Machine Tunnel and App Profiles

A couple questions:

User A has Machine Tunnel enabled in their App Profile, logs into a machine, and the machine is then enrolled in Machine Tunnel. Then, User B logs into the same machine, but does NOT have Machine Tunnel enabled in their App Profile. How does that affect Machine Tunnel on that machine? (I’ve done some limited testing with this and it appears the machine remains enrolled in Machine Tunnel even if a different user logs in that does NOT have Machine Tunnel in their App Profile, but I just wanted to confirm this is expected behavior as we have a use case for this functionality.)

Also, if we specify an App Profile during ZCC installation, and a user with a different App Profile logs into the machine, does the ZCC then use that user’s App Profile instead?

Thanks.

You need to install ZCC with the policy token of a machine tunnel-enabled App Profile. Or you apply the App Profile policy based on user or group. Later, the machine tunnel details will be within the machine. Machine tunnels are active before the user logs in to ZCC / the user tunnel is activated.

Hi Joe,

Yep, once machine tunnel has been enrolled it’s user agnostic unless you enable ‘Machine Authentication Required’ in the App Profile.

Yes, if your ZCC package includes the correct ‘Policy Token’ for the machine tunnel App Profile then it will be enrolled before the user logs into ZCC regardless of which App profile they’ve been assigned.

G

When a machine tunnel is removed from a registered machine, how can a new key be re-provisioned for the same machine?

Hi Raj,

I believe you are looking for the option ‘Allow Re-enrollment’ under Machine Provisioning Key.
https://help.zscaler.com/zpa/edit-machine-provisioning-key

G

Hi Gerhard,

I have that option enabled, just wanted to confirm the process to re-enroll.

Hi Raj,

It should be just a case of assigning to an App Profile with Machine Token enabled unless I’m missing something. I assume you haven’t reached your ‘maximum reuse’ then?

G

The account is already assigned to an App Profile with Machine Token enabled, it’s just the status shows as “Removed” and wondering how to get it to pull down a new key.

Restarting the service or updating policy doesn’t pull down a new key as it still shows Removed. Turns out that once you log out of ZCC and log back in, the machine now shows machine tunnel status as Active/Inactive - confirmed in Diagnostics.

Thanks Gerhard


Nice one Raj!
I should have asked if you are using a Policy token within your ZCC installation then a restart would have resolved it :wink:

All the best