
General Q/A - Certificate Pinned Application Steering Exceptions

  • June 26, 2025

Mandeep Singh
Netskope Employee


Netskope Global Technical Success (GTS)


 

Netskope Cloud Version - 127

 

Objective

Discuss general Questions & Answers related to Certificate Pinning Applications.

 

Prerequisite

Netskope SWG or Next-Gen SWG license

 

Context

The purpose of this document is to discuss and outline key facts, considerations, and recommendations related to steering exceptions for certificate pinned applications.

 

Q & A

  • Question 1: What is Traffic Steering?

Answer - Traffic steering refers to the process of directing your network traffic to Netskope for inspection and policy enforcement. There are several methods for forwarding traffic to Netskope, including Tunnels (such as GRE or IPSec), Netskope Client, Explicit Proxy, and Proxy Chaining. Among these methods, Netskope Client is recommended for end-user traffic.

 

  • Question 2:  What is Steering Exception?

Answer - When the Netskope Client is the steering method, the Steering Configuration contains a setting called "Steering Exceptions." It allows selected traffic to bypass forwarding to Netskope, and therefore policy enforcement. Steering Exceptions are categorized into:

  1. Application
  2. Category
  3. Certificate Pinned Applications
  4. Countries
  5. Destination Location
  6. DNS
  7. Domain
  8. Source Location

Each exception category has its own parameters and, more importantly, its own effect. For the categories "Domain," "Source Location," "Destination Location," "Certificate Pinned Applications," and "DNS," matching traffic is routed directly to its destination without being steered to Netskope. Transaction logs for that traffic exist only locally on the end-user machine, in the Netskope Client logs, and are not sent to the Netskope tenant.

Conversely, for the categories "Category" and "Countries," matching traffic is still sent to the Netskope data center, but no policy is enforced on it. Transaction logs are kept locally on the end-user machine and also on the Netskope tenant.

 

  • Question 3: What are Certificate Pinned Applications?

Answer - Certificate-pinned applications are apps that use certificate pinning: the application is built to accept only a specific, expected SSL/TLS certificate or public key for its server, as an additional check on top of normal certificate chain validation. Any other certificate is rejected, even one issued by a CA the device trusts, which is exactly what an inline TLS-decrypting proxy presents. It is a security technique used to prevent man-in-the-middle (MITM) attacks against the application's own traffic.

 

  • Question 4: Who is responsible for deciding whether an application will implement certificate pinning?

Answer - The application owner is responsible for deciding whether certificate pinning is implemented.

For example, Google Drive is a certificate-pinned application. Google has designed the app to trust only its own SSL/TLS certificates. As a result, if a third-party security solution attempts to perform SSL decryption—such as through a proxy or inspection tool—the app will detect the certificate mismatch and fail to connect. This behavior is intentional and serves as a security measure to prevent man-in-the-middle (MITM) attacks.
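The certificate mismatch described in Questions 3 and 4 can be made concrete with a public-key (SPKI) pin check. The following is an added example, not Netskope code and not the way Google Drive implements its pinning: it uses standard-library Python only, builds three unsigned certificate-shaped DER structures with a tiny encoder (a genuine leaf, a renewed leaf with the same key, and a leaf forged by an inspecting proxy with its own key), and shows that only the certificates carrying the pinned key are accepted. The domain `drive.example`, the key bytes and the serial numbers are constructed placeholders.

```python
"""SPKI pin check in the style of RFC 7469 ("sha256/<base64>" pins).

Added example, not Netskope code. A TLS-decrypting proxy must present a leaf
certificate that carries the proxy's own public key, so its SubjectPublicKeyInfo
(SPKI) hash never equals the pin compiled into the app, even when the device
trusts the proxy's CA. The certificates here are constructed, unsigned test
structures: a pin check looks only at the SPKI field, so no signature is needed.
"""
import base64
import hashlib


# ---- minimal DER helpers, used only to build the constructed test certificates ----
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def seq(*items: bytes) -> bytes:
    return der(0x30, b"".join(items))


def spki(pubkey: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    return seq(seq(rsa_oid, der(0x05, b"")), der(0x03, b"\x00" + pubkey))


def certificate(serial: int, subject: str, pubkey: bytes) -> bytes:
    """Certificate-shaped DER: only the tbsCertificate field order matters here.

    Names are simplified and the signature is a placeholder, so this is not a
    valid X.509 certificate; it is enough to exercise the SPKI extraction.
    """
    sha256_rsa = seq(der(0x06, bytes.fromhex("2a864886f70d01010b")), der(0x05, b""))
    cn = der(0x06, bytes.fromhex("550403"))                       # id-at-commonName
    name = seq(der(0x31, seq(cn, der(0x0C, subject.encode()))))   # SEQUENCE { SET { SEQUENCE { oid, value } } }
    tbs = seq(
        der(0xA0, der(0x02, b"\x02")),                            # [0] version v3
        der(0x02, serial.to_bytes(2, "big")),                     # serialNumber
        sha256_rsa,                                               # signature algorithm
        name,                                                     # issuer
        seq(der(0x17, b"250101000000Z"), der(0x17, b"260101000000Z")),  # validity
        name,                                                     # subject
        spki(pubkey),                                             # subjectPublicKeyInfo
    )
    return seq(tbs, sha256_rsa, der(0x03, b"\x00" * 9))          # placeholder signature


# ---- the pin check itself ----
def _tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) of the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER bytes of subjectPublicKeyInfo from an X.509 certificate."""
    _, cert_start, _ = _tlv(cert_der, 0)            # outer Certificate SEQUENCE
    _, pos, tbs_end = _tlv(cert_der, cert_start)     # tbsCertificate SEQUENCE
    fields = []
    while pos < tbs_end:
        tag, _, end = _tlv(cert_der, pos)
        fields.append((tag, pos, end))              # (tag, element start, element end)
        pos = end
    if fields[0][0] == 0xA0:                         # optional explicit version
        fields.pop(0)
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, start, end = fields[5]
    return cert_der[start:end]


def spki_pin(cert_der: bytes) -> str:
    """RFC 7469 style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode()


def pinned_client_accepts(cert_der: bytes, pins: set) -> bool:
    """What a pinning client does after chain validation: accept only a pinned key."""
    return spki_pin(cert_der) in pins


# ---- constructed scenario ----
ORIGIN_KEY = bytes.fromhex("a1" * 64)   # placeholder for the app vendor's public key bytes
PROXY_KEY = bytes.fromhex("b2" * 64)    # the inspecting proxy's key, used to forge leaf certs
ORIGIN_CERT = certificate(1001, "drive.example", ORIGIN_KEY)    # genuine leaf
RENEWED_CERT = certificate(1002, "drive.example", ORIGIN_KEY)   # renewed leaf, same key
FORGED_CERT = certificate(7, "drive.example", PROXY_KEY)        # presented by the proxy
APP_PINS = {spki_pin(ORIGIN_CERT)}                              # pin set shipped inside the app

if __name__ == "__main__":
    for label, cert in (("origin", ORIGIN_CERT), ("renewed", RENEWED_CERT), ("proxy-forged", FORGED_CERT)):
        verdict = "connect" if pinned_client_accepts(cert, APP_PINS) else "ABORT"
        print(f"{label:13s} {spki_pin(cert)} -> {verdict}")
```

Two points this makes that the prose only implies: the pin survives an ordinary certificate renewal as long as the server key is unchanged, so a pinned app is not fragile in normal operation, and the proxy's forged leaf is rejected regardless of whether its issuing CA is in the device trust store, which is why installing the Netskope root on the endpoint does not make a pinned native agent work through decryption.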

 

  • Question 5: According to Netskope, how many internet applications use certificate pinning?

Answer - 

  1. Netskope does not maintain comprehensive data on the number of internet applications that use certificate pinning.
  2. However, as of June 26, 2025, Netskope has identified approximately 52 applications commonly used in enterprise environments that use certificate pinning and by default, these applications are included in Steering Exceptions.


 

  • Question 6: What is Netskope recommendation for these default Certificate Pinned Applications?

Answer - 

  1. Review the default list of certificate-pinned applications.
  2. Identify which applications are sanctioned and which are unsanctioned.
  3. Remove all unsanctioned applications from the list.
  4. For sanctioned applications, the customer must decide whether to maintain the steering exception or enforce SSL decryption.

For example, if a sanctioned application can be accessed both through a web browser and its native agent, and end users prefer the native agent, it is strongly recommended that the administrator evaluate the business justification for using the native agent. Because the sanctioned application uses certificate pinning, traffic from the native agent will be bypassed by the Netskope Client, leaving no visibility into user actions in that traffic.

 

  • Question 7: What kind of traffic is matched against certificate-pinned applications?

Answer - Traffic generated by a native application agent is subject to steering exceptions, whereas browser-generated traffic is not bypassed.

For example, Google Drive can be accessed both through a web browser and its native agent. By default, Google Drive’s native application is included in the list of certificate-pinned applications, meaning that any traffic originating from the native app will bypass the Netskope Client. In contrast, traffic to Google Drive generated through a browser will be routed through the Netskope Client for inspection and policy enforcement.

 

  • Question 8: Will any transaction be recorded for traffic bypassed by the Netskope Client due to certificate pinned applications?

Answer - With the current Netskope product design, no transaction records will be available on the Netskope tenant for bypassed traffic due to certificate pinned applications steering exception. All transaction logs for such traffic are stored locally on the end-user’s machine within the Netskope Client logs.

 

Workaround

Bypass + Tunnel Mode


  • In Tunnel mode, traffic is routed through the Netskope Client to a Netskope data centre. There, the traffic is NATed (Network Address Translated) and forwarded to its destination. While no Netskope security policies are enforced on this traffic, Netskope still retains visibility into it. This allows the traffic to be logged in Skope IT, providing valuable transaction-level insights without applying policy controls.
  • A key difference with Tunnel mode is that the destination sees a Netskope public IP address as the source, rather than the end user's original public IP. Without Tunnel mode, the destination sees the user's public IP directly. Check any destination-side controls keyed on the organization's own egress IPs (IP allow-lists, conditional access rules) before enabling Tunnel mode for an application.

 

  • Question 9: How often does Netskope introduce new certificate pinned applications?

Answer - Netskope Product Management adds new certificate pinned applications from time to time, based on ongoing analysis. When a new certificate-pinned application is introduced, customers receive a notification directly within their Netskope tenant. The administrator at the customer end has to take the required action.


 

  • Question 10: Some customers have reported that they do not receive these notifications within their Netskope tenant when new certificate-pinned applications are introduced. Why?

Answer - This is typically due to a configuration setting within the Netskope tenant that controls how certificate pinned app updates are handled. Most likely 'Skip' has been selected; the default is 'Ask me'.

Reference


This setting applies to all future certificate pinned app updates: new apps and changes to existing apps.

 

Ask Me - Ask me whenever there are updates in the release (Default).

Skip - Add the app to the default steering configuration only.

Bypass - Add the app as a 'Bypass' exception to all steering configurations.

 

  • Question 11: Is it possible to create user based steering exceptions?

Answer - Steering exceptions are part of Steering Configuration. With the current Netskope product design, Steering Configurations can only be applied at the Organizational Unit (OU) or User Group level. Therefore, if you create a dedicated user group for a specific user and apply a separate Steering Configuration to that group, then yes—user-based steering exceptions are possible through this approach.

 

  • Question 12: A customer wants their end users to use the native agent of an application that uses certificate pinning, and to ensure the native application functions properly, they have implemented an SSL bypass policy. What is Netskope’s stance on this?

Answer - According to Netskope best practices, this approach is not recommended. An SSL decryption bypass is keyed on URLs and domains rather than on the application that generated the traffic, so any browser-based traffic to the same URLs and domains is also exempted from SSL decryption and policy enforcement. That is a much wider gap than the certificate-pinned application exception, which affects only the native agent's traffic.
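The difference between a process-keyed exception (Question 7), its logging consequence (Question 8), the Bypass + Tunnel workaround, and a domain-keyed SSL bypass (Question 12) is easy to state but easy to get wrong when two teams configure them independently. The following is an added example, not Netskope code, configuration, or its actual matching logic: a simplified model built only from the statements in this article, with constructed process names, domains and flows, that evaluates the same three flows under each option and lists which browser flows lose policy enforcement.

```python
"""Which traffic each kind of bypass catches: process-keyed vs domain-keyed.

Added example, not Netskope code or configuration. It models only what the
article states: a Certificate Pinned Applications steering exception matches
the process that generated the traffic (the native agent), so browser traffic
to the same domain is still steered and inspected (Question 7) and the bypassed
traffic is logged only locally (Question 8); Bypass + Tunnel mode carries that
traffic to the data center without policy but with Skope IT logging
(Workaround); an SSL-decryption bypass matches the destination domain, so
browser sessions to that domain lose decryption and policy too (Question 12).
Process names, domains and flows below are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Flow:
    process: str   # executable that opened the connection
    domain: str    # destination host (TLS SNI)


@dataclass(frozen=True)
class Outcome:
    steered: bool               # forwarded to a Netskope data center at all
    decrypted: bool             # TLS inspected; a pinned app fails if True
    policy: bool                # real-time policy enforced
    tenant_log: Optional[bool]  # transaction visible in the tenant; None = not stated in the article


PINNED_PROCESSES = {"driveagent.exe"}                      # constructed native-agent process name
SSL_BYPASS_DOMAINS = {"drive.example", "api.drive.example"}  # constructed domains of the same app
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

Decider = Callable[[Flow], Outcome]
INSPECTED = Outcome(steered=True, decrypted=True, policy=True, tenant_log=True)


def cert_pinned_exception(flow: Flow) -> Outcome:
    """Default handling: the listed native agent is bypassed entirely (Questions 7 and 8)."""
    if flow.process.lower() in PINNED_PROCESSES:
        return Outcome(steered=False, decrypted=False, policy=False, tenant_log=False)
    return INSPECTED


def cert_pinned_tunnel_mode(flow: Flow) -> Outcome:
    """Bypass + Tunnel mode: steered and NATed, no decryption or policy, logged in Skope IT."""
    if flow.process.lower() in PINNED_PROCESSES:
        return Outcome(steered=True, decrypted=False, policy=False, tenant_log=True)
    return INSPECTED


def ssl_bypass_policy(flow: Flow) -> Outcome:
    """The approach Question 12 warns against: exemption keyed on the destination domain."""
    if flow.domain.lower() in SSL_BYPASS_DOMAINS:
        return Outcome(steered=True, decrypted=False, policy=False, tenant_log=None)
    return INSPECTED


def unprotected_browser_flows(flows: List[Flow], decide: Decider) -> List[Flow]:
    """Browser-originated flows that the chosen bypass leaves without policy enforcement."""
    return [f for f in flows if f.process.lower() in BROWSERS and not decide(f).policy]


def pinned_app_works(flows: List[Flow], decide: Decider) -> bool:
    """A pinned native agent connects only when nothing in the path decrypts its TLS."""
    return all(not decide(f).decrypted for f in flows if f.process.lower() in PINNED_PROCESSES)


# Constructed sample: native agent and browser hitting the same domain, plus a control flow.
FLOWS = [
    Flow("driveagent.exe", "drive.example"),
    Flow("chrome.exe", "drive.example"),
    Flow("chrome.exe", "files.other.example"),
]

OPTIONS = {
    "cert-pinned exception": cert_pinned_exception,
    "cert-pinned + tunnel mode": cert_pinned_tunnel_mode,
    "SSL bypass on domain": ssl_bypass_policy,
}

if __name__ == "__main__":
    for name, decide in OPTIONS.items():
        lost = [f"{f.process}->{f.domain}" for f in unprotected_browser_flows(FLOWS, decide)]
        print(f"{name:26s} app works={pinned_app_works(FLOWS, decide)}  browser flows without policy={lost}")
```

All three options keep the pinned agent working, which is why the SSL bypass looks attractive at first; only the domain-keyed one also strips policy from the browser session to the same domain, and only the first option leaves the tenant with no transaction record at all.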

 

Author Notes

  • Netskope’s foremost recommendation is to decrypt as much SSL traffic as possible, allowing customers to enforce policies effectively and ensure comprehensive visibility into network traffic.
  • The customer’s administrator is responsible for determining which traffic should be bypassed. In cases where an application can be accessed both through a browser and a native agent—and the end user prefers the native agent—it is strongly recommended that the administrator evaluate the business justification for using the native agent. This is important because if the application uses certificate pinning, traffic from the native agent will be bypassed by the Netskope Client, resulting in no visibility into user actions for that traffic.

 

Terms and Conditions

  • All documented information undergoes testing and verification to ensure accuracy.
  • In the future, if any such platform changes are brought to our attention, we will promptly update the documentation to reflect them.

 

Notes

  • This article is authored by Netskope Global Technical Success (GTS).
  • For any further inquiries related to this article, please contact Netskope GTS by submitting a support case with 'Case Type – How To Questions'.