Cert Pinned App Changes to the Netskope Client

To help provide a better out of the box security posture, Netskope introduced the "EnhanceCertPinnedApplist" feature to prevent users from bypassing certain controls.

Affected Products:

Netskope

Affected Versions:

v76 and Later

Not applicable.

What does "EnhancedCertPinnedApplist" do?

Netskope can allow admins to make steering decisions for certificate-pinned apps. By default, this is done based on the name of the process where the traffic originates from. However, this is easy to manipulate or spoof if you are aware of this logic. Because of this, Netskope also allows enabling of the "EnhanceCertPinnedApplist" feature. Once EnhanceCertPinnedApplist is enabled, it allows customers to also leverage domains that a cert-pinned app must send traffic to, and to only those domains. This adds an additional level of security control.

Why and what did we change in Netskope Release 76?

Netskope is moving towards a secure out of the box posture and has enabled the "EnhanceCertPinnedApplist" flag to be the default in Netskope release 76.

Understanding the impact

For scenarios where the cert-pinned apps talk to additional domains that are not known to Netskope, these domains can either be added individually. They could also be added by using a wildcard (*). Alternatively, the feature can be disabled entirely.

To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.