Zscaler Mobile Deployment Guide for Apple iOS

With the proliferation of mobile devices, both corporate and user owned, security for mobile devices has become increasingly critical. The Zscaler iOS solution extends the Zscaler security service to Apple iOS devices, whether they are connected to Wi-Fi or cellular networks. It enforces the policies that you set in the Admin portal to protect web and mobile traffic, and lets you define policies that protect the mobile devices themselves. For example, you can control whether users can use the camera or install apps on the device. This comprehensive solution secures every aspect of your users’ mobile usage, covering the device as well as its browser and app traffic.

From the Zscaler admin portal where you define administrative settings and policies for web and mobile traffic, you can go to the Zscaler App Portal to manage mobile devices. On the Zscaler App Portal, you can define policies that control how a device forwards traffic to the Zscaler service and which apps, functionality and content can be accessed from a device. The portal also has a Dashboard where you can monitor the mobile devices and view their compliance status. Additionally, you can define an Acceptable Use Policy (AUP) and notifications specifically for mobile devices.

Zscaler SecureAgent is an app that is installed on mobile devices to authenticate the mobile device users and forward their traffic to the Zscaler service. When you run SecureAgent, it installs the policy that you configured on the Zscaler App Portal as a profile on the mobile device and enrolls the device with the Zscaler service. Once the device is enrolled, it establishes a VPN tunnel to the Zscaler gateway “on demand” whenever the user browses the Internet. As the browser retrieves web pages, the service scans all inbound and outbound traffic to protect the device from malware and from malicious apps that could compromise the security of your data.

Deployment Methods

The Zscaler iOS solution offers an enforceable, intelligent on-demand IPsec VPN through which users can forward all mobile traffic (browser and apps) over cellular or Wi-Fi networks to the Zscaler service. The VPN can be used by both supervised and non-supervised iOS devices.

Forwarding Traffic from Supervised Devices

Apple iOS devices can be configured as supervised. Supervision is a useful option for corporate-owned devices because it gives administrators tighter control over them. Admins configure supervised devices over the air through the Apple Device Enrollment Program (DEP) or by using Apple Configurator. (For more information on supervising devices, refer to the Apple iOS documentation.)

Supervised devices support Global HTTP Proxy, a feature that redirects all mobile traffic to a proxy server. You can leverage the Global HTTP Proxy feature to ensure that Internet connectivity over Wi-Fi or cellular networks is always redirected to the Zscaler service, when the IPsec VPN is not in use.

You can use the following traffic forwarding mechanisms for supervised devices:

  • Enforceable VPN: Zscaler recommends this solution, which combines forwarding mobile traffic through the IPsec VPN with defining the Zscaler service as the proxy server in a Global HTTP Proxy profile. If users turn off the VPN, the device falls back to the Global HTTP Proxy profile and still forwards its web traffic to the Zscaler service, so users cannot circumvent the service simply by disabling the VPN.
    Note: Bypasses defined in a PAC file will not work with a VPN.
  • Global HTTP Proxy + Surrogate IP: This solution combines defining the Zscaler service as the proxy server in a global HTTP proxy profile to enforce forwarding all mobile traffic to the Zscaler service and leveraging the Zscaler Surrogate IP feature to map users to device IP addresses. The service then uses this mapping to apply the appropriate group and user policies and for logging purposes. (To learn more about Surrogate IP, see What is Surrogate IP?)
    This is useful, for example, for schools that want to protect student devices when they are on the school Wi-Fi network.

NOTE: The Global HTTP Proxy + Surrogate IP forwarding mechanism can only be used in Wi-Fi networks. It cannot be used in cellular networks.

Forwarding Traffic from Non-Supervised Devices

You can configure non-supervised devices to use the IPsec VPN to forward traffic to the Zscaler service. If your organization has an existing MDM solution, Zscaler recommends that you work with your MDM provider to define a profile that pushes SecureAgent to mobile devices, so that the configuration is enforced rather than left to the user.
Note: Bypasses defined in a PAC file will not work with a VPN.

Requirements

You will need the following:

  • A Zscaler SecureAgent subscription
  • An iOS device (iPhone, iPod touch, or iPad) running iOS 6.0 or later

In addition, configure your firewall to allow the following necessary connections:

  • Apple Push Notification Service: ports 5223, 2195, 2196, and 443
  • Zscaler Enforcement Node (ZEN): port 8080 (outbound only)
  • Web ports: 80, 443, and any dedicated ports (if your organization is subscribed)

Configuration Tasks

A. On the Zscaler App Portal, configure the app profile, and optionally, AUP and reminders.

About the Zscaler App Portal

In addition to the admin portal where you manage users and policies that control web and mobile traffic, the service also provides the Zscaler App Portal where you manage mobile devices.

The Zscaler App Portal provides the following:

  • A dashboard where you can track mobile devices and their compliance status.
  • An App Profiles tab where you can define SecureAgent policies that control and secure mobile devices.
  • An Administration tab where you can create a custom AUP just for mobile devices and where you can define reminders to users who may need to update their security profile.

Configuring a SecureAgent App Profile

The SecureAgent app profile policy controls the functions, apps, and media content that a device can access, and controls how the device forwards traffic to the Zscaler service. The policy is installed as a profile on a mobile device when the SecureAgent app is installed.

The SecureAgent policy specifies the following:

  • The user group to which the policy applies
  • The PAC file URL
    Mobile devices use a PAC file to forward traffic to the service. The service provides a default PAC file that sends all browser traffic to port 8080 of the nearest Zscaler Enforcement Node (ZEN).
    Note: The PAC file is only applicable to devices using Global HTTP Proxy.
  • The traffic forwarding mechanism
  • Apps and content users can access

The service provides a default policy that specifies the default PAC file hosted on the Zscaler cloud for mobile devices. This default policy applies to all groups and cannot be changed or deleted.
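The following PAC file is an added example and is not Zscaler's default PAC file. It shows the shape a custom PAC file for Global HTTP Proxy devices takes: intranet hosts and private address ranges go DIRECT, everything else goes to a ZEN on port 8080, and the fallback is a second ZEN rather than DIRECT so that traffic does not leave uninspected when the first ZEN is unreachable. The ZEN hostnames, the internal domain ".corp.example" and the address ranges are assumptions for illustration. Only FindProxyForURL is the PAC file proper; the functions after it re-implement the PAC built-ins it uses so the file also runs under Node, since on the device the proxy runtime supplies them.

```javascript
// Added example, not Zscaler's default PAC file. A PAC file for iOS devices
// that reach the service through Global HTTP Proxy: intranet traffic goes
// DIRECT, everything else goes to a ZEN on port 8080. The ZEN hostnames,
// the internal domain ".corp.example" and the address ranges are assumptions
// for illustration.
function FindProxyForURL(url, host) {
  // Intranet names and private addresses go direct; the ZEN cannot reach them.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Fail closed: the fallback is a second ZEN, not DIRECT. A trailing DIRECT
  // would let traffic leave uninspected whenever the first ZEN is unreachable.
  return "PROXY zen1.example-zscaler.net:8080; PROXY zen2.example-zscaler.net:8080";
}

// The functions below are stand-ins for the PAC built-ins that the device's
// proxy runtime provides. They exist only so this file also runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}

function isInNet(host, pattern, mask) {
  // Real runtimes resolve hostnames first; this stand-in only accepts IPv4
  // literals, which is all FindProxyForURL above passes to it.
  const quad = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
  if (!quad.test(host)) return false;
  const toInt = (ip) => ip.split(".").reduce((acc, o) => acc * 256 + Number(o), 0);
  const m = toInt(mask);
  return ((toInt(host) & m) >>> 0) === ((toInt(pattern) & m) >>> 0);
}

// Stand-alone demo over a few constructed hostnames.
for (const [u, h] of [
  ["http://intranet/", "intranet"],
  ["https://wiki.corp.example/", "wiki.corp.example"],
  ["http://10.1.2.3/", "10.1.2.3"],
  ["https://www.example.com/", "www.example.com"],
]) {
  console.log(h, "->", FindProxyForURL(u, h));
}
```

Two caveats apply to any PAC file used this way. First, as the notes in this guide state, the bypasses only take effect for devices using Global HTTP Proxy; once the IPsec VPN is up, the tunnel carries the traffic regardless of what the PAC returns. Second, Apple's Global HTTP Proxy payload has a ProxyPACFallbackAllowed key; leaving it false keeps the device from connecting directly when the PAC file itself cannot be fetched, which is the other way proxied devices end up unprotected.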

To add a new policy for iOS devices:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to the App Profiles tab.
  3. Click iOS from the menu on the left and click Add iOS Policy.
  4. Complete the following in the General tab:
    • Enter a name for the policy and, optionally, a description.
    • Enable the rule.
    • The service automatically sets the rule order, which you can change as necessary.
    • Enter a passcode that users must enter before they can remove the profile from their device.
    • Enter the URL from which the device fetches the PAC file.
  5. Do the following in the Traffic Forwarding tab:
    • Enable traffic forwarding.
    • Choose a traffic forwarding mechanism.
    • URL String Probe: Enter a URL that is reachable only from your internal network. The device probes this URL before bringing up the VPN; if the URL can be fetched, the device is on the internal network and does not send its traffic through the VPN. Do not use a URL that is also reachable from the Internet, because the probe would then succeed everywhere and the VPN would never be used.
    • SSID Match: Enter the SSID of your internal wireless local-area network (WLAN). When the device is connected to this SSID, it does not send its traffic through the VPN.
  6. By default, users can access all available apps, functionality, and media content. To restrict access, go to the Restrictions tab, click Enable Restrictions, and select the items you want to block.
  7. If the Apple devices are supervised, select any additional restrictions you want to apply.
  8. Optionally, restrict the content that your users can access. For example, you can allow them to view only PG-rated movies and TV shows and to install a specific number of apps.
  9. Click Save.
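The URL String Probe and SSID Match settings above, and the enforceable VPN described under Forwarding Traffic from Supervised Devices, map onto iOS VPN On Demand rules. The following added example (not Zscaler code or an Apple sample) writes those rules out as the OnDemandRules array of an iOS VPN payload (com.apple.vpn.managed with OnDemandEnabled set to 1) and evaluates them the way iOS does: rules are walked in order and the first rule whose match keys are all satisfied decides the action. It also lints the rule set for the ordering mistakes that silently leave devices without the tunnel. The SSID "CorpWiFi" and the probe URL are assumptions for illustration.

```javascript
// Added example, not Zscaler code or an Apple sample. The "URL String Probe"
// and "SSID Match" options correspond to VPN On Demand rules; this block
// writes them out as the OnDemandRules array of an iOS VPN payload
// (com.apple.vpn.managed with OnDemandEnabled set to 1) and evaluates them
// the way iOS does: rules are walked in order and the first rule whose match
// keys are all satisfied decides the action. The SSID "CorpWiFi" and the
// probe URL are assumptions for illustration.
function buildOnDemandRules({ corpSsids, probeUrl }) {
  return [
    // Connected to the corporate WLAN: keep the VPN down, traffic stays local.
    { SSIDMatch: corpSsids, Action: "Disconnect" },
    // Probe URL answered HTTP 200 without redirect: internal network, VPN down.
    { URLStringProbe: probeUrl, Action: "Disconnect" },
    // Any other Wi-Fi or cellular network: bring the IPsec tunnel up.
    { InterfaceTypeMatch: "WiFi", Action: "Connect" },
    { InterfaceTypeMatch: "Cellular", Action: "Connect" },
    // Catch-all so that no network type is left without the tunnel.
    { Action: "Connect" },
  ];
}

// state = { interfaceType: "WiFi" | "Cellular", ssid: string | null,
//           probe: (url) => boolean }
// probe() stands in for the fetch iOS performs for URLStringProbe and returns
// true only when the URL answered 200 without redirection.
function ruleMatches(rule, state) {
  if ("InterfaceTypeMatch" in rule && rule.InterfaceTypeMatch !== state.interfaceType) {
    return false;
  }
  if ("SSIDMatch" in rule && !(state.ssid !== null && rule.SSIDMatch.includes(state.ssid))) {
    return false;
  }
  if ("URLStringProbe" in rule && !state.probe(rule.URLStringProbe)) {
    return false;
  }
  return true;
}

// Returns the Action of the first matching rule, or null when nothing matches
// (iOS then takes no action and the tunnel is not started).
function evaluateOnDemand(rules, state) {
  for (const rule of rules) {
    if (ruleMatches(rule, state)) return rule.Action;
  }
  return null;
}

// Checks a practitioner should run before pushing a rule set: the ordering
// pitfalls that silently leave devices unprotected.
function lintRules(rules) {
  const problems = [];
  const isCatchAll = (r) => Object.keys(r).every((k) => k === "Action");
  const catchAll = rules.findIndex(isCatchAll);
  if (catchAll === -1) {
    problems.push("no catch-all rule: a network matching no rule gets no VPN");
  } else if (catchAll !== rules.length - 1) {
    problems.push(`rule ${catchAll} matches everything, so the ${rules.length - 1 - catchAll} rule(s) after it never run`);
  } else if (rules[catchAll].Action !== "Connect") {
    problems.push("the catch-all rule does not Connect: unknown networks stay unprotected");
  }
  return problems;
}

// Stand-alone demo with constructed network states.
const demoRules = buildOnDemandRules({
  corpSsids: ["CorpWiFi"],
  probeUrl: "http://intranet-probe.corp.example/ok",
});
const demoProbe = (url) => url.startsWith("http://intranet-probe.corp.example/");
console.log("corp Wi-Fi:", evaluateOnDemand(demoRules, { interfaceType: "WiFi", ssid: "CorpWiFi", probe: () => false }));
console.log("home Wi-Fi:", evaluateOnDemand(demoRules, { interfaceType: "WiFi", ssid: "HomeWiFi", probe: () => false }));
console.log("branch Wi-Fi, probe ok:", evaluateOnDemand(demoRules, { interfaceType: "WiFi", ssid: "BranchWiFi", probe: demoProbe }));
console.log("lint:", lintRules(demoRules));
```

The order of the Disconnect rules before the Connect rules is what makes the probe and SSID exceptions work; an unconditional Connect placed first would shadow everything after it, which is the case the lint reports. The probe URL must answer only from inside the network, since a publicly reachable probe would match the Disconnect rule on every network.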

Configuring the Acceptable Use Policy (AUP)

You can create an Acceptable Use Policy (AUP) statement specifically for mobile devices and require users to accept it before the Zscaler service allows them to browse the Internet from their mobile devices. To configure:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to Administration.
  3. Go to Zscaler App Notifications from the menu on the left.
  4. In the Acceptable Usage Policy (AUP) Settings tab, complete the following:
    • Choose how often the service displays the AUP page. You can choose one of the predefined intervals or select Custom and enter the number of days, between 1 and 180 inclusive. The service tracks the AUP acceptance time and expiration for the user.
    • Type in or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can click Preview AUP Message to view the AUP as your users would see it.
  5. Click Save.

Configuring Reminder Notifications

You can send reminders on demand or schedule reminders to users who turn off the Zscaler VPN or who need to update their SecureAgent profile.

To schedule reminders:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to Administration.
  3. Go to Zscaler App Notifications from the menu on the left.
  4. In the Reminder Notification Settings tab, complete the following:
    • Choose how often the service sends the reminders.
    • Type in or paste text for the reminder. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet.
  5. Click Save to exit the dialog.

To send a reminder to a user:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to Enrolled Devices.
  3. Choose Device Overview from the menu on the left.
  4. Point to the user and click the Device Details icon.
  5. Click Send Reminder.

 

B.  Supervise and Deploy a Global HTTP Proxy over the air

You can supervise devices and deploy a Global HTTP Proxy over the air using Apple's Device Enrollment Program or by using Apple Configurator.

 

C.  Install SecureAgent on a mobile device and register the mobile device to the Zscaler service.

About SecureAgent

The Zscaler SecureAgent app is used in conjunction with the Zscaler service to secure every aspect of your users’ mobile usage. SecureAgent is required on all mobile devices that forward traffic to the Zscaler service.

When a user installs SecureAgent on a mobile device, SecureAgent authenticates the user using your corporate authentication mechanism and does the following:

  • Installs the appropriate SecureAgent profile, which includes the VPN settings and certificates. The service generates a unique per-user VPN certificate which establishes the user context.
  • Registers the mobile device to the Zscaler service.

The device then establishes a VPN tunnel to the Zscaler gateway “on demand” whenever the user surfs the Internet. The Zscaler service can now enforce group and user policies and provide per-user and per-department logging and reporting.

Additionally, SecureAgent displays notifications to users when the service blocks transactions due to policy or malware that it detected. The service issues notifications to mobile devices via the Apple Push Notification Service. Zscaler SecureAgent then displays the notifications and stores them until the user clears them. These notifications inform the user about the transactions blocked from specific apps, including the reasons. You can customize the notifications that are displayed to the user on the Zscaler Admin Portal.

Users can download and install SecureAgent from the App Store. If your organization has an MDM, Zscaler recommends that you work with your MDM solution provider to define a profile that pushes SecureAgent to mobile devices.

Installing SecureAgent on a Device

Zscaler SecureAgent for Apple iOS devices is available for download from the App Store. When you install it, ensure that SecureAgent is allowed to send push notifications to your iOS device; the service delivers its block notifications through the Apple Push Notification Service.

Registering the Device

  1. On the mobile device, tap the installed SecureAgent app.
  2. When the login form appears, enter the user's Zscaler credentials. SecureAgent starts the registration process.
  3. When SecureAgent is ready to install the profile, tap Install.
  4. If a passcode is set on the device, you may be asked to enter it.
  5. When the app displays the warning, tap Install.

SecureAgent displays a confirmation page after the profile is successfully installed.

Installing SecureAgent with an MDM

For non-supervised devices, Zscaler recommends that you work with your MDM solution provider to push SecureAgent to mobile devices.

Your MDM provider will need to do the following:

  • Deploy a certificate for each user.
  • Optionally, configure a PIN to restrict the removal of the profile.

Configuration Example: Airwatch

The admin must complete the following tasks:

  1. Create an iOS device supervision and device enrollment plan.
  2. Configure SecureAgent profiles on the Zscaler App Portal. See Configuring a SecureAgent App Profile.
  3. Configure Airwatch Profiles to push the Zscaler SecureAgent app. See Configure Airwatch Profiles to Push SecureAgent.

On the iOS device, users must do the following:

  1. Enroll the device to Airwatch. For information about this task, refer to the Airwatch documentation.
    Note that once the device is enrolled to the Airwatch MDM, Zscaler SecureAgent will be installed on the device automatically.
  2. Register the iOS device to the Zscaler service. See Registering the Device.

Configure Airwatch Profiles to Push SecureAgent

This document assumes that the Airwatch MDM is already deployed and user/group configuration and other related configurations required to enroll the device to the MDM are already completed. Please contact Airwatch Support for the deployment instructions.

This section provides guidelines on how to push the SecureAgent app using the Airwatch MDM. For additional information on the steps and questions related to Airwatch MDM, please contact Airwatch Support.

  • Configure an 'Apps & Books' profile for the 'Zscaler SecureAgent' iOS app so that it is installed on the user's device when the user enrolls with Airwatch MDM. Note the following:
    • Zscaler SecureAgent for iOS devices is available on the App Store, and the Airwatch profile can be configured to install the app using its App Store link.
    • On supervised devices, the app is installed silently.
    • On non-supervised devices, silent installation is not always possible and may require user approval. Contact Airwatch Support for the exact steps.

D.  Enable SecureAgent to push notifications to users.

The Zscaler service can push notifications to users when it blocks or restricts mobile apps from accessing certain sites, files, or Internet applications. For example, it sends a notification when an app tries to reach a site flagged for known vulnerabilities, or when an app is blocked because it is known to leak information to third parties. Notifications are sent for known apps as well as for apps the service cannot identify. After the initial notification, you can suppress subsequent notifications for a chosen number of minutes so that a single app does not generate a burst of notifications; the suppression interval applies per app and per user.

To configure notifications for the SecureAgent app:

  1. From the admin portal, go to Administration > Resources > SecureAgent Notifications.
  2. Complete the following:
    • Enable Send Push Notifications.
    • You can enable the service to suppress the notification for a certain time period so the user sees the notification at certain intervals only and not after every blocked transaction.
    • Enable Send Notifications for Unknown Apps to allow the service to send notifications when it blocks or restricts access to apps that it cannot identify.
    • Enter the text for the Notification Message (up to 128 bytes).
  3. Click Save and activate the change.

 

E. If applicable, enable Surrogate IP for the location.

If you are using the Global HTTP Proxy + Surrogate IP traffic forwarding mechanism, go to the Admin Portal and enable Surrogate IP for the location.

 

F.  If applicable, enable SSL Inspection.

You can enable SSL inspection to allow the Zscaler service to decrypt and inspect HTTPS traffic to and from the browser on a mobile device, and to and from the destination server. SecureAgent installs the Zscaler intermediate certificate by default. If you would like to use an intermediate certificate signed by your own CA, install that certificate on the mobile devices. For more information on SSL inspection, see How do I deploy SSL inspection?

Enabling SSL Inspection

To enable SSL inspection for mobile devices:

  1. From the admin portal, go to Policy > SSL Inspection.
  2. In the Policy for Mobile Traffic section, select Enable SSL Scanning for Mobile Traffic.
  3. Click Save and activate the change.

Exempting URLs from SSL Inspection

To exempt specific URLs from SSL inspection, add them to the Bypassed URLs list. The service does not decrypt transactions to sites in this list. The following instructions describe how to create a custom category for the URLs and how to add the custom category to the Bypassed URLs list. If you already have a custom category for bypassed URLs, edit the category and add the URLs.

To create a custom URL category:

  1. From the admin portal, go to Administration > URL Categories.
  2. Click Add and do the following:
    • Enter a name for the category.
    • Add the following to the Custom URLs field:
      • itunes.apple.com
      • .mzstatic.com
      • gs.apple.com
      • albert.apple.com
      • phobos.apple.com
      • securemetrics.apple.com
      • .phobos.apple.com
      • mzstatic.com
      • deimos.apple.com
      • .deimos.apple.com
      • .albert.apple.com
      • .gs.apple.com
      • ax.itunes.com
      • .ax.itunes.com
      • .securemetrics.apple.com
      • .itunes.apple.com
  3. Click Save and activate the change.

To add the custom category to the Bypassed URL Categories list:

  1. From the admin portal, go to Policy > SSL Inspection.
  2. From Bypassed URL Categories, choose the URL category that contains the URLs that are exempted from decryption.
  3. Click Save and activate the change.

About the Dashboard

The Dashboard provides information about the mobile devices in your organization on which SecureAgent is installed. It offers multiple views so you can monitor the status of the devices and take action when you see unregistered devices or devices with outdated profiles.

To learn more about the Dashboard, see About the Zscaler App Portal.

Removing a Profile

You can remove a profile from a device if, for example, an employee leaves the company. To remove a profile:

  1. From the Zscaler App Portal, go to the Enrolled Devices tab.
  2. Choose Device Overview from the menu on the left.
  3. Point to the user and click the Device Details icon.
  4. Click Remove.