Isolation (CBI)
Creating Isolation Profiles for ZPA
To configure browser isolation for your application, you must use a Zscaler Private Access (ZPA) isolation profile. These profiles determine certain attributes and specifications of the isolation browser. They also define how the isolation browser handles web requests, as well as the level of interaction with the user's native browser. You can use isolation profiles to create policies in ZPA to isolate specific web applications. To learn more, see About Isolation Policy and Configuring Isolation Policies.
Prerequisites
Before creating an isolation profile for ZPA, make sure Isolation is enabled for your organization in ZPA.
Creating a ZPA Isolation Profile
To create a new ZPA isolation profile:
- Go to Configuration & Control > Browser Isolation > Isolation Profiles.
- Click Add Isolation Profile.
  The Add Isolation Profile window appears.
- In the Add Isolation Profile window:
  - On the General tab:
    - Name: Create a name for the ZPA isolation profile.
    - Turbo Mode: Enable or disable Turbo Mode. To learn more, see Using Turbo Mode for Isolation.
    - Description: (Optional) Enter a description.
    Click Next.
  - On the Company Settings tab:
    - Enable or disable Forward Internet Traffic via ZIA. To learn more, see Forwarding Traffic from ZPA Profiles to ZIA in Isolation.
    - Enter the Organization ID and Cloud Name.
    - Select to use either a recommended or custom PAC file.
    - Enable at least one Root Certificate to deploy. The Zscaler Root Certificate is applied by default, and you cannot disable it. To learn more, see About Root Certificates for Isolation in ZPA.
    - Enable or disable Debug Mode. If you enable it, you must set a password for the ZIP file that is created at the end of a debug troubleshoot. Make sure to share the password with the user associated with the isolation profile. To learn more, see Using Debug Mode for Isolation.
    Click Next.
  - On the Security tab, enable or disable the following settings:
    - Allow copying and pasting between your computer and the isolation browser.
    - Allow file transfers between your computer and the isolation browser. If you enable this feature, select whether the file transfer will be a Flattened PDF or the Original File.
    - Allow printing of web pages and inline content from isolation.
    - Restrict keyboard/text input to isolated web pages.
    - Allow viewing Office files while in isolation.
    - Allow local browser rendering while in isolation.
    - Enabling Mic and Camera means the user can access their device's microphone and camera functionality while in an isolated session. This option can only be enabled if Turbo Mode is also enabled.
    - Enabling Application Deep Linking allows users to open applications from their local machine via the rendered deep link data on an isolated web page. From there, the user can click the rendered link in the isolated browser, and open the application for use on their machine. If you enable this feature, add the specific links for the allowed applications to the list. If you disable this feature for the isolation profile, or an application is not on the list in the isolation profile, the user sees an error message explaining that the application isn't allowed by policy.
    Click Next.
  - On the Regions tab, from the drop-down menu, select at least two regions where the isolation profile should be available.
    Click Next.
  - On the Isolation Experience tab:
    - From the drop-down menu, select an Isolation Banner. The option you choose shows a preview banner in the window. Choose from existing banners, or create custom isolation banners to use for your isolation profiles. To learn more, see Adding a Banner Theme for the Isolation End User Notification in ZPA.
    - Enable or disable the option to have a persisting isolation URL bar.
    - Select the Isolation Experience mode:
      - Native browser experience: This mode provides the user with a browsing experience similar to accessing the native web page with a typical browser. Admins can also customize this view.
      - Browser-in-browser experience: This mode provides the user with the complete look and feel of an isolated session experience. To learn more, see User Experience Modes in Isolation.
    - (Optional) Enable Persistent State: Enabling this option causes the data from a user's active session to carry over to their new session each time they begin an isolated session. If you enable this feature, the Enable Persistent State window displays a consent message for you to read before confirming enablement. Click Enable. If you do not enable it, the data does not persist, meaning it is destroyed with the container when the user logs out or exceeds the session timeout. To learn more, see Using Persistent State for Isolation.
    - Enable or disable the option to use a watermark while in isolation. Admins can enable watermarking per isolation profile and choose to display the user ID, date and timestamp (in UTC), and a custom message.
    - (Optional) Enable Language Translation: This allows the user to translate any text from isolated web pages to the language of the user's choice. To learn more, see Using the Isolation Bar in Native Browser Experience.
- Click Save.
When saved, your new profile appears in the list of ZPA isolation profiles. You can edit or delete a profile directly from the list. However, you cannot delete ZPA isolation profiles used in ZPA isolation policies. To learn more, see Editing Your Isolation Profile for ZPA and Deleting an Isolation Profile for ZPA.
You can use this isolation profile to create policies in ZPA to isolate specific web applications. To learn more, see Configuring Isolation Policies.
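Several settings in the procedure above depend on one another (Mic and Camera on Turbo Mode, Debug Mode on a ZIP password, a minimum of two regions), and a planned profile can be checked against those rules before it is entered in the wizard. The following is an added example, not Zscaler code or part of the original page; the dictionary keys, region names, and deep link are hypothetical and do not reflect any Zscaler API schema.

```python
# Added example: offline consistency check for a ZPA isolation profile draft.
# Key names are hypothetical labels for the wizard settings, not a Zscaler API schema.
FILE_TRANSFER_MODES = {"Flattened PDF", "Original File"}
EXPERIENCE_MODES = {"Native browser experience", "Browser-in-browser experience"}
ZSCALER_ROOT = "Zscaler Root Certificate"


def validate_profile(p):
    """Return rule violations for a draft; an empty list means it is consistent."""
    errors = []
    if not p.get("name", "").strip():
        errors.append("General: Name is required")
    if ZSCALER_ROOT not in p.get("root_certificates", []):
        errors.append("Company Settings: Zscaler Root Certificate cannot be disabled")
    if p.get("debug_mode") and not p.get("debug_zip_password"):
        errors.append("Company Settings: Debug Mode requires a ZIP file password")
    if p.get("file_transfer") and p.get("file_transfer_mode") not in FILE_TRANSFER_MODES:
        errors.append("Security: file transfer must be Flattened PDF or Original File")
    if p.get("mic_and_camera") and not p.get("turbo_mode"):
        errors.append("Security: Mic and Camera requires Turbo Mode")
    if p.get("deep_linking") and not p.get("deep_link_allowlist"):
        errors.append("Security: Application Deep Linking needs at least one allowed link")
    if len(set(p.get("regions", []))) < 2:
        errors.append("Regions: select at least two regions")
    if p.get("experience_mode") not in EXPERIENCE_MODES:
        errors.append("Isolation Experience: unknown experience mode")
    return errors


# Constructed sample drafts (region names and the deep link are placeholders).
GOOD_DRAFT = {
    "name": "finance-apps", "turbo_mode": True, "mic_and_camera": True,
    "root_certificates": [ZSCALER_ROOT], "debug_mode": False,
    "file_transfer": True, "file_transfer_mode": "Flattened PDF",
    "deep_linking": True, "deep_link_allowlist": ["exampleapp://"],
    "regions": ["region-a", "region-b"],
    "experience_mode": "Native browser experience",
}
BAD_DRAFT = dict(GOOD_DRAFT, turbo_mode=False, debug_mode=True,
                 regions=["region-a", "region-a"], deep_link_allowlist=[])

if __name__ == "__main__":
    for label, draft in (("good", GOOD_DRAFT), ("bad", BAD_DRAFT)):
        print(label, validate_profile(draft) or "OK")
```
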