Not all clients work the same way. The following tables summarize the main differences between them all.
Remember, k8s service, Connector and Portal use versions of the Linux (headless) Client.
Windows
| Always-on | Windows lite | Windows SSO | Windows multi-user | |
|---|---|---|---|---|---|
Windows full | Windows headless | ||||
Client DNS set by | Policy or IdP | Policy or IdP | Policy or IdP | Policy or IdP | Windows |
DNS forwarder | Y | Y | Y | Y | N |
IdP - block local DNS requests | Y | Y | N/A | Y | N |
Managed profiles (by admin) | Y | Y | Y | N | Y |
SAML/OIDC IdP | Y | N | Y | N | Y |
Certificate authentication | Y | Y | Y | N | Y |
Built-in (formerly Fixed) device claims | Y | Y | Y | Y | Y |
Scripted (formerly On-demand) device claims | Y | No device scripts allowed | Y | Y | Y |
clientType claim | Full | Headless | Lite | SSO | Full |
IPv6 | Y | Y | Y | Y | Y |
Inactivity detection | Y | N | Y | N | Y |
PAC file enforcement | Y | Y | Y | Y | N |
Trusted network auto-suspend | Y | Y | Y | Y | N Warning: Do not do. |
FIPS mode | Y | Y | Y | Y | Y |
Number of Sites | Any | Any | Any | Any | Any |
Ringfence | Y | Y | N | Y | N |
Default route | Y | Y | Y | Y | N Warning: Do not do. |
Excluded subnets | Y | Y | N | Y | N Warning: Do not do. |
Auto-update (by admin) | Y (Triggers a-o auto-update) | Y (Triggers a-o auto-update) | N | N | N |
Protocols | All | All | HTTP(S) only | All | No SMB, ICMP (from system) |
macOS
| Always-on | |
|---|---|---|
macOS full | macOS headless | |
Client DNS set by | Policy or IdP | Policy or IdP |
DNS forwarder | Y | Y |
IdP - block local DNS requests | N | N |
Managed profiles (by admin) | Y | Y |
SAML/OIDC IdP | Y | N |
Certificate authentication | Smart card only | Saved to file only |
Built-in (formerly Fixed) device claims | Y | Y |
Scripted (formerly On-demand) device claims | Y | No device scripts allowed |
clientType claim | Full | Headless |
IPv6 | Y | Y |
Inactivity detection | Y | N |
PAC file enforcement | Y | N |
Trusted network auto-suspend | Y | Y |
FIPS mode | Y | Y |
Number of Sites | Any | Any |
Ringfence | Y | Y |
Default route | Y | Y |
Excluded subnets | Y | Y |
Auto-update (by admin) | Y (Triggers a-o auto-update) | N |
Protocols | All | All |
Linux
| Linux full | Linux headless |
|---|---|---|
Client DNS set by | Policy or IdP | Policy or IdP |
DNS forwarder | Y | Y |
IdP - block local DNS requests | N | N |
Managed profiles (by admin) | Y | Y |
SAML/OIDC IdP | Y | N |
Certificate authentication | Smart card only | Saved to file only |
Built-in (formerly Fixed) device claims | Y | Y |
Scripted (formerly On-demand) device claims | Y | No device scripts allowed |
clientType claim | Full | Headless |
IPv6 | Y | Y |
Inactivity detection | Y | N |
PAC file enforcement | N | N |
Trusted network auto-suspend | Y | Y |
FIPS mode | Y | Y |
Number of Sites | Any | Any |
Ringfence | Y | Y |
Default route | Y | Y |
Excluded subnets | Y | Y |
Auto-update (by admin) | Download only | N |
Protocols | All | All |
Kubernetes
| k8s service |
|---|---|
Client DNS set by | Policy or IdP |
DNS forwarder | N |
IdP - block local DNS requests | N |
Managed profiles (by admin) | N |
SAML/OIDC IdP | N |
Certificate authentication | N/A |
Built-in (formerly Fixed) device claims | |
Scripted (formerly On-demand) device claims | No device scripts allowed |
clientType claim | Headless |
IPv6 | Y |
Inactivity detection | N |
PAC file enforcement | N |
Trusted network auto-suspend | Y |
FIPS mode | Y |
Number of Sites | Any |
Ringfence | N Warning: Do not do. |
Default route | Y |
Excluded subnets | Y |
Auto-update (by admin) | N |
Protocols | All |
Appliance function
| Connector | Portal |
|---|---|---|
Client DNS set by | N/A | Policy using default (or IdP) |
DNS forwarder | N | N |
IdP - block local DNS requests | N | N |
Managed profiles (by admin) | N | N |
SAML/OIDC IdP | N | Y |
Certificate authentication | N/A | N |
Built-in (formerly Fixed) device claims | Always same (Linux Client) | Limited range + browser claims |
Scripted (formerly On-demand) device claims | N/A | N/A |
clientType claim | Connector | Web |
IPv6 | Y | Y |
Inactivity detection | N | N |
PAC file enforcement | N | N |
Trusted network auto-suspend | N Warning: Do not do. | N Warning: Do not do. |
FIPS mode | Y | Y |
Number of Sites | Any | Any |
Ringfence | N Warning: Do not do. | N Warning: Do not do. |
Default route | Y | Y |
Excluded subnets | Y | Y |
Auto-update (by admin) | With appliance update | With appliance update |
Protocols | All | HTTPS only |
Mobile
| Android | Chrome OS | iOS/iPad OS |
|---|---|---|---|
Client DNS set by | Policy using default (or IdP) | Policy using default (or IdP) | Policy using default (or IdP) |
DNS forwarder | Use default GW | Use default GW | Use default GW |
IdP - block local DNS requests | N | N | N |
Managed profiles (by admin) | Y | Y | Y |
SAML/OIDC IdP | Y | Y | Y |
Certificate authentication | N | N | N |
Built-in (formerly Fixed) device claims | No MAC address | No MAC address | No MAC address |
Scripted (formerly On-demand) device claims | No device scripts allowed | No device scripts allowed | N |
clientType claim | Full | Full | Full |
IPv6 | Y | No tunneled IPv6 | Y |
Inactivity detection | N | N | N |
PAC file enforcement | N | N | N |
Trusted network auto-suspend | Y | N | N |
FIPS mode | N | N | N |
Number of Sites | Any | Any | 4 |
Ringfence | N | N | N |
Default route | Y | Y | Y |
Excluded subnets | N | N | Y |
Auto-update (by admin) | N | N | N |
Protocols | All | All | All |