Z-APP SSL inspection on Android

When we have SSL inspection enabled for Android we find it seems to break most apps on the Android mobile device. The browsers seem to be fine as we push the Zscaler CA from our MDM and we have the Z-APP AKA zscaler client connector checked to install the Zscaler CA. Still many apps lose internet connectivity when Android SSL inspection is enabled. Example apps Garmin Connect, Pandora, Amazon Music and many others. I have confirmed manually the zscaler cert is in the User store and trusted to network and apps. Is there a fix for this or is this issue just due to cert pinning of the Android apps themself? I am wondering if there is possibly a fix to this? We cannot possibly disable ssl inspection for these domain as that would impact our ability to inspect SSL on our windows devices etc. THe only fix I have found is disable SSL inspection for Android in the Z-app settings.

Additionally we tested with ChromeOS and it has this same issue I presume due to it’s android apps.

Hi @Pspearsjr, most of the mobile apps pin certs like this, there’s not much the industry can do about this from an inline gateway perspective. IMO the mobile OS manufactures could enforce enterprise customer-roots into fully-managed enterprise-owned devices, and app-author would have to honour, but that opens a privacy can-of-worms.

For now, you’ve already identified the possible solutions. There will be more granular options which @lpergament could talk to you about.

Cheers,
@skottieb

Hi @Pspearsjr, in an upcoming release we will allow you to SSL bypass applications/domains/URL categories based on the device OS type from which the traffic is originating. That would help you workaround the android/chrome OS certificate pinning challenge, while ensuring security and visibility for browser based access on Windows.

@lpergament that sound like that would be a workable solution allowing me to maximize ssl inspection where possible. Any release date on this new feature?

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)