Deployment with Strict Enforcement switch creating issues!

We are deploying the ZCC with strict enforcement switch On via SCCM/Tanium and its working as expected but sometimes we faced issues when user is not logged in properly with IWA and Internet stops working and IT team is not able to take remote etc…to solve the problem and its a outage as well for end user. Although we have bypassed the Teams app from ZCC still sometimes it not easy to troubleshoot with teams.

Is there any way where we can deploy ZCC first without Strict enforcement switch and then enable it later with some options from GPO etc…?

You can navigate to Zscaler Client Connector registry keys by using the following path: Computer\HKEY_CURRENT_USER\Software\Zscaler\App.

There is registry value PRE_ENROLMENT_PROXY_ENFORCEMENT. Try to update the values through GPO . I never tested this.

Hello @Bhisham

we had the same situation where we deployed first ZCC without strict enforcement, then planned to change it to enable strict enforcement. We used profession services to consult this and it turned out that there is no other way to enable strict enforcement for already deployed ZCC clients unless it is completely re-deployed with with strict enforcement, cloud name and policytoken switches. Here is the reference: Viewing the Policy Token for a Zscaler Client Connector Profile | Zscaler

The registry key option can be used for confirming status of the agent, however it will not work until client is re-deployed with above mention switches. Only for reference here is a link with all registry keys: Zscaler Client Connector: Windows Registry Keys | Zscaler

Kind Regards

Thanks for your response Pavel!
i have also checked the same with PS and they said re-deploy is the only option but it will not install the full client if the version is same then in while redeployment process it will just go and update the Strict Enforcement switch.
I have not tried it yet but this is what i got from Zscaler PS.