Skip to main content

Netskope Help

Netskope Client For Windows

The MSIEXEC command is used to mass deploy Netskope Client (MSI packages) on Windows devices.

Supported Operating Systems

Refer to Netskope Client Supported OS and Platform to understand the supported versions for Windows.

Download Client Packages

You can download Netskope client installers from Download Netskope Client and Scripts.

MSIEXEC Command Format

The generic format of MSIEXEC command to install Client is as follows:

msiexec /I NSClient.msi host=addon-<tenant>[.region].goskope.com [token]=<Organization ID> [installmode=IDP] [mode=peruserconfig [userconfiglocation=<path>]] [fail-close=no-npa|all] [autoupdate=on|off] [/l*v %PUBLIC%\nscinstall.log]

Note

The parameters in the above command may vary according to the deployment mode used in your script.

For example, use the following command to install Netskope Client in a multi-user system with an auto-update option:

msiexec /I NSClient.msi host=addon-corp.goskope.com token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig autoupdate=on /l*v %PUBLIC%\nscinstall.log

Note

Enter the command in a single line without any line-breaks.

Parameter

Description

/i

Optional Command. Refers to normal installation type.

mode

Optional parameter. Use peruserconfig when installing in a multi-user system.

prelogonuser

Optional parameter. Use prelogonuser when installing in a single user system.

installmode

Optional parameter. Use Idp value when provisioning users via IdP.

userconfiglocation

Specifies the user-specific directory used for storing the user configuration. It is recommended to use default value unless user's home directories are hosted on external file servers or network shares. This is recommended to be used only for the multi-user environment.

This is an optional parameter. By default the path is %AppData%\Netskope\STAgent.

Note

The path can be an absolute path, a network share, or a path having environment variables.

  • To run the above from command prompt with environment variables, append '^' before '%'.

    Example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\^%USERNAME^%\Netskope

  • To run the above command from a batch script with environment variables, append '%' before '%'.

    Example: /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\%%USERNAME%%\Netskope

  • To run the above command from SCCM (or ) with environment variables, append '^' before '%' and prefix with "cmd /c".

    Example: cmd /c /I NSClient.msi mode=peruserconfig userconfiglocation=C:\Users\^%USERNAME^%\Netskope

fail-close

Optional parameter. If fail-close is not present, the client will honor Web UI "fail close" client configuration.

  • all: Fail close will be applicable to CASB / Web traffic for the NPA tunnel too. Example: If the Netskope tunnel is not established, NPA's application traffic will also be blocked.

  • no-npa: Fail close will be applicable only for CASB / Web traffic but not for NPA tunnel.  Example: If the Netskope Tunnel is not established, NPA's application traffic will NOT be blocked.

autoupdate

  • on

  • off

token

Enter your organization ID here. To find your organization ID.

  1. Login to your Netskope Admin Console with admin credentials.

  2. Go to Settings > Security Cloud Platform > MDM Distribution.

  3. Locate your Organization ID under Create VPN Configuration section. The organization ID is case-sensitive.

host

Enter the addon URL of your tenant. For example: if your tenant URL is example.goskope.com, then your addon URL is = addon-example.goskope.com

domain

Enter the domain URL= [region.]goskope.com during IDP enrollment.

tenant

Enter the tenant name.

/l*v

The log file path.

/qn

Use this option for silent installation.

Note

The /j option is not supported while using the msiexec command for Netskope Client installation.

A few other examples for the Client installation are as follows:

  • Single-User Mode Installation for Domain-joined Endpoints: System-level enrollment including local non-AD accounts; auto-enrolled one time based on the UPN of the first domain user to log in.

    msiexec /I NSClient.msi host=addon-<tenant>[.region].goskope.com token=<Organization ID>

    Example: msiexec /I NSClient.msi host=addon-corp.goskope.com token=ifxqWJDBVoLFxmAUq36v

  • Multi-User Mode Installation for Domain-joined Endpoints: Per-user enrollment; each user auto-enrolled at login based on their UPN.

    msiexec /I NSClient.msi host=addon-<tenant>[.region].goskope.com token=<Organization ID> mode=peruserconfig

    Example: msiexec /I NSClient.msi host=addon-corp.goskope.com token=ifxqWJDBVoLFxmAUq36v mode=peruserconfig

Netskope Client Deployment Commands
  • Microsoft Endpoint Configuration Manager

    msiexec /I NSClient.msi token=<token> host=<host> [mode=peruserconfig | installmode=IDP [userconfiglocation=<path>]] fail-close=[no-npa|all] [autoupdate=on|off].

    To learn more, view Microsoft Endpoint Configuration Manager.

  • VMware Workspace One

     msiexec /I NSClient.msi installmode=idP tenant=corp domain=eu.example.com /qn

    To learn more, view VMware Workspace ONE. VMWare Workspace One

  • IDP For Client Deployment

    This includes two modes:

    • Single-User Mode Installation for IdP-based Enrollment: System-level enrollment based on the first user to enroll the Client viaIdP.

      msiexec /I NSClient.msi tenant=<tenant> domain=[region.]goskope.com installmode=IDP

      Example: msiexec /I NSClient.msi tenant=corp domain=eu.goskope.com installmode=IDP

    • Multi-User Mode Installation for IdP-based Enrollment: Per-user enrollment; each user must enroll the Client via IdP.

      msiexec /I NSClient.msi tenant=<tenant> domain=[region.]goskope.com installmode=IDP mode=peruserconfig

      Example: msiexec /I NSClient.msi tenant=corp domain=eu.goskope.com  installmode=IDP mode=peruserconfig

    To learn more, view Deploy Netskope Client via IdP.

  • Microsoft Intune

    Use the Command-Line arguments: token=<organization id> host=addon- <tenant-name> .goskope.com mode=peruserconfig (Use peruserconfig only for multi-user environments) autoupdate=on (only applicable if you want the client to auto-update) /qn

    To learn more, view Deploy Client On Windows Using Intune

  • Microsoft Group Policy Object (GPO)

    You can deploy Netskope Client to Active Directory (AD) joined devices via Microsoft GPO using a script based or MST based deployment option.

    To learn more, view Microsoft Group Policy Object (GPO)

  • Prelogon Connectivity for Netskope Private Access

    To install and enable the Netskope Client for Netskope Private Access Prelogon connectivity, use these commands.

    For single user mode

    The user needs to be different for each Client config. For example:

    Client config1

    msiexec /I NSClient.msi token=<token> host=<host> prelogonuser=user1@prelogon.netskope.com
    

    Client config2

    msiexec /I NSClient.msi token=<token> host=<host> prelogonuser=user2@prelogon.netskope.com
    

    For per user mode

    For per user mode, different Client configs also have different prelogon users.

    msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <prelogonuser=user1@prelogon.netskope.com
    msiexec /I NSClient.msi token=<token> host=<host> mode=peruserconfig <prelogonuser=user2@prelogon.netskope.com
Uninstall Netskope Client

To uninstall Client from Settings in Windows:

  1. Go to Start > Settings > Apps > Apps & Features.

  2. Find and select the Netskope Client app.

  3. Click Uninstall.

    Windows_Uninstall_clickUninstall.png
  4. You are prompted to enter your administrative credentials at this point.

    Windows_Uninstall_enterpassword.png
  5. Click OK.

  6. The Netskope Client is uninstalled from your machine.

You can check Apps & features under Apps to ensure that the Netskope Client is uninstalled from your device. To learn more about uninstalling Client from other features in Windows, view Uninstall Apps in Windows.

The Password protection for client uninstallation and service stop option under Client Configuration > Tamperproof lets the administrator restrict unauthorized uninstallation of Client by the end users. The end user must know the password set by the administrator while uninstalling the Client. To learn more, view Netskope Client Configuration

Netskope Client Auto-Restart

In instances where the user forgets to enable a Client after disabling it, Netskope set a feature flag AutoStart NSClient with Reboot/Relogin to enable the Netskope Client. After the administrator enables the feature flag, the Netskope Client is enabled after the user restarts the system or the user logs off and logs in again.

Note

  • Contact Netskope Support to enable this feature for your tenant.

  • This feature is available only for Windows and macOS devices.

  • Administrator cannot use this feature flag for NPA services.

Netskope Client Auto-Upgrade Failures and Rollback

In certain situations, the Netskope Client may be susceptible to various issues during the auto-upgrade process and the Client installer needs to handle the failure and revert to the previous version.

Client Upgrade or Uninstallation Failure

In the event of any upgrade/uninstall failures, the Netskope Client rollback to the previous version of the client thereby preventing the removal of the Client from the end-user device.

  • In the event of a Client upgrade failure, the Client installer reverts to the previously installed version.

  • In the event of a Client uninstallation failure, the Client installer reverts to the installed version.

Important

The auto-rollback during Client upgrade is available only from Client version 103.0.0 and later. For example, in the event of a failure during the Client upgrade from version 103.0.0 to 104.0.0, the Client automatically rollback to the version 103.0.0. However, the Client is removed for end-user devices running Client versions below 103.0.0.

You can go to Settings > Security Cloud Platform > Netskope Client > Devices to view the events displayed during the Client upgrade failure. Click the device name to view the related events and the corresponding details. The following table lists the different events displayed in the event of a Client upgrade or uninstallation:

Event

Event Details

Installed

Installed client version 'x'

Uninstalled

Uninstalled client version 'x'

Installation Failure

Failed to install client version 'x' - < reason for failure>

Uninstallation Failure

Failed to uninstall client version 'x' - < reason for failure >

Upgraded

Upgraded from client version ‘x' to 'y’

Upgrade Failure

Failed to upgrade from ‘x' to 'y’ - < Reason for failure >

Rollback Success

Rolled back to client version 'x'

Rollback Failure

Failed to rollback to client version 'x'

Rollback Success, Upgrade Failure, Installed

Windows_RollbackSuccess_104.png

Rollback Failure

Windows_upgradefailureevent_104.png

Uninstalled, Uninstallation Failure

Windows_Uninstalled_104.png

Upgraded

Windows_Upgraded_104.png
Client Upgrade Failure During System Restart/ Shutdown/ Hard Reboot/ Power Failure

There are occurrences where the auto-upgrade processes gets impacted due to unplanned events such as:

  • System restart

  • Shutdown

  • Crash

  • Hard reboot

  • Power failure

Windows_UpgradeAborted_104.png

To eliminate this issue, during the upgrade process, Netskope creates an installation monitor service stAgentSvcMon.exe that is a copy of the existing Netskope Client Services, with limited functionality. The installation monitor service relaunches the Client installation process on the end-user device whenever the auto-upgrade process is interrupted by system restart/crash/shutdown/hard-reboot/power failure. Once the auto-upgrade process is completed, this monitor service is removed from the endpoint.

However, there are a few limitations that would stop the monitor service from relaunching the Client installation process. Refer to the following table to learn more:

Scenario

Client Behavior

Consecutive system restart during the auto-upgrade process

The monitor service stops the auto-upgrade process after two attempts.

The monitor service stops

The auto-upgrade process ends.

The auto-upgrade process fails and the system restart/crash happens during rollback phase

The monitor service attempts to reinstall the new build.

Antivirus configurations to block new processes

The copy of the Client services is not launched.

MSIEXEC behavior during upgrades

MSIEXEC restart the system during this process.