iOS strict enforcement

(Marty Calvert) #1

We are working on distributing the Zscaler app among our iOS users and running into some issues trying to figure out how strict enforcement works. I’ve looked through the 7/31 release notes here: and using the sample .mobileconfig file, deployed the VPN settings through our MDM with strictenforcement set to 1. Once deployed, I see the VPN establish on the phone, and opening the Zscaler app for the first time, a message is presented saying internet access is blocked until you sign in; however, it is not actually blocked. You can browse just like normal. I’m wondering if something has changed in iOS since these notes were released. I haven’t been able to find any more recent documentation… I’ve played around with globalproxy as well, but haven’t had satisfactory results there thus far.

TLDR: we want to block all web traffic on iPhones until users are signed into the Zapp… how do you guys accomplish this?

(David Creedy) #2

Hi Marty, Welcome to the community!

Yes the behavior has changed slightly. The only way to achieve this behavior is to use a Global HTTP Proxy (requires device supervision), deployed with the MDM solution. We are currently working on documentation for this.

This essentially sets a global system proxy that routes traffic to Z App locally on the device; if Z App isn’t tunneling because the user isn’t logged in, that traffic goes nowhere.

Are your devices supervised?

(Marty Calvert) #3

We do have supervised devices. I had a feeling the solution was what you have mentioned with the global proxy, but I wasn’t able to figure it out by trial and error. What proxy do I need to return in the pac file to route it to the Z App?

(David Creedy) #4

Hi Marty,

You’d basically set the proxy return statement to

Make sure you bypass anything you need to function in the pac file or it will go nowhere (e.g. your MDM endpoint).



(Marty Calvert) #5

Success! Thank you for the quick responses and advice! This is exactly what we are looking for.
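
An added example, not part of the thread or of Zscaler's documentation: a PAC file shaped the way post #4 describes, with bypass hosts matched on a dot boundary and no `DIRECT` fallback on the default return. The return value is elided in the thread, so `ZAPP_PROXY` is a placeholder; the bypass hostnames and the `failsClosed` helper are constructed for illustration.

```javascript
// Placeholder: the thread elides the real return value; substitute the one Zscaler gives you.
var ZAPP_PROXY = "PROXY ZAPP_LOCAL_PROXY_PLACEHOLDER";

// Constructed bypass list: hosts that must be reachable before the user signs in.
var BYPASS_SUFFIXES = ["mdm.example.com", "login.example.com"];

// True only for the suffix itself or a subdomain of it (match on a dot boundary),
// so "notmdm.example.com" and "mdm.example.com.attacker.test" are not bypassed.
function hostMatchesSuffix(host, suffix) {
  var h = host.toLowerCase().replace(/\.$/, "");
  if (h === suffix) return true;
  var tail = "." + suffix;
  return h.length > tail.length && h.slice(-tail.length) === tail;
}

function FindProxyForURL(url, host) {
  for (var i = 0; i < BYPASS_SUFFIXES.length; i++) {
    if (hostMatchesSuffix(host, BYPASS_SUFFIXES[i])) return "DIRECT";
  }
  // Single proxy entry, no "; DIRECT" after it: if the local proxy is not
  // accepting traffic, the request fails instead of going out unfiltered.
  return ZAPP_PROXY;
}

// Lint helper (hypothetical): a PAC result fails closed only if no entry is DIRECT.
function failsClosed(pacResult) {
  var entries = pacResult.split(";");
  for (var i = 0; i < entries.length; i++) {
    if (entries[i].replace(/^\s+|\s+$/g, "").toUpperCase() === "DIRECT") return false;
  }
  return true;
}
```

Running `failsClosed` over every non-bypass return value before the profile is pushed catches a fallback entry that would let unauthenticated devices browse directly.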