Skip to main content

Started doing some initial testing with ZScaler ZCC and noticed that while the installer didn't prompt for it, under Security and Privacy > Full Disk Access there is a ZscalerTunnel binary that's unchecked.

 

Does anybody have a config profile for enabling that or is it okay to just have it disabled?

 

We've been running Zscaler for a little while and don't have that checked.  I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.


I have used Zscaler for 2 years and never needed Full Disk Access control. My only Configuration Profile is the Zscaler cert, as since Big Sur it is required. I can't see a reason Zscaler would ever need Full Disk Access, but I guess they have just made the option there just in case.

 


I have used Zscaler for 2 years and never needed Full Disk Access control. My only Configuration Profile is the Zscaler cert, as since Big Sur it is required. I can't see a reason Zscaler would ever need Full Disk Access, but I guess they have just made the option there just in case.

 


@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...

Thank you 


@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...

Thank you 


If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.


If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.


Thanks, @tzeilstra - I'm just starting on this and don't see mention where/how to get the cert...

I've not even been given the config requirements yet so I'm trying to look at this before I get the formal request...


If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.


For now, just assume you'll need a cert and work w/ vendor on that part if you move forward


For now, just assume you'll need a cert and work w/ vendor on that part if you move forward


OK, thanks.  Are you using any PPPC profiles for this? @tzeilstra 


@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...

Thank you 


The cert will be installed when Zscaler is installed, but won't be trusted in the keychain. Upload the cert into a Configuration Profile, using the certificate payload.

 


The cert will be installed when Zscaler is installed, but won't be trusted in the keychain. Upload the cert into a Configuration Profile, using the certificate payload.

 


Thank you @geoff_widdowson - I installed via Jamf and got the cert which appears to be trusted in my keychain without making a profile.  Wonder why?


Thank you @geoff_widdowson - I installed via Jamf and got the cert which appears to be trusted in my keychain without making a profile.  Wonder why?


Maybe newer versions of Zscaler has resolved the issue. I was using Zscaler 2.2.4.0 when Big Sur came out and thats when I had to deploy a cert using a configuration profile. I now have Zscaler 3.4, but never checked if it needed the cert from the config.


Maybe newer versions of Zscaler has resolved the issue. I was using Zscaler 2.2.4.0 when Big Sur came out and thats when I had to deploy a cert using a configuration profile. I now have Zscaler 3.4, but never checked if it needed the cert from the config.


Ah, possibly.  I'm using "Zscaler-osx-3.6.0.53-installer" at this moment...

I'll have to check on other Macs to see if this isn't a leftover from prior testing a while back.

Thanks for the replies.


We've been running Zscaler for a little while and don't have that checked.  I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.


Fairly new to JAMF, how are you deploying ZSACLER on the MAC?  I have the cert installing fine, but not the program itself.  Thanks.

 


Fairly new to JAMF, how are you deploying ZSACLER on the MAC?  I have the cert installing fine, but not the program itself.  Thanks.

 


I created a new installer with composer, dropped the files into a temp folder, and created a post install script to run the installer command line and arguments we needed.

Then told composer to create a pkg.

iPhone. iTypos. iApologize. 