Machine Tunnel implementations - best practices

I am starting a thread for Machine Tunnel Best Practices, and I’m making it a new thread because the old one here for Machine Tunnel is long, and is primarily about “when will this feature be available”. This thread is more about implementation methods, what works well/best, and what to avoid.

For example, it seems to me that setting it up can open a security concern. If I create Machine Tunnel (“MT” from here onwards) access to a particular set of (minimal) internal services, then that policy is entirely dependent on having the string of characters from the Windows Application Policy Token. If that Token gets leaked, Bad People can get access to my sensitive services.

Has anyone played with combining this with ZCC Posture features, such as a cert or a registry key?


I just tried combining Posture (specifically, the Domain Joined option), but the Access Policy won’t accept a combination of Machine Tunnel and Posture. Perhaps my approach to this idea is incorrect.

@paul: Device posture is not supported on Machine tunnel. There is an ER which you can get by reaching out to support or acocunt management.

Thanks for pointing this out. I just noticed this in the Help information last Friday. I’ll ask for an ER, because this seems like a worrisome security gap.

1 Like

Is there any forecast to support the Machine Tunnel and Postures? As others this is a sec matter and Posture will nail any sec concerns about it.

Hi Roberto,
This is marked as an enhancement request(ER-8758) and is in progress.
I can only suggest you raise the ER too

How can I raise the ER?

Hi Roberto. ERs can be raised by your account team (SE or CSM, or even TAM if you have one). For an existing ER, these same people can attach your company name to the existing ER (i.e. no need for a duplicate ER). Usually, Zscaler prioritizes ERs based on the level of customer interest, so more customers, more priority. Having the ER number (in this case ER-8758) makes this easier.

1 Like

Hi Paul, have you tried the ‘IDP prompt’ for Machine tunnel using ZCC 3.4.1 ?

Hello Gerhard,
No, I’ve not been aware of that capability until now. Reading the release notes for 3.4.1,I find the detail for this feature to be rather opaque, and a quick search of Help didn’t point to anything. Is there some documentation on how this IdP Prompt might be configured and used? Are the associated ZCC and ZPA console changes (if any) rolled out to production as well (my client is on ZS3, if that matters)?

Hi Paul, IDP for Machine Tunnel needs to be requested for your instance of ZS3. We are waiting for it to be enabled within our BetaCloud environment. I’ll share info once enabled & tested but I’m still hoping to compliment this feature with Posture Checks :slight_smile:


1 Like

Hey Paul,

Apologies for the crap quality pics but sharing in case you haven’t had time.
IDP prompt using ZCC 3.5 is once off until the device is enrolled. Still hoping for posture check on machine tunnel like ‘domain joined’ and Certificate Trust.

Ah, this info is very helpful. If it works as I think it does, it should at least keep out the riffraff. :slight_smile:

I’ll see if I can test it on our dev environment.

1 Like

Hi, is there any update on predicted date for the release of this?

Hi Roberto,

I’ve been told early CY 22 which I’m really hoping for.
Any specific posture check you have in mind ?

Check that the machine has a certificate issued by the internal AD CA would be a good one to start with.

1 Like

Same here then ‘Domain Joined’.
We are hoping for a new Posture for 'Intune managed by “yourCompany” but we do understand these request are challenging while keeping security in mind.

Lets see what 2022 brings


I’d be happy with a Cert or a registry key. Any idea yet on availability?

Would also like to know when this feature will be released.

Hi Guys,

I’ve heard rumours that certificate posture check for machine tunnel is very close to release.
I cant say the same for Domain joined or registry but here’s hoping.