icon-unified.svg
Experience Center

Enabling Private Applications for a Group of Users

You can use Zscaler Service Entitlement to select which users can enroll into Private Applications. Configuring Private Applications using a small subset of users allows for testing before rolling out the service to all users.

To enable Private Applications for only a select group of users, you must deploy Zscaler Client Connector 1.2.4 or later. However, earlier versions of Zscaler Client Connector always have Private Applications enabled, regardless of the Zscaler Service Entitlement setting.

  • For Private Applications instances created before July 2017, Private Applications is enabled for all users by default. This preserves the existing behavior of Private Applications enrollment prior to the addition of the selective entitlement feature.
  • For Private Applications instances created after July 2017, Private Applications is disabled by default. This allows you to determine when and how to provision Private Applications for your users.

If you’re using device groups, the user must belong to both the device group and user group to avoid disconnecting Private Applications services.

Enabling Private Applications for User Groups

To enable Private Applications for a group of users:

  1. In the Admin Portal, go to Administration > Entitlements > Private Access.
  2. To enable Private Applications for only a group of users, ensure that ZPA Enabled by Default for User Tunnel is disabled. If this setting is enabled, Private Applications is available for all users and you cannot assign Private Applications to a group.

Configure setting for ZPA Enabled by Default for User Tunnel

  1. Select a group of users from the drop-down menu and click Done. The default setting is None. This option means no groups have access to Private Applications. This allows users to keep their current settings.

These groups are defined in the Admin Portal. If you do not see your groups, ensure that the directory groups were synced properly between Internet & SaaS and Zscaler Client Connector. To learn more, see Syncing Directory Groups between the Internet & SaaS and Zscaler Client Connector.

  1. Click Save.

This updates your users' devices the next time they connect. If they are already connected, the devices automatically update in 60 minutes. To manually update their devices, users can go into Zscaler Client Connector and click Update Policy from the More window. After manually refreshing the device, they must reauthenticate on the Private Access page.

Possible Configurations for Private Applications

The following table provides possible configurations for the Zscaler Service Entitlement feature and the resulting behavior of the Private Applications service:

Enabled by Default for User TunnelGroups SpecifiedBehavior
EnabledN/APrivate Applications service is enabled for all users
DisabledNoPrivate Applications service is not enabled for any users
DisabledYesPrivate Applications service is enabled only for the specified group of users
Related Articles
About Zscaler Service EntitlementEnabling Private Applications for a Group of UsersConfiguring Private Applications Machine Tunnel for AllEnabling Digital Experience Monitoring for a Group of UsersEnabling Deception for a Group of UsersAbout Device GroupsCreating Device GroupsSearching for Device GroupsEnabling Private Applications for Device GroupsEnabling Zscaler Deception for Device GroupsEnabling Digital Experience Monitoring for Device GroupsEnabling Internet & SaaS for Device Groups