How to Track Zscaler Blocking Company Portal Sync Using Wireshark?

asked 2025-05-26 12:42:37 +0000

Hi all,

I'm trying to troubleshoot why the Microsoft Company Portal app isn't syncing on an Intune-enrolled Azure AD-joined VM. I strongly suspect Zscaler is interfering with the traffic — but not at the network layer. Here’s what I’ve already checked:

Zscaler logs show no explicit blocks for Company Portal traffic

TCP connections to Microsoft endpoints (portal.manage.microsoft.com, enrollment.manage.microsoft.com, etc.) are open and resolving IPs properly

Wireshark is showing basic TCP handshakes (SYN, ACK), but nothing beyond that — no actual TLS handshake or HTTP payload

No traffic is classified or dropped visibly in Zscaler’s web logs

Device is using Zscaler Client Connector

What I'm looking for:

How can I configure Wireshark (filters or profiles) to specifically isolate and inspect traffic between the Company Portal and Microsoft Intune endpoints?

What signs would indicate Zscaler is intercepting or silently dropping packets (e.g. MITM attempts, reset flags, TLS handshake anomalies)?

Is there any effective way to trace the traffic path after Zscaler has processed it, or spot SSL interception attempts?

I’m capturing traffic during app launch and sync attempt. Any help filtering out the noise and exposing what’s going wrong would be huge. Happy to share .pcapng or screenshots if needed.

Thanks in advance.

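The symptom described in the question (TCP handshakes completing with no TLS handshake behind them) can be told apart, per connection, from resets and unanswered ClientHellos by post-processing tshark field output. This is an added example, not part of the original post: the sample rows are constructed, and the tshark invocation in the comment and the verdict labels are assumptions.

```python
from collections import defaultdict

# Constructed sample rows, in the shape produced by this (assumed) invocation:
#   tshark -r capture.pcapng -Y tcp -T fields -e tcp.stream -e tcp.flags \
#     -e tcp.len -e tls.handshake.type -e tls.handshake.extensions_server_name
SAMPLE = """\
0\t0x0002\t0\t\t
0\t0x0012\t0\t\t
0\t0x0010\t0\t\t
1\t0x0002\t0\t\t
1\t0x0012\t0\t\t
1\t0x0018\t517\t1\tportal.manage.microsoft.com
1\t0x0004\t0\t\t
2\t0x0002\t0\t\t
2\t0x0012\t0\t\t
2\t0x0018\t517\t1\tenrollment.manage.microsoft.com
2\t0x0018\t1400\t2,11\t
"""

SYN, RST, ACK = 0x02, 0x04, 0x10
CLIENT_HELLO, SERVER_HELLO = 1, 2

def verdict(f):
    """Label one TCP stream (labels are hypothetical names for this example)."""
    if not (f["syn"] and f["synack"]):
        return "no_tcp_handshake"
    if CLIENT_HELLO not in f["hs"]:
        if f["payload"]:
            return "payload_without_client_hello"
        return "handshake_then_reset" if f["rst"] else "handshake_only"
    if SERVER_HELLO not in f["hs"]:
        return "reset_after_client_hello" if f["rst"] else "client_hello_unanswered"
    return "tls_negotiated"

def classify_flows(text):
    """Group tshark rows by tcp.stream and return {stream: (verdict, sni)}."""
    flows = defaultdict(lambda: {"syn": False, "synack": False, "rst": False,
                                 "payload": 0, "hs": set(), "sni": None})
    for line in text.splitlines():
        if not line.strip():
            continue
        stream, flags, length, hs_types, sni = (line.split("\t") + [""] * 5)[:5]
        f, bits = flows[int(stream)], int(flags, 16)
        f["syn"] |= bool(bits & SYN) and not bits & ACK
        f["synack"] |= bool(bits & SYN) and bool(bits & ACK)
        f["rst"] |= bool(bits & RST)
        f["payload"] += int(length or 0)
        f["hs"].update(int(t) for t in hs_types.split(",") if t)
        f["sni"] = sni or f["sni"]
    return {s: (verdict(f), f["sni"]) for s, f in sorted(flows.items())}
```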