Deploy Zscaler Client Connector to Windows with Intune
This is the third of four posts in which I describe how to deploy Zscaler Client Connector (aka the app) to the different OS platforms Zscaler and Intune support. The goal is to deploy the app and prepopulate all required information in it so that there is as little user friction as possible. Today's topic is Windows.
For Windows it's a relatively simple task if you have an AAD joined or Hybrid AAD joined device. Here is what it will look like.
How To
To achieve that, the following needs to be done:
- Download Zscaler Client Connector from Zscaler Portal
- Create Win32 App
- Deploy with Intune
Download Zscaler Client Connector
We first need to download the Zscaler MSI file. As of now it doesn't matter whether you use the 32- or 64-bit build. Currently I use the 32-bit one since it's more mature.
Next we have to package it as a Win32 App.
Create Win32 App
We will use the Win32 App to deploy Zscaler. You can also use the Line of Business app (which is MSI only) if you don't use Autopilot. Mixing Line of Business and Win32 apps can lead to problems during Autopilot as per Microsoft Docs. This is one of the main reasons why I decided to use Win32 apps only.
First we need the Win32 Content Prep Tool from Microsoft. Create a source folder containing only the downloaded MSI file and an empty destination folder, then run IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder> <-q>.
Next we have to upload the App to Intune.
Deploy with Intune
In the Intune Portal go to Apps > Windows, click Add and select Win32 App. On the next page upload the previously created .intunewin file. Once it's finished, Intune will fill out the basic App information. Do not modify the app version even though it's not the correct Zscaler version. Fill in the publisher.
Click next. In the Program section Intune will also fill out return codes, MSI codes, uninstall commands etc. The only thing we have to modify is the MSI install command. We need to tell the client where to connect to and which user domain to use for authentication.
Add userdomain=yourdomain.com cloudname=zscloud right after the installer file. The userdomain is the authentication domain. Multiple authentication domains require multiple apps in Intune. The cloudname is your Zscaler cloud name without the top-level domain: zscloud.net = zscloud, zscaler.net = zscaler.
There are more options available, which can be found at help.zscaler.com.
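To tie the packaging step and the install command together, here is an added PowerShell example (not from the original post and not a Zscaler or Microsoft script). It assumes IntuneWinAppUtil.exe is at C:\Tools, the MSI file name is a placeholder to replace with the real download, and it enforces the two details that are easy to get wrong: the source folder must contain only the MSI, and cloudname must be given without the top-level domain.

```powershell
# Added example: package the Zscaler MSI with the Win32 Content Prep Tool and
# print the install command line to paste into the Intune Win32 app.
# Assumptions (not from the post): tool path, output folder and MSI file name.
param(
    [string]$MsiPath   = 'C:\ZscalerSrc\Zscaler-windows-PLACEHOLDER-installer.msi',  # placeholder name
    [string]$OutputDir = 'C:\ZscalerOut',
    [string]$PrepTool  = 'C:\Tools\IntuneWinAppUtil.exe',
    [Parameter(Mandatory)][string]$UserDomain,   # authentication domain, e.g. yourdomain.com
    [Parameter(Mandatory)][string]$CloudName     # zscloud, zscaler, ... without the top-level domain
)

# cloudname must be given without the TLD (zscloud.net -> zscloud)
if ($CloudName -match '^(?<name>[a-z0-9]+)\.net$') {
    Write-Warning "cloudname '$CloudName' includes the top-level domain; using '$($Matches.name)'"
    $CloudName = $Matches.name
}
if ($CloudName -notmatch '^[a-z0-9]+$') { throw "cloudname '$CloudName' is not valid" }

if (-not (Test-Path $MsiPath))  { throw "MSI not found: $MsiPath" }
if (-not (Test-Path $PrepTool)) { throw "Win32 Content Prep Tool not found: $PrepTool" }

# The source folder must contain only the MSI, otherwise it all ends up in the package.
$SourceDir = Split-Path -Path $MsiPath -Parent
$MsiName   = Split-Path -Path $MsiPath -Leaf
$extra = Get-ChildItem -Path $SourceDir -File | Where-Object { $_.Name -ne $MsiName }
if ($extra) { throw "Source folder must contain only the MSI; found: $($extra.Name -join ', ')" }

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

# IntuneWinAppUtil -c <setup_folder> -s <source_setup_file> -o <output_folder> -q
& $PrepTool -c $SourceDir -s $MsiName -o $OutputDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# Intune generates "msiexec /i <msi> /q"; the Zscaler properties go right after the installer file.
$installCmd = "msiexec /i `"$MsiName`" userdomain=$UserDomain cloudname=$CloudName /q"
$package    = Join-Path -Path $OutputDir -ChildPath ([IO.Path]::ChangeExtension($MsiName, '.intunewin'))

Write-Host "Package to upload : $package"
Write-Host "Install command   : $installCmd"
```

Run it once per authentication domain, since each domain needs its own app in Intune; the printed install command replaces the one Intune generated in the Program section.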
Click next. Fill in the requirements as per your needs. Click next.
In the detection rules section select Manually configure detection rules, click +Add and select MSI. It will automatically insert the MSI product code Intune discovered. There is no need to check the product version, as every Zscaler version has its own product code. Click OK and Next.
On the next pages you can create dependencies and supersedence. Zscaler has no dependencies. One use case for supersedence may be to switch from 32 to 64 bit. As of this writing it is in preview, so handle with care. On the last page, you can add an assignment to a device or user group for manual (available) or automatic (required) install.
If you use a Win32 App you can find logs in %ProgramData%\Microsoft\IntuneManagementExtension\Logs to monitor download and installation. If you want to read them in real time, I recommend CMTrace, which comes with every SCCM Server installation or can be downloaded from microsoft.com.
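For checking the result on a test device without CMTrace, here is an added PowerShell example (not from the original post). It verifies that the MSI product code Intune uses as the detection rule is actually registered on the machine, and then follows the Intune Management Extension log for Zscaler entries. The product code is a placeholder to replace with the one shown in the Intune detection rule; the log folder is the one named above, and IntuneManagementExtension.log is assumed to be the file to watch.

```powershell
# Added example: verify the detection rule and follow the IME log for Zscaler.
# Assumptions (not from the post): product code placeholder, log file name.
param(
    [string]$ProductCode = '{00000000-0000-0000-0000-000000000000}',  # placeholder: copy from the Intune MSI detection rule
    [string]$LogDir      = "$env:ProgramData\Microsoft\IntuneManagementExtension\Logs"
)

# 1. Detection check: the MSI rule resolves the product code under the Uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$installed = Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -eq $ProductCode } |
    Get-ItemProperty

if ($installed) {
    Write-Host "Detected $($installed.DisplayName) $($installed.DisplayVersion) via product code $ProductCode"
} else {
    Write-Warning "Product code $ProductCode not found; the detection rule would report 'not installed'"
    # Show which Zscaler product codes are present, to compare against the rule
    # (a newer Zscaler version has a different product code than the packaged MSI).
    Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue | Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Zscaler*' } |
        Select-Object DisplayName, DisplayVersion, PSChildName |
        Format-Table -AutoSize
}

# 2. Follow the IME log in real time and keep only lines that mention Zscaler or the product code.
$log = Join-Path -Path $LogDir -ChildPath 'IntuneManagementExtension.log'
if (-not (Test-Path $log)) { throw "Log file not found: $log" }

Get-Content -Path $log -Wait -Tail 0 |
    Where-Object { $_ -like '*Zscaler*' -or $_ -like "*$ProductCode*" } |
    ForEach-Object {
        # Lines are in CMTrace format: <![LOG[message]LOG]!><time=... date=... ...>; keep the message.
        if ($_ -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>') { $Matches.msg } else { $_ }
    }
```

Run it elevated on a device in the assigned group, then trigger a sync from Company Portal or the Settings app; the first part tells you whether Intune will see the app as installed, the second shows the download and msiexec result as they happen.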
SSL Inspection
We didn’t install the SSL certificate. If you use SSL inspection make sure to install it through the Zscaler Client Connector. It needs to be done in the App Profile.
Updates
Do I have to do this for every version? No! Zscaler has one of the best update routines I've ever seen. It literally updated during a Teams meeting without any interruption. So use it. Update the app in Intune from time to time so that freshly installed devices don't need to skip too many versions.
Zscaler & Patch My PC
Zscaler can be deployed with Patch My PC. It does the same as described above, and you can also add install arguments. Be careful to create the app once and unselect it after the sync. Patch My PC is usually very fast at deploying updates. It will update Zscaler before the Zscaler update routine does, and that will cause interruption.
Done
I hope you found this post useful. If you have questions or feedback, the best option to reach me is Twitter.