QuickZTNA Admin Guide

This is the operator’s manual for running a QuickZTNA organization — the work that happens in the admin dashboard, not on an individual device. If you’re setting up a device, start with the user guide; if you’re scripting, the CLI reference and REST API are the contract.

QuickZTNA is a managed cloud service. You administer your organization through the dashboard at login.quickztna.com; the ztna CLI and the REST API expose the same surface for inspection and automation. Every feature below has its own deep-dive page with a how-it-works diagram, enable steps, worked API/CLI examples, a configuration reference, enforcement and verification, honest limits, and the audit events it emits.

Identity & access

• Identity & onboarding — connect OIDC/SAML/Google/GitHub, provision with SCIM, issue auth keys, approve and retire devices.
• Access control: ACLs & ABAC — priority-ordered rules over users/tags/groups, ABAC conditions, threat-intel deny, subnet routes and exit nodes.
• Device posture & compliance — require a security baseline (disk encryption, firewall, AV, patch age) in enforce/monitor/disabled modes, with auto-quarantine.

Network security

• DNS filtering & threat feeds — block malware/phishing/C2 and content categories with free feeds plus custom allow/blocklists.
• CASB & Shadow IT discovery — discover SaaS from DNS logs, score risk, enforce per-app policy, and run an approval workflow.

Workforce security

• Workforce security overview — the map of the optional workforce layer and what ships today.
• Data Loss Prevention (DLP) — file-content scanning for secrets/PII, masked events, SIEM emission (detect-and-alert).
• Workforce analytics & user-risk — opt-in, consent-gated session/productivity analytics, software inventory and patches, seven-factor user-risk.
• Remote access: shell & desktop — free consent-aware SSH/shell over the mesh, and paid WebRTC remote desktop.

Operate

• AI Operator — natural-language ACLs, event summaries, incident response, and tool-calling chat — every write goes through preview → confirm → revert.
• Observability: audit, compliance, metrics — audit log and SIEM export, compliance drift + signed reports, threat intel, Prometheus metrics, secrets vault.
• Plans & billing — the tiers, the feature-flag reference, how gating works, the 60-day trial, and billing.

Plans at a glance

QuickZTNA’s Free plan covers 100 devices and 3 users, forever, including the WireGuard mesh, MagicDNS, ABAC policies, device posture, DNS filtering, the AI assistant, and remote SSH. Paid plans add more users, unlimited devices, SCIM, continuous posture, workforce analytics, DLP, CASB, and remote desktop. Full breakdown on Plans & billing and the pricing page.

A note on what’s shipped

This guide describes what the product does today. Where a capability is on the roadmap rather than shipped (for example post-quantum key exchange, or self-hosting), it’s marked as such — the data plane today is classical WireGuard, and QuickZTNA is managed cloud only.