I’m working on getting ZIA deployed to iOS via Intune. The phones are supervised. My goal is that users should not be able to access the internet from their iOS device without traffic being routed through Zscaler.

Have followed these directions:

[Guide] Deploy Zscaler Client Connector with Intune (iOS & Android) - Client Connector - Zenith

It all works. I can log in to Zscaler using our SAML IDP and traffic is routed and inspected correctly. However, I can just go into settings on the iPhone and turn off VPN and traffic no longer goes via Zscaler.

I have also followed these instructions:

iOS strict enforcement - Client Connector - Zenith (zscaler.com)

I’ve set up a Global HTTP Proxy on the phone, also via Intune, with a https-hosted PAC file that directs all traffic via This doesn’t solve the problem though.

Two questions:

  1. Is what I’m trying to do (basically mimicking ‘always on’ VPN using Zscaler) actually possible? Some posts on this forum seem to suggest that it is but I can’t find complete instructions.

  2. If it is possible, what additional configuration might I need to do to make it work?

Hi folks, just bumping this as I’m a bit stuck on our deployment.

At the very least does anybody know if what we’re trying to do is actually possible (always-on Zscaler - or no internet access if not via Zscaler - on iOS via Intune)?


In case this is helpful for anyone, I figured out what I was doing wrong. In order for this to work, you need to set “ProxyPACFallbackAllowed” to false in the iOS GlobalHTTPProxy configuration.

After doing that, it all worked as expected. Internet access is blocked unless going through ZIA.

I had previously set that to true as I had not wanted to block access if the PAC file was inaccessible.
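As an added example (not from the original post, Zscaler's documentation or Intune), this is what the iOS Global HTTP Proxy payload described in the thread looks like as a .mobileconfig that Intune can push as a custom profile to a supervised device. The PAC URL, identifiers and UUIDs are placeholders; the commented-out block shows the setting the poster originally had, which lets the device fall back to a direct connection when the PAC file cannot be fetched.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- Global HTTP Proxy payload; only honoured on supervised devices -->
      <key>PayloadType</key>
      <string>com.apple.proxy.http.global</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.globalproxy.zia</string> <!-- placeholder -->
      <key>PayloadUUID</key>
      <string>00000000-0000-4000-8000-000000000001</string> <!-- placeholder -->
      <key>PayloadDisplayName</key>
      <string>Global HTTP Proxy (route all traffic via ZIA)</string>
      <!-- Auto = use a PAC file rather than a fixed proxy host/port -->
      <key>ProxyType</key>
      <string>Auto</string>
      <key>ProxyPACURL</key>
      <string>https://pac.example.com/zia.pac</string> <!-- placeholder; host not given in the thread -->
      <!-- Weak setting (the poster's original): when the PAC file is unreachable
           the device connects directly, so traffic silently bypasses ZIA.
      <key>ProxyPACFallbackAllowed</key>
      <true/>
      -->
      <!-- Corrected setting: no direct connection when the PAC cannot be fetched;
           internet access fails closed instead of bypassing the proxy. -->
      <key>ProxyPACFallbackAllowed</key>
      <false/>
      <!-- Default is false; true would let the device bypass the proxy to reach
           captive-portal login pages, which reopens a direct path. -->
      <key>ProxyCaptiveLoginAllowed</key>
      <false/>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.profile.globalproxy</string> <!-- placeholder -->
  <key>PayloadUUID</key>
  <string>00000000-0000-4000-8000-000000000002</string> <!-- placeholder -->
  <key>PayloadDisplayName</key>
  <string>ZIA Global HTTP Proxy</string>
</dict>
</plist>
```

With fallback disabled, an outage of the PAC host means no internet on the device, so the PAC file should be served from a highly available HTTPS endpoint and tested before rollout.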


