Hello, we are attempting to enable/disable Netskope using the command line on MacOS and Windows. Previous discussions surrounding this provided solutions that are not working in my environment:
For Windows:
Restart the Netskope client through Task manager or Services
From cmd (as admin): stagentsvc -stop
From cmd (as admin): stagentsvc -start
For Mac:
Restart the Netskope client from a Mac terminal window
> sudo launchctl unload /Library/LaunchDaemons/com.netskope.stagentsvc.plist
> sudo launchctl load /Library/LaunchDaemons/com.netskope.stagentsvc.plist
When running these commands in my environment, I'm met with the following errors in Windows and Mac respectively:
Windows: "Command not found" or
'stagentsvc' is not recognized as an internal or external command,
operable program or batch file.
Mac:
/Library/LaunchDaemons/com.netskope.stagentsvc.plist: No such file or directory
Unload failed: 2: No such file or directory
We are looking for same solution.
Hi @Indu, after doing some additional research I've come up with a potential solution on Macs. This workaround kills the Netskope process and renames the Netskope folder in Application Support, which successfully disables Netskope.
#!/bin/sh
# Rename Netskope Application Support Folder to break LaunchAgent
sudo mv /Library/Application Support/Netskope /Library/Application Support/Netskope_disabled
# Kill Netskope Process
sudo ps aux | grep Netskope | grep -v grep | awk '{ print "kill -9", $2 }' | sudo sh
echo "Netskope Process Killed"
echo 'Successfully disabled.'
Renaming the folder back to "Netskope" and reinstalling the NSClient PKG re-activates Netskope without any interaction from users!
If Netskope comes up with an official solution I'm all ears though 🙂
Hi @mpray
Interesting to have your comments here 😊
With R105 we've introduced a new flag that will automatically re-enable the client after restarting the service. This feature applies to user disabled clients and will not affect admin disabled clients.
overrideUserDisableAfterLogin
Release notes here.
Introduced a feature flag overrideUserDisableAfterLogin to override the user disabling Client after restart or logoff/login. When the flag is enabled and user disables the Client, it automatically enables the Client after the user:
Restarts the system, or
Logoff and login again
With that flag enabled these commands can be sent remotely and will result in the client being enabled.
If you have having difficulty running these commands you should open a support ticket to review. Just be sure you are running them with elevated privileges.
Requirement: Netskope Client Version R105 or above.
Work with your CSM/TSM/TAM/SE to get the flag enabled. Please request that "AutoStart NSClient with Reboot/Relogin" be enabled and they will be able to make that happen.
Does this feature flag require the 105 client or will it work with older clients? I tried testing this with 104 installed but with the feature flag enabled and it didn't work.
I forgot to mention that this feature applies to user disabled clients and will not affect admin disabled clients. Did you test against a user disabled client?
I've updated the my original reply to include this information.
Yes, we did a user disable - waited a couple hours and rebooted the laptop. The agent never re-enabled. We had to manually enable it. Again, it was a 104 build, not 105. So is 105 client a requirement in addition to the feature flag?
Yes, Netskope Client R105 or above is a requirement. I've opened a DOC ticket to get the release notes updated so that is clear. We will also update the release notes with some of the information I've provided in my post as to the name of the flag (overrideUserDisableAfterLogin is a backend flag that is not exposed in our frontend systems) as well as additional note and the condition of restarting the service.
Example of what your device page would look like when using this feature. I've disabled the client (user disabled), then logged out and logged back in. The status updates are posted from the client ~5min so I did wait, got the device update, then proceeded with the next step of testing.
Thanks mpray, R105 feature flag “AutoStart NSClient with Reboot/Relogin” comes close to our requirement. Additional to this, following powershell script every day (for users who don't reboot/re-login for days) can re-enable NS client with agent service restart.
$my_service_name = "stAgentSvc";
$my_service_status = (Get-Service $my_service_name).Status;
if ($my_service_status -eq "stopped")
{
Restart-Service stAgentSvc
}
The MacOS commands do not work on my device despite being on the correct version of Netskope. Do I need to have AutoStart NSClient with Reboot/Relogin enabled as well?
Above commands are for Windows.
Yes, feature flag "AutoStart NSClient with Reboot/Relogin" has to be enabled in the backend by Netskope Support to use those commands on Windows.
Thanks for the update @Indu ! An earlier post by @mpray included a screenshot with Terminal commands that can be run on Mac, suggesting this is possible on Mac as well.
My question was specifically asking if "AutoStart NSClient with Reboot/Relogin" is required for those Mac commands to work, as I have found that they do not work in my testing.
In my original post, I gave an example of the output of one of the Mac commands:
/Library/LaunchDaemons/com.netskope.stagentsvc.plist: No such file or directory
Unload failed: 2: No such file or directory
Hello,
Checking in on this? Any updates?
