
Deploying Zscaler Client Connector with Workspace ONE UEM for iOS

This guide is for admins only. If you are an end user, contact your organization’s administrator for deployment-related details.

With Workspace ONE Unified Endpoint Management (UEM), you can configure and deploy Zscaler Client Connector for iOS devices. The version used for the following steps is Workspace ONE UEM 20.7.0.0 (2007).

The first section explains how to push the Zscaler Client Connector application to your devices. The second section is optional, but allows you to pre-configure Zscaler Client Connector, which can simplify enrollment for end users.

  • To deploy Zscaler Client Connector to Workspace ONE UEM for iOS devices:

    1. In the Workspace ONE UEM portal, go to Apps & Books > Applications > Native > Public and then click Add Application.

    Screenshot of Workspace ONE UEM portal navigating to Add Application from the menu

    2. On the Add Application page, configure the following options and then click Next.
      • Platform: Select Apple iOS from the Platform drop-down menu.
      • Source: Click Search App Store.
      • Name: Enter Zscaler Client Connector.

    Screenshot of Workspace ONE UEM portal Add Application page to search for Zscaler Client Connector in the App Store

    3. Click Select to select Zscaler Client Connector from the App Store.

    Screenshot of Workspace ONE UEM portal App Store page to select Zscaler Client Connector

    4. On the Details tab, enter Zscaler Client Connector in the Name field and then click Save & Assign. Zscaler Client Connector is added to your Workspace ONE UEM portal.

    Screenshot of Workspace ONE UEM portal App Configuration Details page

    5. Select Zscaler Client Connector for the Apple iOS platform from the Workspace ONE UEM portal, and then click Assign.

    Screenshot of Workspace ONE UEM portal App Assignment page

    6. On the Zscaler Client Connector - Assignments page, click Add Assignment.

    Screenshot of Workspace ONE UEM portal App Assignment page to add assignments

    7. On the Distribution tab:
      • Name: Enter Zscaler Client Connector.
      • Description: Enter a relevant description for the app.
      • Assignment Groups: Select the group to which you want to assign the app.
      • App Delivery Method: Select Auto or On-Demand, based on your requirements.

    Screenshot of Workspace ONE UEM portal Distribution tab of Assignment page

    8. (Optional) On the Application Configuration tab:

    You can use parameters to preconfigure Zscaler Client Connector. Preconfiguring Zscaler Client Connector allows you to remove steps from the user enrollment process (e.g., allowing users to skip the enrollment page or the cloud selection prompt in Zscaler Client Connector).

      1. Enable Send Configuration.
      2. Click Add and enter the following configuration keys and their corresponding configuration values. Set the value type to string for all the configuration keys.
    • userDomain: Your organization’s domain name (e.g., safemarch.com). If your instance has multiple domains associated with it, enter the primary domain for your instance.
    • cloudname: The name of the cloud where your organization is provisioned. For example, if your cloud name is zscalertwo.net, enter zscalertwo. To learn more, see What is my cloud name for ZIA?
    • strictEnforcement: This allows you to block internet traffic before the user enrolls in Zscaler Client Connector. Enter 1 to enable.
    • excludeList: This allows you to exclude domains and IP addresses that should not be tunneled. If you are using strictEnforcement, this is critical because identity provider (IdP) domains and MDM connectivity must be bypassed to maintain connectivity. Enter a value, for example, apple.com, airwatch.com.
    • newBindFlow: Enables multithreaded implementation of Zscaler Client Connector microservices binding with Zscaler Client Connector virtual interface. Enter 1 to enable.
    • deviceToken: This option allows you to use the Zscaler Client Connector as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler Client Connector and complete the full configuration detailed in Using the Zscaler Client Connector as an IdP.
    • policyToken: This option specifies which app profile policy you want to enforce for the app before the user enrolls. This install option is only applicable and required if you enable the strictEnforcement option and want users to enroll with the app before accessing the internet. Retrieve the policy token from the iOS application profile located in the Zscaler Client Connector Portal.
    • username: The username for the user. For example, if the username is j.doe@zscaler.com, you would enter j.doe.
    • authByTunnel: The auto-enrollment settings for users when Zscaler Client Connector Portal is used as an identity provider (IdP) for authentication. Set it to 1 to always auto-enroll the users even if they are logged out manually or forcefully removed from the portal. Set it to 2 for one-time auto-enrollment. Set it to 0 to disable auto-enrollment.
    • ownership: If you use the device posture type ownership Variable, add the key ownership. You can enter up to 32 alphanumeric characters in the Configuration value field. To learn more, see Configuring Device Posture Profiles for ZPA.
    • SkipInterfaceInstallation: When enabled, Zscaler Client Connector doesn’t install a virtual interface if a user isn’t logged in. This prevents the VPN icon from displaying on the device when the user is not logged in. Enter 1 to enable or 0 to disable this option. By default, the value is 0.
    • enableFips: Enabling this option indicates that Zscaler Client Connector uses FIPS-compliant libraries for communication with Zscaler infrastructure. Enter 1 to enable or 0 to disable this option.

    Enable this option only if you require FIPS-level security within your organization.

    Screenshot of Workspace ONE UEM portal Application Configuration tab for app configurations

    9. Click Create.
    10. On the Zscaler Client Connector - Assignment page, review the values and settings entered, and then click Save. Zscaler Client Connector is pushed to the devices in the group that you selected.

    Screenshot of Workspace ONE UEM portal Assignment page to review app assignments

    After Zscaler Client Connector is installed on users’ devices, they must launch the app and log in to enroll in the Zscaler service.

  • Zscaler Client Connector automatically creates a VPN profile on the device if one is not already present. However, this means that the user is prompted to install the VPN profile and they can reject this installation. By pushing the VPN profile as Custom VPN, you can pre-deploy this VPN profile, which means not only is the user not prompted to install the profile, they also cannot remove the profile as it is pushed and managed by the MDM.

    To configure custom settings payload with XML code for an iOS device profile:

    1. In the Workspace ONE UEM portal, go to Devices > Profiles & Resources > Profiles > Add > Add Profile.
    2. On the Add Profile page, click iOS and then Device Profile.
    3. Name your profile and add an optional description.
    4. Scroll down to the VPN section. Click Add to add a new VPN profile.
    5. Under Connection Info:
      • Connection Name: Enter a connection name. For example, VPN Configuration.
      • Connection Type: From the drop-down menu, select Custom.
      • Identifier: Enter com.zscaler.zscaler.
      • Server: Enter a server name. For example, VPN.

    For Account, Disconnect on idle (sec), and Per-App VPN Rules, leave these settings as they are.

    6. For Custom Data, add the following keys and their values.
    • userDomain: Your organization’s domain name (e.g., safemarch.com). If your instance has multiple domains associated with it, enter the primary domain for your instance.
    • cloudname: The name of the cloud where your organization is provisioned. For example, if your cloud name is zscalertwo.net, enter zscalertwo. To learn more, see What is my cloud name for ZIA?
    • strictEnforcement: This allows you to block internet traffic before the user enrolls in Zscaler Client Connector. Enter 1 to enable.
    • excludeList: This allows you to exclude domains and IP addresses that should not be tunneled. If you are using strictEnforcement, this is critical because identity provider (IdP) domains and MDM connectivity must be bypassed to maintain connectivity. Enter a value, for example, apple.com, airwatch.com.
    • newBindFlow: Enables multithreaded implementation of Zscaler Client Connector microservices binding with Zscaler Client Connector virtual interface. Enter 1 to enable.
    • deviceToken: This option allows you to use the Zscaler Client Connector as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler Client Connector and complete the full configuration detailed in Using the Zscaler Client Connector as an IdP.
    • policyToken: This option specifies which app profile policy you want to enforce for the app before the user enrolls. This install option is only applicable and required if you enable the strictEnforcement option and want users to enroll with the app before accessing the internet. Retrieve the policy token from the iOS application profile located in the Zscaler Client Connector Portal.
    • username: The username for the user. For example, if the username is j.doe@zscaler.com, you would enter j.doe.
    • authByTunnel: The auto-enrollment settings for users when Zscaler Client Connector Portal is used as an identity provider (IdP) for authentication. Set it to 1 to always auto-enroll the users even if they are logged out manually or forcefully removed from the portal. Set it to 2 for one-time auto-enrollment. Set it to 0 to disable auto-enrollment.
    • ownership: If you use the device posture type ownership Variable, add the key ownership. You can enter up to 32 alphanumeric characters in the Configuration value field. To learn more, see Configuring Device Posture Profiles for ZPA.
    • SkipInterfaceInstallation: When enabled, Zscaler Client Connector doesn’t install a virtual interface if a user isn’t logged in. This prevents the VPN icon from displaying on the device when the user is not logged in. Enter 1 to enable or 0 to disable this option. By default, the value is 0.
    • enableFips: Enabling this option indicates that Zscaler Client Connector uses FIPS-compliant libraries for communication with Zscaler infrastructure. Enter 1 to enable or 0 to disable this option.

    Enable this option only if you require FIPS-level security within your organization.
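    The key descriptions above (and the identical list under the Application Configuration tab in the first procedure) carry constraints that are easy to get wrong when values are typed into the portal: short cloud name, bare username, 0/1 flags, and the excludeList and policyToken that strictEnforcement depends on. The Python validator below is an added example for reviewing a key set before it is pushed; it is not Zscaler or Workspace ONE tooling, the two sample configurations are constructed, and PLACEHOLDER_POLICY_TOKEN stands in for a real policy token.

```python
import re

# Checks derived from the key descriptions in this guide. This validator is an
# added example for reviewing a configuration before it is pushed, not a
# Zscaler or Workspace ONE tool.
FLAG_KEYS = {"strictEnforcement", "newBindFlow", "SkipInterfaceInstallation", "enableFips"}

def validate_zcc_config(cfg):
    """Return a list of problems in a dict of configuration keys (empty = OK).

    Workspace ONE UEM sends each key as a string, so non-string values are
    reported first and skipped by the remaining checks."""
    problems = [f"{k}: value must be a string, got {type(v).__name__}"
                for k, v in cfg.items() if not isinstance(v, str)]
    s = {k: v for k, v in cfg.items() if isinstance(v, str)}
    if "." in s.get("cloudname", ""):
        problems.append("cloudname: enter the short name (zscalertwo), not zscalertwo.net")
    if "@" in s.get("username", ""):
        problems.append("username: enter only the part before the @ (j.doe)")
    for key in sorted(FLAG_KEYS & set(s)):
        if s[key] not in ("0", "1"):
            problems.append(f"{key}: enter 1 to enable or 0 to disable")
    if s.get("authByTunnel", "0") not in ("0", "1", "2"):
        problems.append("authByTunnel: must be 0, 1 or 2")
    if "ownership" in s and not re.fullmatch(r"[A-Za-z0-9]{1,32}", s["ownership"]):
        problems.append("ownership: up to 32 alphanumeric characters")
    if s.get("strictEnforcement") == "1":
        # Internet traffic is blocked until enrollment, so the IdP and MDM
        # endpoints must be bypassed and a policyToken must be supplied.
        excludes = [d.strip() for d in s.get("excludeList", "").split(",") if d.strip()]
        if not excludes:
            problems.append("excludeList: required with strictEnforcement (IdP and MDM domains)")
        if not s.get("policyToken"):
            problems.append("policyToken: required with strictEnforcement")
    return problems

# Constructed samples: the first reuses the guide's example values, the second
# contains the mistakes the key descriptions warn against.
SAMPLE_OK = {
    "userDomain": "safemarch.com", "cloudname": "zscalertwo",
    "strictEnforcement": "1", "excludeList": "apple.com, airwatch.com",
    "policyToken": "PLACEHOLDER_POLICY_TOKEN", "authByTunnel": "2",
}
SAMPLE_BAD = {
    "cloudname": "zscalertwo.net", "username": "j.doe@zscaler.com",
    "strictEnforcement": "1", "authByTunnel": "3", "enableFips": 1,
    "ownership": "corp-owned!",
}
```

    validate_zcc_config(SAMPLE_BAD) returns seven problems, including the missing excludeList and policyToken that would leave a strictEnforcement device unable to reach its IdP or the MDM before enrollment.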

    7. Under the Authentication section:
      • User Authentication: From the drop-down menu, select Certificate.
      • Identity Certificate: Select None.
      • Include User PIN: Leave as disabled.
      • Enable VPN On Demand: Enable this setting.
      • Use new on-demand keys: Enable this setting.
      • Prevent on demand override: Enable this setting.

    Enabling the Use new on-demand keys setting allows you to create an On-Demand Rule. When end users access the internet, their traffic must go through Zscaler Client Connector, so as an admin you should configure the On-Demand Rule settings. When the network matches the configured On-Demand Rule, the OS launches the Zscaler Client Connector VPN.

    8. In the On Demand Rule section, configure the following settings:
      • Select interface type: Choose Any.
      • Action if network matches: Select Connect.
    9. Click Next.
    10. For the VPN on Demand section:
      • Match Domain or Host: Leave this setting as it is.
      • On Demand Action: From the drop-down menu, select Always Establish.

    Under Proxy, for Gateway Platform, select None.

    11. Click Next.
    12. In the Assignment section:
      • Smart Group: From the drop-down menu, select All Devices (Zscaler).
      • Allow Exclusion: Exclude any groups, if required.
    13. For Deployment, from the drop-down menu, select Managed.

    For all of the other items in this section, choose settings as per your organization’s policies.

    14. Click Save and Publish.