+23Started doing some initial testing with ZScaler ZCC and noticed that while the installer didn't prompt for it, under Security and Privacy > Full Disk Access there is a ZscalerTunnel binary that's unchecked.
Does anybody have a config profile for enabling that or is it okay to just have it disabled?
Best answer by tzeilstra
We've been running Zscaler for a little while and don't have that checked. I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.
+10We've been running Zscaler for a little while and don't have that checked. I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.
+8I have used Zscaler for 2 years and never needed Full Disk Access control. My only Configuration Profile is the Zscaler cert, as since Big Sur it is required. I can't see a reason Zscaler would ever need Full Disk Access, but I guess they have just made the option there just in case.
+18I have used Zscaler for 2 years and never needed Full Disk Access control. My only Configuration Profile is the Zscaler cert, as since Big Sur it is required. I can't see a reason Zscaler would ever need Full Disk Access, but I guess they have just made the option there just in case.
@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...
Thank you
+10@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...
Thank you
If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.
+18If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.
Thanks, @tzeilstra - I'm just starting on this and don't see mention where/how to get the cert...
I've not even been given the config requirements yet so I'm trying to look at this before I get the formal request...
+10If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.
For now, just assume you'll need a cert and work w/ vendor on that part if you move forward
+18For now, just assume you'll need a cert and work w/ vendor on that part if you move forward
OK, thanks. Are you using any PPPC profiles for this? @tzeilstra
+8@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...
Thank you
The cert will be installed when Zscaler is installed, but won't be trusted in the keychain. Upload the cert into a Configuration Profile, using the certificate payload.
+18The cert will be installed when Zscaler is installed, but won't be trusted in the keychain. Upload the cert into a Configuration Profile, using the certificate payload.
Thank you @geoff_widdowson - I installed via Jamf and got the cert which appears to be trusted in my keychain without making a profile. Wonder why?
+8Thank you @geoff_widdowson - I installed via Jamf and got the cert which appears to be trusted in my keychain without making a profile. Wonder why?
Maybe newer versions of Zscaler has resolved the issue. I was using Zscaler 2.2.4.0 when Big Sur came out and thats when I had to deploy a cert using a configuration profile. I now have Zscaler 3.4, but never checked if it needed the cert from the config.
+18Maybe newer versions of Zscaler has resolved the issue. I was using Zscaler 2.2.4.0 when Big Sur came out and thats when I had to deploy a cert using a configuration profile. I now have Zscaler 3.4, but never checked if it needed the cert from the config.
Ah, possibly. I'm using "Zscaler-osx-3.6.0.53-installer" at this moment...
I'll have to check on other Macs to see if this isn't a leftover from prior testing a while back.
Thanks for the replies.
+3We've been running Zscaler for a little while and don't have that checked. I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.
Fairly new to JAMF, how are you deploying ZSACLER on the MAC? I have the cert installing fine, but not the program itself. Thanks.
+23Fairly new to JAMF, how are you deploying ZSACLER on the MAC? I have the cert installing fine, but not the program itself. Thanks.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.