Authentication vs Always-on ZApp client

According to our system audit report, we should change authentication from our current setting to "once" and not have it challenge until the cookie expires (2 years). Besides not blocking a person who is no longer employed, what are the security risks, if any exist? Also, where does having ZApp on full time instead of using it on a trusted network come into play? Is turning ZApp on full time still an advised way to go? The issue I have with this is that bypasses needed where our external IP is required will have to be added to both ZApp and the network infrastructure.

Our clients always have the ZApp client enabled: in the office, at home, in an airport, on a ship or wherever they are. As we move to Internet-only and dynamic network infrastructure, we don't have a static corporate IP address any more.

Do you currently have infrastructure connected to Zscaler via an IPsec or GRE tunnel in the office?

Some are GRE, but most just egress via our firewalls at the moment.
GRE deployment is ongoing at pace, though.

To add to the original question, the general deployment that's recommended is to have it always on, primarily because this means that users will not need cookie auth when egressing through a GRE/IPsec tunnel, as Z App will handle that auth. This means users don't get prompted in their browser when the cookie expires, or when they switch to a new browser, etc.

With that said, it is a common deployment to also have Z App set to "none" on the trusted network and let the existing GRE take the traffic. There's nothing stopping you from doing either of these. But just keep in mind that if Z App is failing open, users will get prompted to auth in their browsers when the cookie expires.