
# Device Protection & Netskope for Mac

This guide explains how to configure your Netskope Steering Configuration so that Aikido Device Protection works reliably alongside Netskope.

{% hint style="warning" %}
These instructions are for macOS only!
{% endhint %}

## Why This Is Needed

Device Protection inspects and protects software supply chain traffic: the connections your developers make to package registries (npm, PyPI, Maven, NuGet, Go) and developer tool marketplaces (Visual Studio, Cursor, Chrome Web Store), as well as to Aikido's own protection services.

When both a corporate VPN/ZTNA and Aikido Device Protection attempt to steer or inspect the same traffic, the two can conflict, leading to unreliable behavior. To avoid this, configure your VPN/ZTNA to **bypass (exclude) the domains that Device Protection handles**.

## Steps

1. Log in to the **Netskope Admin Console**.
2. Navigate to **Settings → Security Cloud Platform → Steering Configuration.**
3. Click **New Steering Configuration** (do not edit the Default tenant config) and give it a new name, e.g. "macOS tenant config".
4. Under **Match Criteria**, set **OS Family = macOS** (leave User Group/OU = Any, or scope it to the same group your Default config covers). This is what restricts the bypass to Macs.
5. Under **Steered Traffic**, mirror your Default config so Mac steering is unchanged: typically All Traffic (HTTP/HTTPS and Non-web) and All Private App Segments.
6. Click the three dots (settings) on the Steering Configuration profile you want to modify. Open **Edit Configuration → Traffic Steering** and make sure "**Bypass exception traffic at:**" is set to **Client**.
7. After you've checked this, open the profile.
8. Open the **Exceptions** tab.
9. Click **New Exception → Domains**.
10. Enter the domains listed below (one per line, or as supported by your version of the interface).
11. Save the configuration. Changes typically propagate in **1 hour**.

{% hint style="info" %}
If you want to do a quick test, go to the local Netskope client, click Configuration, then check for "Configuration update available" — if it's there, click Update so it fetches the latest policies.
{% endhint %}

## Domains to Exclude

These are the domains Aikido Device Protection intercepts. The list contains package registries, developer tool marketplaces, and Aikido's own protection endpoints.

```
api.nuget.org
app.aikido.dev
aikido-endpoint-binaries.s3.eu-west-1.amazonaws.com
central.maven.org
chromewebstore.google.com
chromewebstore.googleapis.com
clients2.google.com
clients2.googleusercontent.com
crates.io
index.crates.io
static.crates.io
device-protection.aikido.help
files.pythonhosted.org
gallery.vsassets.io
gallerycdn.vsassets.io
github.com
globalcdn.nuget.org
marketplace.cursorapi.com
marketplace.visualstudio.com
open-vsx.org
proxy.golang.org
pypi.org
pypi.python.org
registry.npmjs.com
registry.npmjs.org
registry.yarnpkg.com
repo.maven.apache.org
repo1.maven.org
repository.apache.org
rubygems.org
index.rubygems.org
repo.packagist.org
sum.golang.org
update.googleapis.com
www.nuget.org
```
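
To check that the exceptions entered in step 10 cover every domain above, the following added example (not Aikido or Netskope code) audits a pasted exception list and flags wildcard and off-list entries, which bypass more traffic than this page asks for. It assumes a `*.` entry covers subdomains only and not the apex domain; confirm the wildcard behaviour for your Netskope version.

```python
# Added example: audit a Netskope domain-exception list against this page's list.
REQUIRED = """
api.nuget.org app.aikido.dev aikido-endpoint-binaries.s3.eu-west-1.amazonaws.com
central.maven.org chromewebstore.google.com chromewebstore.googleapis.com
clients2.google.com clients2.googleusercontent.com crates.io index.crates.io
static.crates.io device-protection.aikido.help files.pythonhosted.org
gallery.vsassets.io gallerycdn.vsassets.io github.com globalcdn.nuget.org
marketplace.cursorapi.com marketplace.visualstudio.com open-vsx.org
proxy.golang.org pypi.org pypi.python.org registry.npmjs.com registry.npmjs.org
registry.yarnpkg.com repo.maven.apache.org repo1.maven.org repository.apache.org
rubygems.org index.rubygems.org repo.packagist.org sum.golang.org
update.googleapis.com www.nuget.org
""".split()


def normalize(entry):
    """Lowercase an entry and strip scheme, path, port and trailing dot."""
    host = entry.strip().lower().split("://")[-1].split("/")[0].split(":")[0]
    return host.rstrip(".")


def covers(entry, domain):
    """ASSUMPTION: '*.x' matches subdomains of x only; a plain entry matches exactly."""
    if entry.startswith("*."):
        return domain.endswith(entry[1:])
    return entry == domain


def audit(configured_lines):
    """Return (missing, wildcards, extras) for a pasted exception list."""
    entries = {normalize(line) for line in configured_lines if line.strip()}
    missing = sorted(d for d in REQUIRED if not any(covers(e, d) for e in entries))
    # Wildcards bypass more hosts than the page asks for; list them for review.
    wildcards = sorted(e for e in entries if e.startswith("*."))
    extras = sorted(e for e in entries
                    if not e.startswith("*.") and e not in REQUIRED)
    return missing, wildcards, extras


if __name__ == "__main__":
    # Constructed sample, not a real tenant export.
    sample = ["https://PyPI.org/", "*.crates.io", "registry.npmjs.org.", "example.test"]
    missing, wildcards, extras = audit(sample)
    print(f"{len(missing)} required domains not bypassed:", *missing, sep="\n  ")
    print("wildcards to review:", wildcards)
    print("entries not on the documented list:", extras)
```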

