01-19-2023 02:14 AM - edited 01-19-2023 03:51 AM
Hello,
I want to deploy the Zscaler app using Self Service, but when a standard user wants to install it, they need to type an admin password to modify the system keychain. Do you know some way to solve this, or to add more admin privileges to this app?
Thanks for the help
Posted on 01-19-2023 04:44 AM
Are you able to share what your policy looks like? I don't remember ever seeing that prompt.
Posted on 01-19-2023 05:16 AM
The policy is quite simple, only installing the app from Self Service, but when I opened the Zscaler file in Composer, there was a script to modify the keychain.
Posted on 01-19-2023 05:19 AM
I would push the Root CA from Zscaler via a config profile instead of post script. It will make it so you don't get the prompt.
01-19-2023 05:29 AM - edited 01-19-2023 05:30 AM
You don't want to install certificates with a script. macOS will want authentication to trust the certificate, and Apple removed the ability to bless that authentication with CLI back in 2021, so it will prompt the user.
Since it is a keychain authentication and not an app authentication, I would start by deploying the certificate with the configuration profile. I would wager this would solve our certificate keychain auth prompt problem. It's also a lot easier to manage a certificate with a configuration profile.
Posted on 01-19-2023 05:14 AM
Are you deploying the Root CA Certificate for Zscaler with a Configuration Profile?
Posted on 01-19-2023 05:31 AM
No, I only have this pkg file with the cert included in the installer. This is a special installer from our client.
Posted on 01-19-2023 10:52 AM
As the guys above stated, use a Config Profile. I just did it and it works great.
It imports into the user's keychain and is trusted that way...
Posted on 01-20-2023 08:57 AM
You can extract the cert from the PKG or ask the 'vendor' for it and then install it via a Config Profile.
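The following is an added example, not part of any post in this thread: a Python sketch that wraps a root CA certificate file (PEM or DER) in a `com.apple.security.root` payload so the result can be uploaded to the MDM as a configuration profile. The display name, the `com.example.rootca` identifier, the output filename and the sample bytes are assumptions; the sample is a constructed placeholder, not a real certificate.

```python
import base64
import plistlib
import re
import uuid

# Constructed sample: a minimal ASN.1 SEQUENCE, NOT a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

def pem_to_der(data: bytes) -> bytes:
    """Accept a PEM or DER certificate file and return the DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    if der[:1] != b"\x30":  # every DER certificate starts with a SEQUENCE tag
        raise ValueError("input is neither a PEM nor a DER certificate")
    return der

def build_root_ca_profile(cert: bytes, name: str, identifier: str) -> bytes:
    """Return a .mobileconfig (XML plist) carrying the certificate as a root CA."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # root certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".cert",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": name + ".cer",
        "PayloadContent": plistlib_bytes(cert),
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name + " (root CA)",
        "PayloadScope": "System",  # computer-level rather than per-user
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def plistlib_bytes(cert: bytes) -> bytes:
    """DER bytes are serialized by plistlib as a base64 <data> element."""
    return pem_to_der(cert)

if __name__ == "__main__":
    with open("root-ca.mobileconfig", "wb") as fh:
        fh.write(build_root_ca_profile(SAMPLE_PEM, "Example Root CA",
                                       "com.example.rootca"))
```

To use it on a real certificate, read the exported `.cer` or `.pem` file as bytes and pass it in place of `SAMPLE_PEM`.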
01-19-2023 11:15 PM - edited 01-19-2023 11:16 PM
You can create a package with the Zscaler root certificate and drop the package somewhere on the user's system which will be accessible by any logged-in user when the policy is executed. The certificate will be trusted automatically.
When creating the package for the Zscaler root certificate, add the following post-install script:
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <filepath/xxxx.cer>
(The filepath at the end of the command should match the filepath where you will be placing your root certificate.)
For more reference, please see another thread discussing the same topic.
https://community.jamf.com/t5/jamf-nation/how-to-make-a-cert-trust-through-jamf/m-p/268672#M459.
Posted on 01-20-2023 03:34 AM
-k no longer works to trust a certificate in the keychain. If you use -k it will prompt the user to enter admin credentials to trust the certificate. This change happened with macOS Monterey. To trust a certificate it must be deployed with a configuration profile; you cannot build from source either.
Posted on 04-24-2023 06:45 AM
Does anyone know how I can suppress this popup when I'm deploying the v.3.9? I've added the Config Profile with the Zscaler cert, but this "com.zscaler.Zscaler" entry is coming up and I don't know how I can deal with it.