Zscaler for iPhone


(Ilya) #1

Is anyone using Zscaler App on iPhones? How is your experience? We are having a few issues:

  1. Zscaler app does not check in to get policy updates. App needs to be opened by the user to get checked-in.
  2. Zscaler app is not updating from within the app.
  3. Zscaler is blocking the sign-in connection to iCloud.

Thanks,


(David Creedy) #2

Hi Ilya,

We have a lot of deployments now, hopefully some of this can clarify your questions:

  1. The Policy update runs from the UI portion of the app. Most of the time this isn’t an issue, however if the OS decides to close the app, this can stop policy updates from happening. Note that user’s traffic will still be tunneled, this doesn’t stop. We are tracking an ER to move Policy update to the tunnel code so this can run whenever.
  2. Previously when we could do IPA distribution this worked, however now that Z App must be distributed from iTunes, we have no control over the application updates. Updates are handled completely by iTunes and will depend on the user’s settings (auto-update, or not). Unlike with Windows, we have no control over this.
  3. This is probably certificate pinning. I’d suggest bypassing the Apple domains from SSL inspection.

(Ilya) #3

Thanks for the quick reply. I will work on bypassing Apple domain which might resolve number 2. Question about the PAC file. I know I can use * as a wildcard, but can I use [N] as a wildcard for numbers. For example:

From:

ci5.example.com

ci6.example.com

To this:

ci[N].example

Also after a quick google search, for Apple there a few servers:

Can I just add the following to the PAC file bypass: .apple.com ?

Thanks,

The information contained in this transmission and any attachments may be confidential, proprietary or privileged, and may be subject to protection under applicable law. This transmission is intended for the sole use of the individual or entity to whom it is addressed. If you think you have received this transmission in error, please alert compliance@remedypartners.com and then delete this e-mail immediately. Thank you.


(Jones Leung) #4

Sorry to jump into the loop.

I have a prospect asking about the iphone zapp recently as well.

As now Zapp is with Apple Store, is there anyway to stop users to download the app there and complete manual SAML auth with their personal phones? The prospect wants to only allow corporate devices to be able to use the zapp and company Zscaler domain for internet access.

Best Regards,

Jones Leung

SE Manager, North Asia

Zscaler, Inc

HK: +852 94636204

TW: +886 983 904 288

CN: +86 186 8156 3905


(Scott Bullock) #5

Hi Jones,
Using cert based auth on the IDP could deliver this outcome.

Cheers,

Scott-


(Jones Leung) #6

Thx Scott!

I am also exploring this option, but as those company devices are not supervised iOS devices, and I believe the IT Dept still needs to send the cert through profile to those devices, would it be also a chance users can install the same profile in their persona devices to complete the cert based auth?

Best Regards,

Jones Leung

SE Manager, Greater China

Zscaler

HK: +852 9463 6204

TW: +886 983 904 288

China: +86 186 8156 3905


(Scott Bullock) #7

I understand the Cert cna he pushed as part of the MDM integration, hiding it from the user.

Never been able to test this and verify the client cert is a one way thing.


(Ilya) #8

Just a quick update. We use Jamf as our MDM solution. We resolved all the issues I originally stated by simply adding apple.com to ssl bypass. Now the iPhone is able to connect to iTunes and get all the app updates and sign into iCloud accounts.

Checking out the console, I see there is Mobile App Store Control section. Having tried it out yet since we use Jamf.