A financial services firm is deploying Zscaler Private Access (ZPA) and must ensure that developers connecting from unmanaged personal devices (BYOD) can only access a specific set of non-sensitive development tools. Access from corporate-managed devices should be unrestricted. The firm uses Okta for identity management. Which ZPA feature is the most precise and secure mechanism to enforce this policy?
A global logistics company is using Zscaler Internet Access (ZIA) with SSL inspection enabled. The finance department uses a legacy desktop application that communicates with a third-party payment processing service. This application ceases to function correctly for all finance users. Initial troubleshooting reveals the application uses certificate pinning. What is the most appropriate and secure way to restore functionality without compromising the company's overall security posture?
A manufacturing company wants to prevent engineers from accidentally leaking proprietary CAD designs to their personal cloud storage accounts (e.g., Google Drive, Dropbox) while still allowing them to access corporate-sanctioned cloud applications. Which combination of Zscaler features should an administrator configure to enforce this policy effectively? (Select TWO)
A DevOps engineer is troubleshooting a ZPA deployment where an application segment for a new microservice is unreachable. The App Connector group has been provisioned in AWS and shows as healthy in the ZPA Admin Portal. The Server Group is configured with the correct FQDN of the microservice. The engineer confirms that the security groups in AWS allow traffic from the App Connector's IP to the microservice. What is the most likely remaining cause of the connectivity failure?
A security team observes alerts from Zscaler's Deception feature indicating that a user workstation has attempted to connect to a decoy server configured as a file share. This action is a strong indicator of a compromised host attempting lateral movement. What Zscaler feature can provide the most immediate, rich context about the user's other recent activities, both malicious and benign, across internet and SaaS applications to aid the investigation?
True or False: When configuring SCIM for user and group provisioning from an IdP like Azure AD to Zscaler, the SCIM bearer token generated in the Zscaler admin portal must be stored securely in the IdP, as it grants administrative privileges to manage Zscaler's user database.
A helpdesk team receives multiple complaints from remote users about poor performance with a critical SaaS application. The team needs to determine if the issue is with the users' local network, the internet path, or the Zscaler cloud. Which ZDX feature provides a hop-by-hop network path visualization and performance metrics from the user's device to the application to pinpoint the source of latency?
An organization wants to fully automate the process of adding newly discovered malicious domains from its threat intelligence platform (TIP) into a ZIA custom URL category used in a block policy. Which Zscaler component is required to achieve this programmatic update?
A healthcare organization needs to provide secure, clientless access to a legacy electronic health record (EHR) system for external auditors. The EHR is a web application hosted in a private data center. The auditors must not be required to install any software on their machines. Which Zscaler components and configurations are required to meet this requirement? (Select THREE)
During a security audit, an administrator needs to demonstrate how Zscaler prevents access to newly registered domains (NRDs), which are often used in phishing campaigns. Which ZIA policy setting directly addresses this threat?