I am starting a thread for Machine Tunnel Best Practices, and I’m making it a new thread because the old one here for Machine Tunnel is long, and is primarily about “when will this feature be available”. This thread is more about implementation methods, what works well/best, and what to avoid.
For example, it seems to me that setting it up can open a security concern. If I create Machine Tunnel (“MT” from here onwards) access to a particular set of (minimal) internal services, then that policy is entirely dependent on having the string of characters from the Windows Application Policy Token. If that Token gets leaked, Bad People can get access to my sensitive services.
Has anyone played with combining this with ZCC Posture features, such as a cert or a registry key?
I just tried combining Posture (specifically, the Domain Joined option), but the Access Policy won’t accept a combination of Machine Tunnel and Posture. Perhaps my approach to this idea is incorrect.
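As an added example (not from this thread and not Zscaler code), the script below shows, locally, the three signals the posts above keep asking for as posture checks on top of the Machine Tunnel token: domain membership, a registry marker, and a device certificate with a private key in the machine store. It is a diagnostic you run on an endpoint to see what such a posture check would observe; it is not an enforcement mechanism, since the point of the thread is that ZPA must evaluate these server-side so a leaked token alone is not enough. The registry path, value name and certificate issuer are assumptions; replace them with your own.

```powershell
# Added example, not from the thread or from Zscaler. Requires Windows
# PowerShell 5.1 or PowerShell 7 on Windows; run elevated to read HKLM and the
# machine certificate store reliably.

# --- assumptions: substitute your organisation's values ---
$ExpectedRegPath  = 'HKLM:\SOFTWARE\ExampleCorp\Posture'   # assumed path
$ExpectedRegName  = 'Managed'                               # assumed value name (DWORD 1)
$ExpectedIssuerCN = 'CN=ExampleCorp Device CA'              # assumed issuer CN

function Test-DomainJoined {
    # Equivalent of the "Domain Joined" posture: is the machine part of an AD domain?
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    return [bool]$cs.PartOfDomain
}

function Test-RegistryMarker {
    param([string]$Path, [string]$Name)
    # Registry posture: key exists and the value is set to 1.
    if (-not (Test-Path -Path $Path)) { return $false }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$Name -eq 1)
}

function Test-DeviceCertificate {
    param([string]$IssuerCN)
    # Certificate posture: a currently valid cert in LocalMachine\My, issued by
    # the expected CA, with a private key present (possession, not just a copy
    # of a public cert).
    $now = Get-Date
    $certs = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Issuer -match [regex]::Escape($IssuerCN) -and
        $_.HasPrivateKey -and
        $_.NotBefore -le $now -and
        $_.NotAfter -gt $now
    }
    return (($certs | Measure-Object).Count -gt 0)
}

$results = [ordered]@{
    DomainJoined      = Test-DomainJoined
    RegistryMarker    = Test-RegistryMarker -Path $ExpectedRegPath -Name $ExpectedRegName
    DeviceCertificate = Test-DeviceCertificate -IssuerCN $ExpectedIssuerCN
}

$results.GetEnumerator() | ForEach-Object { '{0,-18} {1}' -f $_.Key, $_.Value }
$allPass = -not ($results.Values -contains $false)
'Posture: ' + $(if ($allPass) { 'PASS' } else { 'FAIL' })
```

Caveat worth keeping in mind when asking for these as posture checks: the three signals are not equally strong. A registry value or a domain-join flag can be set by anyone with local admin on a machine they control, so they mostly prove intent rather than identity. A device certificate whose private key is non-exportable (ideally TPM-backed) is the only one of the three that a holder of a leaked token cannot simply reproduce on an unmanaged box, which is why the certificate check is the one to push hardest for.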
Thanks for pointing this out. I just noticed this in the Help information last Friday. I’ll ask for an ER, because this seems like a worrisome security gap.
Hi Roberto. ERs can be raised by your account team (SE or CSM, or even TAM if you have one). For an existing ER, these same people can attach your company name to the existing ER (i.e. no need for a duplicate ER). Usually, Zscaler prioritizes ERs based on the level of customer interest, so more customers, more priority. Having the ER number (in this case ER-8758) makes this easier.
Hello Gerhard,
No, I’ve not been aware of that capability until now. Reading the release notes for 3.4.1, I find the detail for this feature to be rather opaque, and a quick search of Help didn’t point to anything. Is there some documentation on how this IdP Prompt might be configured and used? Are the associated ZCC and ZPA console changes (if any) rolled out to production as well (my client is on ZS3, if that matters)?
Hi Paul, IDP for Machine Tunnel needs to be requested for your instance of ZS3. We are waiting for it to be enabled within our BetaCloud environment. I’ll share info once enabled & tested, but I’m still hoping to complement this feature with Posture Checks.
Apologies for the crap quality pics but sharing in case you haven’t had time.
IDP prompt using ZCC 3.5 is one-off until the device is enrolled. Still hoping for posture check on machine tunnel like ‘Domain Joined’ and Certificate Trust.
Same here, then ‘Domain Joined’.
We are hoping for a new Posture for ‘Intune managed by “yourCompany”’, but we do understand these requests are challenging while keeping security in mind.
I’ve heard rumours that certificate posture check for machine tunnel is very close to release.
I can’t say the same for Domain Joined or registry, but here’s hoping.