Currently Zscaler support has no clue how this is possible and seems to not have even addressed the ZCC logs I have attached to the case. I hope others are able to detect this quickly so Zscaler can fix a new extremely worrisome error.
I recently noticed some new machines popping up in my Admin console. This is not super alarming, as we are an ever-growing department, and I was able to verify that the accounts existed and were in fact part of our customer care team. I targeted their workstations for upgrades and successfully pushed to 3/4 of the identified users. When meeting with the 4th user, I noticed they were on a policy for a different tenant that was not under my control…
These members of our customer care team are external to our company and managed by a completely different Zscaler admin team. They are on zscalerthree while I am on zscalertwo. They are on ABC policy while I am pushing XYZ policies.
THE ONLY safe haven I see here is that it appears Zscaler is working on some sort of partner device functionality for 4.1++. None of my users are at this version. I can confirm the users popping up in my environment were not either.
I really need any sort of assurance that the right department at Zscaler is seeing this so that they can look into why this would have happened. It should not be possible for other company users to just pick up my policy and be under my control. That is a massive error and I am not being asked how I can confirm that all my users are still under my control.
It doesn’t help that this happens a week after a massive AT&T outage that amplified an issue my field agents experience with Captive Portal detections.
If other users are experiencing this please open tickets!
Partner Logins is a function where you can allow contractors/partners that are also Zscaler customers to log in to your ZPA applications. You can enable/disable this from the Partner Logins setting in the Administrator tab in the Client Connector portal, but note that this is disabled by default, so someone must have enabled this for your tenant (you should be able to see this in the Audit Logs).
These devices will stay logged into their primary tenant for ZIA/ZPA/ZDX, and can switch between ZPA tenants (only one ZPA tenant can be connected at a time). This allows for quick switching, without the need for the user to completely logout and login each time.
These partner users require IDP credentials for your configured IDP. Process-wise, adding a partner tenant works like this: the user is logged into their primary tenant and clicks to add a partner tenant. They enter a username from your domain, e.g. Jane.doe@company.com, are taken to your configured IDP, and authenticate. If successful, they have added the partner tenant.
They will stay logged into their primary tenant for ZIA/ZDX etc, but will have access to your ZPA apps.
Hopefully this clarifies how it should work. If a device is showing up in Partner Devices, they would have to be running 4.1 or later, and their tenant would have to allow for their users to add partners, and your tenant would have to allow partner devices to log in.
The 4 devices that showed up in my mobile admin portal were running 3.6.1.23, and 3/4 were running 3.7.1.53.
I do not have ZPA. And just confirmed that partner logins is still disabled as is by default.
They did not remain in their primary ZIA tenant as I visualized logs of them failing trying to reach their gateway.zscalerthree and successfully reaching my gateway.zscalertwo.
Taking users from one tenant to another tenant should not be possible and raises the concern that I may now need to verify that every single corporate user I expect to be under my administration is in fact under my administration.
Normal Enrolled Devices tab. Partner Devices list is still empty. I would assume this is because there are no 4.1+ Client connectors in my environment.
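The verification the poster describes above (checking that every device enrolled in this tenant is one the organisation actually manages, and that every managed device is enrolled here) can be done by reconciling a device export from the Client Connector portal against the corporate asset inventory. The following is an added example and not the poster's or Zscaler's code; the CSV columns, device names and addresses are constructed for the example and are not Zscaler's documented export schema.

```python
"""Reconcile enrolled Zscaler Client Connector devices against an asset inventory.

Reports three things a tenant admin would want to review:
  - devices enrolled here that are not in the inventory (e.g. partner machines that
    registered in this tenant after a user logged in with this tenant's domain)
  - inventory devices with no enrollment in this tenant (the user may have enrolled
    under another tenant, or not at all)
  - inventory devices enrolled under a different user than the recorded owner
"""
import csv
import io

# Constructed sample of a device export. Column names are an assumption for this
# example, not Zscaler's real export format.
ENROLLED_EXPORT = """\
username,device_name,zcc_version,policy_name
jane.doe@company.com,LT-0101,3.7.1.53,XYZ
john.roe@company.com,LT-0102,3.7.1.53,XYZ
care.agent1@company.com,CC-2001,3.6.1.23,XYZ
care.agent2@company.com,CC-2002,3.7.1.53,XYZ
"""

# Constructed sample of the corporate asset inventory (device -> recorded owner).
ASSET_INVENTORY = """\
device_name,owner
LT-0101,jane.doe@company.com
LT-0102,helpdesk@company.com
LT-0103,sam.poe@company.com
"""


def parse_csv(text):
    """Parse CSV text into a list of row dicts keyed by the header line."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(enrolled_csv, inventory_csv):
    """Compare enrolled devices with the inventory.

    Returns (unexpected, missing, owner_mismatch):
      unexpected     - sorted device names enrolled here but absent from the inventory
      missing        - sorted inventory device names with no enrollment here
      owner_mismatch - sorted (device, inventory_owner, enrolled_user) tuples
    Device names are compared case-insensitively; user names are lower-cased.
    """
    enrolled = {
        row["device_name"].strip().upper(): row["username"].strip().lower()
        for row in parse_csv(enrolled_csv)
    }
    inventory = {
        row["device_name"].strip().upper(): row["owner"].strip().lower()
        for row in parse_csv(inventory_csv)
    }
    unexpected = sorted(d for d in enrolled if d not in inventory)
    missing = sorted(d for d in inventory if d not in enrolled)
    owner_mismatch = sorted(
        (d, inventory[d], enrolled[d])
        for d in enrolled
        if d in inventory and inventory[d] != enrolled[d]
    )
    return unexpected, missing, owner_mismatch


if __name__ == "__main__":
    unexpected, missing, mismatch = reconcile(ENROLLED_EXPORT, ASSET_INVENTORY)
    for device in unexpected:
        print(f"REVIEW  enrolled but not in inventory: {device}")
    for device in missing:
        print(f"REVIEW  in inventory but not enrolled here: {device}")
    for device, owner, user in mismatch:
        print(f"REVIEW  {device}: inventory owner {owner}, enrolled as {user}")
```

Run against the constructed data, the two CC-* devices come out as unexpected enrollments, LT-0103 as a managed device that is not enrolled in this tenant, and LT-0102 as an owner mismatch. The inventory is the authoritative side here: matching on user domain alone would not have flagged the devices in this thread, since the partner users logged in with this tenant's domain and so appear as ordinary accounts.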
I imagine these users have credentials for your domain as well as the partner domain? If the partner does not prepopulate a domain when deploying ZCC, the users will be prompted to enter their user ID before the authentication screen, which is how it decides which IDP to use. Sounds like they mistakenly entered their email / ID from your tenant, which led them to log in to ZCC using your IDP, which would cause their machines to register in your tenant.
Sorry for my unresponsiveness. This looks to have been the case. The users were logging in with our domains instead of theirs as they were new hires to the partner company and nobody showed them how to log in I guess. I force removed their devices and requested their IT continue with the users to get them on the intended policies.