Netskope Client For Windows
The MSIEXEC command is used to mass deploy Netskope Client (MSI packages) on Windows devices.
Supported Operating Systems
Refer to Netskope Client Supported OS and Platform to understand the supported versions for Windows.
Download Client Packages
You can download Netskope client installers from Download Netskope Client and Scripts.
MSIEXEC Command Format
The generic format of MSIEXEC command to install Client is as follows:
msiexec /I NSClient.msi host=addon-<tenant>[.region].goskope.com [token]=<Organization ID> [installmode=IDP] [mode=peruserconfig [userconfiglocation=<path>]] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]
Note
The parameters in the above command may vary according to the deployment mode used in your script.
For example, use the following command to install Netskope Client in a multi-user system with an auto-update option:
msiexec /I NSClient.msi host=addon-corp.goskope.com token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig autoupdate=on /l*v %PUBLIC%\nscinstall.log
Note
Enter the command in a single line without any line-breaks.
Parameter | Description |
|---|---|
/i | Optional Command. Refers to normal installation type. |
mode | Optional parameter. Use |
prelogonuser | Optional parameter. Use |
installmode | Optional parameter. Use |
userconfiglocation | Specifies the user-specific directory used for storing the user configuration. It is recommended to use default value unless user's home directories are hosted on external file servers or network shares. This is recommended to be used only for the multi-user environment. This is an optional parameter. By default the path is %AppData%\Netskope\STAgent. Note The path can be an absolute path, a network share, or a path having environment variables.
|
fail-close | Optional parameter. If fail-close is not present, the client will honor Web UI "fail close" client configuration.
|
autoupdate |
|
token | Enter your organization ID here. To find your organization ID.
|
host | Enter the addon URL of your tenant. For example: if your tenant URL is example.goskope.com, then your addon URL is = addon-example.goskope.com |
domain | Enter the domain URL= [region.]goskope.com during IDP enrollment. |
tenant | Enter the tenant name. |
/l*v | The log file path. |
/qn | Use this option for silent installation. |
Note
The /j option is not supported while using the msiexec command for Netskope Client installation.
A few other examples for the Client installation are as follows:
Single-User Mode Installation for Domain-joined Endpoints: System-level enrollment including local non-AD accounts; auto-enrolled one time based on the UPN of the first domain user to log in.
msiexec /I NSClient.msi host=addon-<tenant>[.region].goskope.com token=<Organization ID>
Example:
msiexec /I NSClient.msi host=addon-corp.goskope.com token=ifxqWJDBVoLFxmAUq36vMulti-User Mode Installation for Domain-joined Endpoints: Per-user enrollment; each user auto-enrolled at login based on their UPN.
msiexec /I NSClient.msi host=addon-<tenant>[.region].goskope.com token=<Organization ID> mode=peruserconfig
Example:
msiexec /I NSClient.msi host=addon-corp.goskope.com token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig
Netskope Client Deployment Commands
Microsoft Endpoint Configuration Manager
msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off].
To learn more, view Microsoft Endpoint Configuration Manager.
VMware Workspace One
msiexec /I NSClient.msi installmode=idP tenant=corp domain=eu.example.com /qn
To learn more, view VMware Workspace ONE.
IDP For Client Deployment
This includes two modes:
Single-User Mode Installation for IdP-based Enrollment: System-level enrollment based on the first user to enroll the Client via
IdP.msiexec /I NSClient.msi tenant=<tenant> domain=[region.]goskope.com installmode=IDPExample:
msiexec /I NSClient.msi tenant=corp domain=eu.goskope.com installmode=IDPMulti-User Mode Installation for IdP-based Enrollment: Per-user enrollment; each user must enroll the Client via IdP.
msiexec /I NSClient.msi tenant=<tenant> domain=[region.]goskope.com installmode=IDP mode=peruserconfigExample:
msiexec /I NSClient.msi tenant=corp domain=eu.goskope.com installmode=IDP mode=peruserconfig
To learn more, view Deploy Netskope Client via IdP.
Microsoft Intune
Use the Command-Line arguments: token=<organization id> host=addon- <tenant-name> .goskope.com mode=peruserconfig (Use peruserconfig only for multi-user environments) autoupdate=on (only applicable if you want the client to auto-update) /qn
To learn more, view Deploy Client On Windows Using Intune
Microsoft Group Policy Object (GPO)
You can deploy Netskope Client to Active Directory (AD) joined devices via Microsoft GPO using a script based or MST based deployment option.
To learn more, view Microsoft Group Policy Object (GPO)
Prelogon Connectivity for Netskope Private Access
To install and enable the Netskope Client for Netskope Private Access Prelogon connectivity, use these commands.
For single user mode
The user needs to be different for each Client config. For example:
Client config1
msiexec /I NSClient.msi token=<token> host=<host> prelogonuser=user1@prelogon.netskope.com
Client config2
msiexec /I NSClient.msi token=<token> host=<host> prelogonuser=user2@prelogon.netskope.com
For per user mode
For per user mode, different Client configs also have different prelogon users.
msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <prelogonuser=user1@prelogon.netskope.com
msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <prelogonuser=user2@prelogon.netskope.com
Uninstall Netskope Client
To uninstall Client from Settings in Windows:
Go to Start > Settings > Apps > Apps & Features.
Find and select the Netskope Client app.
Click Uninstall.
You are prompted to enter your administrative credentials at this point.
Click OK.
The Netskope Client is uninstalled from your machine.
You can check Apps & features under Apps to ensure that the Netskope Client is uninstalled from your device. To learn more about uninstalling Client from other features in Windows, view Uninstall Apps in Windows.
The Password protection for client uninstallation and service stop option under Client Configuration > Tamperproof lets the administrator restrict unauthorized uninstallation of Client by the end users. The end user must know the password set by the administrator while uninstalling the Client. To learn more, view Netskope Client Configuration
Netskope Client Auto-Restart
In instances where the user forgets to enable a Client after disabling it, Netskope set a feature flag AutoStart NSClient with Reboot/Relogin to enable the Netskope Client. After the administrator enables the feature flag, the Netskope Client is enabled after the user restarts the system or the user logs off and logs in again.
Note
Contact Netskope Support to enable this feature for your tenant.
This feature is available only for Windows and macOS devices.
Administrator cannot use this feature flag for NPA services.
Netskope Client Auto-Upgrade Failures and Rollback
In certain situations, the Netskope Client may be susceptible to various issues during the auto-upgrade process and the Client installer needs to handle the failure and revert to the previous version.
Client Upgrade or Uninstallation Failure
In the event of any upgrade/uninstall failures, the Netskope Client rollback to the previous version of the client thereby preventing the removal of the Client from the end-user device.
In the event of a Client upgrade failure, the Client installer reverts to the previously installed version.
In the event of a Client uninstallation failure, the Client installer reverts to the installed version.
Important
The auto-rollback during Client upgrade is available only from Client version 103.0.0 and later. For example, in the event of a failure during the Client upgrade from version 103.0.0 to 104.0.0, the Client automatically rollback to the version 103.0.0. However, the Client is removed for end-user devices running Client versions below 103.0.0.
You can go to Settings > Security Cloud Platform > Netskope Client > Devices to view the events displayed during the Client upgrade failure. Click the device name to view the related events and the corresponding details. The following table lists the different events displayed in the event of a Client upgrade or uninstallation:
Event | Event Details |
|---|---|
Installed | Installed client version 'x' |
Uninstalled | Uninstalled client version 'x' |
Installation Failure | Failed to install client version 'x' - < reason for failure> |
Uninstallation Failure | Failed to uninstall client version 'x' - < reason for failure > |
Upgraded | Upgraded from client version ‘x' to 'y’ |
Upgrade Failure | Failed to upgrade from ‘x' to 'y’ - < Reason for failure > |
Rollback Success | Rolled back to client version 'x' |
Rollback Failure | Failed to rollback to client version 'x' |
Rollback Success, Upgrade Failure, Installed
 |
Rollback Failure
 |
Uninstalled, Uninstallation Failure
 |
Upgraded
 |
Client Upgrade Failure During System Restart/ Shutdown/ Hard Reboot/ Power Failure
There are occurrences where the auto-upgrade processes gets impacted due to unplanned events such as:
System restart
Shutdown
Crash
Hard reboot
Power failure
 |
To eliminate this issue, during the upgrade process, Netskope creates an installation monitor service stAgentSvcMon.exe that is a copy of the existing Netskope Client Services, with limited functionality. The installation monitor service relaunches the Client installation process on the end-user device whenever the auto-upgrade process is interrupted by system restart/crash/shutdown/hard-reboot/power failure. Once the auto-upgrade process is completed, this monitor service is removed from the endpoint.
However, there are a few limitations that would stop the monitor service from relaunching the Client installation process. Refer to the following table to learn more:
Scenario | Client Behavior |
|---|---|
Consecutive system restart during the auto-upgrade process | The monitor service stops the auto-upgrade process after two attempts. |
The monitor service stops | The auto-upgrade process ends. |
The auto-upgrade process fails and the system restart/crash happens during rollback phase | The monitor service attempts to reinstall the new build. |
Antivirus configurations to block new processes | The copy of the Client services is not launched. |
MSIEXEC behavior during upgrades | MSIEXEC restart the system during this process. |