1. In the Microsoft Intune Portal, click Apps in the left-side navigation.

2. Click All apps, and then click Add.

3. Select Managed Google Play app from the Select app type drop-down menu, and then click Select.

4. In the Managed Google Play app store, search for and select Zscaler Client Connector.

5. Click Approve to accept Zscaler Client Connector permissions in the Managed Google Play page.
6. Select Keep approved when app requests new permissions in the Approval Settings tab, and then click Done.
7. Click Select, and then click Sync to add Zscaler Client Connector to your Intune Portal.

8. To configure the app for Android devices:
   1. Navigate to Client apps > App configuration policies > Add > Managed devices.
   2. On the Basics tab, configure the following parameters, and then click Next.

• Name: Enter Zscaler Client Connector.
• Description: (Optional) Enter a relevant description for Zscaler Client Connector.
• Platform: Select Android Enterprise.
• Profile Type: Select a relevant profile type based on your requirements. In this example, it's Work Profile Only.
• Targeted app: Click Select app, select Zscaler Client Connector from the Associated app window, and then click OK.

The Device enrollment type field is automatically set to Managed devices and is not editable.

3. On the Settings tab, select Use configuration designer as the Configurations settings format.
4. Click Add. The following parameters are available to configure:

• Ownership: If you use the device posture type Ownership Variable, add the key Ownership. You can enter up to 32 alphanumeric characters in the Configuration value field. To learn more, see Configuring Device Posture Profiles for ZPA.
• userDomain: Your organization's domain name (e.g., safemarch.com). If your instance has multiple domains associated with it, enter the primary domain for your instance.
• cloudName: The name of the cloud on which your organization is provisioned. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What is my cloud name for ZIA?
• deviceToken: The appropriate device token from the Zscaler Client Connector Portal, if you want to use the Zscaler Client Connector Portal as an IdP.
• userName: The username of the user. For example, if the username is j.doe@zscaler.com, you would enter j.doe.

To use the same username used for enrolling into Intune, you can use the {{partialupn}} token. To view a complete list of available Intune tokens, refer to the Microsoft documentation.

• enableFips: Enabling this option indicates that Zscaler Client Connector uses FIPS-compliant libraries for communication with Zscaler infrastructure. Enter 1 to enable or 0 to disable this option.

Enable this option only if you require FIPS-level security within your organization.

• autoEnrollWithMDM: Use this parameter to determine auto-enrollment without user interaction when using the Zscaler Client Connector Portal as an IdP. Select from the following options:
  • Enter 0 to disable auto-enrollment.
  • Enter 1 to have users always auto-enroll, even if they log out.
  • Enter 2 for one-time auto-enrollment.

This option applies to only the ZIA-enabled accounts that are using Zscaler Client Connector Portal as an IdP. You must specify the parameters deviceToken, cloudName, and userDomain before enabling the autoEnrollWithMDM option.

• customDNS: By default, Zscaler Client Connector uses the device's DNS server. You can change the value to another DNS server using this setting. Enter the DNS IP address.
• allowRunningOnRootedDevice: This is set to 0 by default to restrict users from running Zscaler Client Connector on a rooted device. Enter 1 to allow users to run Zscaler Client Connector on a rooted device.
• externalDeviceId: Use this ID to associate devices in an MDM solution with devices in the Zscaler Client Connector Portal. By default, the value is 0. Enter a custom value to identify the device.

5. After you enter the appropriate values for the configuration keys that you selected, click Next.

6. On the Assignments tab, select the group assignments for which you want to assign the app configuration policy, and then click Next.

7. On the Review + create tab, review the values and settings entered, and then click Create. Zscaler Client Connector is pushed to the devices in the group that you selected.

After Zscaler Client Connector is installed on users' devices, they must launch the app and log in to enroll in the Zscaler service.

1. In the Microsoft Intune Portal, click Apps from the left-side navigation.
2. Click Add.
3. Select Managed Google Play app from the Select app type drop-down menu, and then click Select.

4. In the Managed Google Play app section, click the Lock icon in the left-side navigation.
5. Click the + icon located at the bottom-right of the screen.

6. In the Private app section:

• Title: Enter a title for your file.
• APK file: Upload the APK file. Contact Zscaler Support for a private APK file.

7. Click Create.

The app can take up to 10 minutes to publish and appear in private apps.

8. Select the app you have created from the Android apps list.
9. (Optional) Click Edit next to App information and Assignments to make any changes to these sections.

10. On the Review + create tab, review the values and settings entered and save your settings.

To configure Always on VPN device restrictions for private apps, see Configure Always On VPN.