
Deploy Zscaler Client Connector to macOS with Intune

This is the second of four posts in which I describe how to deploy Zscaler Client Connector (aka the app) to the different OS platforms Zscaler and Intune support. The goal is to deploy the app and pre-populate all required information so that there is as little user friction as possible. I continue with macOS. This is what it will look like.

/2022/deploy-zscaler-to-macos/smallpreview.gif#center

Well, that was silent, wasn’t it? So let’s see how to deploy Zscaler with Intune, without notarization or an Apple Developer Account.

To achieve this, we need to configure a few things:

  1. Push Zscaler Root Certificate to device
  2. Build installation script
  3. Deploy script through Intune
  4. Enable Microsoft Enterprise SSO plugin

How To

First of all, create a user group that

  1. is assigned to the ZIA / ZPA enterprise applications in Azure AD
  2. has an Intune license
  3. can install the Company Portal on macOS and enroll their device

You may already have such a group.

Push Zscaler Root Certificate to device

If you’re using SSL Inspection (which I recommend) you may have noticed that you can install the Zscaler Root CA certificate through the App Profile in the Zscaler Mobile Portal. Yes, there is a switch, but don’t use it: the certificate will not be trusted if it’s installed by the Zscaler installer.

/2022/deploy-zscaler-to-macos/zscaler-cert-not-trusted.png#center

SSL Inspection will fail with an error.

/2022/deploy-zscaler-to-macos/zscaler-error-cert.png#center

So we need to deploy the certificate through Intune.

First we need to download the Zscaler Root Certificate from the ZIA Portal. Go to Policy > SSL Inspection > Advanced SSL Inspection Settings and download the Zscaler certificates. Unzip the file.

/2022/deploy-zscaler-to-ios/download-cert.png#center

Create a configuration profile in Intune to push the certificate to the device. Go to Devices > macOS > Configuration Profiles > + Create Profile > Select Profile Type: Template > Trusted Certificate.

/2022/deploy-zscaler-to-macos/create-cert-config-profile.png#center

Upload the previously downloaded certificate. Assign the profile to the user group!

Build installation script

We will use a script to deploy Zscaler. You can find it on my GitHub or below. It is based on a post on emm.how by user daniil_michine. I modified it to enable single sign-on and disable auto-update.

#!/bin/bash
#set -x

############################################################################################
##
## Script to install Zscaler Client Connector on macOS devices
##
###########################################
## Based on https://github.com/microsoft/shell-intune-samples/blob/master/Apps/Visual%20Studio%20Code/installVSCode.sh
## Based on https://emm.how/t/deploying-zscaler-on-macos-with-intune/1363
## Modified by Simon Goltz

# Define variables

cloudName="" # Your ZIA cloud name without TLD: zscloud.net = zscloud, zscaler.net = zscaler
userDomain="" # Your sign-in domain; multiple domains may need multiple scripts
weburl="https://***.cloudfront.net/Zscaler-osx-3.6.1.19-installer.app.zip" # Retrieve the latest version from the Zscaler Mobile Portal

tempfile="/tmp/zscaler/zscaler.zip"
appname="Zscaler"
appfile="Zscaler.app"
log="/var/log/installzscaler.log"
autoUpdate="true"


## Is the app already installed?
if [ -d "/Applications/$appname/$appfile" ]; then

    # App is installed; if it handles its own updates we should quietly exit
    if [[ $autoUpdate == "true" ]]; then
        echo "$(date) | [$appname] is already installed and handles updates itself, exiting"
        exit 0
    fi

fi

# Wait until no other curl process is running before we start our own download
waitForCurl () {
    while ps aux | grep curl | grep -v grep; do
        echo "$(date) | Another instance of Curl is running, waiting 60s for it to complete"
        sleep 60
    done
    echo "$(date) | No Curl's running, let's start our download"
}

# start logging (stdout and stderr go to the log file from here on)
exec 1>> "$log" 2>&1

# Begin Script Body
echo ""
echo "##############################################################"
echo "# $(date) | Starting install of $appname"
echo "############################################################"
echo ""

rm -rf /tmp/zscaler
mkdir /tmp/zscaler

echo "$(date) | Downloading $appname"
waitForCurl
if ! curl -L -f -o "$tempfile" "$weburl"; then
    echo "$(date) | Download of $weburl failed, aborting"
    exit 1
fi

cd /tmp/zscaler || exit 1
echo "$(date) | Unzipping $tempfile"
unzip -q "$tempfile" > /dev/null
# The zip contains the installer .app bundle; pick the first one we find
app=$(ls -1 /tmp/zscaler/ | grep '\.app$' | head -1)

echo "$(date) | Executing installbuilder.sh from ${app}"
sudo sh "/tmp/zscaler/${app}/Contents/MacOS/installbuilder.sh" --hideAppUIOnLaunch 1 --mode unattended --unattendedmodeui none --cloudName "$cloudName" --userDomain "$userDomain"

echo "$(date) | Cleaning up tmp files"
rm -rf "/tmp/zscaler"

What does this script do?

  1. Download the app from Zscaler
  2. Do fancy stuff like wait for curl
  3. Install Zscaler with arguments

You only need to modify lines 15-17 to customize it for your environment:

cloudName=""
userDomain=""
weburl="***.cloudfront.net/Zscaler....installer.app.zip"

Setting      Value
cloudName    The name of your ZIA cloud without TLD: zscaler.net = zscaler, zscloud.net = zscloud
userDomain   The domain name you use for authentication. Different UPN suffixes require different scripts.
weburl       Path to your installation zip file

The weburl can be copied from the Zscaler Mobile Portal, because the Zscaler installer is more or less publicly available.

/2022/deploy-zscaler-to-macos/obtain-zcc-download-url.png#center

The variable autoUpdate="true" tells the script that Zscaler handles application updates itself. If a version of Zscaler Client Connector is already installed, the script exits without reinstalling it.

Troubleshooting

You may want to test the script locally before uploading it to Intune.

  1. Save the script to a folder
  2. Open Terminal and change into that folder
  3. Run sudo chmod u+x yourScript.sh to make the script executable
  4. Run sudo sh yourScript.sh. If it’s successful, Zscaler will open in the tray

Deploy script through Intune

Once you have the script ready, deploy it to your macOS devices using Intune.

Go to Devices > macOS > Shell scripts > + Add

/2022/deploy-zscaler-to-macos/create-script-in-intune.png#center

Give it a proper name, upload your script and configure it as shown in the screenshot.

/2022/deploy-zscaler-to-macos/configure-script-deployment.png#center

Setting                                            Value            Description
Run script as signed in user                       No               Script will run as root
Hide script user notifications on devices          Yes              No need to show them
Script frequency                                   Not configured   Will only run once. If you want to handle updates, you need to change this
Maximum number of times to retry if script fails   3                Just in case

Assign the script to the user group.

If you want to dive deeper, I recommend the article Deploying macOS apps with the Intune scripting agent. It also explains how to obtain logs remotely in case you need to troubleshoot.

Enable Microsoft Enterprise SSO plugin

We have a username, but what about the password? To get rid of that prompt we need to enable the Microsoft Enterprise SSO plug-in for Apple devices.

The Microsoft Enterprise SSO plug-in for Apple devices provides single sign-on (SSO) for Azure Active Directory (Azure AD) accounts on macOS, iOS, and iPadOS across all applications that support Apple’s enterprise single sign-on feature.

This extension lets you SSO into the Zscaler app; no password is required. The only requirement is that you use the Company Portal app. It is currently in public preview, so it’s officially not production ready, but it works great. More details can be found on docs.microsoft.com. This extension also helps if you have timeout policies in ZPA and need silent re-authentication.

Create a new configuration profile: Devices > macOS > Configuration Profiles > Create Profile > Select Profile Type: Template > Device Features, and give it a proper name.

/2022/deploy-zscaler-to-macos/create-sso-policy.png#center

We need to configure the settings as in the screenshot below.

/2022/deploy-zscaler-to-macos/configure-sso-extension.png#center

Setting                     Value
SSO App Extension           Microsoft Azure AD
Enable shared device mode   Not configured
App Bundle ID               com.zscaler.Zscaler (note the capital Z at the end)

We can also configure two additional configuration keys that are recommended by Microsoft:

Key                               Type      Value   Description
browser_sso_interaction_enabled   Integer   1       Allow users to sign in from unknown applications and the Safari browser
disable_explicit_app_prompt       Integer   1       Disable OAuth 2 application prompts

Assign the policy to the user group. That’s it.

Check in device

Now go to the Company Portal and check in the device. Zscaler should install automatically. To check SSO you can open the app while its tray icon is still white. It should look something like this.

/2022/deploy-zscaler-to-macos/fullpreview.gif#center

You may want to check the log files in /Library/Logs/Microsoft/Intune/; run tail -f *IntuneDaemon current*.log there to follow the progress.

Why can’t I install a real app?

Well, you can. There is a great article in the Zscaler Community by Nathan Catania about how to do that. From my point of view the proposed method has some trade-offs.

  • You need an Apple Developer Account
  • If you don’t have one, it can take some time until it’s activated, and it’s $100 a year
  • You need to notarize the app, and every version you deploy
  • You need to notarize it for every authentication domain you have

Done

I hope you found this post useful. If you have questions or feedback, the best way to reach me is Twitter.