iPhone Users Unable to Authenticate to Zscaler When On-Demand VPN is Configured

First let me provide a background for easy understanding.

I am deploying Zcaler to our work iPhones, the configuration and deployment have been done to a test group and this seem to be working. The idea is to make sure that users are unable to access the internet without being singed in to Zscaler, this we have attempted to do by using Strict Enforcement in our configuration in our VPN profile in Microsoft Endpoint Manager. But we have however realized that a user can go to the phone setting and switch off VPN which then enable him to access the internet even without signing in to Zscaler.

In an attempt to prevent this from happening, we set the automatic VPN setting in our configuration in Microsoft Endpoint Manager to On-Demand VPN. This now automatically turn the device VPN back on when the user attempt to access the internet (if the device VPN was off).

The challenge I am now having is that despite adding login.microsoftonline.com and
authsp.prod.zpath.net to exclusion so the user can be able to authenticate and sign in to Zscaler, the login process is no longer going on successfully, it seem it is being blocked. I do not know if there is another url i need to exclude that is involved in the login process or if there is something else i need to do to ensure users are able to login successfully to zscaler.

Please I need help.



Did you ever get this working?

Hi Wasim,

Unfortunately I am still not able to get this to work, I have attempted to use Global Http Proxy as alternative to the On-demand VPN but still face similar challenge. As you may have imagined, this have almost brought the project to a halt sadly.

Samuel D.

Hi Samuel,

From reading your original post it sounds like you are using Azure AD as your Identity provider with Zscaler. If this is the case, in my experience you also need to ensure you allow access to the following domains for authentication to function:


If this is still not working, please refer to our config page which documents the required connectivity for Zscaler Client Connector….


Note, replace ‘zscaler.net’ with your assigned Zscaler cloud name (e.g. zscaler.net, zscloud.net, zscalertwo.net etc…)

I hope this helps.

Hi MarcDavis,

Thank you very much for this.

I will try it and let you know if this work well for me.


Hi MarcDavis,

Thank you very much for supplying the URLs there seem to be the missing piece in the puzzle and have been tremendously helpful.

We are having a challenge that I am hoping you will be able to help with.

The URLs you gave have resolved the issue with authentication and users are able to login, the two issues are

  1. When the configuration is pushed out to users with the global http proxy option configured, for some reasons it takes a couple of days for the user to be able to successfully login to Zscaler. Attempts to login immediately the configuration is pushed to the device present the user with a blank login.microsoftonline.com page
  2. With the On-Demand VPN option, the user is able to login immediately as expected but without login, the user is able to access sites like Facebook using Safari browser.

Do you have any idea why this is happening and how we can fix it? This is actually the last piece that we need to proceeed.

Thank you very much for your support.