Zscaler Client Connector provides tunnel settings for Zscaler Private Access (ZPA) in the Zscaler Service Entitlement page.

The user tunnel settings determine which users can access ZPA when logged in to Zscaler Client Connector. If ZPA Enabled by Default for User Tunnel is enabled, the ZPA service is available for all users. If this setting is disabled, you can enable the ZPA service for a select group of users or for device groups.

You can also configure a machine tunnel to establish a connection to ZPA before users log in to Zscaler Client Connector on a Windows or macOS device. If Enable Machine Tunnel For All is enabled, all users with a Machine Token configured in the app profile can establish a connection to ZPA without being logged in. To learn more, see About Machine Tunnels.

If Enable Machine Tunnel For All is disabled, any existing machine tunnels remain connected until a user’s app profile policy is updated and the user logs out.

To configure the machine tunnel for all devices:

1. In the Zscaler Client Connector Portal, go to Administration.
2. From the left-side navigation, select Zscaler Service Entitlement.
3. On the Zscaler Private Access (ZPA) tab, enable or disable Enable Machine Tunnel for All.

4. Click Save.