Company is installing Zscaler on our laptops

We are a very small company with minimal infrastructure and they have never in the past installed software onto our computers (even though they were issued by the company).

I know in short Zscaler allows them to see all our internet traffic. Does it allow them to see what I’ve done in the past? Like personal emails I’ve sent from my personal email account or my personal social media pages? Is cleaning my browser history pre-install worth doing just to preserve my privacy?

Our company has been weird in the past keeping tabs on people (writing down when they come in and leave, things like that). I’m not sure if I trust them to not be probing all of us.

DON'T USE SOMEONE ELSE'S DEVICE IF YOU WANT PRIVACY.
Use your phone.

I administer Zscaler for SMBs and similar SASE or ZTNA products. While I agree with the general sentiment about not logging into personal accounts on a work machine, as long as you don’t do it in the same managed browser profile as your work account, we don’t care from the admin perspective.

Zscaler does install a root cert and does give admins the ability to decrypt all SSL traffic. That’s going forward though, and not retroactive. We can see all your browsing history though, so be cognizant of where you’re browsing.

This is not a keylogger though, and it doesn’t give us the ability to see your email contents, photos, documents, or file contents.

As long as you aren’t looking at child porn, or visiting malware-ridden sites, IT really doesn’t care. It’s the meddling managers looking for a reason to fire someone you need to worry about.

I see that one of the things Zscaler does is installing root certificates to decrypt TLS connections; that does not allow them to decrypt older traffic, even in the extremely unlikely eventuality that they recorded it.

However, being a company computer, probably part of an Active Directory domain or similar things, they in all likelihood already had ways to see and access everything you do (and maybe there even already were certificates for doing the same thing).

Yes, log out of any personal accounts, clear history and cache. They likely have access to all of that regardless but that’s the path I’d take at this point.

I have had Zscaler for 3 years at work and apart from blocking things it thinks are bad like a Fantasy football website (I guess it classifies it as a gambling site) I never had any issues.

It's a work machine but we are allowed to use it for reasonable personal use, so not on Facebook all day, but it’s more for blocking threats than watching every move.

I have installed and managed Zscaler as well as similar products.

It cannot see backward in time. It intercepts all of your browser-based traffic and sends it to their datacenters for filtering and analysis.

What sort of filtering and analysis? At the simplest level, it uses categories to determine what you’re doing. For example, Google is categorized as “search engines”, Tor will be categorized as “peer to peer”, a site to play poker is “gambling”, etc. Your administrator will usually set up a group of categories that are blocked. Easy stuff like malware, suspicious, porn, and similar stuff that has no purpose at work. They can also decrypt HTTPS (encrypted) traffic. Once this is done, they can see the contents of what you’re uploading, downloading, commenting on, posting on, browsing to with a high degree of fidelity. There are exceptions because some sites do things like certificate pinning or use custom ciphers, so decryption is disabled, else those sites will break. The stated goal of decryption is to scan for nasties as you browse. If your company pays enough, they can get a very good look at what you’re up to. While it is possible to steal passwords, that is rarely something with any value because they now take on an unnecessary liability of storing your stuff securely, but also because most passwords are not sent using HTTPS (transport layer security) as the only means to secure the credentials. I’ve also operated forensic network packet capture environments and I’ve gone password hunting; only a handful of shitty web apps will put the credentials in the HTTPS POST message without additional security.

Clearing your browser history will accomplish very little, but it won’t hurt anything. If you’ve done something shady with your work laptop, take this as a wake-up call to stop doing that stuff in the future.

As others have said, don’t mix business with pleasure. Also, keep in mind if you’re a small org, it’s not likely that someone is following your every move. That takes significant resources and unless they’re out to fire you, it’s rarely worth it. Besides, if you’re in the US, they can fire you for anything, so why spend money on something you can do for free?

In the end, they probably bought it because they want to reduce the liability of someone doing something stupid with a corporate laptop and exposing their computing resources to malicious software. If they want to see what you’re doing, they’ll probably run a canned report that shows ring graphs of the categories of stuff you have looked at. If there’s nothing interesting, they won’t dig any further. They probably won’t even look at any individual unless they stand out against everyone else. If one guy is looking at dirty shit half the day, they’re TOTALLY gonna see what he did. Don’t be that guy.

Source: security dork for 15 years, tons of time spent with web content filtering.
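
The decryption and bypass behaviour described in the post above is visible from the client side: on a decrypted connection the site's certificate is issued by the inspection CA, while pinned or exempted sites still present a public-CA certificate. The following is an added example, not part of the thread and not Zscaler code; the CA name, host names and sample certificates are constructed placeholders in the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

# Assumption: names used by the inspection CA. Placeholder value; read the
# real one from the root certificate installed on the managed machine.
INSPECTION_CA_NAMES = {"Example Corp Inspection CA"}

def issuer_fields(cert):
    """Flatten the nested RDN tuples of cert['issuer'] into a plain dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def is_inspected(cert, names=INSPECTION_CA_NAMES):
    """True when the leaf was issued by the inspection CA, not a public CA."""
    fields = issuer_fields(cert)
    seen = {fields.get("organizationName"), fields.get("commonName")}
    return bool(seen & set(names))

def survey(certs_by_host, names=INSPECTION_CA_NAMES):
    """Split hosts into decrypted vs. passed through (e.g. pinning bypass)."""
    report = {"decrypted": [], "passthrough": []}
    for host, cert in sorted(certs_by_host.items()):
        key = "decrypted" if is_inspected(cert, names) else "passthrough"
        report[key].append(host)
    return report

def fetch_cert(host, port=443, timeout=5):
    """Live helper: return the validated peer certificate dict for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample data (not captured from a real network).
SAMPLE = {
    "webmail.example": {"issuer": (
        (("organizationName", "Example Corp Inspection CA"),),
        (("commonName", "Example Corp Inspection CA"),))},
    "bank.example": {"issuer": (
        (("organizationName", "Public CA Inc"),),
        (("commonName", "Public CA R3"),))},
}

if __name__ == "__main__":
    print(survey(SAMPLE))
```

To check live hosts, build the input with `{h: fetch_cert(h) for h in hosts}`; this only works if the Python trust store already contains the inspection root, otherwise the handshake fails verification.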

I would highly recommend to not log in to any personal accounts in a work network. Even without Zscaler, if your machine was ever connected to the network, they would be able to check your internet traffic as they have access to either the firewall or proxy server.
Someone with more experience might be able to correct me or add to this but if your infrastructure is managed by their own IT department, they would most likely have access to network traffic and emails.

Why would anyone use a company issued computer for personal shit. SMFH…

Never assume you have privacy on a device that is not your own.

It isn’t your laptop…

Don’t use your company's property to do personal business.

End of discussion.

It’s their equipment, nothing you can do except stop using it for personal use.

It’s not your laptop.

It's just a reverse proxy, forward proxy system that can’t time travel so don’t worry.

Also stop using your work laptop to do stupid stuff, buy yourself a laptop from Dell for 300 quid and be happy.

No, it does not allow them to see back in time for most stuff. However if you sent personal emails via work email address they are certainly on company held server or email archive in any case without Zscaler. It is good practice to wipe browser history, cookies and other web data at the end of every day in any case.
If it is a work computer the best practice is to do nothing on it but work related stuff.

Zscaler can’t look in the past, so your past transgressions are safe - from Zscaler’s perspective. You might want to stop using work equipment for private stuff.

“zscaler allows them to see all our internet traffic.”

All your active network activity, yes. Put your ISP’s modem/router combo into bridged mode, get two consumer-grade routers installed behind the now-only-modem, hook your personal network into one and your work network into the other. This thoroughly isolates your work communication from your personal data. You can do the same thing with a single router and (if it has those capabilities) configuring custom VLANs for each group of computers, but that’s a wee bit out of the wheelhouse of most any average computer user. Dual routers are a much simpler solution that achieves the same end result.

If you are so inclined, I would also recommend getting routers that can be re-flashed with third-party firmware, such as OpenWRT, for increased stability and security… most consumer routers are abandoned (no more firmware updates, massive security holes, etc.) long before the manufacturer actually ceases production. Honestly, as a security professional I find most consumer-grade routers to be terrifying. They’re equally as bad as most IoT devices, if not more so, due to greater specs giving more abilities to threat actors and being your primary gateway to the Internet leading to all traffic flowing through them.

“Does it allow them to see what I’ve done in the past?”

Nope. Network traffic exists only in the moment. Anything you did across that network in the past is no longer available to Zscaler up to the moment it is installed.

Remove all personal data off of your work computer. Do only work on them. If you need the desk space, consider a KVM to consolidate your HID (monitors, keyboard, and mouse, hence KVM for Keyboard Video Mouse) down to a single group that is shared via the KVM among all computers. It also makes switching back-and-forth between work and home hardware as easy as hitting a single button. I strongly recommend Belkin for any KVM, just avoid their “secure” products, which have a tendency to irretrievably brick themselves if they think they’re being compromised.

Create a VLAN or a separate IP pool for your work-related activities if you’re doing it over your home internet. You can figure out some way to segment things so they can only see the traffic within that particular segment.

You can turn off DHCP and hook up a second router to your modem if there’s room and segment that way as well.

“they have never in the past installed software on to our computers (even though they were issued by the company)”

Yes they have. I’ve worked IT for almost 2 decades and I can assure you they aren’t unboxing laptops off a pallet and handing them out with factory settings. Zscaler is the only one they need you to be aware of for legal reasons. IT will see EVERYTHING. Even without software on your personal device, when you log in to company resources information about the device is shared in logs. For instance, we can see which staff members log on from the same IP address in the evenings long before the rumor mill gets started.