Forwarding Profile in SD-WAN: visibility or authentication?

I come here today to seek advice, as we are heading toward implementing SD-WAN as our new WAN standard, and we face a decision that is not easy to make. Let me explain.

Today: traditional internet access
RW: the environment is untrusted, and we want full cybersecurity control ==> ZCC running on all laptops + ZT2.0 to catch all internet traffic and manage it in our cloud.
For onsite users, all standard users have ZCC on their computer (laptop and desktop), and we're using Tunnel with local proxy forwarding mode and a hosted PAC file. But there are also some servers and shared stations that don't. So we set up an IPSec tunnel to catch all internet traffic.
This works quite fine.

Tomorrow: SD-WAN
RW: no change
Onsite: here comes the big question.
Should we deactivate our ZCC when on a trusted network to offer the SD-WAN device full visibility of the URL in order to allow classification and app recognition (we keep the IPSec "catch all" tunnel from the branch to Zscaler)? At first try, it also seems to create auth issues, as the ZCC doesn't provide the user ID.
Should we keep tunnel mode + IPSec for better security and accept that, for the SD-WAN device, all our internet access is seen as "flow to Zscaler"?

I cannot put my hands on any documentation covering this case. It's either "here is how the ZCC works" or "Zscaler integrates with SD-WAN thanks to API tunnel creation".

Hope I've made myself clear enough (sorry, French guy here).


UP, anybody facing the same question? Or is my issue not well described?