In ZIA, user traffic is first forwarded to a Zscaler Enforcement Node (ZEN), where security and access policies are enforced and transaction logs are generated. Those logs are then sent from the ZEN to the cloud- based Nanolog cluster, which is the highly scalable logging and storage layer used by Zscaler. Nanolog compresses and stores the logs for reporting, analytics, and long-term retention.
To deliver logs to a customer's SIEM, the Nanolog Streaming Service (NSS) is deployed in the customer environment. NSS establishes a secure, outbound tunnel to the Nanolog service in the Zscaler cloud and subscribes to that customer's log stream. Nanolog then continuously streams a copy of relevant logs over this secure connection to NSS. NSS receives the logs, converts them into the required output format (for example, syslog or CEF), and forwards them on to the configured SIEM or log receiver.
Option C is the only answer that correctly represents the logical sequence: user traffic through ZEN, ZEN to Nanolog, secure tunnel from NSS, Nanolog streaming to NSS, and finally NSS forwarding to the SIEM.

Zscaler's Device Posture framework in Client Connector supports a broad set of posture checks on both Windows and macOS, such as Certificate Trust, Client Certificate, Firewall status, Full Disk Encryption, Domain Joined, and multiple EDR detections. These are listed in Zscaler technical training material as common capabilities for "Windows und macOS." However, Zscaler's advanced integration with CrowdStrike introduces additional posture signals based on Zero Trust Assessment (ZTA). In the same material, CrowdStrike ZTA Score is explicitly annotated with a Windows-specific minimum version ("CrowdStrike ZTA Score (Win v.3.4.0+)"), highlighting that this ZTA- based posture is implemented for Windows only in the current releases, while the shared list for macOS does not include its own ZTA-specific version.
The newer ZTE/EDU-202 engineer materials build on this by describing separate ZTA Device OS and Sensor scores, and the exam maps this Windows-only ZTA enforcement to the CrowdStrike ZTA Sensor Setting Score option. In contrast, Client Certificate, Full Disk Encryption, and Domain Joined are documented as cross-platform posture types, not restricted to Windows.

The ZIdentity documentation on external identity providers explains that Zscaler supports various third-party IdPs over SAML and OIDC, and then provides specific configuration guides for each provider. For PingOne, Auth0, and OneLogin, the ZIdentity help explicitly describes configuring each as an OpenID Provider (OP) for ZIdentity, clearly stating that they are used to provide SSO via OpenID Connect (OIDC).
By contrast, the ZIdentity guides for Microsoft AD FS consistently describe configuring AD FS "as the SAML Identity Provider (IdP) for ZIdentity," and the examples focus on SAML assertions, claim rules, and certificate bindings-not OIDC flows. In other words, AD FS is supported in a SAML mode with ZIdentity, but it is not listed among the IdPs configured as OpenID Providers for OIDC-based integrations.
The Digital Transformation Engineer identity modules reinforce this differentiation by mapping external IdPs to either OIDC or SAML in the ZIdentity configuration, and the hands-on labs use Azure/Microsoft Entra ID or PingOne for OIDC examples, while AD FS is shown only in SAML scenarios.
Therefore, among the options listed, Microsoft AD FS is the external IdP that is unsupported by OIDC with Zscaler ZIdentity, making option C the correct answer.

Within the Zscaler Client Connector administration portal, an App Profile defines how the client behaves for a set of users or devices. A key element of any App Profile is the associated Forwarding Profile. The Forwarding Profile tells the Zscaler Client Connector how to handle traffic in different network conditions:
for example, whether to send traffic through Z-Tunnel 2.0 to ZIA and/or ZPA, rely on a PAC file, or bypass Zscaler when on trusted networks.
When you create or edit an App Profile, selecting a Forwarding Profile is mandatory because it determines how user traffic will actually reach the Zscaler cloud. Without a Forwarding Profile, the App Profile would not know which forwarding mode to use, and the client would have no consistent instructions on when and how to tunnel or bypass traffic. In practice, customers often define multiple Forwarding Profiles (for example,
"ZIA-only," "ZPA-only," or "ZIA and ZPA") and then bind them to different App Profiles for different user groups or device types.
"Bypass," "authentication," or "exception" profiles are not separate required profile objects in the ZCC policy model. Any bypass or exception behavior is defined inside the forwarding and app profile logic, not as standalone mandatory profiles. Therefore, a Forwarding Profile is the one element that every ZCC App Profile must include.