ZCC Deployment on iOS not Blocking Restricted Websites


I recently deployed the ZCC application to our corporate iPhones. Today I decided to attempt accessing some of the restricted websites; to my surprise, I was able to access them on my work iPhone without them being blocked by Zscaler. It is worth mentioning that these apps are blocked by Zscaler when accessed using our corporate laptops.

Is there something I did not do right?

The deployment was done using this guide:
[Guide] Deploy Zscaler Client Connector with Intune (iOS & Android)


Hi Samuel,

  1. iPhones using the same Forwarding Profile as corporate laptops?
  2. Results okay when visiting ip.zscaler.com using iPhone?
  3. Roadwarrior logs visible in ZIA?


They do not use the same forwarding profile.

ip.zscaler.com shows that the request did not come from a Zscaler IP and it did not show I am logged in (not sure why, since the login should have been automatic).

Roadwarrior logs traffic is visible in ZIA.


I need to mention that both the iPhone and corporate laptops are using the same PAC file.

Just as a random idea…

Your corporate laptops use IPv4 while the mobiles use IPv6?



Both use IPv4. I can say that because of the client IP I see in the Zscaler App on the iPhone.

Is http://speedtest.zscaler.com working from the iPhone?

It is not, unfortunately.

Then something is indeed wrong config-wise, which explains why the block policies are not applying.
Speedtest only works for ZIA authenticated users.

In the mobile portal, are you receiving the correct iOS Policy profile?
Maybe create another test iOS Policy profile and add yourself manually without any cloud PAC?

Where do you suspect the error may be coming from? Is it in the configuration from the MDM, the forwarding profile or the app profile?

On my work phone, it shows I am logged in to Zscaler, so I am confused when you said the speedtest only works for authenticated users, but it did not work for me.

I think I really need some help here.


Zscaler Support ticket?

  1. In the Zscaler mobile portal, how many iOS App profiles do you have?
  2. In MDM, are you in ‘Assign Groups to the VPN Profile’?

I have just one iOS App profile I am using for this deployment, though there is another profile created for another purpose which is not being used for this.

I am part of the pilot test group assigned to the VPN profile.


Can you share the details of the Forwarding Profile assigned to the iOS App Profile?


Under trusted network criteria, the condition is match any DNS Search Domains (our domain name is provided here).

In the trusted network evaluation section, everything is turned off.

In the Windows Driver Selection section, I selected “Packet Filter Based”.

Under FORWARDING PROFILE ACTION FOR ZIA, I selected Tunnel with Local Proxy and disabled Block Unreachable Domains Traffic.

VPN Trusted Network and Off Trusted Network are both set to Tunnel with Local Proxy.

Thank you @G-Man8 for being so helpful.

I was able to figure out through your support that using “Tunnel with Local Proxy” was the reason this was not working.

I used “Tunnel” and “Tunnel 2.0”, and everything seems to be working fine so far.