I’ve deployed a pilot of Zscaler on both iOS and Android. iOS is of course going as intended, but Android is always confusing as it’s not configured the same. I am now trying to enable strict enforcement as well as Automatic VPN/On-demand VPN, but I don’t see how; the documentation is chaotic at best.
Both settings on iOS are enabled via the configuration profile for VPN. Android has no such policy (unless I missed it, but it’s working so I doubt it). So I am trying to figure out where I can deploy those settings from.
Help! I have 24 hours before deployment.
EDIT: I’m deploying via Intune
Thanks, I’ve already done all those steps from the initial setup. Am I to assume always-on is on by default? Because nowhere is it mentioned in that guide and I’ve read it over numerous times.
Unless I’m that blind. Also, I’m not the Zscaler admin, just the Intune guy, so it’s not obvious to me lol
It’s under “as an APK”, then “configure always-on VPN”
That’s it! You da man! Odd place to put it. Doh!
Any chance you know about strict enforcement as well?
Part of the VPN profile: “Enable strict enforcement: If enabled, Strict Enforcement blocks internet access on the device until the user signs into ZCC. Strict Enforcement requires a device be in Supervised Mode, which in turn is only possible with corporate-owned devices (those configured with Apple Configurator or DEP/Apple Business Manager). BYOD or employee-owned devices can’t be put into Supervised Mode and hence won’t work with Strict Enforcement (even if it’s enabled).”
On iOS I’m given that option. On Android I only see “lockdown mode”. Is that the same thing?
Ah, sorry, forgot we were doing Android.
So Android actually enforces strict enforcement if you configure always-on.
Zscaler Client Connector can restrict the traffic and secure the device before enrollment if Always ON VPN is enabled on your organization’s MDM for Zscaler app. After the app is enrolled, it intercepts the traffic and forwards it according to the policies in
I appreciate you pointing out what I missed. Thanks again!
I’m still stuck on this. Always-on VPN is turned on and it’s passive. You get notifications that basically recommend using Zscaler, but it doesn’t block any traffic. I turned on lockdown mode, which does block traffic, but then it blocks logging into Zscaler. I don’t have an excluded URL like the iOS side of the house does. Uggggh
Yeah, so you have to make sure to exclude the URLs and make sure you aren’t doing SSL inspection on all of Android’s nonsense they have out there. Do you have access to Web Insights to see exactly what is being blocked? Typically that’s how I troubleshoot. You can also DM me and we can talk a bit more about it.
Thanks, I’ll DM you later today. Was planning to work on it over the weekend to have it operational by Monday before the status emails start up lol
Hello, did you ever get this resolved? I am having the same issue where turning on lockdown mode prevents even logging into Zscaler.
Yes, mine worked. I believe there was a part I missed that was oddly nested in the .apk part of the instructions, even though I wasn’t deploying a .apk.
What are you using for authentication, and are you getting a specific error? We use MFA that has been changing since deployment and it’s still been working with minor user behavior adjustments.
We are using Entra ID for authentication; however, with lockdown mode enabled, when clicking sign in on the ZCC application it redirects to login.zscaler.net and then we receive a name not resolved error, presumably as DNS requests are being blocked as part of lockdown mode.
The error message on the webpage is ERR_NAME_NOT_RESOLVED.
As soon as I disable lockdown mode, this works: the page redirects to login.zscaler.net and then to login.microsoft.com, where clients can then authenticate, and the VPN profile then works after reboots etc.
I suspect we need to get some bypasses in somewhere for specific endpoints.
Do you have the Intune bypasses added in the policy?
I can’t see anywhere to add bypasses.
The policy only has a checkbox to enable lockdown mode or not. It’s not like the iOS policy where you can add URLs into it which can bypass.
In your VPN policy for Always-on there is a section for “Excluded URLs”. I currently have 8 in there now. One was needed to allow iOS to pull OS updates. The rest were Zscaler/Microsoft bypasses.
This section only exists for iOS.
I am having issues with Android, where unfortunately there is no section for excluded URLs.
Ha! Sorry… forgot my own thread was Android. My apologies.