Configuring Zscaler App Profiles


Zscaler App profiles control the following key settings and behaviors:

  • Whether users must enter an admin-provided password in order to log out of, disable, or uninstall the app
  • The forwarding profile for the Internet Security service and Zscaler Private Access (ZPA)

Additionally, if you are using the app for Internet Security:

  • Whether the app can install the Zscaler SSL certificate on users' devices to allow SSL inspection of traffic forwarded by the app
  • How the app generates logs and the maximum size of its log files

In the Zscaler App portal, you configure app profiles by adding policy rules to each profile. You can select the order of precedence among the rules as well as to whom each rule applies (i.e., to all users or to specific groups of users). When a user enrolls the app with the Zscaler service, the app takes into account the order of precedence and the identity of the user in order to download the app profile with the appropriate policy rule. An example follows below.

The app checks regularly for updates to the app profiles to ensure it reflects any recent changes that were made. If users log out and back into the app, or restart their computers, the app checks for profile updates and downloads any changes.

For example, consider an organization that has configured 5 app profile policies for Windows (see the screenshot below). The rules are listed in order of precedence, with the rule order value shown in the Rule# column.

When a user who belongs to the Support user group enrolls with the Zscaler service, the Zscaler App begins by checking whether rule 1 applies to the user. In this example it does not, as rule 1 applies only to the Finance user group. The app moves on to rule 2, which likewise does not apply. It then moves on to rule 3 and, upon determining that it applies to the user, downloads the profile containing that policy rule.

Screenshot of an example of an organization's configured Zscaler App profile policies

Zscaler provides a default app profile policy rule for each platform. The default policy rule cannot be modified or deleted, and it will apply if you do not add additional policy rules. If you configure additional policy rules, the default rule is always the last in the rule order.
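The rule walk described in the Support/Finance example above, written out as an added example in JavaScript (not Zscaler's own code): rules are evaluated in ascending rule order, a disabled rule is skipped, an empty group list means "all users", and the unmodifiable default rule is the fallback. The rule names and group names are constructed for illustration.

```javascript
// Added example (not Zscaler's code): first-match evaluation of app profile
// policy rules in rule-order precedence. Rule and group names are constructed.

// ruleOrder is the Rule# column; an empty groups array means "applies to all
// users"; a disabled rule is never enforced.
const SAMPLE_RULES = [
  { name: "Finance profile",    ruleOrder: 1, enabled: true,  groups: ["Finance"] },
  { name: "Engineering profile", ruleOrder: 2, enabled: true,  groups: ["Engineering", "QA"] },
  { name: "Support profile",    ruleOrder: 3, enabled: true,  groups: ["Support"] },
  { name: "Disabled catch-all", ruleOrder: 4, enabled: false, groups: [] },
  { name: "Contractor profile", ruleOrder: 5, enabled: true,  groups: ["Contractors"] },
];

// The default policy rule always sits last in the rule order.
const DEFAULT_RULE = { name: "Default", ruleOrder: Infinity, enabled: true, groups: [] };

function ruleApplies(rule, userGroups) {
  if (!rule.enabled) return false;            // not enabled: not enforced
  if (rule.groups.length === 0) return true;  // no group specified: all users
  return rule.groups.some((g) => userGroups.includes(g));
}

// Returns the first enabled rule, in ascending rule order, whose groups
// include one of the user's groups; otherwise the default rule.
function selectPolicyRule(rules, userGroups, defaultRule = DEFAULT_RULE) {
  const ordered = [...rules].sort((a, b) => a.ruleOrder - b.ruleOrder);
  for (const rule of ordered) {
    if (ruleApplies(rule, userGroups)) return rule;
  }
  return defaultRule;
}

// The page's example: a Support user passes rules 1 and 2 and lands on rule 3;
// a user in no configured group falls through to the default rule.
console.log(selectPolicyRule(SAMPLE_RULES, ["Support"]).name);   // Support profile
console.log(selectPolicyRule(SAMPLE_RULES, ["Marketing"]).name); // Default
```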

To view the default policy rule:

  1. In the Zscaler App portal, go to App Profiles.
  2. From the menu on the left, go to Mobile Devices or Personal Computers.
  3. Select the platform. You will see the Default policy rule listed. If you have configured additional rules, it is always listed as the last rule in order of precedence.
  4. Click the View icon to see the default policy rule's settings.

Screenshot of the App Profiles page in the Zscaler App Portal

To add a new policy rule:

  1. In the Zscaler App portal, go to App Profiles.
  2. From the menu on the left, go to Mobile Devices or Personal Computers.
  3. Select the platform.
  4. Click Add Policy for the platform.

Screenshot of the Add Windows Policy icon for Zscaler App

  5. Do the following:
  • Name: Enter a name for the policy.
  • Rule Order: Select the appropriate rule order value. The rule order reflects the order of precedence among configured profile policy rules, and it helps determine which rule the app downloads for a user upon enrollment. Precedence is based on ascending numerical order.
  • Enable: Enable the rule. If you do not enable the rule, the policy rule is not enforced.
  • Groups: Specify the user groups to which the rule applies. The groups you've configured in the admin portal are displayed in this menu. There is no limit to the number of groups you can select. When a user enrolls the app with the service, the app checks the group to which the user belongs and downloads the app profile with the appropriate rule. If no group is specified, the rule is applied to all users. 
  • Logout Password: (Optional) Provide the password that users must enter if they want to do any of the following actions:
    • Log out of the app
    • Exit the app from the system tray
    • Uninstall the app
  • Disable Password: (Optional) Provide the password that users must enter if they want to disable the Internet Security service. 
  • Custom PAC URL: (Optional. If you are using the app for ZPA only, you can skip this step.) If you do not want the app to forward all Internet traffic to the Zscaler service and want to specify exceptions for certain types of traffic, you can do so by defining a custom PAC file here. To learn more about how the app forwards users' traffic to the Zscaler service, see How does the Zscaler App work?

If you want to allow the user to bypass the app when connecting to the VPN gateway, you can do so using the Hostname/IP Address Bypass for VPN Gateway option below.

  • Forwarding Profile: Select a forwarding profile. The forwarding profiles you configured in Administration > Forwarding Profiles appear in the menu. To learn more, see Configuring Forwarding Profiles for the Zscaler App.
  • Install Zscaler SSL Certificate: (If you are using the app for ZPA only, you can skip this step.) Turn on this option to allow the app to automatically install the Zscaler SSL certificate on users' devices.

    You can also install your organization's custom certificate. Once you upload the custom certificate in the Zscaler App portal and turn on this option, the custom certificate is automatically installed on users' devices. The steps for uploading the custom certificate are given at the end of this procedure.

    The SSL certificate allows the Zscaler service to perform SSL inspection on user traffic forwarded by the app. Any SSL bypasses you configure in the admin portal also apply. You must enable SSL scanning for Zscaler App users on each relevant platform in the Zscaler admin portal. To learn more, see Define your policy for SSL inspection. If you wish to use a self-signed certificate for SSL inspection, ensure the certificate is installed in your users’ system certificate store.
  • Log Mode: The Zscaler App generates logs which users can send either to a designated support admin in your organization, or to Zscaler Support (in encrypted form). You can specify the scope of the logs by selecting one of the log modes below:
    • Error: Logs only when the app encounters an error and functionality is affected.
    • Warn: Logs when the app is functioning but is encountering potential issues, or when conditions for the Error log mode are met.
    • Info: Logs general app activity, or when conditions for the Warn log mode are met.
    • Debug: Logs all app activity that could assist Zscaler Support in debugging issues, or when conditions for the Info log mode are met.
  • Log File Size in MB: (If you are using the app for ZPA only, you can skip this step.) You can specify the maximum size of the log file. Once logs reach the maximum file size, the oldest logs are truncated from the file to keep the file size below the maximum. You can enter a value between 10 and 1000. The default log file size is 100 MB.
  • Disable Loopback Restriction: (For Windows policies only, and applicable only if you've chosen Tunnel with Local Proxy for forwarding profiles.) By default, applications running in the AppContainer are forbidden from loopback communications, meaning they cannot connect to locally running processes external to their own package. Selecting this option disables the restriction against loopback communications so that containerized applications can function properly with the app in Tunnel with Local Proxy mode.
  • Override WPAD: (For Windows policies only, and applicable only if you've chosen Tunnel with Local Proxy for forwarding profiles.) Enabling this feature allows the app to override the Web Proxy Autodiscovery Protocol (WPAD) setting on user devices. This ensures that Internet Explorer and Edge browsers can properly follow the Zscaler App proxy setting instead of the WPAD setting.
  • Restart WinHTTP Service: (For Windows policies only, and applicable only if you've chosen Tunnel with Local Proxy for forwarding profiles.) Enabling this feature allows the app to restart the WinHTTP service on user devices. This ensures that any cached WPAD setting is deleted, and Internet Explorer and Edge browsers can properly follow the Zscaler App proxy setting.
  • Hostname/IP Address Bypass for VPN Gateway: (If you are using the app for ZPA only, you can skip this step. Users cannot run a VPN client while they are using ZPA to connect to an internal application.) This option is applicable if:
    • Your users have a VPN client running on their devices in conjunction with the app
    • You've chosen Tunnel for forwarding profiles
    • Your VPN runs in split-tunnel mode so that it takes some, but not all, user traffic from the device

      If all of the above conditions are true, you can allow traffic destined for the VPN to bypass the app by entering the hostnames or IP addresses of all your VPN gateways. The app sets the routing table to exclude any traffic destined for the VPN gateway. To avoid connectivity issues, include all VPN hostnames, or all IP addresses to which these hostnames might resolve. For the latter, you can enter a specific IP address (for example, 10.10.1.2) or a range in CIDR notation (for example, 10.10.0.0/16).

  • Description: (Optional) Enter any notes regarding the policy.
  6. Click Save.

To upload a custom certificate (referenced by the Install Zscaler SSL Certificate option above):

  1. In the Zscaler App portal, go to Administration.
  2. From the menu on the left, go to Zscaler App Support.
  3. Click the Advanced Configuration tab.
  4. Under Custom Certificate, click Upload.
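The Custom PAC URL option above lets you carve exceptions out of the app's "forward everything" default. The PAC file below is an added example, not Zscaler's own, of what such a file might look like: DIRECT keeps the traffic off the tunnel, PROXY forwards it to the service. The gateway host, the corp.example.com domain and the wildcard pattern are assumed placeholders, and the helper functions are minimal stand-ins for the ones a PAC engine provides, so the file also runs under Node for testing.

```javascript
// Added example (not Zscaler's code): a custom PAC file defining forwarding
// exceptions. All names below are placeholders chosen for illustration.

// PAC engines supply these helpers; minimal stand-ins are defined here so the
// file can be exercised outside a browser or the app.
function dnsDomainIs(host, domain) { return host.endsWith(domain); }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, pattern) {
  const re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                          .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}
// Unlike a real PAC engine this stand-in does not resolve names: only a
// dotted-quad host is matched, so the example stays offline.
function isInNet(ipaddr, pattern, mask) {
  if (!/^\d+\.\d+\.\d+\.\d+$/.test(ipaddr)) return false;
  return (ipToInt(ipaddr) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Placeholder for the service gateway; not a real Zscaler hostname.
const ZSCALER_PROXY = "PROXY gateway.zscaler.example:80";

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Exception 1: single-label intranet names never leave the local network.
  if (isPlainHostName(host)) return "DIRECT";
  // Exception 2: the organization's own internal domain (assumed name).
  if (dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  // Exception 3: private address space reached by literal IP (RFC 1918).
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Exception 4: a specific service excluded by wildcard (assumed pattern).
  if (shExpMatch(host, "*.updates.example.net")) return "DIRECT";
  // Everything else is forwarded to the Zscaler service.
  return ZSCALER_PROXY;
}
```

Bypassed destinations are not inspected by the service, so keep this list as short as the exceptions genuinely require.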

After you save your app profile, a policy token is automatically generated for the profile. You will need this policy token if you want to use the STRICTENFORCEMENT install option, which requires users to enroll with the Zscaler App before accessing the Internet. The policy that corresponds to this policy token is enforced for the app until the user enrolls. Once the user enrolls, this policy is replaced with the app profile policy that matches the user based on their group affiliation.

To view the policy token for an app profile:

  1. In the Zscaler App portal, go to App Profiles.
  2. From the menu on the left, go to Mobile Devices or Personal Computers.
  3. Select the platform.
  4. Click the Edit icon. The policy token is displayed in the rule's settings (see the screenshot below).

Screenshot of the policy token for the Zscaler App Profile policy rule