Intune - iOS and ZIA Strict Enforcement

We’re testing distributing company-owned phones to some of our userbase. The phones are very locked down using Intune, but we’re hoping to further lock down this process using ZAPP. We are able to successfully push the app to the phone and enforce the VPN to always connect, but we are concerned about software pushes from Intune being able to reach the device in an instance where ZAPP is not logged in / authenticated.

Does anybody know if, in Intune, the domains in the excluded URLs portion of the VPN setup have inherent wildcards? We’re concerned that we’ll not be able to reach our device and remotely wipe/control it because we’re missing the right excluded URL.

Hi @preston_curry, today there’s no automatic bypass for MDM and similar management URLs from Zscaler App. We do however have different (general) fail-open/closed options which may help alleviate your concerns: https://help.zscaler.com/z-app/configuring-fail-open-settings-zscaler-app

@skottieb thanks for the advice.

I forgot to update this, but we ended up finding a solution. In Intune there are some bypass URL options along with other options for the VPN profile. I do not believe these options are actually working as intended on iOS. For example, there’s an option for a domain and it’s supposed to populate the ZAPP with it (per the inline help at least), but that doesn’t work. Putting the bypass URLs in there did not work.

We modified our Zscaler App profile with those bypass URLs in there and we were able to wipe the phones remotely again.

The URLs were found here: https://docs.microsoft.com/en-us/intune/fundamentals/intune-endpoints

Awesome @preston_curry, thanks for sharing!