Remotely Triggered logout and re-enrollment for Zscaler Client Connector

We have a Zscaler implementation integrated with AD. We have configured a password to prevent users from logging off. We are using Zscaler Client Connector version 1.4.3.1.
When we get a whitelist request, we add the URLs to an AD group and subsequently RDP to the user machine, log off from Zscaler (due to the password control) and have the user log in again and re-enroll for the whitelist to take effect. We are trying to automate this process and need help with remotely logging out and triggering re-enrollment on user machines. Has anyone tried this before?
Is it possible to trigger log-out and re-enrollment through the command line or a script?

I’m not sure why you’re logging out the user from ZCC in order to log them back in. If the user is already in the group, then policy will take effect immediately.
However, if you're adding the user to a group, then you'd need to synchronise the groups to Zscaler. There are several ways to get group memberships into Zscaler.

  1. SCIM is the simplest mechanism since it will periodically push group updates, as well as adds/deletes/updates of users, to Zscaler.
  2. SAML authentication/re-authentication. When the user authenticates, the group membership is sent in the assertion.
  3. LDAP sync will pull users/groups from your directory periodically (but less frequently than SCIM). This requires an "inbound" connection to your directory.

I'm guessing you're logging the user in/out to trigger #2; however, this isn't necessary. If you can't implement SCIM (or LDAP, but I think that's a step backwards), have you considered SAML IdP-initiated authentication to update the group membership? I've posted an article on how to achieve it here: ZIA - IDP Initiated SSO for Group Updates
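To make option 1 concrete, here is an added example (not code from the thread, from Zscaler, or from any identity provider) of what a SCIM 2.0 provisioning push of a group-membership change looks like on the wire, per RFC 7644. It diffs a group's current SCIM members against the desired AD membership, emits the `PATCH /Groups/{id}` operations that close the gap, and applies them to an in-memory copy of the group the way the service provider would. The base URL, bearer token, group and user ids are placeholders I constructed; Zscaler's real SCIM endpoint, token handling and any vendor-specific limits are not taken from this page and must come from its own documentation.

```python
"""SCIM 2.0 group-membership PatchOp: build, serialise and apply (RFC 7644 section 3.5.2)."""
import json
import re

# SCIM 2.0 message schema URI that every PATCH body must carry.
PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Hypothetical SCIM base URL and provisioning token: placeholders, not a real Zscaler endpoint.
SCIM_BASE_URL = "https://scim.example.invalid/v2"
BEARER_TOKEN = "REPLACE_WITH_PROVISIONING_TOKEN"

# Matches the SCIM filter path used to remove one member: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value eq "([^"]+)"\]$')


def add_members_patch(user_ids):
    """PatchOp that appends the given SCIM user ids to a group's multi-valued 'members' attribute."""
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{
            "op": "add",
            "path": "members",
            "value": [{"value": uid} for uid in user_ids],
        }],
    }


def remove_member_patch(user_id):
    """PatchOp that removes a single member, addressed by a SCIM filter on its 'value'."""
    return {
        "schemas": [PATCH_OP_SCHEMA],
        "Operations": [{"op": "remove", "path": f'members[value eq "{user_id}"]'}],
    }


def build_request(group_id, patch):
    """Return the HTTP request a SCIM client would send for this patch (nothing is sent here)."""
    return {
        "method": "PATCH",
        "url": f"{SCIM_BASE_URL}/Groups/{group_id}",
        "headers": {
            "Authorization": f"Bearer {BEARER_TOKEN}",
            "Content-Type": "application/scim+json",
        },
        "body": json.dumps(patch),
    }


def apply_patch(group, patch):
    """Apply a members-only PatchOp to a Group resource, as the service provider does server-side.

    Returns a new group dict; rejects anything outside the add/remove-members subset.
    """
    if PATCH_OP_SCHEMA not in patch.get("schemas", []):
        raise ValueError("missing PatchOp schema URI")
    members = [m["value"] for m in group.get("members", [])]
    for op in patch["Operations"]:
        kind, path = op["op"].lower(), op.get("path", "")
        if kind == "add" and path == "members":
            for entry in op["value"]:
                if entry["value"] not in members:  # adding an existing value is a no-op
                    members.append(entry["value"])
        elif kind == "remove":
            match = MEMBER_FILTER.match(path)
            if not match:
                raise ValueError(f"unsupported remove path: {path}")
            members = [m for m in members if m != match.group(1)]
        else:
            raise ValueError(f"unsupported operation: {kind} {path}")
    return {**group, "members": [{"value": m} for m in members]}


def sync_group(group, desired_user_ids):
    """Compute the PatchOps that move the group's current members to the desired set."""
    current = {m["value"] for m in group.get("members", [])}
    desired = set(desired_user_ids)
    patches = []
    to_add = sorted(desired - current)
    if to_add:
        patches.append(add_members_patch(to_add))
    for uid in sorted(current - desired):
        patches.append(remove_member_patch(uid))
    return patches


# Constructed sample: a Group as a SCIM provider would return it; ids are made up.
SAMPLE_GROUP = {
    "schemas": ["urn:ietf:params:scim:schemas:core:2.0:Group"],
    "id": "grp-whitelist-01",
    "displayName": "ZIA-Whitelist-Allow",
    "members": [{"value": "user-1001"}, {"value": "user-1002"}],
}

if __name__ == "__main__":
    # AD now says the group should hold user-1001 and user-1003: one add, one remove.
    for patch in sync_group(SAMPLE_GROUP, ["user-1001", "user-1003"]):
        print(json.dumps(build_request(SAMPLE_GROUP["id"], patch), indent=2))
```

The point of the diff-then-patch shape is that the provisioning side only ever sends deltas, so a group change in AD reaches the cloud as a small PATCH rather than a user re-authenticating; an operator automating whitelist-group changes would drive `sync_group` from the directory and let the SCIM connector do the push.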