Configuring Zscaler App Profiles
About the App Profile
The app profile controls the following key app settings and behaviors:
- Whether users must enter an admin-provided password in order to log out of, disable, or uninstall the app
- The forwarding profile for the web security service and Zscaler Private Access (ZPA)
Additionally, if you are using the app for web security:
- Whether the app can install the Zscaler SSL certificate on users' devices to allow SSL inspection of traffic forwarded by the app
- How the app generates logs and the maximum size of its log files
You can configure app profiles (one for Windows and one for Mac OS X) in the Zscaler App Portal by adding policy rules to each app profile. You can select the order of precedence among the rules as well as to whom each rule applies (to all users or to different groups of users). When a user enrolls the app with the Zscaler service, the app takes into account this order of precedence and the identity of the user to download the app profile with the appropriate policy rule. See the example below.
The app checks regularly for updates to the app profile to ensure it reflects any changes you make. If users log out and back into the app or restart their computers, the app also checks then for updates to the app profile and downloads any changes.
For example, consider an organization that has configured the five Windows app profile policy rules shown in the image. The rules are listed in order of precedence, with the Rule Order value shown in the Rule # column.
When a user who belongs to the Support user group enrolls with the Zscaler service, the app begins by checking whether Rule 1 applies to the user. It does not (the rule applies only to the HR user group), so the app moves on to Rule 2, which likewise does not apply. It then moves to Rule 3 and, upon determining that it applies to this user, downloads the app profile with that rule.
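The walk described above, together with the Rule Order and Groups semantics given in the field descriptions later on this page, as an added example (this is illustrative code, not Zscaler's own implementation). The rule names, group names and the table itself are constructed sample data; the only behaviour modelled is what the page states: ascending Rule Order, a rule with no groups applies to everyone, a disabled rule is never enforced, and the default rule is always last. The second function is a check the page does not provide but a practitioner would want: an enabled catch-all rule placed anywhere but last makes every rule after it unreachable.

```javascript
// Added example, not Zscaler's code: a model of how the app chooses which
// app profile policy rule to download at enrollment, following the
// precedence and group semantics described on this page. Rule and group
// names below are constructed sample data, not a real tenant's table.

// Sample Windows rule table. `order` is the Rule Order value (1 = evaluated
// first). An empty `groups` list means the rule applies to all users. The
// built-in default rule is always last, enabled, and group-less.
const windowsRules = [
  { order: 1, name: "HR-Locked",      enabled: true,  groups: ["HR"] },
  { order: 2, name: "Finance-Locked", enabled: true,  groups: ["Finance"] },
  { order: 3, name: "Support-Lab",    enabled: true,  groups: ["Support", "Engineering"] },
  { order: 4, name: "Contractors",    enabled: false, groups: ["Contractors"] }, // disabled: never enforced
  { order: 5, name: "Default",        enabled: true,  groups: [], isDefault: true },
];

// Return the first enabled rule, in ascending Rule Order, whose group list is
// empty or shares at least one group with the user. This is the walk the page
// describes for the Support user: Rule 1 (HR) and Rule 2 (Finance) are skipped,
// Rule 3 matches and is the rule the app downloads.
function selectRule(rules, userGroups) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  const mine = new Set(userGroups);
  for (const rule of ordered) {
    if (!rule.enabled) continue;                     // a disabled rule is not enforced
    if (rule.groups.length === 0) return rule;       // no group specified: applies to everyone
    if (rule.groups.some((g) => mine.has(g))) return rule;
  }
  return null;                                        // cannot happen while the default rule exists
}

// Sanity check for a rule table: an enabled rule with no groups matches every
// user, so any rule ordered after it can never be downloaded. Returns the names
// of such unreachable rules (empty when only the default rule is a catch-all).
function findShadowedRules(rules) {
  const ordered = [...rules].sort((a, b) => a.order - b.order);
  const firstCatchAll = ordered.findIndex((r) => r.enabled && r.groups.length === 0);
  if (firstCatchAll === -1) return [];
  return ordered.slice(firstCatchAll + 1).map((r) => r.name);
}

console.log(selectRule(windowsRules, ["Support"]).name);   // Support-Lab
console.log(findShadowedRules(windowsRules));              // []
```

Note that a user in both HR and Support gets the HR rule: precedence is decided by Rule Order alone, not by how specific the group list is, so put the most restrictive rules first.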
Viewing the Default Policy
Zscaler provides a default app profile policy rule for both Windows and OS X. The default rule cannot be modified or deleted, and it will apply if you do not add additional policy rules. If you configure additional policy rules, the default rule is always the last in the rule order.
To view the default policy rule, in the Zscaler App Portal, go to App Profiles, then from the menu on the left, go to Personal Computers. Select either Mac OS X or Windows, and you can see the default policy rule listed as the last rule in the table. (If you have not configured any additional rules, the default rule is the only one listed.) Click the View icon to see the default rule.
Adding New App Profile Policy Rules
To add a new policy rule, do the following:
- From the Zscaler admin portal, go to Policy > Zscaler App Portal.
- In the Zscaler App portal, go to App Profiles from the top menu.
- Select Personal Computers from the menu on the left, then choose Mac OS X or Windows.
- Click Add OS X Policy or Add Windows Policy.
- Complete the following fields:
Name: Enter a name for the policy.
Rule Order: Select the appropriate rule order value. The Rule Order reflects the order of precedence among configured profile policy rules, and it determines which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order: the app starts with the rule whose Rule Order value is 1 and downloads the first enabled rule that applies to the user.
Enable: Enable the rule. If you do not enable the rule, the policy rule is not enforced.
Groups: Specify the user group(s) to which the rule applies. The groups you've configured in the Zscaler admin portal appear in the menu. There is no limit to the number of groups you can select. When a user enrolls the app with the service, the app checks the group to which the user belongs and downloads the app profile with the appropriate rule. If no group is specified, the rule applies to all users.
Logout Password (Optional): Provide the password that users must enter if they want to do any of the following:
- Log out of the app
- Exit the app from the system tray
- Uninstall the app
Disable Password (Optional): Provide the password that users must enter if they want to disable the web security service in the Zscaler app.
Custom PAC URL (Optional): If you do not want the app to forward all web traffic to the Zscaler service and want to specify exceptions for certain types of traffic, you can do so by defining a custom PAC file here. Read more about how the Zscaler app forwards users' web traffic to the Zscaler service. (Skip this if you are using the Zscaler App for ZPA only.)
NOTE: If you want to allow the user to bypass the Zscaler App when connecting to the VPN gateway, you can do so below in Hostname/IP Address bypass for VPN Gateway.
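What such a custom PAC file looks like, as an added example; it is not a Zscaler-supplied PAC and not code from this page. It excepts single-label intranet names, an internal domain, loopback and RFC 1918 address literals, and one vendor service from forwarding by returning "DIRECT", and sends everything else to the proxy. The domain names, the bypass list and the ZSCALER_PROXY value are constructed placeholders; substitute the gateway directive your Zscaler deployment prescribes. Because the file is plain JavaScript, the block also carries minimal stand-ins for the PAC built-ins so it can be exercised offline under Node before uploading.

```javascript
// Added example, not Zscaler's code or a Zscaler-supplied PAC: a custom PAC
// file of the kind the Custom PAC URL field points at. Traffic for which it
// returns "DIRECT" is excepted from forwarding; everything else goes to the
// proxy string. The bypass list, domain names and ZSCALER_PROXY value are
// constructed placeholders.

var ZSCALER_PROXY = "PROXY gateway.zscaler.example:80; DIRECT";

function FindProxyForURL(url, host) {
  // Single-label intranet names (no dot) never leave the LAN.
  if (isPlainHostName(host)) return "DIRECT";
  // The internal domain stays internal.
  if (dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  // Loopback and RFC 1918 address literals.
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // A vendor service that breaks behind a proxy (constructed example).
  if (shExpMatch(host, "*.voip-vendor.example")) return "DIRECT";
  // Do not list VPN gateways here: per this page they belong in the
  // Hostname/IP Address bypass for VPN Gateway field, which adjusts routing.
  return ZSCALER_PROXY;
}

// ---- Stand-ins for the PAC built-ins so this file runs under Node for
// ---- testing. Delete this section before uploading: the real PAC engine
// ---- provides these, and its isInNet also resolves hostnames, which the
// ---- stand-in does not (it only accepts dotted-quad literals).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Shell-style glob to anchored regex: escape regex specials, then * and ?.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                      .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ip4ToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
function isInNet(host, pattern, mask) {
  var h = ip4ToInt(host), p = ip4ToInt(pattern), m = ip4ToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);   // >>> 0 keeps the comparison unsigned
}
```

Keep the exception list short and specific: every "DIRECT" line is traffic the Zscaler service will never see, so each one should be justified the same way an SSL bypass would be.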
Forwarding Profile: Select a forwarding profile. The forwarding profiles you configured in Administration > Forwarding Profiles appear in the menu. See How to configure forwarding profiles for the Zscaler App.
Install Zscaler SSL Certificate: Turn on this option to allow the app to automatically install the Zscaler SSL certificate on users' devices.
You can also install your organization's custom certificate. Once you upload the custom certificate in the Zscaler App Portal and turn on this option, the custom certificate is automatically installed on users' devices.
The upload steps are listed after the policy steps below.
The SSL certificate allows the Zscaler service to perform SSL inspection on user traffic forwarded by the app. Any SSL bypasses you configure in the admin portal also apply. Note that you must enable SSL scanning for mobile traffic in the Zscaler admin portal. If you wish to use a self-signed certificate for SSL inspection, ensure the certificate is installed in your users' system certificate store, because the app does not install it for you. (Skip this if you are using the Zscaler App for ZPA only.)
Log Mode: The Zscaler App generates logs which users can send either to a designated support admin in your organization, or to Zscaler Support (in encrypted form). You can specify the scope of the logs by selecting one of the log modes below; each mode also includes everything logged by the modes above it:
- Error: Logs only when the app encounters an error and functionality is affected.
- Warn: Logs when the app is functioning but is encountering potential issues, plus everything logged in Error mode.
- Info: Logs general app activity, plus everything logged in Warn mode.
- Debug: Logs all app activity that could assist Zscaler Support in debugging issues, plus everything logged in Info mode.
Log File Size in MB: You can specify the maximum size of the log file. Once the log reaches the maximum file size, the oldest entries are truncated from the file to keep it below the maximum. You can enter a value between 10 and 1000. The default log file size is 100 MB. (Skip this if you are using the Zscaler App for ZPA only.)
Disable Loopback Restriction (For Windows Policy only, and applicable only if you select Tunnel with Local Proxy mode in forwarding profiles): By default, applications running in the AppContainer are forbidden from loopback communications, meaning they cannot connect to locally running processes external to their own package. Selecting this option disables the restriction against loopback communications and containerized applications can function properly with the Zscaler App in Tunnel with Local Proxy mode.
Override WPAD (For Windows Policy only, and applicable only if you select Tunnel with Local Proxy mode in forwarding profiles): Enabling this feature allows the Zscaler App to override the Web Proxy Autodiscovery Protocol (WPAD) setting on user devices. This ensures that Internet Explorer and Edge browsers can properly follow the Zscaler App proxy setting instead of the WPAD setting.
Restart WinHTTP Service (For Windows Policy only, and applicable only if you select Tunnel with Local Proxy mode in forwarding profiles): Enabling this feature allows the Zscaler App to restart the WinHTTP service on user devices. This ensures that any cached WPAD setting is deleted, and Internet Explorer and Edge browsers can properly follow the Zscaler App proxy setting.
Hostname/IP Address bypass for VPN Gateway: This option is applicable if all of the following are true:
- Your users have a VPN client running on their devices in conjunction with the Zscaler App
- You've chosen Tunnel as the forwarding profile action in forwarding profiles
- Your VPN runs in split-tunnel mode, so that it takes some, but not all, user traffic from the device
If so, you can allow traffic destined for the VPN to bypass the Zscaler App by entering the hostnames or IP addresses of all your VPN gateways. The Zscaler App adjusts the routing table to exclude any traffic destined for the VPN gateway. To avoid connectivity issues, include all VPN hostnames, or all IP addresses to which these hostnames might resolve. For the latter, you can enter a specific IP address (for example, 10.10.1.2) or a range in CIDR notation (for example, 10.10.0.0/16).
NOTE: Skip this if you are using the Zscaler App for ZPA only. Users cannot run a VPN client while they are using ZPA to connect to an internal application.
- Optionally, add a Description.
- Click Save.
Uploading a Custom Certificate
If you want the app to install your organization's custom certificate instead of the Zscaler certificate, upload it as follows, then turn on Install Zscaler SSL Certificate in the policy rule:
- In the Zscaler App Portal, go to Administration.
- From the menu on the left, go to Zscaler App Support.
- Click the Advanced Configuration tab.
- In Intermediate Root Certificate > Custom Certificate, click Upload.
About the Policy Token
After you save your profile, a policy token is automatically generated for the profile.
You will need this policy token if you want to use the strictenforcement installer option, which requires users to enroll with the Zscaler App before accessing the Internet. The policy rule that the token identifies is enforced by the app until the user enrolls. Once the user enrolls, that rule is replaced with the app profile policy rule that matches the user based on the user's group membership.
You can view the policy token for a profile by clicking the Edit icon.