Help

Self Service admin rights (Zscaler)

kdpk
New Contributor II

‎01-19-2023 02:14 AM - edited ‎01-19-2023 03:51 AM

Hello , 

I want to deploy Zscaler app using self service , but when standard user want to install it , need to type admin password for modify system keychain. Do you know some way how to solve this? or add more admin privileges to this app?

kdpk_0-1674123272929.png


Thank for help 

0 Kudos
11 REPLIES 11

DBrowning
Valued Contributor II

Posted on ‎01-19-2023 04:44 AM

Are you able to share what your policy looks like?  I don't remember ever seeing that prompt.

0 Kudos

kdpk
New Contributor II
In response to DBrowning

Posted on ‎01-19-2023 05:16 AM

kdpk_0-1674133950871.png

kdpk_1-1674133966132.png

kdpk_2-1674134000585.png

Policy is quit simple , only installing app from Self Service , but when I open Zscaler file in Composer , it was a script to modify keychain 

kdpk_3-1674134099540.png

 

0 Kudos

DBrowning
Valued Contributor II
In response to kdpk

Posted on ‎01-19-2023 05:19 AM

I would push the Root CA from zscaler via a config profile instead of post script.  It will make it so you don't get the prompt.  

AJPinto
Honored Contributor II
In response to DBrowning

‎01-19-2023 05:29 AM - edited ‎01-19-2023 05:30 AM

You don't want to install certificates with a script. MacOS will want authentication to trust the certificate, and Apple removed the ability to bless that authentication with CLI back in 2021 so it will prompt the user.

 

Since it is a keychain authentication and not an app authentication, I would start by deploying the certificate with the configuration profile. I would wager this would solve our certificate keychain auth prompt problem. Its also a lot easier to manage a certificate with a configuration profile. 

AJPinto
Honored Contributor II

Posted on ‎01-19-2023 05:14 AM

Are you deploying the Root CA Certificate for zscaler with a Configuration Profile?

0 Kudos

kdpk
New Contributor II
In response to AJPinto

Posted on ‎01-19-2023 05:31 AM

no , I have only this pkg file with cert included in installer. This is special installer from our client. 

0 Kudos

scottb
Honored Contributor
In response to kdpk

Posted on ‎01-19-2023 10:52 AM

As the guys above stated, use a Config Profile.  I just did it and it works great.

It imports into the user's keychain and is trusted that way...

0 Kudos

mschroder
Valued Contributor
In response to kdpk

Posted on ‎01-20-2023 08:57 AM

You can extract the cert from the PKG or ask the 'vendor' for it and then install it via a Config Profile.

0 Kudos

nachiket_s
New Contributor III

‎01-19-2023 11:15 PM - edited ‎01-19-2023 11:16 PM

You can create a package with zscaler root certificate and drop the package somewhere on user system which will be accessible by any logged in user when policy is executed. certificate will be trusted automatically

When creating the package for zscaler root certificate, add the following post install script

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <filepath/xxxx.cer>

(Filepath at the end of the command should match with the filepath where you will be placing your root certificate)

For more ref. please find another thread related to discussion on same topic.

https://community.jamf.com/t5/jamf-nation/how-to-make-a-cert-trust-through-jamf/m-p/268672#M459.

0 Kudos

AJPinto
Honored Contributor II
In response to nachiket_s

Posted on ‎01-20-2023 03:34 AM

-k no longer works to trust a certificate in the keychain. If you use -k it will prompt the user to enter admin credentials to trust the certificate. This change happed with macOS Monterey. To trust a certificate it must be deployed with a configuration profile, you cannot build from source either.

cc_rider
New Contributor III

Posted on ‎04-24-2023 06:45 AM

Does anyone know how can I suppress this popup, when I'm deploying the v.3.9? I've added the Config Profile with Zscaler cert, but this "com.zscaler.Zscaler" entry is coming up and I don't know how can I deal with it.

Screenshot 2023-04-24 at 9.43.27 AM.png

0 Kudos