Is there any way to enable ZIA on an existing device for a LOCAL machine account? To be more specific:

  1. All our users get ZCC pre-deployed on their laptop during setup, and ZCC authenticates with the particular AzureAD UPN during Windows login.
  2. On some laptops we need a secondary, local account (let's call it "localuser1") created for user/app/project reasons.
  3. When the user signs in with "localuser1", ZCC pops up but has no user account pre-configured, and the user has to enter his credentials manually.
  4. If no credentials are entered in ZCC, the user can just close ZCC, which then stays in the "disabled" state. Therefore, e.g. browsing the web is possible without any restrictions/ZIA protection.

We are thinking about some way to always have ZIA connected regardless of the signed-in user, e.g. by fetching the owner of the particular device from the Zscaler portal fingerprint and activating ZIA this way.

Machine tunnel would not help here because it only enables ZPA for machine group access but not for ZIA (as far as I have understood the machine tunnel doc). And the requirements and functionality of the device token also seem insufficient for this scenario.

There was a similar request in ZIA & machine authentication, but it seems there is no solution so far.

Manuel, if your concern is that a corporate resource has unfiltered access to the Internet, it sounds more like a requirement for ZCC to be installed with the -strictenforcement option rather than a machine tunnel for ZIA issue.

You are right, I just completely forgot the strictenforcement option.
Thanks for the hint!