How do I add rules to the Cloud App Control policy?

You can create rules to control access to specific cloud applications. Cloud apps are organized into categories to facilitate defining rules for similar applications.

Additionally, you can define a daily quota by bandwidth or time. When users browse to these sites after their quota has been reached, the Zscaler service displays a message that explains that the content cannot be viewed because they exceeded their daily quota.

To add a rule, you can go to Policy > URL & Cloud App Control and choose a category. Click on a cloud application category below to learn more about creating rules for the category.

For information on the order in which the service enforces all policies, including this policy, see How does the Zscaler service enforce policies?

Consumer

Online shopping has become the norm. This category includes applications such as eBay, Groupon and PayPal, so you can create rules specifically for these and other similar cloud applications. You can specify which applications your users are allowed to access and define a daily quota by bandwidth or time.

When users browse to these sites after their quota has been reached, the Zscaler service displays a message that explains that the content cannot be viewed because they exceeded their daily quota.

See Cloud App Categories for a list of the apps included under the Consumer category.

To add a rule for Consumer apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Consumer.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Application Access: Allow or block users from accessing the selected cloud applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.
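
A pre-save check that encodes the limits listed in steps 3 to 6, as an added example rather than Zscaler code; the same limits repeat in every category's procedure on this page. The rule dictionary layout and its key names (order, admin_rank, unauthenticated, and so on) are assumptions made for illustration, and the sample rules are constructed.

```python
"""Offline lint for Cloud App Control rule definitions (added example).

The limits come from the rule steps on this page. The dict layout and key
names are hypothetical, not a Zscaler export or API format.
"""

ANY = "Any"        # wildcard for Cloud Applications, Users, Groups, ...
ALWAYS = "Always"  # wildcard for the Time criterion

# Maximum explicit selections per criterion, as listed under "Define the criteria".
SELECTION_LIMITS = {"users": 4, "groups": 8, "locations": 8, "time": 2}


def _is_wildcard(value):
    return value in (None, ANY, ALWAYS)


def lint_rule(rule, ssl_inspection=False, authentication=False):
    """Return a list of findings for one rule (empty list means clean)."""
    findings = []

    rank = rule.get("admin_rank")
    if rank is not None and not 1 <= rank <= 7:
        findings.append("admin_rank must be 1-7")

    for field, limit in SELECTION_LIMITS.items():
        value = rule.get(field)
        if not _is_wildcard(value) and len(value) > limit:
            findings.append(f"{field}: {len(value)} selected, limit is {limit}")

    bandwidth = rule.get("daily_bandwidth_quota_mb")
    if bandwidth is not None and not 10 <= bandwidth <= 100000:
        findings.append("daily_bandwidth_quota_mb must be 10-100000")

    minutes = rule.get("daily_time_quota_min")
    if minutes is not None and not 15 <= minutes <= 600:
        findings.append("daily_time_quota_min must be 15-600")

    if len(rule.get("description", "")) > 10240:
        findings.append("description exceeds 10240 characters")

    # A bandwidth quota scoped to users, groups, or departments is only
    # enforceable when SSL inspection and authentication are enabled.
    scoped = any(not _is_wildcard(rule.get(f))
                 for f in ("users", "groups", "departments"))
    if bandwidth is not None and scoped and not (ssl_inspection and authentication):
        findings.append("scoped bandwidth quota requires SSL inspection and authentication")

    # A rule meant for unauthenticated traffic must apply to all locations.
    if rule.get("unauthenticated") and not _is_wildcard(rule.get("locations")):
        findings.append("unauthenticated traffic rule must apply to all locations")

    return findings


def lint_order(rules):
    """Check that Rule Order agrees with Admin Rank (rank 1 is the highest)."""
    findings = []
    ordered = sorted(rules, key=lambda r: r["order"])
    for prev, cur in zip(ordered, ordered[1:]):
        prev_rank, cur_rank = prev.get("admin_rank"), cur.get("admin_rank")
        if prev_rank is None or cur_rank is None:
            continue  # Admin Rank not in use for this pair
        # Rank numbers must never decrease while moving down the rule list.
        if prev_rank > cur_rank:
            findings.append(
                f"rule {cur['order']} (rank {cur_rank}) is evaluated after "
                f"rule {prev['order']} (rank {prev_rank})"
            )
    return findings


def evaluation_sequence(rules):
    """Rule Order values the service would evaluate: ascending, disabled rules skipped."""
    ordered = sorted(rules, key=lambda r: r["order"])
    return [r["order"] for r in ordered if r.get("enabled", True)]


# Constructed sample input.
SAMPLE_RULES = [
    {"order": 1, "admin_rank": 3, "enabled": True, "users": ANY,
     "locations": ANY, "daily_time_quota_min": 30},
    {"order": 2, "admin_rank": 1, "enabled": False,
     "users": ["u1", "u2", "u3", "u4", "u5"], "daily_bandwidth_quota_mb": 5},
    {"order": 3, "admin_rank": 3, "enabled": True, "unauthenticated": True,
     "locations": ["HQ"]},
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["order"], lint_rule(rule))
    print(lint_order(SAMPLE_RULES))
    print(evaluation_sequence(SAMPLE_RULES))
```
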

Enterprise Collaboration

Organizations are using cloud applications to connect users around the world. They’re using applications such as WebEx and GoToMeeting to meet online and share information, and they’re using enterprise social network applications, such as Yammer, so their teams can collaborate and share their knowledge.

You can create rules for the Enterprise Social/Collaboration policy to control these types of cloud applications. You can specify which applications your users are allowed to access and define a daily quota by bandwidth or time.

When users browse to these sites after their quota has been reached, the Zscaler service displays a message that explains that the content cannot be viewed because they exceeded their daily quota. If a user exceeds the daily quota while in a web video conference over an SSL/TLS connection, the service allows the user to finish the meeting but blocks additional video conferences. If the video conference is not over an SSL/TLS connection (HTTP connection), the service ends the connection immediately.

See Cloud App Categories for a list of the apps included under the Enterprise Collaboration category.

To add a rule for Enterprise Collaboration apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Enterprise Collaboration.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Application Access: Allow or block users from accessing the selected cloud applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.

 

Enterprise Productivity

Organizations are moving to the cloud for their business applications. This category includes applications such as Salesforce, Evernote and Microsoft Office 365, so you can create rules specifically for these and other similar cloud applications. You can specify which applications your users are allowed to access and define a daily quota by bandwidth or time.

When users browse to these sites after their quota has been reached, the Zscaler service displays a message that explains that the content cannot be viewed because they exceeded their daily quota.

See Cloud App Categories for a list of the apps included under the Enterprise Productivity category.

To add a rule for Enterprise Productivity apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Enterprise Productivity.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Application Access: Allow or block users from accessing the selected cloud applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.

Sales & Marketing

Organizations are moving to the cloud for their sales and marketing applications. This category includes applications such as Marketo and SuccessFactors, so you can create rules specifically for these and other similar cloud applications. You can specify which applications your users are allowed to access and define a daily quota by bandwidth or time.

When users browse to these sites after their quota has been reached, the Zscaler service displays a message that explains that the content cannot be viewed because they exceeded their daily quota.

See Cloud App Categories for a list of the apps included under the Sales & Marketing category.

To add a rule for Sales & Marketing apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Sales and Marketing.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Application Access: Allow or block users from accessing the selected cloud applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.

 

System & Development

Use this category to create rules that manage access to system and development apps.

See Cloud App Categories for a list of the apps included under the System & Development category.

To add a rule for System & Development apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select System & Development.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Application Access: Allow or block users from accessing the selected cloud applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.

Instant Messaging

Instant messaging (IM) has become nearly as universal as email. Today, more and more people depend on this simple text-based application to stay in touch with friends and colleagues. Instant messaging introduces potential risk and liability to enterprises in several ways, such as:

  • Instant messaging provides transport for proprietary data to escape the corporate network via file transfers.
  • Users may get involved in conversations and relationships that violate corporate policy.
  • Instant messaging can affect productivity at work.

You can completely block or selectively disable IM applications. Popular client-based IMs, such as Yahoo! Messenger, as well as web IMs, such as Meebo and GTalk Gadget, are supported. Admins can completely block the IM or just block file transfers. IM file transfers are scanned for viruses and for DLP (if the respective policies are set).

See Cloud App Categories for a list of the apps included under the Instant Messaging category.

To add a rule for Instant Messaging apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Instant Messaging.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Application Access: Allow or block users from accessing the selected cloud applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.

Social Networking & Blogging

Your organization can control access to and usage of social network and blogging sites to guard against the following:

  • Uploading of inappropriate content or content in violation of corporate policy from the corporate network.
  • Data leakage, such as posting proprietary corporate information to external websites.
  • Injecting viruses and other malware inside the network through malicious or compromised web pages.
  • Decreased productivity of users.
  • Consumption of your corporate network bandwidth by non-critical applications such as streaming music and video files.

You can configure rules to control access to the most popular social networking sites, and allow or restrict blog posting and file uploads.

See Cloud App Categories for a list of the apps included under the Social Networking & Blogging category.

To add a rule for Social Networking & Blogging apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Social Networking and Blogging.
  3. Specify the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Viewing: Choose to either Allow or Block users from viewing the selected applications.
    • Posting: Choose to either Allow or Block users from posting on the selected applications.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.

Streaming Media & File Sharing

A typical streaming media/file sharing rule restricts viewing (or downloading) media files to 30 minutes or 100 MB per day, and prevents users from uploading files to web servers. When users browse to these sites and attempt to download media files after their quota has been reached, the Zscaler service displays a message in their browsers explaining that the content may not be viewed because they have exceeded their daily quota limit. Similarly, when users attempt to upload files, the Zscaler service reports in their browsers that this action was blocked due to corporate policy.

Additionally, Zscaler provides support for YouTube for Schools, which enables schools to access educational videos on YouTube EDU and specify which videos students are allowed to access. When a school signs up for YouTube for Schools, it is given a unique ID. You can create a Streaming Media/File Share Policy rule that, for example, allows students to access YouTube, and specify this ID in the YouTube for Schools filter. Then, when a student makes an HTTP request to YouTube, the cloud inserts a custom header with the school’s ID, so YouTube can identify the school and display the videos selected by the school’s administration.

You can create different YouTube for Schools rules for different schools or locations, so one set of schools can use one filter and another set of schools can use a different filter. You can also create YouTube for Schools rules for students and create a YouTube rule without the filter for school administrators. The Zscaler service logs YouTube for Schools transactions separately from YouTube transactions. When you view the transactions log in the Analyze tab, the YouTube for Schools transactions display YouTube EDU in the Application field.

See Cloud App Categories for a list of the apps included under the Streaming Media & File Sharing category.

To add a rule for Streaming Media & File Sharing apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Streaming Media & File Sharing.
  3. Enter the rule attributes.
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Viewing/Listening: Allow or block users from viewing or listening to content on the selected applications.
    • Uploading: Allow or block users from uploading content to the selected applications.
    • YouTube for Schools Filter: Appears only when YouTube is selected as a URL Category. You can use YouTube for Schools to display only educational videos selected by your school. Enter the ID YouTube assigned to your school network. The ID is similar to the following: FEpMvTgPfbZIrWqnDEVgAw. The Zscaler service will insert a custom header with this ID into users’ HTTP requests to YouTube so that YouTube can identify your school and display only educational videos selected by the school’s administration.
  6. Specify the Daily Bandwidth Quota and Daily Time Quota.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  7. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  8. Click Save and activate the change.

Webmail

Enterprises are concerned about webmail for a variety of reasons, such as:

  • Productivity loss if users spend too much time on personal email
  • Leakage of corporate intellectual property through file attachments
  • Reduced network bandwidth due to large email attachments

You can configure a webmail rule, for example, that allows users to read and send personal webmail for up to 30 minutes per day (so they can access personal email during breaks), but blocks outbound file attachments.

See Cloud App Categories for a list of the apps included under the Webmail category.

To add a rule for Webmail apps:

  1. Go to Policy > URL & Cloud App Control.
  2. From the Cloud App Control Policy tab, click Add and select Webmail.
  3. Enter the rule attributes:
    • Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the Rule Order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Rank, your assigned admin rank determines the Rule Order values you can select.
    • Admin Rank: Enter a value from 1-7 (1 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s Admin Rank determines the value you can select in Rule Order, so that a rule with a higher Admin Rank always precedes a rule with a lower Admin Rank.
    • Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the Rule Order. The service skips it and moves to the next rule.
  4. Define the criteria:
    • Cloud Applications: Select Any to apply the rule to all cloud applications in this category, or select any number of cloud applications. You can also search for applications.
    • Users: Select Any to apply the rule to all users, or select up to 4 users under General Users. If you've enabled the unauthenticated users policy, you can select Special Users to apply this rule to all unauthenticated users, or select specific types of unauthenticated users. You can search for users or click the Add icon to add a new user.
    • Groups: Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
    • Departments: Select Any to apply the rule to all departments, or select any number of departments. If you've enabled the unauthenticated users policy, you can select Special Departments to apply this rule to all unauthenticated transactions. You can search for departments or click the Add icon to add a new department.
    • Locations: Select Any to apply the rule to all locations, or select up to 8 locations. You can also search for a location or click the Add icon to add a new location. To apply this rule to unauthenticated traffic, the rule must apply to all locations.
    • Time: Select Always to apply this rule to all time intervals, or select up to two time intervals. You can also search for a time interval or click the Add icon to add a new time interval.
  5. Specify the actions:
    • Viewing Mail: Choose to Allow or Block read-only access to webmail. Users can read webmail and attachments, but they cannot send webmail and attachments.
    • Sending Mail: Choose to Allow or Block reading webmail and attachments, and sending webmail but not attachments.
    • Sending Attachments: Choose to Allow or Block reading and sending webmail and attachments.
      If no action is selected, access to the selected webmail applications (and their file attachments) is denied.
    • Daily Bandwidth Quota: (Optional) The bandwidth quota includes data uploaded to and downloaded from the cloud application. To enforce the quota on each location, do not select specific users, groups, or departments. To enforce the quota on specific users, groups, or departments, SSL inspection and authentication must be enabled. If a user comes from a known location, the quota is reset at midnight based on the location time zone; for road warriors, the quota is reset based on the organization’s time zone. The minimum value you can enter is 10 MB and the maximum value is 100000 MB.
    • Daily Time Quota: (Optional) The time quota is based on the amount of time elapsed in a session while uploading and downloading data. The session idle times are ignored. The minimum value you can enter is 15 minutes and the maximum value is 600 minutes.
  6. Optionally, type in a Description. Enter additional notes or information. The description cannot exceed 10240 characters.
  7. Click Save and activate the change.
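
The limits in the procedures above (Admin Rank range and ordering, selection caps, quota bounds, and the conditions for unauthenticated traffic and scoped bandwidth quotas) can be checked before a rule set is entered in the admin portal. The following is an added example, not Zscaler code: the dictionary layout and field names are hypothetical, the rule set is constructed, and the ordering check assumes Admin Rank is enabled.

```python
# Added example: lint hypothetical rule dicts against the limits documented above.
# The dict layout is assumed for illustration; it is not a Zscaler API or export format.
LIMITS = {"users": 4, "groups": 8, "locations": 8, "time_intervals": 2}

def lint_rule(rule):
    """Return findings for one rule; an empty list means it is within the documented limits."""
    findings = []
    if not 1 <= rule["admin_rank"] <= 7:
        findings.append("admin rank must be 1-7")
    for field, cap in LIMITS.items():
        chosen = rule.get(field, "Any")  # a string such as "Any" means no specific selection
        if isinstance(chosen, list) and len(chosen) > cap:
            findings.append(f"{field}: at most {cap} selections")
    bw, mins = rule.get("bandwidth_quota_mb"), rule.get("time_quota_min")
    if bw is not None and not 10 <= bw <= 100000:
        findings.append("bandwidth quota must be 10-100000 MB")
    if mins is not None and not 15 <= mins <= 600:
        findings.append("time quota must be 15-600 minutes")
    scoped = any(isinstance(rule.get(f), list) for f in ("users", "groups", "departments"))
    if bw is not None and scoped and not rule.get("ssl_inspection_and_auth", False):
        findings.append("scoped bandwidth quota needs SSL inspection and authentication")
    unauth = rule.get("users") == "Special Users" or rule.get("departments") == "Special Departments"
    if unauth and rule.get("locations", "Any") != "Any":
        findings.append("unauthenticated traffic requires all locations")
    return findings

def lint_order(rules):
    """Flag a rule whose Admin Rank is higher (numerically lower) than the rule ordered before it."""
    findings, ordered = [], sorted(rules, key=lambda r: r["rule_order"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["admin_rank"] < prev["admin_rank"]:
            findings.append(f"{cur['name']}: rank {cur['admin_rank']} placed after rank {prev['admin_rank']}")
    return findings

def effective_order(rules):
    """Names of enabled rules in evaluation order; disabled rules keep their slot but are skipped."""
    return [r["name"] for r in sorted(rules, key=lambda r: r["rule_order"]) if r["enabled"]]

# Constructed sample rule set (not taken from any real tenant).
RULES = [
    {"name": "webmail-breaks", "rule_order": 1, "admin_rank": 2, "enabled": True,
     "time_quota_min": 30, "groups": ["Staff"], "bandwidth_quota_mb": 5},
    {"name": "legacy-block", "rule_order": 2, "admin_rank": 3, "enabled": False},
    {"name": "guest-webmail", "rule_order": 3, "admin_rank": 1, "enabled": True,
     "users": "Special Users", "locations": ["HQ"]},
]

if __name__ == "__main__":
    print([lint_rule(r) for r in RULES], lint_order(RULES), effective_order(RULES))
```

In the sample, the first rule fails on its 5 MB quota and on the missing SSL inspection and authentication flag, the third fails because a rule for unauthenticated users is limited to one location, and the ordering check flags the rank 1 rule sitting behind a rank 3 rule.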