Zscaler Mobile Deployment Guide for Android Devices

With the proliferation of mobile devices, both corporate and user owned, security for mobile devices has become increasingly critical. The Zscaler SecureAgent app extends the Zscaler security service to Android devices, whether they’re connected to Wi-Fi or cellular networks.

When a user installs SecureAgent on a mobile device, SecureAgent authenticates the user and does the following:

  • Enforces the appropriate SecureAgent policy, which includes a quota for cellular data for mobile devices.
  • Registers the mobile device to the Zscaler service.
  • Displays notifications to users when the service blocks transactions due to policy or malware that it detected. The service issues notifications to Android mobile devices via Google Cloud Messaging. Zscaler SecureAgent then displays these notifications and stores them until they are cleared. These notifications inform the user about the transactions blocked from specific apps, including the reasons. You can customize the notifications that are displayed to the user on the Zscaler admin portal.

SecureAgent establishes a proprietary, secure HTTP-tunnel-based VPN to forward mobile traffic from the device to the Zscaler service. The VPN tunnel is enforceable on Samsung devices running Android 4.1 and above; Zscaler uses the Samsung Approved for Enterprise (SAFE) KNOX APIs to enforce it. (Note that on non-Samsung Android devices, users may be able to turn off the VPN.)

Users can download and install SecureAgent from the Google Play store. If your organization has an MDM, Zscaler recommends that you work with your MDM solution provider to define a profile to push SecureAgent to Android mobile devices.

Firewall Requirements

To ensure that users on your corporate network receive the SecureAgent notifications, configure your firewall to allow the following connections:

  • To enable connectivity with Google Cloud Messaging (GCM): Ports 5228, 5229 and 5230. GCM typically uses 5228, but it sometimes uses 5229 and 5230.
  • To enable connectivity with a Zscaler Enforcement Node (ZEN): Port: 8080. (outbound only)
  • To enable connectivity with Web servers:  Ports 80, 443.

Configuration Tasks

The following tasks secure the mobile devices of current Zscaler users. This guide assumes that the users have been provisioned on the service, that an authentication mechanism is in place, and that the policies have been configured on the admin portal.

A. On the Zscaler App Portal, configure the app profile, and optionally, AUP and reminders.

B. Install SecureAgent and Ztunnel on a mobile device (manually or with an MDM) and register the mobile device on the Zscaler service.

C. Enable SecureAgent to push notifications.

After you complete these tasks, you can view the status of devices by going to the dashboard.

A. On the Zscaler App Portal, configure the app profile, and optionally, AUP and reminders.

About the Zscaler App Portal

From the Zscaler admin portal, you can go to the Zscaler App Portal to manage your mobile devices. The Zscaler App Portal provides the following:

  • A dashboard where you can track mobile devices and their compliance status.
  • An App Profiles tab where you can define SecureAgent policies.
  • An Administration tab where you can create a custom AUP just for mobile devices and where you can define reminders to users who may need to update their security profile.

About the SecureAgent App Profile

The SecureAgent policy specifies the following:

  • The user group to which the policy applies
  • The PAC file URL
    Mobile devices use a PAC file to forward traffic to the service. The service provides a default PAC file that sends all browser traffic to port 8080 of the nearest Zscaler Enforcement Node (ZEN).
  • Cellular quota settings
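As an added example (not Zscaler's default PAC file), the following custom PAC file shows what a policy's PAC URL can point to: all traffic goes to a ZEN on port 8080 and only internal destinations go DIRECT. The ZEN hostname and the internal domain are placeholders (assumptions) that you would replace per deployment; the two helper functions replicate standard PAC functions so the logic can be run under Node, whereas a browser's PAC engine supplies its own.

```javascript
// Added example (not Zscaler's default PAC): a custom PAC file for
// SecureAgent-managed devices. Sends everything to a ZEN on port 8080 and
// bypasses only internal destinations. ZEN and INTERNAL_DOMAIN are
// placeholders (assumptions). Written with var/function so that older PAC
// engines accept it.

// Standard PAC helper: hostname without any dot.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

// Standard PAC helper: true when host ends with domain. Pass the domain with
// a leading "." so that "evilcorp.example.com" does not match
// ".corp.example.com".
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.slice(host.length - domain.length) === domain;
}

// Private/loopback check for IP-literal hosts only. The standard isInNet()
// resolves hostnames, which is slow on mobile and sends DNS queries outside
// the tunnel, so names are deliberately never resolved here.
function isPrivateLiteral(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

var ZEN = "PROXY zen-placeholder.example.net:8080"; // assumption: your ZEN/gateway
var INTERNAL_DOMAIN = ".corp.example.com";          // assumption: your internal domain

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || host === "localhost") return "DIRECT";
  if (dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  if (isPrivateLiteral(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the ZEN is unreachable the request fails
  // rather than silently bypassing inspection (fail closed).
  return ZEN;
}
```

Two design choices matter here. The return value for external hosts has no `; DIRECT` fallback, so a device that cannot reach the ZEN fails closed instead of browsing uninspected; add the fallback only if availability outweighs that. And the internal domain carries a leading dot, because a suffix match on `corp.example.com` would also send `evilcorp.example.com` direct.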

Configuring a SecureAgent App Profile

The service provides a default policy that you cannot change or delete. The default policy applies to all groups and specifies the default PAC file that is hosted on the Zscaler cloud.

To add a new policy for Android devices:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to the App Profiles tab.
  3. Click on Android from the menu on the left and click Add Android Policy.
  4. Complete the following in the General tab:
    • Enter a name for the policy and optionally, a description.
    • Enable the rule.
    • The service automatically sets the rule order, which you can change, as necessary.
    • Enter the passwords that users need to enter before they can log out of the service or uninstall SecureAgent from their device.
    • Enter the URL from which the device fetches the PAC file.
    • Select Install Zscaler SSL Certificate to install the Zscaler intermediate certificate, if SSL interception is enabled for your organization.
  5. Optionally, define cellular quota enforcement settings.
    You can define a monthly cellular quota to ensure that cellular bandwidth is reserved for business apps. As shown in Image 1, before the quota is exceeded, users can use cellular data for both personal and business apps.
    After the quota is exceeded (Image 2), only your corporate apps can use cellular data. Personal apps are not allowed to use the cellular data network, but they can still be used on Wi-Fi. The quota affects cellular data only; it does not affect Wi-Fi.
    • Enable quota enforcement.
    • Select whether to enforce the quota only when users are roaming.
    • Specify the quota in MB.
    • Optionally, enter the SSID of your internal wireless local-area network (WLAN). When the device is connected to this SSID, it does not send traffic through the VPN. Note that an SSID is not an authenticated identifier; any access point can broadcast the same name, so traffic bypasses the VPN on any network that uses this SSID, not only your own.
    • Optionally, list the apps that are excluded from the quota calculation.
    • Type in or paste text for the notification. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet.

Image 1

Image 2

  6. Click Save.

Configuring the Acceptable Use Policy  (AUP)

You can create an Acceptable Use Policy (AUP) statement specifically for mobile devices and require users to accept it before the Zscaler service allows them to browse the Internet from their mobile devices. To configure:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to Administration.
  3. Go to Zscaler App Notifications from the menu on the left.
  4. In the Acceptable Usage Policy (AUP) Settings tab, complete the following:
    • Choose how often the service displays the AUP page. You can choose one of the predefined intervals or select Custom and enter the number of days, between 1 and 180 inclusive. The service tracks the AUP acceptance time and expiration for each user.
    • Type in or paste an "Acceptable Use" statement. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet. You can click Preview AUP Message to view the AUP as your users would see it.
  5. Click Save.

Configuring Reminder Notifications

You can schedule reminders to users who turn off the Zscaler VPN or who need to update their SecureAgent profile. You can also send reminders on demand to users who have not been active.

To schedule reminders:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to Administration.
  3. Go to Zscaler App Notifications from the menu on the left.
  4. In the Reminder Notification Settings tab, complete the following:
    • Choose how often the service sends reminders.
    • Type in or paste text for the reminder. You can enter HTML tags as well as images, as long as the image files are accessible from the Internet.
  5. Click Save to exit the dialog.

To send a reminder to a user:

  1. Go to Policy > Zscaler App Portal.
  2. From the Zscaler App Portal, go to Enrolled Devices.
  3. Choose Device Overview from the menu on the left.
  4. Point to the user and click the Device Details icon.
  5. Click Send Reminder.

B. Install SecureAgent and Ztunnel on a mobile device and register the mobile device on the Zscaler service.

Installing SecureAgent and Ztunnel

This section describes how to install SecureAgent and Ztunnel on a device and how to deploy both with an MDM.

NOTE: If you already have SecureAgent on your device, but not Ztunnel, see Installing Ztunnel on a Device.

Installing SecureAgent on a Device

Users can download and install SecureAgent from the Google Play Store: https://play.google.com/store/apps/details?id=com.zscaler.zsecureagent

  1. Click Install to begin the installation.
  2. When Google Play prompts for app permissions, click Accept.

Installing Ztunnel on a Device

After installing SecureAgent, download and install Ztunnel from the Zscaler website: https://mobileapps.zscaler.com/public/index.php

  1. Click Install Application to download the Ztunnel Android Application Package (APK).
  2. Open the Ztunnel APK file.
  3. Click INSTALL to install Ztunnel.
  4. Click DONE to finish the installation.

Because Ztunnel is installed from outside Google Play, the device must allow installation from unknown sources (Settings > Security on most Android versions). If your device policy restricts this setting, push Ztunnel through your MDM instead, as described in Installing with an MDM.

Registering the Device

  1. After Google Play downloads SecureAgent, click OPEN.
  2. Activate SecureAgent.
  3. Click Confirm to accept Samsung’s enterprise license management agreement.
  4. Enter your Zscaler username and password.
  5. Click Agree when the Acceptable Use Policy appears.

SecureAgent displays the Enforcement Status screen after the device is successfully enrolled.

Users can later use the Policy Notification and Quota Notification tabs to see whenever an app or URL is blocked.

Installing with an MDM

Zscaler recommends that you work with your MDM solution provider to push SecureAgent to mobile devices. You can push Ztunnel to mobile devices with MDM as well.

Configuration Example: Airwatch

The admin must complete the following tasks:

  1. Configure SecureAgent policies on the Zscaler App Portal. See Configuring a SecureAgent App Profile.
  2. Configure Airwatch Profiles to push the Zscaler SecureAgent app and Ztunnel. See Configure Airwatch Profiles to Push SecureAgent and Ztunnel.

On the Android device, users must do the following:

  1. Enroll the device in Airwatch. For information about this task, refer to the Airwatch documentation.
  2. When the device is enrolled in the Airwatch MDM, Airwatch automatically installs Zscaler SecureAgent (and Ztunnel, if you assigned it). The user can then register the device to the Zscaler service, as described in Registering the Device.

Configure Airwatch Profiles to Push SecureAgent and Ztunnel

This document assumes that the Airwatch MDM is already deployed and user/group configuration and other related configurations required to enroll the device to the MDM are already completed. Please contact Airwatch Support for the deployment instructions.

This section provides guidelines on how to push SecureAgent and Ztunnel using the Airwatch MDM. For additional information on the steps, please contact Airwatch Support.

Configure an 'Apps & Books' profile for the Zscaler SecureAgent Android app and for Ztunnel:

  1. Create an Internal app profile on the Airwatch MDM and upload SecureAgent.
  2. Assign SecureAgent to the groups that need the Zscaler service and select "auto push."
  3. Create an Internal app profile on the Airwatch MDM and upload Ztunnel.
  4. Assign Ztunnel to the groups that need the Zscaler service and select "auto push."

C. Enable SecureAgent to push notifications to users.

The Zscaler service can push notifications to users when it blocks or restricts mobile apps from accessing certain sites, files, or Internet applications. For example, the Zscaler service will send a notification when an app tries to access a site that has certain vulnerabilities or when an app is blocked because it is known to leak information to third parties. The Zscaler service can send notifications when it blocks or restricts known apps as well as those that it cannot identify. After the initial notification, you can suppress subsequent notifications for a selected number of minutes, to avoid users receiving multiple successive notifications from a single app. You can specify the number of minutes per app and per user.

To configure notifications for the SecureAgent app:

  1. From the admin portal, go to Administration > Resources > Secure Agent Notifications.
  2. Complete the following:
    • Enable Send Push Notifications.
    • Optionally, enable suppression and enter the number of minutes during which further notifications for the same app and user are held back, so the user is notified at intervals rather than after every blocked transaction.
    • Enable Send Notifications for Unknown Apps to allow the service to send notifications when it blocks or restricts access to apps that it cannot identify.
    • Enter the text for the Notification Message (up to 128 bytes).
  3. Click Save and activate the change.
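The following is an added example, not Zscaler's own implementation, of the decision logic these settings describe: whether push is enabled, a suppression window applied per user and per app, whether unknown apps are reported, and the 128-byte cap on the message. It assumes the suppression window is a single value in minutes and that the block events arrive in time order; the event records and settings are constructed sample data. The truncation counts UTF-8 bytes rather than characters, which is the detail that matters when the message text is not plain ASCII.

```javascript
// Added example (not Zscaler's code): notification planning for blocked
// transactions, modelled as a pure function so the settings can be tested
// together. Assumptions: one suppression window in minutes, applied per
// (user, app); events are in time order; time is milliseconds since epoch.

const MAX_MESSAGE_BYTES = 128;

// Truncate to at most MAX_MESSAGE_BYTES of UTF-8 without splitting a
// multibyte character. Counting characters instead of bytes would let a
// message containing non-ASCII text exceed the limit.
function truncateMessage(text) {
  let out = "";
  for (const ch of text) { // iterates by code point, not UTF-16 unit
    if (Buffer.byteLength(out + ch, "utf8") > MAX_MESSAGE_BYTES) break;
    out += ch;
  }
  return out;
}

// settings: { sendPush, suppressMinutes, notifyUnknownApps, message }
// events:   [{ user, app, unknownApp, time }]
// Returns the notifications that would actually be pushed.
function planNotifications(settings, events) {
  const sent = [];
  if (!settings.sendPush) return sent;
  const lastSent = new Map(); // "user|app" -> time of the last push
  const windowMs = settings.suppressMinutes * 60 * 1000;
  const message = truncateMessage(settings.message);
  for (const ev of events) {
    if (ev.unknownApp && !settings.notifyUnknownApps) continue;
    const key = `${ev.user}|${ev.app}`;
    const prev = lastSent.get(key);
    // Suppress only while the window is still open; a block exactly at the
    // boundary is delivered again and starts a new window.
    if (prev !== undefined && ev.time - prev < windowMs) continue;
    lastSent.set(key, ev.time);
    sent.push({ user: ev.user, app: ev.app, time: ev.time, message });
  }
  return sent;
}

// Constructed sample data (not real Zscaler settings or logs).
const SAMPLE_SETTINGS = {
  sendPush: true,
  suppressMinutes: 10,
  notifyUnknownApps: false,
  message: "Blocked by corporate policy. Contact the help desk if this app is required for work.",
};
const T0 = Date.UTC(2014, 0, 1, 9, 0, 0);
const MIN = 60 * 1000;
const SAMPLE_EVENTS = [
  { user: "alice", app: "com.example.game",  unknownApp: false, time: T0 },            // sent
  { user: "alice", app: "com.example.game",  unknownApp: false, time: T0 + 5 * MIN },  // suppressed
  { user: "bob",   app: "com.example.game",  unknownApp: false, time: T0 + 5 * MIN },  // other user: sent
  { user: "alice", app: "com.example.other", unknownApp: false, time: T0 + 6 * MIN },  // other app: sent
  { user: "alice", app: "unknown",           unknownApp: true,  time: T0 + 7 * MIN },  // unknown app: dropped
  { user: "alice", app: "com.example.game",  unknownApp: false, time: T0 + 10 * MIN }, // window elapsed: sent
];

function demo() {
  return planNotifications(SAMPLE_SETTINGS, SAMPLE_EVENTS);
}
```

Running `demo()` yields four notifications out of six block events: the repeat from the same user and app inside the window and the unknown-app event are dropped, while the same app blocked for a different user, a different app for the same user, and the repeat once the window has elapsed all go through.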

About the Dashboard

The Dashboard provides information about the mobile devices that have SecureAgent in your corporate network. The Dashboard provides multiple views so you can monitor the status of the mobile devices and take action when you see unregistered devices or devices with outdated profiles.

To learn more about the Dashboard, see About the Zscaler App Portal.

Removing a Profile

You can remove a profile from a device if, for example, an employee leaves the company. To remove a profile:

  1. Go to Policy > Zscaler App Portal, then go to the Enrolled Devices tab.
  2. Choose Device Overview from the menu on the left.
  3. Point to the user and click the Device Details icon.
  4. Click Remove.