You can use Zscaler Service Entitlement to enroll Device Groups in Private Applications. Configuring Private Applications using device groups allows you to assign entitlements and policy settings based on ownership through device posture profiles. For example, one user can have two devices, one personal and one employer-provided. The personal device can be enrolled in Private Applications, and the employer-provided device can be enrolled in Private Applications and Internet & SaaS.

To enable Private Applications for device groups, you must deploy Zscaler Client Connector 3.9 or later.

Enabling Private Applications for Device Groups

To enable Private Applications for device groups:

1. In the Admin Portal, go to Administration > Entitlements > Private Access.
2. To enable Private Applications for device groups, ensure that ZPA Enabled by Default for User Tunnel is disabled. If this setting is enabled, Private Applications is available for all users and you cannot assign Private Applications to a group.
3. Select one or more groups from the Device Groups drop-down menu.

Groups are defined in the Device Groups section in the Admin Portal under Infrastructure. For more information, see About Device Groups.

6. Click Save.

Your users' devices are updated the next time they connect. If they're already connected, devices automatically update in 60 minutes. Users can manually update their devices in Zscaler Client Connector. On the More page, click Update Policy. After manually refreshing the device, they must reauthenticate on the Private Access page.