TTechclick ⚡ XP 0% All lessons
Zscaler · Onboarding · Deployment ScenariosInteractive · L1 / L2 / L3

How to Onboard Zscaler: Every Scenario — Managed, Unmanaged & the ZIdentity Deadline

Two devices, two completely different onboarding paths. A company laptop gets the Zscaler Client Connector agent; a contractor's personal laptop never can. This lesson walks every Zscaler onboarding scenario end-to-end — who installs what, how many user licenses each path burns, and how to land the mandatory ZIdentity migration before Zscaler's March 2026 deadline.

📅 2026-06-13 · ⏱ 16 min · 2 live demos · 5 infographics · 2 console walk-throughs · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A hands-on guide to every Zscaler onboarding scenario: managed laptops with Zscaler Client Connector (ZCC), unmanaged/BYOD devices via Browser Access & Cloud Browser Isolation, per-user licensing math, and the mandatory 2026 ZIdentity + Experience Center migration — with worked examples.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Managed laptops (ZCC)

Push the agent, enrol, tunnel everything. The gold path.

 2

Unmanaged & BYOD

No agent allowed? Browser Access, PRA or isolation instead.

 3

How many users?

Licensing math — why 9,000 devices can be 3,000 seats.

 4

The ZIdentity deadline

Zscaler's mandatory 2026 migration — and the local-admin trap.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does the Zscaler Client Connector actually forward from a managed laptop?

Answered in Managed laptops (ZCC).

2. 3,000 employees, ~3 devices each, all on ZCC. How many Zscaler seats?

Answered in How many users?.

3. A contractor on a personal laptop won't install any agent. Can they still reach an internal web app securely?

Answered in Unmanaged & BYOD.

Most engineers think…

Most engineers think onboarding Zscaler means one thing: push the Client Connector agent to every device and you're done.

Wrong — and that assumption quietly breaks two of your biggest user groups. Contractors and BYOD users often can't install the agent at all, and in 2026 Zscaler is forcing a second onboarding you may not have noticed: the mandatory ZIdentity migration that changes how every admin even logs in. Miss either one and your rollout stalls. Let's map all of it.

Picture two people on their first day. Sneha joins Infosys and is handed a company laptop. Priya is an external auditor at HDFC Bank who shows up with her own personal laptop and zero patience for installing software. Both need to work securely through Zscaler today — but the way you onboard them could not be more different.

Onboarding Zscaler is really the art of answering one question for every person: can I put my agent on this device, or not? That single fork decides everything — the access method, the security you can enforce, and even how the licence is counted. Let's build the whole map.

👉 So far: Zscaler onboarding splits into a managed path (your agent goes on the device) and an unmanaged path (it can't). Next we'll name the moving parts, then walk each scenario.

First, the vocabulary — tap to flip

Four terms show up in every Zscaler onboarding conversation. Learn these and the rest of the lesson reads easily.

💻
ZCC (Client Connector)
tap to flip

The lightweight agent you install on a managed device. It captures the device's traffic and forwards it to Zscaler — web + DNS to ZIA, private apps to ZPA. So what: no ZCC = no full tunnel.

☁️
Zero Trust Exchange
tap to flip

Zscaler's global cloud where every policy decision happens, per identity. Both managed and unmanaged devices connect to it. So what: users get access to apps, never to a network.

🛡️
Device Posture
tap to flip

Checks that prove a device is trustworthy — domain-joined, encrypted, running approved EDR. Needs the agent to run. So what: unmanaged devices fail posture by definition, so they get restricted access.

🎫
Seat (the licence)
tap to flip

One subscription for one authenticated user, counted as unique users over a rolling 90-day window. So what: a person with a laptop + phone + tablet is still one seat.

Here's the whole architecture on one page. One cloud, two front doors — keep this picture in your head for the rest of the lesson.

Figure 1 — One Exchange, two front doors
Hub-and-spoke architecture. On the left, a managed laptop running the ZCC agent (trusted/blue) connects to the central Zscaler Zero Trust Exchange over a solid Z-Tunnel 2.0, while an unmanaged BYOD laptop with only a browser (untrusted/amber) connects over a dashed clientless link. On the right the Exchange forwards to Internet and SaaS via ZIA and to private internal apps via ZPA. Trusted (agent tunnel) Untrusted (browser) Key insight Endpoints Managed laptop ZCC agent installed Wipro corporate-issued Unmanaged / BYOD browser only — no agent contractor / personal device Zscaler Zero Trust Exchange (ZTE) policy decided per identity Z-Tunnel 2.0 (full) clientless / browser Internet & SaaS forwarded via ZIA Private / Internal apps forwarded via ZPA No agent = browser-only isolated access, no full tunnel
One Zero Trust Exchange, two front doors: managed laptops ride a full ZCC Z-Tunnel 2.0; unmanaged devices get browser-only, isolated access.

① Scenario 1 — Managed laptops with the ZCC agent

This is the gold path, and it's the one Sneha runs at Infosys for 5,000 employees. A Zscaler Client Connector (ZCC) agent goes on every company laptop, the device proves it's trustworthy, and from then on all traffic is tunnelled and inspected.

ZCC forwards traffic using Z-Tunnel 2.0, which sends all ports and protocols over DTLS on UDP 443 (falling back to TLS on TCP 443 if UDP is blocked). The old Z-Tunnel 1.0 was proxy-style and only handled ports 80/443 — fine for web, useless for everything else.

👉 So far: managed = ZCC agent + Z-Tunnel 2.0 = everything tunnelled. Now let's see the six onboarding steps that get a bare laptop there.
Figure 2 — Six steps to a protected laptop
Six-step onboarding chain wrapping across two rows. Step 1 IdP SAML login, step 2 SCIM provisions the user, step 3 MDM/Intune pushes ZCC with CLOUDNAME and POLICYTOKEN, step 4 the user enrolls and the device gets a token plus a unique fingerprint, step 5 forwarding plus app profile plus device posture apply, step 6 the Z-Tunnel 2.0 comes up over DTLS on UDP 443. A callout marks step 4 as clone-proof because of the device fingerprint. Managed-laptop onboarding — bare device → full protection 1 IdP login SAML authentication user proves who they are 2 SCIM provisions user identity synced to Zscaler user + groups created automatically 3 MDM / Intune pushes ZCC silent install CLOUDNAME + POLICYTOKEN 4 User enrolls device token issued + unique device fingerprint 5 Profiles apply Forwarding + App Profile + Device Posture checks 6 Z-Tunnel 2.0 up protected ✓ DTLS / UDP 443 fingerprint = clone-proof a copied token won't auth on another box
Six steps turn a bare laptop into a protected one — and the device fingerprint at step 4 is what makes the enrolment clone-proof.

Identity comes first. You wire your SAML identity provider (Okta or Microsoft Entra ID) for login, and SCIM to auto-provision users and groups. Then you build the policy in the Client Connector Portal: an App Profile and a Forwarding Profile, plus Device Posture profiles.

Here's the screen Sneha actually fills in — the App Profile and its Forwarding Profile for a managed Windows laptop.

🖥️ Recreated for clarity — your console matches this. (Client Connector Portal, App & Forwarding Profile for a managed laptop.)

admin-mobile.zscaler.net · App Profiles

Administration App Profiles Add App Profile

App Profile Name
Infosys-Windows-Managed
Platform
Windows
Enable ZIA
Enable ZPA
Enable ZDX
ZIA Posture Profile
Corp-Win-Compliant
Install Zscaler SSL Certificate
ON
Install WFP Driver
ON

Forwarding Profile

Action (Off-Trusted Network)
Tunnel (Packet Filter-Based)
Tunnel Driver
Z-Tunnel 2.0
Primary Transport
DTLS
Save
 ZIA + ZPA + ZDX on = one agent does web egress, private apps, and digital-experience monitoring.  The Zscaler SSL cert must be trusted, or HTTPS inspection breaks every site.  Packet-Filter + Z-Tunnel 2.0 is what makes it a real tunnel (full L3/L4), not just a proxy.
These are the exact toggles that turn a freshly-installed ZCC into a fully-forwarding, SSL-inspecting agent on a managed Windows laptop.

With the policy ready, you push the agent silently with your MDM. The two parameters that matter most: CLOUDNAME (which Zscaler cloud you're on, e.g. zscalertwo) and — if you enforce strict mode — POLICYTOKEN. Here's a real Intune/SCCM command line for a managed Infosys laptop:

Push ZCC via MSI (Windows, managed laptop)
msiexec /i ZSAInstaller.msi ^
  CLOUDNAME=zscalertwo ^
  USERDOMAIN=infosys.com ^
  POLICYTOKEN=8f3c-strict-d21a ^
  INSTALLLWFDRIVER=1 LWFBOOTSTART=1 /qn
Expected output
MSI (s) ... Installation completed successfully.
ZSATray service: Running
ZCC: awaiting user login (SAML)  ·  Cloud: zscalertwo
Z-Tunnel 2.0: connecting (DTLS udp/443)
Quick check · Q4 of 10

Ananya at HDFC Bank is packaging ZCC in Intune, and policy requires Strict Enforcement (no network unless ZCC is enrolled and policy-bound). Which parameters must she include?

Correct: d. A managed push needs CLOUDNAME + USERDOMAIN, and Strict Enforcement specifically requires the POLICYTOKEN. CLOUDNAME alone won't bind the device (a); you never hardcode credentials — ZCC enrols via SAML (b); and POLICYTOKEN doesn't replace the other two (c).

When the user logs in, ZCC issues a device token and computes a unique device fingerprint. That fingerprint is the clever bit: copy the install to another machine and enrolment fails, because the fingerprint won't match. Finally the profiles and posture apply, and Z-Tunnel 2.0 comes up.

🏛 Architect note: on Windows, Zscaler recommends Tunnel (Packet Filter-Based); on macOS, Tunnel with Local Proxy. Keep DTLS primary but allow TLS fallback (needs ZCC 3.4+ on Windows, 3.9+ on macOS) so users behind UDP-hostile ISPs don't degrade.

▶ Live: a managed laptop's traffic path

Watch a packet leave Sneha's enrolled laptop and reach an app. Press Play for the healthy path, then Break it to see the classic failure.

① captureZCC grabs the traffic as it leaves the laptop — web, DNS and private-app flows.
② tunnelZ-Tunnel 2.0 wraps it (DTLS / udp 443) to the nearest Zero Trust Exchange edge.
③ inspectThe Exchange checks identity + policy, decrypts and inspects.
④ forwardClean traffic is forwarded — internet/SaaS via ZIA, private apps via ZPA.
Press Play to step through the healthy path. Then press Break it.
Quick check · Q1 of 10

Karthik, a junior engineer at Infosys, deployed ZCC with default settings and wants to confirm in the firewall logs which transport and port the primary tunnel uses. What should he expect by default?

Correct: c. Z-Tunnel 2.0 is the default and forwards over DTLS on UDP 443, falling back to TLS on TCP 443 when UDP is blocked. TLS-only is just the fallback (a); 80/443-only proxy behaviour is the legacy Z-Tunnel 1.0 (b); ZCC is not an IPSec client (d).

Pause & Predict

Sneha rolls ZCC out to 5,000 employees. Each gets a managed laptop and a managed phone, both running ZCC under the same login. How many ZIA licenses does Infosys need? Type your guess.

Answer: 5,000 — not 10,000. Licensing is per named user, not per device. We prove the math in How many users? below.

Sneha at Infosys faces this

Rollout day: 200 laptops install ZCC fine, but several never finish enrolling and show "Strict Enforcement" with no network.

Likely cause

The MSI was pushed without POLICYTOKEN. With Strict Enforcement on, ZCC refuses to let the device on the network until it's policy-bound — and it can't bind without the token.

Diagnosis

Check the install command the MDM actually ran and the ZCC enrolment log.

Client Connector Portal → Administration → Windows Policy → copy Policy Token
Fix

Repackage the MSI with the correct POLICYTOKEN from the Windows policy and re-push; or temporarily relax Strict Enforcement during pilot.

Verify

ZCC tray shows Authenticated and Z-Tunnel 2.0 Connected; the device appears under Client Connector Portal → Enrolled Devices.

② Scenario 2 — Unmanaged & BYOD devices (no ZCC)

Now Priya, the external HDFC auditor on her own laptop. She cannot install ZCC — it's not your device, and she'd refuse anyway. So she fails device posture by definition. The answer isn't "force the agent" — it's clientless access, and the destination app type picks the door.

👉 So far: managed laptops get the agent + full tunnel. Unmanaged devices get one of four clientless methods. Here's how to choose.
Figure 3 — No agent? The app type picks the door
Decision tree for an unmanaged BYOD device without ZCC. From the root, an internal web app goes to ZPA Browser Access using a certificate and CNAME; an RDP, SSH or VNC console goes to Privileged Remote Access which is pixel-streamed; a need for zero data on the device or DLP goes to Cloud Browser Isolation; and plain internet or SaaS egress goes to a hosted PAC file, which is marked as the weak option because it is proxy-only with no Z-Tunnel and no posture. Strong / recommended Weak — last resort Key insight Unmanaged / BYOD device no ZCC — what kind of app? internal WEB app RDP / SSH / VNC zero data on device just internet / SaaS ZPA Browser Access cert + CNAME browse the internal web app, no client Privileged Remote Access (PRA) pixel-streamed console in the tab — no native client Cloud Browser Isolation (CBI) renders remotely, streams pixels — DLP, nothing lands Hosted PAC file ⚠ weak option proxy-only no Z-Tunnel no posture / no DLP easily bypassed Three doors give real Zero Trust; the PAC file is just a proxy hint. Pick the door by the app type, not by habit — PAC has no identity-aware enforcement.
With no ZCC, the destination app type picks the access door — ZPA Browser Access, PRA, or CBI for real control; the hosted PAC file is the weak, proxy-only fallback.

For Priya's internal web app, the answer is Browser Access: you publish the app with a server certificate and a DNS CNAME, and she reaches it in her normal browser. For a server console (RDP/SSH/VNC) you'd use PRA. When the rule is "no sensitive data may touch the device", you wrap the session in Cloud Browser Isolation (CBI).

▶ Live: a clientless Browser Access request

Follow Priya reaching an internal app from her own browser. Press Play, then Break it for the most common setup mistake.

① openPriya opens the app's external URL in her own browser — no agent involved.
② CNAMEA DNS CNAME points that hostname at Zscaler, so the request lands on ZPA.
③ authShe authenticates (SAML); ZPA stitches her browser to the app via an App Connector.
④ renderThe web app renders in her tab. Clientless, identity-checked, zero install.
Press Play to step through the healthy path. Then press Break it.
Quick check · Q3 of 10

Rahul at TCS must give an external auditor access to one internal web-based reconciliation app. She's on her own laptop and refuses to install anything. Access must be clientless and expose only that one app. Best method?

Correct: a. Browser Access is clientless and built to publish internal web apps to unmanaged browsers. She refuses an agent, so ZCC is out (b); a PAC file only handles internet/SaaS egress, not a private app (c); PRA is for RDP/SSH/VNC consoles, not a web app in the browser (d).

Pause & Predict

A different contractor needs RDP into a jump server from his personal laptop — no client allowed. Which clientless method fits? Type your guess.

Answer: Privileged Remote Access (PRA). The RDP session runs between Zscaler and the server and is pixel-streamed to his browser tab — nothing installs, and no RDP traffic ever touches his device.

Priya at HDFC Bank faces this

External auditor on her own laptop opens the internal app URL and gets a browser certificate error — she never reaches the login page.

Likely cause

The Browser Access app was created without a valid server certificate, or its DNS CNAME was never published — so her browser can't trust or even resolve the app to Zscaler.

Diagnosis

Confirm the BA certificate and the external domain's CNAME.

ZPA Admin Portal → Application Segments → Browser Access → Certificate & Domain
Fix

Issue a valid BA server certificate (or use Zscaler-Managed Certificates, which auto-renew and publish the CNAME) and add the CNAME at your DNS provider.

Verify

From any off-network browser, the app URL loads the SAML login and then the app — no cert warning.

🔧 Engineer note: for BYOD that also needs SaaS, redirect the SaaS app's SSO to Zscaler so the session opens inside CBI with download/upload/copy/paste/print blocked — and apply different controls to BYOD vs corporate devices. The hosted PAC file is a last resort: it only proxies web/SaaS egress, gives no Z-Tunnel 2.0 and no posture, and a user can edit it out.

③ How many users? Licensing every scenario

This is the question every onboarding plan trips on. Zscaler licenses a Seat = one authenticated user, counted as unique users over a rolling 90-day window. Per person, never per device. Admin accounts don't consume end-user seats. Contractors who authenticate do count.

Figure 4 — Zscaler counts the person, not the laptop
Two side-by-side panels contrasting licensing. The left red panel shows wrong per-device thinking: 3,000 users times about 3 devices each equals 9,000 licenses, marked with a cross. The right blue and green panel shows the right per-named-user model: the same 3,000 identities equal 3,000 seats, marked with a check. A person named Ananya with four device icons collapses down to one seat. A footnote explains licensing is on unique authenticated users over a rolling 90-day window. ✗ WRONG — per-device thinking 3,000 Wipro users × ~3 devices each (laptop + phone + tablet) 9,000 licenses? over-buying — you'd pay 3× too much ✗ Not how Zscaler licenses ✓ RIGHT — per named user 3,000 identities one human = one seat, however many devices Ananya 1 seat 3,000 seats ✓ exactly how Zscaler licenses Licensed on unique authenticated users over a rolling 90-day window — devices are free, identities are counted.
Per-device math (9,000) is wrong; Zscaler licenses the named user — 3,000 identities, however many devices, are 3,000 seats over a rolling 90-day window.

Let's run the four worked examples students get asked in interviews:

Quick check · Q2 of 10

Sneha rolls ZIA to all 5,000 Infosys employees — each with a managed laptop and phone under the same login — plus 50 dedicated Zscaler admin accounts. How many ZIA end-user seats are needed?

Correct: b. A seat is one unique authenticated user; multiple devices still count as one. Per-device math is the classic mistake (a, c), and dedicated admin accounts don't consume end-user seats (d).

🏛 Architect note: if the rolling-90-day unique-user count exceeds your contract by >10%, Zscaler triggers a true-up — buy prorated seats or upgrade Light Users. Scrub stale identities (Reports → Users → last-login) before renewal so you don't over-buy, and negotiate the contractor/Light-User band up front.

④ The new requirement — the ZIdentity migration

Here's the onboarding most teams haven't noticed. In 2025–2026 Zscaler is retiring how admins log in and manage everything. Each product used to have its own console and its own local logins. That's being replaced by two linked things: ZIdentity (one centralized login, formerly ZSLogin) and the Experience Center (one unified admin console).

This is not optional. Three dates decide your 2026.

Figure 5 — Three dates decide your 2026 ZIdentity migration
Horizontal roadmap. Now: engage the Zscaler account team (SE, TAM, CS). Then migrate admins to ZIdentity, where only IdP-federated accounts migrate and local accounts do not. Then migrate end users with a 14-day rollback window. The dated milestones pop: March 2026 migration becomes mandatory (amber), April 2026 new features arrive only in the Experience Center, and September 2026 legacy admin UIs are deprecated (red). ZIdentity migration roadmap — 2026 Prep step (do now) Hard deadline Legacy switched off Now engage Zscaler team SE · TAM · CS Migrate ADMINS only IdP-federated accounts migrate — local accounts do NOT Migrate end users 14-day rollback window MARCH 2026 migration is MANDATORY APRIL 2026 new features ONLY in Experience Center SEPT 2026 legacy admin UIs DEPRECATED Local admin accounts won't move — recreate them in your IdP before you start.
Three 2026 dates drive the ZIdentity migration — March (mandatory), April (features only in Experience Center), September (legacy admin UIs deprecated). Local admin accounts never migrate.

The trap that bites teams: only IdP-federated admin accounts migrate automatically. Any local admin account (credentials stored in the old portal) does not carry over — you must recreate it in your IdP first. Here's the migration screen, with the local account flagged.

🖥️ Recreated for clarity — your console matches this. (ZIdentity admin migration in the Experience Center.)

console.zscaler.com · ZIdentity · Admins

ZIdentity Administration Admins & Roles

E
Identity Provider: Microsoft Entra ID
Connected ✓ · SCIM provisioning ON
Federated
Admin Source MFA Status
ravi.menon@bank.example Entra ID (SAML) Migrated
anita.rao@bank.example Entra ID (SAML) Migrated
legacy_admin Local — portal-stored ⚠ Will NOT migrate
Migrate Admins
 Local accounts don't migrate — recreate this admin in your IdP (Entra ID) first, then re-run the migration.
Only IdP-federated admins move to ZIdentity automatically; any portal-stored local account must be recreated in your IdP before the deadline or it is left behind.

The compliance steps, in order:

  1. Inventory admin accounts — separate IdP-federated from local (portal-stored). Local ones won't migrate.
  2. Connect your IdP to ZIdentity — SAML/OIDC SSO + SCIM provisioning from Okta/Entra/Ping.
  3. Recreate the local admins in your IdP, then re-run migration so they're federated.
  4. Plan MFA — ZIdentity has built-in MFA; decide whether to enforce at Zscaler or rely on the IdP.
  5. Migrate admins first, validate console + MFA access in the Experience Center.
  6. Then phase end users — remember the rollback window is only 14 days.
  7. Finish before March 2026 to keep new features and stay ahead of the September 2026 legacy shutdown.
Why identity hardening matters

In August 2025, CVE-2025-54982 (CVSS 9.6) showed a SAML signature-verification flaw in Zscaler's auth server — a forged assertion could impersonate any user. Zscaler remediated it cloud-side with no known exploitation, but it's exactly why ZIdentity centralizes auth and bakes in MFA: identity is the new perimeter.

Pause & Predict

After the migration, one Zscaler admin can no longer log in — every IdP-federated admin is fine. What kind of account was the broken one? Type your guess.

Answer: A local admin account (credentials stored in the old portal). Local accounts don't migrate to ZIdentity — they must be recreated in the IdP first, or they're simply left behind.

⑤ Field notes — the mistakes that page you at 2 a.m.

Onboarding rarely fails at "install" — it fails at the edges. Here are the four most common production bites, each with the symptom you'll actually see.

Priya at Wipro faces this

On hotel Wi-Fi her ZCC laptop has zero internet; the usual "click to accept" page never appears and ZCC reads "Captive Portal Detected."

Likely cause

ZCC's tunnel comes up before the OS finishes its captive-portal probe, so the hotel's login redirect never reaches her.

Fix

Enable fail-open captive-portal detection; bypass captive.apple.com and msftncsi.com; or have the user open http://neverssl.com to force the portal.

Teams / Zoom calls drop after rollout

Symptom: voice/video drops or one-way audio while web browsing is fine. Cause: real-time UDP media was tunnelled or inspected — and VoIP over ZPA is unsupported. Fix: add the UCaaS bypass for Teams/Zoom domains + media IP ranges so the media goes direct.

Duo, git, npm throw certificate errors

Symptom: Duo Desktop dies; git/npm/pip fail with SELF_SIGNED_CERT_IN_CHAIN; websites load fine. Cause: SSL inspection re-signs TLS with the Zscaler cert, but pinned apps and tools with their own trust stores reject it. Fix: add SSL-inspection bypass for pinned apps and install the Zscaler root CA into each tool's trust store.

Pro tip — watch the Trusted Network rule

If your Trusted-Network conditions are loose, ZCC can wrongly decide an untrusted café network is "trusted" and stop tunnelling — traffic then egresses raw. Tighten the criteria and keep ZCC current (a DNS CNAME+A edge case was fixed in 4.8.0.115).

Verify it worked — from the logs, not the config screen

A green tray icon isn't proof. Confirm enrolment and the live tunnel from the device and the portal:

Windows — confirm ZCC tunnel + reachability
C:\> nslookup gateway.zscalertwo.net
C:\> curl -s https://ip.zscaler.com
# In ZCC: ⚙ → More → Export Logs ; tray → "Z-Tunnel 2.0 Connected"
Expected output
ip.zscaler.com  →  Your request is arriving via the Zscaler cloud: zscalertwo
Location: Mumbai III  ·  Z-Tunnel 2.0: Connected (DTLS)
Portal → Enrolled Devices: this device = Authenticated ✓
👉 So far: you've mapped managed onboarding, the four unmanaged methods, the per-user licensing math, the 2026 ZIdentity deadline, and the field gotchas. Lock it in with the tutor and the assessment below.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Zscaler docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Analyze

Priya at Wipro connects to hotel Wi-Fi on her ZCC laptop. The usual login page never appears and she has zero internet; ZCC shows "Captive Portal Detected." Root cause?

Correct: a. The ZCC tunnel masks the OS captive-portal probe, so the sign-in redirect never surfaces. An expired license doesn't trigger this state (b); blocked UDP 443 just falls back to TCP 443 (c); posture failure changes access tier, not captive-portal detection (d).
Q6 · Analyze

After ZCC rollout at Flipkart, Teams and Zoom calls keep dropping or have one-way audio, while web browsing is fine. Most likely cause?

Correct: b. Real-time UDP media must be bypassed, not tunnelled; tunnelling it (or routing VoIP over ZPA) causes drops and one-way audio. The fix is bypass vs tunnel, not a tunnel-version change (a); SSL inspection targets TLS web traffic, not UDP RTP media (c); posture doesn't selectively pass "only audio" (d).
Q7 · Analyze

Ravi, a developer at Infosys, finds that after ZCC went live, Duo Desktop plus git, npm and pip all fail with TLS/certificate errors — but normal websites load fine. Underlying cause?

Correct: c. SSL inspection swaps in the Zscaler cert, but pinned / private-trust-store apps reject it; fix with an SSL bypass and/or installing the Zscaler root CA. A blocked UDP path just falls back to TCP (a); licensing has nothing to do with cert validation (b); the tunnel version doesn't cause pinning rejections (d).
Q8 · Analyze

After HDFC Bank's ZIdentity migration, one Zscaler admin can no longer log in, though all IdP-federated admins migrated fine. The broken account was a local admin whose credentials were stored in the legacy portal. Why?

Correct: a. ZIdentity auto-migrates only IdP-federated admins; local accounts must be recreated in the IdP. ZIdentity does include built-in MFA (b); admin accounts don't consume end-user seats (c); the 14-day window is the end-user rollback, not an admin-login mechanism (d).
Q9 · Evaluate

Ananya is planning HDFC Bank's ZIdentity migration ahead of the March 2026 deadline (April 2026 = features only in Experience Center; Sept 2026 = legacy UIs deprecated). Best sequencing, and why?

Correct: d. Admins-first (recreating non-federated local admins) keeps control of the console, then a staged end-user rollout aware of the 14-day limit. Users-first risks losing admin control (a); waiting forfeits the March mandate and April feature freeze (b); ignoring local admins guarantees lockouts — they never auto-sync (c).
Q10 · Evaluate

Karthik must design access for contractors at Flipkart on their own unmanaged laptops who need a sensitive internal web app, zero-data-on-device. He weighs "push full ZCC" vs "ZPA Browser Access + CBI." Which is correct, and why?

Correct: b. Unmanaged BYOD fails posture by definition, so the right design is clientless Browser Access + CBI for isolated, zero-data access — and each authenticating contractor still consumes a per-user seat (use the Light-User tier). You don't push full ZCC to contractor-owned devices (a); a PAC file is proxy-only with no posture (c); any contractor who authenticates DOES consume a seat (d).
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: Why can't an unmanaged BYOD laptop just install ZCC and get the same access as a corporate laptop? Then compare to the expert version.

Expert version: Because trust comes from device posture, not the agent alone. An unmanaged device can't prove it's domain-joined, encrypted or running approved EDR, so it fails posture by definition. Even if you installed ZCC, policy wouldn't grant it full-tunnel access — so Zscaler skips the agent and gives these users clientless, isolated access (Browser Access / CBI), where nothing sensitive ever lands on the untrusted device.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

ZCC — Zscaler Client Connector
The lightweight agent on a managed device that forwards web/DNS to ZIA and private-app traffic to ZPA.
Zero Trust Exchange (ZTE)
Zscaler's global cloud where every access decision is made per identity; users reach apps, never a network.
Z-Tunnel 2.0
The modern tunnel — DTLS over UDP 443 (fallback TLS over TCP 443) — carrying all ports and protocols. Z-Tunnel 1.0 was proxy-style, 80/443 only.
Forwarding Profile
Decides how ZCC captures traffic per network state (On-Trusted, VPN-Trusted, Off-Trusted) and the tunnel driver used.
App Profile
Per-platform policy in the Client Connector Portal that enables ZIA/ZPA/ZDX and controls cert + driver install.
Device Posture
Checks that prove a device is trustworthy (domain-joined, encrypted, approved EDR). Needs the agent — so unmanaged devices fail by definition.
Device Token + Fingerprint
Issued at enrolment to bind ZCC to one device; the unique fingerprint makes a copied install fail elsewhere (clone-proof).
SAML
The standard your IdP (Okta, Entra ID) uses to log a user into Zscaler.
SCIM
Auto-provisions users and groups into Zscaler from your IdP.
Browser Access (BA)
Clientless ZPA access to internal web apps from any browser, using a server certificate + DNS CNAME. No agent.
Privileged Remote Access (PRA)
Clientless RDP/SSH/VNC to servers, pixel-streamed to the browser; nothing lands on the device.
Cloud Browser Isolation (CBI)
Renders a session in a cloud browser and streams only pixels; blocks download/upload/copy/paste/print. The BYOD zero-data control.
PAC file
A hosted proxy-config the browser follows for internet/SaaS egress without ZCC. Weak: proxy-only, no Z-Tunnel 2.0, no posture.
ZIdentity
Zscaler's centralized identity service (formerly ZSLogin) at console.zscaler.com — ties admin login to your IdP with built-in MFA.
Experience Center
The single unified admin console that replaces the separate ZIA/ZPA/ZDX portals.
Seat
One Zscaler subscription = one authenticated user, counted as unique users over a rolling 90-day window. Per person, not per device.

📚 Sources

  1. Zscaler Help — Zscaler Client Connector: forwarding profiles, app profiles, Z-Tunnel 1.0 vs 2.0, device posture, MSI parameters. help.zscaler.com
  2. Zscaler Help — ZIdentity: Migrating Zscaler Service Admins & End Users; Managing Entitlements. help.zscaler.com/zidentity
  3. Zscaler Blog — "Embracing the Future of Zero Trust Administration with ZIdentity and Experience Center" (3 Nov 2025). zscaler.com/blogs
  4. Zscaler — ZPA Browser Access, Privileged Remote Access & Cloud Browser Isolation product docs. help.zscaler.com/zpa
  5. Zscaler Legal — Light Users product sheets / ZIA Licensing & Fair Use (Seat = per named user, rolling 90-day count). zscaler.com/legal
  6. AmberWolf / NVD — CVE-2025-54982: Zscaler SAML authentication bypass (CVSS 9.6, Aug 2025).
  7. Zscaler — Long-Term Support for Zscaler Client Connector + 2026 Release/Upgrade Summary. help.zscaler.com
  8. Microsoft Entra & Google Workspace — Zscaler SAML + SCIM provisioning tutorials; Zscaler Community onboarding threads. learn.microsoft.com / community.zscaler.com

What's next?

Your users are onboarded — now control what they can reach. Next we open the ZIA firewall policy and walk its real evaluation order: DNS → NAT → Firewall → FTP → IPS.

Next · Zscaler ZIA Firewall, DNS, FTP & IPS Control → Practice on exam.techclick.in →