icon-zapp.svg
Client Connector

Deploying Zscaler Client Connector with Microsoft Intune for iOS

This guide is for admins only. If you are an end user, contact your organization’s administrator for deployment-related details.

With Microsoft Intune, you can deploy Zscaler Client Connector for your iOS devices and configure a custom settings profile. The version used for the following steps is Microsoft Intune Service release version 2048.

  • To deploy Zscaler Client Connector using the Microsoft Intune Portal:

    1. In the Microsoft Intune Portal, from the menu on the left, select Apps.

    2. Click iOS/iPadOS apps, and then click Add.

    3. From the App type drop-down menu, select iOS store app, and then click Select.

    4. To add the app from the iOS store app:
      1. On the App information tab, click Search the App Store.

      2. Search for and select Zscaler Client Connector, and then click Select.

        Zscaler Client Connector details are automatically populated.

      3. In the Minimum operating system field, select iOS 9.0.

      4. In the Show this as a featured app in the Company Portal field, select Yes, and then click Next.

    5. On the Assignments tab, select the group assignments for which you want to deploy Zscaler Client Connector, and then click Next.

    6. (Optional) Click Included and edit the Assignment Settings:

      • To automatically uninstall Zscaler Client Connector if the device is removed from Intune, select Yes for Uninstall on device removal.
      • To ensure that the user can’t remove Zscaler Client Connector from the device, select No for Install as removable.

    7. On the Review + create tab, review the values and settings, and then click Create.
    Close

  • You must configure custom policy settings in the Microsoft Intune Portal using either a device configuration profile or an app configuration policy.

    Zscaler recommends that you use a device configuration profile to configure custom policy settings, but you can use an app configuration policy instead. If you use a device posture check of the Ownership Variable, you can use a device configuration profile for all settings except the ownership setting (which you must set using an app configuration policy). To learn more about setting up a device posture, see Configuring Device Posture Profiles.

    • To configure a device configuration policy for On-demand VPN:

      1. In the Microsoft Intune for iOS Admin Portal, from the menu on the left, click Devices.

      2. Select Manage devices > Configuration.

      3. Click Create and select New Policy.

      4. In the Create a profile section:

        • Platform: Select iOS/iPadOS.
        • Profile type: Select Templates.
        • Template name: Select VPN.

      5. Click Create.

      6. In the Basics section:

        • Name: Enter a name.
        • Description: (Optional) Enter a description.

      7. Click Next.

      8. In the Configuration settings section, for Connection type, select Zscaler.

      9. Enter the following parameters:

        • Connection name: The label for the profile.
        • Custom domain name: Enter your Zscaler tenant domain. This allows you to configure the user domain so that users can skip the Zscaler Client Connector enrollment page and go directly to the single sign-on (SSO) login page.

        • Enable strict enforcement: Enabling this option blocks internet traffic before a user enrolls in Zscaler Client Connector when:

          • The user has not logged in after a new install.
          • The user logs in and then logs out.
          • An administrator removes the device from the Zscaler Client Connector Portal.

          If you enable strict enforcement, you must use Excluded URLs in a device configuration policy or an excludeList in an app configuration policy. There are also additional configuration settings required. To learn more, see Configure Additional Strict Enforcement Settings

        • Organization’s cloud name: The name of the cloud where your organization is provisioned. For example, if your cloud name is zscalertwo.net, enter zscalertwo. To learn more, see What is my cloud name for ZIA?
        • Excluded URLs: Enter any URLs you want to bypass. For example, enter your identity provider (IdP), MDM (Mobile Device Management) server, or anything else the user should have access to before enrollment. If you use the Zscaler Private Access (ZPA) service, you must enter authsp.prod.zpath.net. For a list of additional Intune requirements, refer to the Microsoft documentation.

      10. (Optional) Click Add and enter one or more configuration keys and their corresponding configuration values:

        • The appropriate device token from the Zscaler Client Connector Portal if you want to use the Zscaler Client Connector Portal as an IdP.

          Close

        • The username of the user. For example, if the username is j.doe@zscaler.com, enter j.doe.

          To use the same username used for enrolling into Intune, you can use the {{partialupn}} token. To view a complete list of available Intune tokens, refer to the Microsoft documentation.

          Close

        • The auto-enrollment settings for users when Zscaler Client Connector Portal is used as an identity provider (IdP) for authentication. To have users always auto-enroll even if they are logged out manually or forcefully removed from the portal, set this configuration key to 1. For one-time auto-enrollment, set it to 2. To disable auto-enrollment, set it to 0.

          Close

        • If you enable this option, Zscaler Client Connector uses FIPS-compliant libraries for communication with Zscaler infrastructure. Enter 1 to enable or 0 to disable this option.

          Enable this option only if you require FIPS-level security within your organization.

          Close

        • Enables multithreaded implementation of Zscaler Client Connector microservices binding with Zscaler Client Connector virtual interface. Enter 1 to enable or 0 to disable this option.

          Close

        • Drops traffic without routes. Enter 1 to enable or 0 to disable this option.

          Close

        • When enabled, Zscaler Client Connector doesn’t install a virtual interface if a user isn’t logged in. This prevents the VPN icon from displaying on the device when the user is not logged in. Enter 1 to enable or 0 to disable this option. By default, the value is 0.

          Close

      11. For Type of automatic VPN, select On-demand VPN.

      12. In the On-demand rules section, click Add, select Connect VPN, restrict to All domains as the primary rule, and click Save.

      13. If you are using supervised devices, you can block users from disabling automatic VPN. To enable this option, select Yes from the drop-down menu.

      14. Click Next.
      15. In the Assignments section, choose the users, groups, and devices for the profile, and click Next.
      16. In the Review + create section, review the summary, and click Create.
      Close

    • To add the policy:

      1. Go to Apps > App configuration policies > Add > Managed devices.

      2. On the Basics tab, configure the following parameters, and then click Next.

        • Name: Enter Zscaler Client Connector.
        • Description: (Optional) Enter a relevant description for Zscaler Client Connector.
        • Platform: Select iOS/iPadOS.
        • Targeted app: Click Select app. From the Associated app window, select Zscaler Client Connector, and then click OK.

        The Device enrollment type field is automatically set to Managed devices. You cannot edit it.

      3. On the Settings tab, for Configurations settings format, select Use configuration designer.

      4. Enter the configuration keys and their corresponding configuration values. Set the value type as string for all, and then click Next.

        • The appropriate device token from the Zscaler Client Connector Portal if you want to use the Zscaler Client Connector Portal as an IdP.

          Close

        • The username of the user. For example, if the username is j.doe@zscaler.com, enter j.doe.

          To use the same username used for enrolling into Intune, you can use the {{partialupn}} token. To view a complete list of available Intune tokens, refer to the Microsoft documentation.

          Close

        • The auto-enrollment settings for users when Zscaler Client Connector Portal is used as an identity provider (IdP) for authentication. To have users always auto-enroll even if they are logged out manually or forcefully removed from the portal, set this configuration key to 1. For one-time auto-enrollment, set it to 2. To disable auto-enrollment, set it to 0.

          Close

        • If you enable this option, Zscaler Client Connector uses FIPS-compliant libraries for communication with Zscaler infrastructure. Enter 1 to enable or 0 to disable this option.

          Enable this option only if you require FIPS-level security within your organization.

          Close

        • Enables multithreaded implementation of Zscaler Client Connector microservices binding with Zscaler Client Connector virtual interface. Enter 1 to enable or 0 to disable this option.

          Close

        • Delays making the per-app VPN connection until Zscaler Client Connector is connected. Enter 1 to enable or 0 to disable this option.

          Close

        • Drops traffic without routes. Enter 1 to enable or 0 to disable this option.

          Close

        • Your organization’s domain name (e.g., safemarch.com). If your instance has multiple domains associated with it, enter the primary domain for your instance.

          Close

        • The name of the cloud where your organization is provisioned. For example, if your cloud name is zscalertwo.net, enter zscalertwo. To learn more, see What is my cloud name for ZIA?

          Close

        • If you use the device posture type Ownership Variable, add the key ownership. You can enter up to 32 alphanumeric characters in the Configuration value field. To learn more, see Configuring Device Posture Profiles.

          Close

        • Enable this option if you want to block internet traffic before the user enrolls in Zscaler Client Connector when:

          • The user has not logged in after a new install.
          • The user logs in and then logs out.
          • An administrator removes the device from the Zscaler Client Connector Portal.

          If you enable strict enforcement, you must use Excluded URLs in a device configuration policy or an excludeList in an app configuration policy. There are also additional configuration settings required. To learn more, see Configure Additional Strict Enforcement Settings.

          Close

        • Enter any URLs you want to bypass. Enter your IdP, MDM server, or anything else the user should have access to before enrollment. If you use the Zscaler Private Access (ZPA) service, you must enter authsp.prod.zpath.net. For a list of additional Intune requirements, refer to the Microsoft documentation.

          Close

        • When enabled, Zscaler Client Connector doesn’t install a virtual interface if a user isn’t logged in. This prevents the VPN icon from displaying on the device when the user is not logged in. Enter 1 to enable or 0 to disable this option. By default, the value is 0.

          Close

      5. On the Assignments tab, select the group assignments for which you want to assign the app configuration policy, and click Next.
      6. On the Review + create tab, review the values and settings, and then click Create. Intune pushes Zscaler Client Connector to the devices in the group that you selected.

      After Zscaler Client Connector is installed on users’ devices, they must launch the app and log in to enroll in the Zscaler service.

      Close
    Close

  • If you use Zscaler Internet Access (ZIA) and you want to perform SSL inspection, you must configure a certificate profile to push the Certificate Authority (CA) certificate required for SSL inspection. You can use the default Zscaler CA certificate or a custom Root CA certificate.

    To learn more, see Choosing the CA Certificate for SSL Inspection and Certificate Pinning and SSL Inspection.

    • To download the certificate:

      1. In the Zscaler Internet Access (ZIA) Admin Portal, go to Policy > SSL Inspection > Intermediate CA Certificates.

      2. Click the Edit icon corresponding to the Zscaler Intermediate CA Certificate.

        The View Zscaler Intermediate CA Certificate window appears.

      3. In the View Zscaler Intermediate CA Certificate window, under the Root Certificate field, click Download.

        The root certificate is downloaded as a ZIP file.

      4. Navigate to the ZscalerRootCerts.zip file and unzip it.
      Close

    • To configure the profile:

      1. In the Microsoft Intune for iOS Admin Portal, from the menu on the left, select Devices.
      2. Click Manage Devices > Configuration.
      3. Click Create and select New Policy.

      4. In the Create a profile section:

        • Platform: Select iOS/iPadOS.
        • Profile type: Select Templates.
        • Template name: Select Trusted Certificate.

      5. Click Create.
      6. In the Basics section:
        • Name: Enter a name.
          Description: (Optional) Enter a description.
      7. On the Configuration Settings tab, upload the .crt file to Intune and click Next.
      8. In the Assignments section, choose the users, groups, and devices for the profile, and click Next.
      9. In the Review + create section, review the summary, and click Create.
      Close
    Close

  • You can add a specific application to Microsoft Intune and associate the application with a per-app VPN configuration profile to ensure that selected applications are protected by ZIA and can access other applications. For example, you can allow access to private applications only from a specific browser.

    • To add the application:

      1. In the Microsoft Intune Portal, from the menu on the left, select Apps.
      2. Click iOS/iPadOS apps, and then click Add.

      3. From the App type drop-down menu, select iOS store app and then click Select.

      4. To add the app from the iOS store app:

        1. On the App information tab, click Search the App Store.
        2. Search for the application and click Select.

      5. On the Assignments tab, select the group assignments for which you want to deploy the application, and then click Next.
      6. On the Review + create tab, review the values and settings, and then click Create.
      Close

    • To configure a device configuration profile for per-app VPN:

      1. In the Microsoft Intune for iOS Admin Portal, from the menu on the left, select Devices.

      2. Click Manage devices > Configuration.

      3. Click Create and select New Policy.

      4. In the Create a profile section:

        • Platform: Select iOS/iPadOS.
        • Profile type: Select Templates.
        • Template name: Select VPN.

      5. Click Create.

      6. On the Basics tab:

        • Name: Enter a name.
        • Description: (Optional) Enter a description.

      7. Click Next.

      8. On the Configuration settings tab, for Connection type, select Zscaler.

      9. Enter the following parameters:

        • Connection name: The label for the profile.
        • Custom domain name: Enter your Zscaler tenant domain. This allows you to configure the user domain so that users can skip the Zscaler Client Connector enrollment page and go directly to the SSO login page.

        • Enable strict enforcement: Enable this option if you want to block internet traffic before the user enrolls in Zscaler Client Connector when:

          • The user has not logged in after a new install.
          • The user logs in and then logs out.
          • An administrator removes the device from the Zscaler Client Connector Portal.

          If you enable strict enforcement, you must use Excluded URLs in a device configuration policy or an excludeList in an app configuration policy.. There are also additional configuration settings required. To learn more, see Configure Additional Strict Enforcement Settings.

        • Organization’s cloud name: The name of the cloud where your organization is provisioned. For example, if your cloud name is zscalertwo.net, enter zscalertwo. To learn more, see What is my cloud name for ZIA?
        • Excluded URLs: Enter any URLs you want to bypass. Enter your IdP, MDM server, or anything else the user should have access to before enrollment. If you use the Zscaler Private Access (ZPA) service, you must enter authsp.prod.zpath.net. For a list of additional Intune requirements, refer to the Microsoft documentation.

      10. (Optional) Click Add and enter one or more configuration keys and their corresponding configuration values. Set the value type as string for all the configuration keys:

        • The appropriate device token from the Zscaler Client Connector Portal if you want to use the Zscaler Client Connector Portal as an IdP.

          Close

        • The username of the user. For example, if the username is j.doe@zscaler.com, enter j.doe.

          To use the same username used for enrolling into Intune, you can use the {{partialupn}} token. To view a complete list of available Intune tokens, refer to the Microsoft documentation.

          Close

        • The auto-enrollment settings for users when Zscaler Client Connector Portal is used as an identity provider (IdP) for authentication. To have users always auto-enroll even if they are logged out manually or forcefully removed from the portal, set this configuration key to 1. For one-time auto-enrollment, set it to 2. To disable auto-enrollment, set it to 0.

          Close

        • If you enable this option, Zscaler Client Connector uses FIPS-compliant libraries for communication with Zscaler infrastructure. Enter 1 to enable or 0 to disable this option.

          Enable this option only if you require FIPS-level security within your organization.

          Close

        • Enables multithreaded implementation of Zscaler Client Connector microservices binding with Zscaler Client Connector virtual interface. Enter 1 to enable or 0 to disable this option.

          Close

        • Delays making the per-app VPN connection until Zscaler Client Connector is connected. Enter 1 to enable or 0 to disable this option.

          Close

        • Drops traffic without routes. Enter 1 to enable or 0 to disable this option.

          Close

        • When enabled, Zscaler Client Connector doesn’t install a virtual interface if a user isn’t logged in. This prevents the VPN icon from displaying on the device when the user is not logged in. Enter 1 to enable or 0 to disable this option. By default, the value is 0.

          Close

      11. In the Automatic VPN section:

        • For Type of automatic VPN, select Per-app VPN.
        • If you want Safari to selectively send traffic to specific destinations via Zscaler Client Connector, enter domains in Safari URLs that will trigger this VPN.
        • If you want to exclude traffic to specific domains, enter domains in Excluded Domains .
        • If you are using supervised devices, you can block users from disabling automatic VPN. To enable this option, select Yes from the drop-down menu.

      12. Click Next.
      13. On the Assignments tab, choose the users, groups, and devices for the profile, and click Next.
      14. In the Review + create section, review the summary, and click Create.
      Close

    • To associate the application:

      1. In the Microsoft Intune Portal, from the menu on the left, select Apps.

      2. Click All apps, select the application to forward using Zscaler Client Connector, and select Properties.

      3. Next to Assignments, click Edit and then click Included to access the Assignment Settings.

      4. Select the Per-app VPN profile you created in the previous step to associate the application with the profile.

      Close
    Close

  • If you use Entra ID (Azure AD) as your IdP, you can integrate Zscaler Client Connector with the Microsoft Enterprise SSO plug-in so that users do not need to log in to Zscaler Client Connector during enrollment or reauthentication.

    To integrate with the plug-in, the device configuration profile you create must exclude specific URLs for the plug-in and ensure that the VPN profile includes the username Key with the Value set to {{partialupn}}. To learn more, see Configure Required Policy Settings. For a list of URLs, refer to the Microsoft documentation.

    To configure the plug-in:

    1. In the Microsoft Intune for iOS Admin Portal, from the menu on the left, select Devices.
    2. Click Manage Devices > Configuration.
    3. Click Create and select New Policy.
    4. In the Create a profile section:
      • Profile type: Select Templates.
      • Template name: Select Device features.
    5. Click Create.
    6. On the Basics tab:
      • Name: Enter a name.
      • Description: (Optional) Enter a description.
    7. Click Next.
    8. On the Device features tab:
      1. Click Single sign-on app extension.
      2. For SSO app extension type, select Microsoft Entra ID.
      3. Enter the App bundle IDs allowed to use SSO:
        • com.apple.: Allows all Apple apps to use SSO (required).
        • com.microsoft.: Allows all Microsoft apps to use SSO (required).
        • com.zscaler.: Allows all Zscaler apps to use SSO (required).
      4. Enter the additional configuration parameters:
        • browser_sso_interaction_enabled: Enter a value of 1 with a type of integer so that Zscaler Client Connector can use Safari to authenticate.
        • disable_explicit_app_prompt: Enter a value of 1 with a type of integer to reduce end-user prompts. Some apps might incorrectly enforce end-user prompts at the protocol layer, resulting in users being prompted to sign in, even though the Microsoft Enterprise SSO plug-in works for other apps.
        • AppPrefixAllowList: Enter a list of prefixes for apps that are allowed to use SSO. The following prefixes are required:
          • com.zscaler.
          • com.microsoft.
          • com.apple.
    10. On the Assignments tab, select the group assignments for which you want to assign the policy, and click Next.
    11. On the Review + create tab, review the values and settings, and then click Create.
    Close

  • If you are installing Zscaler Client Connector with Strict Enforcement, you must complete additional configuration steps:

    1. Ensure that the device configuration profile you created previously includes the following:

      • Enable Strict Enforcement is selected on the Configuration Settings tab.

      • The list of Excluded URLs includes the following hostnames:

        • Hosts required for ZPA:
          • authsp.prod.zpath.net
          • samlsp.private.zscaler.com
          • samlsp-pdx2.private.zscaler.com
        • Hosts required for Intune. To learn more, refer to the Microsoft documentation.
        • Hosts required for Apple. To learn more, refer to the Apple documentation.
        • Hosts required for your organization's IdP. To learn more, refer to the IdP documentation.

        When deploying Strict Enforcement, the Excluded URLs list must contain at least one entry.

    If Zscaler Client Connector blocks sites after being installed with strict enforcement, you can inspect the ZSATunnel_[DATETIME].log file for the string Proxy=PROXY. If the file includes a "Local captive mode! Droping Https request" message for a hostname, you can resolve the issue by adding the hostname to the Excluded URLs field in the device configuration profile.

    Close

Related Articles
Understanding Zscaler Client Connector App DownloadsConfiguring Zscaler Client Connector for Microsoft 365 Cloud PCsCustomizing Zscaler Client Connector with Install Options for MSICustomizing Zscaler Client Connector with Install Options for EXECustomizing Zscaler Client Connector with Install Options for macOSCustomizing Zscaler Client Connector with Install Options for LinuxCustomizing Zscaler Client Connector with Install Options for AndroidCustomizing Zscaler Client Connector with Install Options for iOSDeploying Zscaler Client Connector with Active Directory for WindowsDeploying ZDX With Workspace ONE UEM for iOSDeploying ZDX with Jamf Pro for iOSDual Tunnel Feature Configuration with Jamf Pro for iOSDual Tunnel Feature Configuration with Microsoft Intune for iOSDeploying Zscaler Client Connector with MaaS360 for AndroidDeploying Zscaler Client Connector with MaaS360 for iOSDeploying Zscaler Client Connector with Microsoft Intune for AndroidDeploying Zscaler Client Connector with Microsoft Intune for macOSDeploying Zscaler Client Connector with Microsoft Intune for iOSDeploying Zscaler Client Connector with Google WorkspaceDeploying Zscaler Client Connector with MobileIron for iOSDeploying Zscaler Client Connector with MobileIron for AndroidDeploying Zscaler Client Connector with JAMF Pro for macOSDeploying Zscaler Client Connector with Jamf Pro for iOSDeploying Zscaler Client Connector with Workspace ONE UEM for AndroidDeploying Zscaler Client Connector with Workspace ONE UEM for iOSBlocking LAN AccessBest Practices for Zscaler Client Connector DeploymentBest Practices for Updating Latest Versions of Zscaler Client Connector ApplicationUninstalling Zscaler Client ConnectorReverting Zscaler Client Connector to the Previous VersionUpgrading Zscaler Client Connector