Zscaler app for iOS

This topic is strictly about iPhones.
I’m currently using a PAC file to send traffic to Zscaler for content filtering and policies. I’m having quite a few issues with this option.
I did a test with installing Zapp from the iTunes store and it seems to work fine.
My question is: how can I deploy the app to my devices so that my employees are forced to log into the app in order to be able to browse?
I also noticed that even when I do log into the Zscaler app, I can just go into settings and turn the VPN off, and then I can browse freely again.
I did see some info about strict enforcement that seemed like what I was looking for…
I’m currently using Airwatch as my MDM and my devices are supervised.
I’m a small business owner with 25 employees, and I don’t have an IT person on staff.
If somebody could explain this to me as you would to a five-year-old, it would be greatly appreciated.

Hi,

If you want to enforce traffic going through the Zscaler app for a supervised phone, you can use tunnel with local proxy, so that your phone will be configured to use a global proxy sending traffic to 127.0.0.1:9000 or 9001. If Zapp is on, the tunnel will listen on this IP and port number; if the user turns the tunnel off, the traffic will not reach this IP and port and gets dropped.

Best Regards,

Jones Leung

Hi

I need some guidance on how to get this set up. Is this a PAC file that I need to create and then send to my devices with a global proxy policy that I configure with my MDM? Or should this be configured in the Zscaler app portal?

Is it possible to get a copy of a PAC file that I can use to create this policy?

I did try to contact support with this issue a couple of months ago, but the person I had contact with was totally clueless about this. He had never heard about strict enforcement. I simply gave up, but I’m getting very frustrated with the PAC file that I’m currently using.

What you need is to create a forwarding profile with the forwarding method set to tunnel with local proxy and add it to an iOS app profile.

Global HTTP Proxy in iOS supports a proxy server IP/host + port number but no PAC file; you need to leverage MDM to push 127.0.0.1 and port number 9000 or 9001 to the device.

Best Regards,

Jones Leung

Does strict enforcement have to be active on the device for this to work?

That should not be required, as without Zapp nothing will be listening on the loopback address at port 8000 to process traffic.

Thanks for the info, this works for me now!
Do you know if it is possible to use a PAC file instead?
That way I could bypass my MDM server so that I don’t lose connectivity on my devices if something goes wrong.
I could push the PAC file to the devices with my MDM.

Hi Roland,

Not as far as I know, as it seems the iOS Global HTTP Proxy only supports proxy IP/hostname + port number. But that should not introduce a dependency on MDM. MDM is only used to ensure the proxy is configured in iOS; if MDM is not reachable, I think the setting should be there. I suggest you confirm it with the MDM provider.

Best Regards,

Jones Leung

Hi,

Just to add to this, you can push a PAC file URL for Global HTTP Proxy settings. In Airwatch, if you set this to Auto, you should get the PAC URL field:

And as you mentioned, you can then bypass items in that PAC file by sending direct.

Regards

David

Thanks for the info. I did try this and was able to deploy the PAC file to my device, but I instantly lost all connectivity on my iPhone. I guess the PAC file was not configured properly. Does anybody have a sample of what the base PAC file should look like, or am I on my own to create a PAC file?
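
For the sample PAC file asked about above, an added example that is not part of the thread and not Zscaler's own file: it assumes the Zscaler app's local proxy on 127.0.0.1:9000 mentioned earlier, uses `mdm.example.com` as a placeholder for the MDM hostname, and the helper name `goesDirect` is hypothetical. It returns no `DIRECT` fallback after the proxy, so browsing fails closed when the tunnel is off while the MDM host stays reachable.

```javascript
// Added example PAC file (constructed for illustration).
// Assumptions: the local proxy listens on 127.0.0.1:9000 as described in the
// thread; "mdm.example.com" is a placeholder, replace it with your MDM host.
var LOCAL_PROXY = "PROXY 127.0.0.1:9000"; // no "; DIRECT" after it: fail closed
var DIRECT_DOMAINS = ["mdm.example.com"]; // hosts that must bypass the proxy

// Hypothetical helper: true when host is a listed domain or a subdomain of one.
function goesDirect(host) {
  // Normalise case and a trailing dot so "MDM.Example.COM." still matches.
  host = String(host).toLowerCase().replace(/\.$/, "");
  for (var i = 0; i < DIRECT_DOMAINS.length; i++) {
    var domain = DIRECT_DOMAINS[i];
    if (host === domain) return true;
    // Match only on a label boundary, so "evilmdm.example.com" is NOT a
    // subdomain of "mdm.example.com" and does not get the bypass.
    var suffix = "." + domain;
    if (host.length > suffix.length && host.slice(-suffix.length) === suffix) {
      return true;
    }
  }
  return false;
}

// Entry point the device calls for every request.
function FindProxyForURL(url, host) {
  // Loopback addresses are never sent through the proxy.
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  // MDM traffic goes direct so the device stays manageable if the proxy is down.
  if (goesDirect(host)) return "DIRECT";
  // Everything else must go through the local proxy; if nothing is listening
  // there, the request fails instead of going out unfiltered.
  return LOCAL_PROXY;
}
```

Keep the direct list as short as possible, since every host on it is reachable without filtering.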