You can use Zscaler Service Entitlement to select which users can enroll into Zscaler Deception. To enable Deception for only a select group of users, you must deploy Zscaler Client Connector for Windows 3.9 or later.

Enabling Deception for User Groups

To enable Deception for a group of users:

1. In the Zscaler Client Connector Portal, go to Administration.
2. In the left menu, select Zscaler Service Entitlement.
3. Click the Zscaler Deception (Deception) tab.
4. To enable Deception for only a group of users, ensure that Zscaler Deception Enabled by Default is disabled. If this setting is enabled, Deception is available for all users and you cannot assign Deception to a group.
5. Select a group of users from the User Groups drop-down menu and click Done. The default setting is None. This option means no groups have access to Deception and allows users to keep their current settings.

Groups are defined in the ZIA Admin Portal. If you do not see your groups, ensure that groups were synced to the Zscaler Client Connector Portal. To learn more, see Syncing Directory Groups between the ZIA Admin Portal and App Portal.

6. Select Logout Zscaler Client Connector when Zscaler Deception Entitlement is Enabled to automatically log users out of Zscaler Client Connector when Deception is enabled for a device group. Users can then log in again to enable the Deception service. This applies to customers using ZPA only or ZPA and Zscaler Deception. When disabled, Zscaler Client Connector runs without the ZDX service until the next Zscaler Client Connector login.

7. Click Save.

Your users' devices are updated the next time they connect. If users are already connected, devices automatically update in 60 minutes. To manually update devices, users can go into Zscaler Client Connector and click Update Policy from the More window. After manually refreshing, users must reauthenticate in the Zscaler Deception Service Status window.

Possible Configurations for Deception

The following table provides possible configurations for the Zscaler Service Entitlement feature and the resulting behavior of the Zscaler Deception service: