ZDEW and ZAC Documentation

himeose · January 18, 2023, 3:56am

Hi, I’m wondering about the ZDEW concept. What if, in the future, the client cannot delete the identity (forget this identity)? Only the admin can delete it, or they might accidentally delete it. Is there any thought on it?
Besides, the ZAC documentation on how to use is not available yet, right?
Currently, I want to explore more on how security sides of OpenZiti.

TheLumberjack · January 18, 2023, 4:02am

I'm not sure what the problem is. All users should report the laptop as stolen/lost if that's the case so the admin can remove/revoke the identity. Alternatively, you can enable 2FA on the identity so that it can only be used with a successful 2FA.

There's no "how to use ZAC" yet, correct. The ZAC mirrors the concepts of the ziti CLI pretty closely. That, coupled with the doc, would hopefully be able to explain with enough details each screen/concept. We're always working on making doc better, if you have places you would like to see improvements, file and issue over on the repo.

Hope that helps

himeose · January 18, 2023, 8:13am

Let me restructure my question regarding the ZDEW. Is it possible only the admin can configure the client side like we want to restrict the client so that they cannot delete the identity, make their ZDEW stop, or something like that?

PhilipGriffiths · January 18, 2023, 9:14am

If you do not mind, let me construct what I understand into a use case example, and tell me if it needs editing.

We use Ziti to intercept all traffic on an endpoint as a business. Some traffic is microsegmented to access defined apps/services in our private DCs, and the rest of the traffic is routed to a Software Gateway/Firewall, which does inspection and rules - e.g., users cannot access gambling sites.

As a business, I do not want the user to be able to turn off ZDE and circumvent my security controls.

TheLumberjack · January 18, 2023, 10:53am

Oh, I see I misunderstood. No. At this time there's no way to prevent a logged in user from forgetting an identity. It's specifically designed to allow non administrators who are interactively logged in to perform that action. I am sure that this sort of feature could be implement, it's just not how it's currently implemented.

himeose · January 19, 2023, 12:48am

Yup, something like this

Topic		Replies	Views
ZAC - creating a second admin users Ziti Administration Console	0	390	April 12, 2022
Ziti Desktop Edge for Windows on a computer with more than one desktop user Ziti Desktop Edge for Windows	2	197	May 22, 2022
New "Quick Add" Features Ziti Administration Console	4	162	June 5, 2023
Change or create new "Default Admin" Ziti Administration Console	21	469	April 12, 2022
Enrolled identities lifespan General Questions	5	279	September 4, 2022

ZDEW and ZAC Documentation

Related Topics