Yes I've done this for Zscaler. Upload the cert you have installed on a device, into a Configuration Profile, on the certificatate payload. I have the tick box 'Allow all apps access' ticked. The cert will be deployed to any scoped devices and will show as Always Trust.

I have done this through a custom package using jamf composer

1) Push the zscalar root certificate through package which puts the certificate in x location on user system accessible to logged in user

2) Use the following post install script when you create the package for pushing

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <filepath/xxxx.cer>

I, too have used Composer to build a pkg to distribute and install .cer.  My sudo script is a bit different but basically the same as above.  My issue is that upon installation, I get the following error in /var/log/install.log

./postinstall: ***Error reading file /Library/Application Support/JAMF/Waiting Room/CA.cer

How do i get the pkg to extract the .cer from the .pkg into the "/Library/Application\\ Support/JAMF/Waiting\\ Room/" directory so i can run the sudo command?

Gave up on distribution with pkg.  Used Configuration Profile and it worked great.

Thank you,

Dont put it in the waiting room, you can put it in private/tmp directory and use this path in the script.

Since I'm stuck here this my non-functionnal process and I dont know where I'm wrong. My ISE profile is always displayed as non trusted on end users keychains

1 > adding the certificate to my computer on Sytem level, everything is set to Trust

2 > Creating a signed profile with the certificate that will be deployed on the computer lever

3 > Creating a Configuration profile on Jamf and its properly sent to end users but as non trusted.

Anyone one got that solved for ISE.

Seems that it will be the same circus for the next certificate ! 

It seems I'm in the same boat. Did you ever get this working?