Is it possible to enforce client certificates when authenticating to ZIA/ZPA? I am finding that I can bypass some security controls by installing the Client Connector inside of a VM and connecting to the network. I can't find anything in the documentation about enforcing client certificates for authentication. The Client Connector is configured with a Pre-Login Machine Tunnel, so somehow I am able to register a new machine with Zscaler? Can anyone help me with this? I want to prevent people from signing in to Zscaler from personal devices.
The Zscaler posture check has options for a machine client cert check or a hidden file or registry key, and you can use this with ZPA or ZIA, but it is an extra service. The other way is SAML authentication: for example, connect Zscaler to Azure and Azure AD will check your device, as you can also use Microsoft MDM (Intune) so that Azure will allow only compliant corporate devices to connect. With other SAML IdP vendors a client SSL cert check can in most cases be used. Edit: I see now that Azure AD also supports Client Certificate authentication, as it is a new feature: Overview of Azure AD certificate-based authentication (Preview) - Azure Active Directory - Microsoft Entra | Microsoft Docs
Also see this post to see what options are available to secure the machine tunnel itself, for example with a certificate: Machine Tunnel implementations - best practices - #35 by Niokolay_Dimitrov
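To illustrate the difference between the posture options mentioned in the reply above, here is an added example (my own, not code from the thread, from Zscaler or from any IdP) that mimics the two kinds of check with plain openssl. The corporate CA, the "rogue" CA, the device names and the marker-file path are all made up for the demo. A hidden-file or registry-key check passes as soon as the user copies the marker onto a personal VM; a machine-certificate check only passes for a device holding a certificate and private key issued by the corporate CA, which is why it closes the VM bypass the question describes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zscaler: shows why a
# machine-certificate posture check is a stronger signal than a hidden
# file or registry key. Needs only openssl; CA and device names are made up.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. Called once for the corporate CA and once for
# a "rogue" CA that an attacker controls on a personal VM.
make_ca() {                     # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a device certificate signed by the named CA.
issue_device_cert() {           # $1 = device name, $2 = CA file prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 90 -out "$WORK/$1.crt" 2>/dev/null
}

# Certificate posture check: the device cert must chain to the corporate CA.
# A VM without a cert (and private key) issued by that CA cannot pass this,
# no matter what the user installs locally.
check_device_cert() {           # $1 = device name; exit 0 = corporate device
  openssl verify -CAfile "$WORK/corp-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Hidden-file posture check: passes for anyone who creates the file.
check_hidden_file() {           # $1 = marker path; exit 0 = "corporate" device
  [ -f "$1" ]
}

# Demo: a corporate laptop versus a personal VM that copies the marker file
# and mints its own certificate from a CA it controls.
make_ca corp-ca "Example Corp Device CA"
make_ca rogue-ca "Personal VM CA"
issue_device_cert corp-laptop corp-ca
issue_device_cert personal-vm rogue-ca
touch "$WORK/.corp-marker"      # attacker copies the marker file into the VM

if check_hidden_file "$WORK/.corp-marker"; then
  echo "hidden-file check: personal VM PASSES (trivially spoofed)"
fi
if check_device_cert corp-laptop; then
  echo "cert check: corp-laptop OK"
fi
if check_device_cert personal-vm; then
  echo "cert check: personal-vm OK"
else
  echo "cert check: personal-vm REJECTED (not issued by corporate CA)"
fi
```

Run it as `sh posture-demo.sh`. The rogue certificate is rejected with `unable to get local issuer certificate` because `openssl verify` trusts only the corporate CA; that is the property a machine-certificate posture profile relies on, whereas the marker file carries no proof of who created it.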
Hi David - here is the configuration screen you are looking for in the Mobile Portal (Client Connector in ZPA Admin): Administration, Device Posture, Add Device Posture Profile. Once created, you can select the posture profile in the appropriate policy ruleset in the ZPA Admin Console.