
Enabling ZPA for a Group of Users

You can use Zscaler Service Entitlement to select which users can enroll into Zscaler Private Access (ZPA). Configuring ZPA using a small subset of users allows for testing before rolling out the service to all users.

To enable ZPA for only a select group of users, you must deploy Zscaler Client Connector 1.2.4 or later. Earlier versions of Zscaler Client Connector always have ZPA enabled, regardless of the Zscaler Service Entitlement setting.

  • For ZPA instances created before July 2017, ZPA is enabled for all users by default. This preserves the existing behavior of ZPA enrollment prior to the addition of the selective entitlement feature.
  • For ZPA instances created after July 2017, ZPA is disabled by default. This allows you to determine when and how to provision ZPA for your users.

If you’re using device groups, the user must belong to both the device group and the user group to avoid disconnecting ZPA services.

Enabling ZPA for User Groups

To enable ZPA for a group of users:

  1. In the Zscaler Client Connector Portal, go to Administration.
  2. In the left menu, select Zscaler Service Entitlement.
  3. To enable ZPA for only a group of users, ensure that ZPA Enabled by Default for User Tunnel is disabled. If this setting is enabled, ZPA is available for all users and you cannot assign ZPA to a group.


  4. Select a group of users from the drop-down menu and click Done. The default setting is None. This option means no groups have access to ZPA. This allows users to keep their current settings.

These groups are defined in the ZIA Admin Portal. If you do not see your groups, ensure that groups were synced to the Zscaler Client Connector Portal. To learn more, see Syncing Directory Groups between the ZIA Admin Portal and App Portal.

  5. Click Save.

This updates your users' devices the next time they connect. If they are already connected, the devices automatically update in 60 minutes. To manually update their devices, users can go into Zscaler Client Connector and click Update Policy from the More window. After manually refreshing the device, they must reauthenticate on the Private Access page.

Possible Configurations for ZPA

The following table provides possible configurations for the Zscaler Service Entitlement feature and the resulting behavior of the ZPA service:

ZPA Enabled by Default | Groups Specified | Behavior
Enabled                | N/A              | ZPA service is enabled for all users
Disabled               | No               | ZPA service is not enabled for any users
Disabled               | Yes              | ZPA service is enabled only for the specified group of users
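
The following is an added example, not Zscaler code or a Zscaler API: it applies the table above to a device inventory and flags users who have ZPA only because their Zscaler Client Connector is earlier than 1.2.4 and therefore ignores the entitlement setting. The Entitlement and Device records, group names, users, and versions are constructed, and the device-group rule is modeled on the assumption that membership in both groups is required.

```python
from dataclasses import dataclass

MIN_SELECTIVE = (1, 2, 4)  # page: selective entitlement needs Client Connector 1.2.4+

@dataclass(frozen=True)
class Entitlement:                          # hypothetical record of the portal settings
    enabled_by_default: bool                # "ZPA Enabled by Default for User Tunnel"
    user_groups: frozenset = frozenset()    # empty = drop-down left at None
    device_groups: frozenset = frozenset()  # empty = device groups not in use

@dataclass(frozen=True)
class Device:                               # hypothetical inventory row
    user: str
    client_version: str
    user_groups: frozenset
    device_groups: frozenset = frozenset()

def parse_version(text):
    """'1.2.3' -> (1, 2, 3); short versions are zero-padded."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def policy_allows(dev, ent):
    """Apply the three rows of the configuration table."""
    if ent.enabled_by_default:
        return True                         # Enabled / N/A: all users
    if not ent.user_groups:
        return False                        # Disabled / No: nobody
    in_user_group = bool(dev.user_groups & ent.user_groups)
    # Assumption: with device groups in use, both memberships are required.
    in_device_group = not ent.device_groups or bool(dev.device_groups & ent.device_groups)
    return in_user_group and in_device_group

def effective(dev, ent):
    """Older clients always have ZPA enabled, whatever the entitlement says."""
    return parse_version(dev.client_version) < MIN_SELECTIVE or policy_allows(dev, ent)

def audit(devices, ent):
    """Users who get ZPA only because their client predates 1.2.4."""
    return [d.user for d in devices if effective(d, ent) and not policy_allows(d, ent)]

# Constructed sample data: group names, users and versions are invented.
PILOT = Entitlement(False, frozenset({"zpa-pilot"}))
INVENTORY = [
    Device("alice", "3.7.1", frozenset({"zpa-pilot"})),
    Device("bob", "1.2.3", frozenset({"sales"})),
    Device("carol", "4.2.0", frozenset({"sales"})),
    Device("dave", "4.2.0", frozenset({"zpa-pilot"}), frozenset({"kiosks"})),
]

if __name__ == "__main__":
    print("outside pilot scope:", audit(INVENTORY, PILOT))
```

Any user the audit returns should have the client upgraded before the pilot is treated as limited to the selected group.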