Authentication Issues during deployment of ZCC

We are deploying the ZCC in batches of 1000 users via Altiris. For most of the users it's getting installed smoothly, the user is logged in automatically and all works fine, but for 10% of the users we are facing issues with their auto-login.

During deployment the user goes into a specific app profile which is called Global, and then once successfully logged in it takes its own specific profile: XXX-USA

Can anyone suggest what could be the issue during the first attempt? We are using strict enforcement, so the Internet stopped working for the user because the user is not logged in, and they face an outage.

Hi @Bhisham ,

We are using the same technique without any issues.

For those 10%, are they connected via VPN during the deployment/install?
If so, split or full tunnel VPN?
Does the “Global” App profile contain ALL the VPN GW bypasses?
Which IdP are you using?


That’s not certain, as users are spread across the country and maybe many are road warriors. Yes! There is a possibility that users were connected on VPN while the app got deployed for them. The VPN is a split VPN and I have bypassed the VPN URL in the Global app profile VPN bypass section.

The IdP is Azure AD. I am not using any PAC file in the Global profile, although I have added the MS Authentication IP range & URL in the VPN bypass section.

Are you using MFA? To me this looks to be related to MFA.

Yes, we are using MFA but with split DNS.
Does the 10% get the MFA page or “cannot reach from here”?

Silly question, but you are deploying ZCC with ZIA only, right?


We are first deploying ZIA only and then will move to ZPA.
I need to check with users at exactly what stage they faced the issue; I will let you know in some time.

Are you using a PAC file in your global profile?
Also, what do you mean by MFA but split DNS?