autoupdate=off flag. This way, the client will look to the user's assigned Client Configuration in the Netskope tenant and follow whatever update behavior you have defined there (e.g., "Latest Golden Release").

 

How Are Other Customers Handling This? (Best Practices)

 

This differentiated approach is the standard strategy used by most organizations. Many take it a step further by creating a phased rollout plan for upgrades using multiple Client Configurations. A typical setup looks like this:

  • VDI Fleet: Managed manually by updating the golden image. They remain on a specific, highly stable version.

  • IT / Test Group (Laptops): A Client Configuration set to the "Latest Release" to catch any potential issues.

  • Pilot Group / Early Adopters (Laptops): A Client Configuration set to the "Latest Golden Release."

  • General Population (Laptops): A Client Configuration set to a "Specific Golden Release" that has been fully vetted by the IT and Pilot groups.

This combination gives you the stability required for a VDI environment while allowing for a secure, agile, and automated upgrade process for the rest of your fleet.

Hope this helps clear things up! How are you all managing your VDI and laptop upgrades? Feel free to share your own experiences below.

Best,

Justin Forrest Sr. PAL

Be the first to reply!

Reply


Badges Winner

Show all badges

Not finding what you're looking for?

Don't be shy and let us know about your challenge.

Ask your question here!
Terms & ConditionsCookie settings