With the proliferation of mobile devices, both corporate and user owned, security for mobile devices has become increasingly critical. The Zscaler iOS solution extends the Zscaler security service to Apple iOS devices, whether they’re connected to Wi-Fi or cellular networks. It enforces the policies that you set in the Admin portal to protect web and mobile traffic, and provides the ability to define policies that protect mobile devices as well. For example, you can control whether users can use the camera or install apps on the mobile device. This comprehensive solution secures every aspect of your users’ mobile usage, covering the device as well as its browser and app traffic.
From the Zscaler admin portal where you define administrative settings and policies for web and mobile traffic, you can go to the Zscaler App Portal to manage mobile devices. On the Zscaler App Portal, you can define policies that control how a device forwards traffic to the Zscaler service and which apps, functionality and content can be accessed from a device. The portal also has a Dashboard where you can monitor the mobile devices and view their compliance status. Additionally, you can define an Acceptable Use Policy (AUP) and notifications specifically for mobile devices.
Zscaler SecureAgent is an app that is installed on mobile devices to authenticate the mobile device users and forward their traffic to the Zscaler service. When you run SecureAgent, it installs the policy that you configured on the Mobile portal as a profile on your mobile device. Additionally, it enrolls the device to the Zscaler service. Once the device is enrolled, the device establishes a VPN tunnel to the Zscaler gateway “on demand” whenever the user surfs the Internet. As the browser retrieves web pages, the service scans all inbound and outbound traffic to protect devices from malware and malicious apps that can compromise the security of your data.
The Zscaler iOS solution offers an enforceable, intelligent on-demand IPsec VPN through which users can forward all mobile traffic (browser and apps) over cellular or Wi-Fi networks to the Zscaler service. The VPN can be used by both supervised and non-supervised iOS devices.
Apple iOS devices support the ability to configure devices as supervised. Supervising devices is a useful option for corporate-owned devices because it provides tighter control over devices. Admins configure supervised devices over the air using the Apple Device Enrollment program or by using Apple Configurator. (For more information on supervising devices, refer to the Apple iOS documentation.)
Supervised devices support Global HTTP Proxy, a feature that redirects all mobile traffic to a proxy server. You can leverage the Global HTTP Proxy feature to ensure that Internet connectivity over Wi-Fi or cellular networks is always redirected to the Zscaler service, when the IPsec VPN is not in use.
You can use the following traffic forwarding mechanisms for supervised devices:
Note: The Global HTTP Proxy + Surrogate IP forwarding mechanism can only be used in Wi-Fi networks. It cannot be used in cellular networks.
You can configure non-supervised devices to use the IPsec VPN to forward traffic to the Zscaler service. If your organization has an existing MDM solution, Zscaler recommends that you work with your MDM solution provider to define a profile that pushes SecureAgent to mobile devices, so that its installation is enforced.
Note: Bypasses defined in a PAC file will not work with a VPN.
You will need the following:
In addition, configure your firewall to allow the following necessary connections:
Below are the tasks necessary to secure the mobile devices of current Zscaler users. This section assumes that the users have been provisioned on the service, an authentication mechanism has been set up, and the policies have been configured on the admin portal.
See below for instructions on each task. After you complete these tasks, you can view the status of devices by going to the dashboard. See About the Dashboard below.
In addition to the admin portal where you manage users and policies that control web and mobile traffic, the service also provides the Zscaler App Portal where you manage mobile devices.
The Zscaler App Portal provides the following:
The SecureAgent app profile policy controls the functions, apps, and media content that a device can access, and controls how the device forwards traffic to the Zscaler service. The policy is installed as a profile on a mobile device when the SecureAgent app is installed.
The SecureAgent policy specifies the following:
The service provides a default policy that specifies the default PAC file hosted on the Zscaler cloud for mobile devices. This default policy applies to all groups and cannot be changed or deleted.
To add a new policy for iOS devices:
You can create an Acceptable Use Policy (AUP) statement specifically for mobile devices and require users to accept it before the Zscaler service allows them to browse the Internet from their mobile devices. To configure:
You can send reminders on demand or schedule reminders to users who turn off the Zscaler VPN or who need to update their SecureAgent profile.
To schedule reminders:
To send a reminder to a user:
You can supervise devices and deploy a Global HTTP Proxy over the air using Apple's Device Enrollment Program or by using Apple Configurator.
The Zscaler SecureAgent app is used in conjunction with the Zscaler service to secure every aspect of your users’ mobile usage. SecureAgent is required on all mobile devices that forward traffic to the Zscaler service.
When a user installs SecureAgent on a mobile device, SecureAgent authenticates the user using your corporate authentication mechanism and does the following:
The device then establishes a VPN tunnel to the Zscaler gateway “on demand” whenever the user surfs the Internet. The Zscaler service can now enforce group and user policies and provide per-user and per-department logging and reporting.
Additionally, SecureAgent displays notifications to users when the service blocks transactions due to policy or malware that it detected. The service issues notifications to mobile devices via the Apple Push Notification Service. Zscaler SecureAgent then displays the notifications and stores them until the user clears them. These notifications inform the user about the transactions blocked from specific apps, including the reasons. You can customize the notifications that are displayed to the user on the Zscaler Admin Portal.
Users can download and install SecureAgent from the iTunes App Store. If your organization has an MDM, Zscaler recommends that you use your MDM solution provider to define a profile to push SecureAgent to mobile devices.
Zscaler SecureAgent for Apple iOS devices is available for download on the iTunes App Store.
When you download it, ensure that SecureAgent is allowed to push notifications to your iOS device.
SecureAgent starts the registration process.
SecureAgent displays a page similar to the one shown below after the profile is successfully installed.
For non-supervised devices, Zscaler recommends that you work with your MDM solution provider to push SecureAgent to mobile devices.
Your MDM provider will need to do the following:
The admin must complete the following tasks:
On the iOS device, users must do the following:
This document assumes that the Airwatch MDM is already deployed and user/group configuration and other related configurations required to enroll the device to the MDM are already completed. Please contact Airwatch Support for the deployment instructions.
This section provides guidelines on how to push the SecureAgent app using the Airwatch MDM. For additional information on the steps and questions related to Airwatch MDM, please contact Airwatch Support.
The Zscaler service can push notifications to users when it blocks or restricts mobile apps from accessing certain sites, files, or Internet applications. For example, the Zscaler service will send a notification when an app tries to access a site that has certain vulnerabilities or when an app is blocked because it is known to leak information to third parties. The Zscaler service can send notifications when it blocks or restricts known apps as well as those that it cannot identify. After the initial notification, you can suppress subsequent notifications for a selected number of minutes, to avoid users receiving multiple successive notifications from a single app. You can specify the number of minutes per app and per user.
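The suppression behaviour described above, modelled as an added example (hypothetical code written for this page, not Zscaler's implementation): the first blocked transaction from an app always notifies the user, and further blocks from the same app for the same user are dropped until the configured number of minutes has elapsed. Timestamps are passed in explicitly so the behaviour can be replayed against constructed events.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


class NotificationThrottle:
    """Per-user, per-app suppression window for block notifications.

    Hypothetical model of the behaviour described in the text: state is keyed
    by (user, app), so one user's window never suppresses another user's
    notifications, and the window length can be overridden per app.
    """

    def __init__(self, default_minutes: int,
                 per_app_minutes: Optional[Dict[str, int]] = None) -> None:
        if default_minutes < 0:
            raise ValueError("suppression window must be non-negative")
        self.default_minutes = default_minutes
        self.per_app_minutes = dict(per_app_minutes or {})
        # (user, app) -> time of the last notification actually delivered
        self._last_sent: Dict[Tuple[str, str], datetime] = {}

    def window_for(self, app: str) -> timedelta:
        return timedelta(minutes=self.per_app_minutes.get(app, self.default_minutes))

    def should_notify(self, user: str, app: str, now: datetime) -> bool:
        key = (user, app)
        last = self._last_sent.get(key)
        if last is not None and now - last < self.window_for(app):
            return False  # still inside the suppression window: drop it
        self._last_sent[key] = now  # window (re)starts from this delivery
        return True


def simulate(throttle: NotificationThrottle,
             events: List[Tuple[datetime, str, str]]) -> List[bool]:
    """Replay constructed (timestamp, user, app) block events in order and
    return, per event, whether a notification would reach the user."""
    return [throttle.should_notify(user, app, ts) for ts, user, app in events]


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    th = NotificationThrottle(default_minutes=10, per_app_minutes={"mail": 2})
    events = [(t0, "alice", "social"), (t0 + timedelta(minutes=1), "alice", "social"),
              (t0 + timedelta(minutes=1), "bob", "social")]
    print(simulate(th, events))
```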
To configure notifications for the SecureAgent app:
If you are using the Global HTTP Proxy + Surrogate IP traffic forwarding mechanism, go to the Admin Portal and enable Surrogate IP for the location.
You can enable SSL inspection to allow the Zscaler service to decrypt and inspect HTTPS traffic to and from the browser on a mobile device, and to and from the destination server. SecureAgent installs the Zscaler intermediate certificate by default. If you would like to use an intermediate certificate signed by your own CA, install that certificate on the mobile devices. For more information on SSL inspection, see How do I deploy SSL inspection?
To enable SSL inspection for mobile devices:
To exempt specific URLs from SSL inspection, add them to the Bypassed URLs list. The service does not decrypt transactions to sites in this list. The following instructions describe how to create a custom category for the URLs and how to add the custom category to the Bypassed URLs list. If you already have a custom category for bypassed URLs, edit the category and add the URLs.
To create a custom URL category:
To add the custom category to the Bypassed URL Categories list:
The dashboard provides information about the mobile devices that have SecureAgent in your corporate network. The dashboard provides multiple views so you can monitor the status of the mobile devices and take action when you see unregistered devices or devices with outdated profiles.
To learn more about the dashboard, see About the Zscaler App Portal.
You can remove a profile from a device if, for example, an employee leaves the company.
To remove a profile: