How to enforce tenant control with Google application

Hi,

[1.] I want to apply the tenant control settings to a desktop application such as Google Drive, but I found a statement that SSL inspection needs to be enabled in order to apply the tenant profile.
● [Tenant Profile] Settings (image)

● [URL & Cloud App Control] Settings (image)

[2.] I also found a statement on the following Zscaler site that SSL inspection needs to be disabled in order to sync Google Drive.


Certificate Pinning and SSL Inspection | Zscaler

Given the two points above, is it not possible to implement tenant control for the Google Drive application?

Please let me know if anyone has implemented tenant control for Google applications.

I have gone round and round with support and I have actually figured out a solution, by only bypassing SSL on a couple of the Google sites while tenant control is in place. Zscaler support provided zero help, FYI. A few questions:

  1. Are you using Google Drive for desktop?
  2. Which FORWARDING PROFILE ACTION are you using in your forwarding profile?

Let me know and I can assist you in getting this fixed.

Thank you for your reply.

I will answer below.
[1.] The Google application uses the desktop version. In addition, Google Drive also synchronizes with the cloud.
[2.] Forwarding Profile uses Z-Tunnel 2.0.

I would be grateful if you could reply.
Regards,

So first you need to go here: Sign in - Google Accounts and look at the TrustedRootCertsFile setting. You will need to take the roots.pem file and add the Zscaler root cert PEM to this file. I ended up moving it to a different location because I wasn’t sure whether the file would be erased if the application updated. Once you move it to a different location you will need to put in a registry key to tell the application where you put the file (on Windows, but I would assume it's the same for Mac). After you have set this you will need to reboot for the registry key to take effect. This portion will fix files syncing up to the cloud.

To fix downloading and logging in you will need to put in the following SSL bypasses.

accounts.google.com/o/oauth2/

accounts.google.com/signin/oauth/

device-provisioning.googleapis.com

fcmconnection.googleapis.com

fcmtoken.googleapis.com

googleapis.com/auth/

googleapis.com/batch/

googleapis.com/drive/

play.googleapis.com

update.googleapis.com
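
The roots.pem step described in the reply above (adding the Zscaler root certificate to a relocated copy of the bundle) is easy to get wrong by hand: a bundle with no final newline gets the new block glued onto the last one, and repeated runs add duplicates. The Python below is an added example, not code from this thread or from Google or Zscaler. Its function names and sample certificates are constructed for illustration, and it checks PEM structure only, not X.509 validity.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the decoded (DER) bytes of every certificate block in a PEM bundle."""
    # validate=True rejects stray characters left behind by a bad copy/paste
    return [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_RE.findall(text)]

def to_pem(der):
    """Encode bytes as one PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def merge_bundle(roots_text, extra_text):
    """Append the certificates in extra_text that roots_text does not already hold.

    Returns (merged_text, number_added); a second run adds nothing.
    """
    extra = pem_blocks(extra_text)
    if not extra:
        raise ValueError("no certificate block found in the file to append")
    seen = {hashlib.sha256(der).digest() for der in pem_blocks(roots_text)}
    # A bundle without a final newline would otherwise glue END and BEGIN together
    merged = roots_text if roots_text.endswith("\n") or not roots_text else roots_text + "\n"
    added = 0
    for der in extra:
        fingerprint = hashlib.sha256(der).digest()
        if fingerprint not in seen:
            seen.add(fingerprint)
            merged += to_pem(der)
            added += 1
    return merged, added

# Constructed sample data: placeholder bytes, not real certificates.
SAMPLE_ROOTS = to_pem(b"constructed public root A") + to_pem(b"constructed public root B").rstrip("\n")
SAMPLE_PROXY_ROOT = to_pem(b"constructed inspection proxy root")

if __name__ == "__main__":
    merged, added = merge_bundle(SAMPLE_ROOTS, SAMPLE_PROXY_ROOT)
    print(f"added {added}, bundle now holds {len(pem_blocks(merged))} certificates")
    print("second run adds", merge_bundle(merged, SAMPLE_PROXY_ROOT)[1])
```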