What is the Zscaler App?
Using the Zscaler App, users can now get all of the benefits of the Zscaler Cloud Security Platform for Internet traffic, as well as granular, policy-based access to internal resources from a single point.
- With the app’s web security feature, you can protect your users' web traffic even when they are outside your corporate network. The app forwards user traffic to the Zscaler service and ensures that your organization's security and access policies are enforced wherever they may be accessing the Internet.
- With Zscaler Private Access (ZPA), you can enable your users to securely access enterprise applications from outside the corporate network. The ZPA service establishes secure transport for accessing your enterprise apps and services.
You have the ability to control various settings for the app in the Zscaler App Portal (a portal dedicated to app management, accessible directly from the Zscaler service and ZPA admin portals). With administration options, you can configure general settings for the app, such as auto-update and in-app support options. You can also configure app profiles and specify, for example, how the app detects when a user is connected to a trusted network, and if a trusted network is detected, whether the app must disable its service. For greater flexibility, you can configure app profiles so that they apply to all users or to specific groups of users in your organization.
After you configure settings and policies in the Zscaler App Portal, you can silently deploy the Zscaler App on users' devices for both Windows and Mac OS X, and users need only complete a simple login process to enroll their devices with the Zscaler service. When users enroll, the app downloads the administration settings you've configured, as well as the appropriate app profile, and begins forwarding traffic and protecting users immediately. The app regularly checks for updates to administration options and app profiles, and downloads any changes you make, ensuring the app reflects your latest settings.
Below are some key Zscaler App features and benefits:
- Authentication: The app supports all authentication mechanisms supported by the Zscaler service. It also supports SAML with two-factor authentication. Your organization's users can seamlessly log in and enroll with their existing user credentials. Note that if you are using the app for ZPA, your organization must use SAML authentication.
- Enforcement: You can configure the app profile so that once users enroll, they cannot log out of, disable, or uninstall the Zscaler app without an admin-provided password.
- Trusted Network Detection: The app can detect when users are connecting from a trusted network (for example, from your corporate network) and disable its web security service so that user traffic is forwarded to the Zscaler service via the network's configured traffic forwarding mechanism. Learn more about configuring trusted networks.
- Captive Portal Detection: The app can detect when users try to connect to networks where a captive portal requires users to pay or accept a use policy before accessing the web (for example, wifi networks at airports or hotels). When it detects a captive portal, it can disable its service for a period of time you specify, allowing users to complete the steps necessary to access the network, before automatically re-enabling itself. Learn more about captive portal detection.
- SSL Inspection: If you are using the Zscaler App to secure your web traffic, it can automatically install the Zscaler SSL certificate during enrollment so that the Zscaler service can perform SSL inspection on web traffic forwarded by the app. Note, however, that you must enable SSL inspection for mobile traffic in the Zscaler admin portal. This feature applies to the web security service only. ZPA does not support SSL inspection.
- Auto-Update to Latest Release: You can enable auto-updates so that apps on users' devices are automatically updated whenever Zscaler releases a new version. If you prefer to test new app versions before allowing updates, you also have the option of pushing app updates from the Zscaler App Portal when you're ready. Learn more about update settings.
- Easy Administration with the Zscaler App Portal: In the Zscaler App Portal, you can easily manage app profiles and administration settings. The app checks regularly for updates and downloads any changes you make. If users exit the app, log out and log back into the app, or restart their devices, the app will also check for updates and download changes.
- Dashboards and Device Fingerprint Information: In the Zscaler App Portal, you can view a dashboard that provides information about devices that have been enrolled with the Zscaler service, including the number of Zscaler app licenses being used, the device models, platforms, and operating systems on which the app is running, as well as information about which devices are running outdated app versions. You can also view device fingerprint information for all devices that have been enrolled.
- In-App Access to Support: You can provide users with different options for requesting support in the Zscaler App. You can allow users to send support request emails directly from the app to your organization's support team, or you can allow users to submit tickets directly from the app to Zscaler Support. Learn more about support access in the Zscaler App.
How does the Zscaler App work?
This section describes how the Zscaler App works when you use it to secure your web traffic. To learn about how the app works when you use it with ZPA to provide secure access to your internal resources, log in to the ZPA Support Portal and see What is Zscaler Private Access?
When you install the Zscaler App, a Zscaler Network Adapter is also installed on your user's computer. When the user connect to the web, the Network Adapter captures web traffic from that device. The app then uses geo-location technology to locate the Zscaler Enforcement Node (ZEN) closest to the user, establishes a lightweight tunnel (called the Z-tunnel) to the ZEN, and forwards the user's web traffic through the tunnel so that the ZEN can apply appropriate security and access policies.
While this is the default behavior of the app, you can modify the app's traffic forwarding settings as necessary. For example:
- Instead of the app automatically determining the ZEN to which it tunnels traffic, you can specify the particular ZENs to which the app must tunnel traffic (for example, you must do this if your organization uses private ZENs or VZENs).
- You can choose to allow some traffic (for example, traffic to certain domains like identity federation URLs) to bypass the app tunnel and go directly to the web.
To modify the app's traffic forwarding behavior in these ways, you can add a custom PAC file in your app profile so that the app forwards traffic according to its instructions. The app checks the PAC file regularly to make sure it retrieves the latest one, and whenever it retrieves a new PAC file, it saves that PAC file to your users' computers. This ensures that the PAC file is accessible even after users restart the app or their computers, allowing them to access internal resources and send traffic to private IP ranges even if your organization faces Internet connectivity issues.
Whether you use a custom PAC file or have the app forward traffic to the service per its default behavior, the app regularly checks to make sure traffic is forwarded correctly and efficiently. For example, it checks, at regular intervals, whether the ZEN to which the app is currently tunneling traffic is still the best ZEN for a given user's traffic. It will also perform these checks whenever a user changes networks, or restarts the app or their devices.
Note that the app by default overrides any proxy settings configured on users' browsers so that users cannot manipulate the app's traffic routing. If you prefer to allow users' browser proxy settings to apply, you can do so with your app profile policy.