Exceptions to Strict Enforcement


Hello, I’m looking for a solution to a problem we are having. We use Strict enforcement on the ZSCaler Client Connector because we want users to be logged into ZCC while using the computer. We are still doing our initial deployment across the company. Occasionally we deploy it and the SSO doesn’t work either because of MFA or the user wasn’t provisioned or whatever. In these situations where ZCC is blocking internet access, we have to get the user on the phone and have them click through exiting the application from the system tray. We then uninstall it, troubleshoot, and redeploy.

My question is: Is there a way to remotely unblock access to the internet while still using Strict Enforcement? Maybe not all of the internet, but at least our remote tool. We could then see that the SSO authentication failed and then remotely send an uninstall command to remove ZScaler. Currently Strict Enforcement blocks ALL internet traffic so we cannot send a remote command to uninstall it. I know there are onetime passwords people can use to not authenticate, but I’d like for this deployment to be completely in the background without any user involvement.

Hi Dave,

Sure is. When you deploy with Strict Enformcent, point to a specific App Policy for the user to get before they login. From there either point to a PAC file that includes all of the locations you want to allow Internet Access to, or use the VPN Host Bypass.

You could open up access to your remote support tools as well as O365, but block everything else with Strict Enforcement.