We do a hybrid approach. We've found that major upgrades from ZScaler (even 4.2 to 4.3 is considered a major upgrade) are disruptive to the network connection, so we deploy those with ConfigMgr/PMPC while no user is logged on. And we use those packages for our build process also, so it's up to date.
Point releases are updated via the ZScaler console.
Point releases are updated via the ZScaler console.