a week ago
I've recently taken over JAMF duties at my company and have been asked to enable Strict Enforcement on our Zscaler version 4.3.1. Currently the Zscaler app is deployed and asks for a password to quit the app or to sign out, but it lets users browse the internet when not signed in, which is what we want to remove.
- Looking at JAMF, I only see a configuration policy for an expired Zscaler certificate
- I attempted to push a configuration policy of com.zscaler.installparams that I found in the Zscaler documentation, but when I reinstalled Zscaler from scratch nothing changed
- I attempted a com.zscaler.zscaler plist configuration policy push as well
- Tunnel version says 1.0 inside the app
- If you think of something, even if it is obvious, please let me know; I am looking to learn
How do you enforce this at your company, and is a socket filter policy needed as well? I saw that mentioned, and possibly some settings on the cloud admin portal.
a week ago - last edited a week ago
Thankfully Zscaler is actually a fairly simple client, and their support is pretty good, at least once you get to their engineers who actually know the macOS product very well.
Zscaler is a security client, so let your security team tell you how to configure it. If they are stumped, which is very likely, make them open a ticket with the vendor.
These profiles should get Zscaler off the ground; you will need to add your policy token and domain. The socket-filter below is configured to block traffic; adjust it to your needs. There are plenty more keys you can add to the socket-filter.
Domain: com.zscaler.installparams
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>installation-parameters</key>
<dict>
<key>cloudName</key>
<string>zscaler</string>
<key>externalRedirect</key>
<string>false</string>
<key>hideAppUIOnLaunch</key>
<string>0</string>
<key>launchTray</key>
<string>1</string>
<key>policyToken</key>
<string>Put your Policy Token Here</string>
<key>strictEnforcement</key>
<string>1</string>
<key>userDomain</key>
<string>Add your Domain here</string>
</dict>
</dict>
</plist>
Domain: com.zscaler.socket-filter
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>VendorConfig</key>
<dict>
<key>general</key>
<dict>
<key>allowTrafficToDefaultGateway</key>
<false/>
<key>detectAltInterfaceTraffic</key>
<false/>
</dict>
<key>inbound</key>
<dict>
<key>untrustednet</key>
<array>
<dict>
<key>ips</key>
<string>lanlocal</string>
<key>action</key>
<string>block</string>
</dict>
</array>
</dict>
<key>outbound</key>
<dict>
<key>untrustednet</key>
<array>
<dict>
<key>ips</key>
<string>lanlocal</string>
<key>action</key>
<string>block</string>
</dict>
</array>
</dict>
</dict>
</dict>
</plist>
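A way to check the profiles above before scoping them, as an added example that is not part of the thread and not Zscaler's or Jamf's own tooling: the script builds the com.zscaler.installparams settings in the same shape as the answer's plist, wraps them in the standard MCX custom-settings payload (com.apple.ManagedClient.preferences carrying a Forced mcx_preference_settings entry, the form Jamf's Application & Custom Settings upload produces), and lints the result for the mistakes that leave Zscaler unenforced: placeholder token or domain left in, strictEnforcement not the string "1", keys not nested under installation-parameters, or a user-scoped profile. The payload identifiers, UUIDs, token and domain are placeholders I chose for the example.

```python
"""Build and lint a Jamf custom-settings profile for com.zscaler.installparams.

Added example (not from the thread, Zscaler or Jamf). Identifiers, UUIDs,
token and domain are placeholders.
"""
import plistlib
import uuid

DOMAIN = "com.zscaler.installparams"

# Values copied from the answer's template; a profile that still carries
# them installs cleanly but configures nothing useful.
PLACEHOLDERS = {"Put your Policy Token Here", "Add your Domain here"}


def installparams(policy_token, user_domain, cloud_name="zscaler", strict=True):
    """Return the installation-parameters dict in the layout the answer's plist uses.

    Values are strings ("1"/"0", "false"), matching that plist, not plist booleans.
    """
    return {
        "installation-parameters": {
            "cloudName": cloud_name,
            "externalRedirect": "false",
            "hideAppUIOnLaunch": "0",
            "launchTray": "1",
            "policyToken": policy_token,
            "strictEnforcement": "1" if strict else "0",
            "userDomain": user_domain,
        }
    }


def build_profile(settings, identifier="com.example.zscaler.installparams", scope="System"):
    """Wrap `settings` in a Forced MCX preference payload; return the .mobileconfig bytes."""
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Zscaler install parameters",
        "PayloadContent": {DOMAIN: {"Forced": [{"mcx_preference_settings": settings}]}},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": scope,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Zscaler install parameters",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def lint_profile(profile_bytes):
    """Return the problems that would keep strict enforcement from applying ([] = looks right)."""
    problems = []
    prof = plistlib.loads(profile_bytes)
    if prof.get("PayloadScope") != "System":
        problems.append("PayloadScope should be System so the keys land in /Library/Managed Preferences")
    settings = None
    for p in prof.get("PayloadContent", []):
        if p.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for entry in p.get("PayloadContent", {}).get(DOMAIN, {}).get("Forced", []):
            settings = entry.get("mcx_preference_settings")
    if settings is None:
        problems.append(f"no Forced settings for {DOMAIN}")
        return problems
    params = settings.get("installation-parameters")
    if not isinstance(params, dict):
        problems.append("installation-parameters dict missing (keys must sit under it, not at top level)")
        return problems
    for key in ("policyToken", "userDomain"):
        value = params.get(key)
        if not value or value in PLACEHOLDERS:
            problems.append(f"{key} is missing or still a placeholder")
    strict = params.get("strictEnforcement")
    if strict != "1":
        problems.append(f"strictEnforcement is {strict!r}, expected the string '1'")
    return problems


if __name__ == "__main__":
    blob = build_profile(installparams("EXAMPLETOKEN", "example.com"))
    print(lint_profile(blob) or "profile looks right")
```

lint_profile also works on an unsigned .mobileconfig exported from Jamf (plistlib reads the XML form; a signed export is CMS-wrapped and must be unwrapped first), which is the quickest way to confirm that a profile already in production still carries the placeholder text.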
a week ago
How has been your rollout for Zscaler? Do you use it for iOS?
Friday
I have rolled it out for macOS; I did not handle the iOS rollout, which was performed by a peer of mine. The macOS rollout of Zscaler was painless; the dialing in of the rules was a chore, but that is more organizational policy than Zscaler’s fault. Any specific questions on the iOS side? I can ask.
For macOS, Zscaler is honestly not a bad client, and it is simple and uses forward-thinking methods of configuration management. Things like deploying client configuration with Configuration Profiles over XMLs make it easy and quick to adjust settings, and wrap its configuration in SIP as well as keeping knucklehead security people from making some changes they don’t understand, as they must come from the MDM.
The biggest head-scratcher I have with Zscaler is that the tamper protect does not protect the Zscaler.app, but it is contained within the app. If someone has admin access, they can use rm -rf to delete the app, then they can run the uninstaller without the anti-tamper code, which blows my mind. If your users have admin access, don’t use Zscaler lol. The vendor knows about this and has chosen to not fix it in 2 years.
a week ago
@AJPinto Great Note 😀
Thursday
Our Zscaler package is a combination of 2 composed packages.
#!/bin/bash
# ZScaler Installer (bash rather than sh: the script relies on [[ ]] and $'\n')
SOURCE_FOLDER="/Library/Application Support/COMPANYNAME/tmp"
INSTALLER="Zscaler-osx-4.3.0.240-installer.app"
## INSTALL ZSCALER WITH ARGS
"${SOURCE_FOLDER}/${INSTALLER}/Contents/MacOS/installbuilder.sh" --cloudName zscaler --mode unattended --unattendedmodeui none --userDomain COMPANYNAME.com --policyToken XXXXXXXXXXXXXXXXXX --strictEnforcement 1
INSTALL_RC=$? ## KEEP THE INSTALLER RESULT SO JAMF SEES A FAILED INSTALL; CLEANUP BELOW STILL RUNS
## PARSE AND WORK WITH THE CAPTURE
OIFS=$IFS # CAPTURE OLD SYSTEM DELIMITER
IFS=$'\n' # FIELD DELIMITER SET TO NEWLINE (SERVICE NAMES CAN CONTAIN SPACES)
## SET LINK LOCAL FOR IPv6
Z_LIST=$(networksetup -listallnetworkservices 2>&1)
if [[ -z $Z_LIST ]]; then
    echo "Query for adapters resulted in null. Setting LinkLocal for Wi-Fi"
    networksetup -setv6linklocal Wi-Fi
else
    for Z in ${Z_LIST};
    do
        if [[ "${Z}" == '*'* ]]; then
            echo "...${Z} is disabled... Skipping" # DISABLED SERVICES ARE PREFIXED WITH *
        elif [[ "${Z}" != "An asterisk (*) denotes that a network service is disabled." ]]; then
            echo "...Setting LinkLocal for ${Z}"
            networksetup -setv6linklocal "${Z}"
        fi
    done
fi
IFS=$OIFS # RETURN SYSTEM DELIMITER TO OLD
## CLEAN UP INSTALLER (GLOB INSTEAD OF ls | grep SO NAMES WITH SPACES SURVIVE)
for Z in "${SOURCE_FOLDER}"/*Zscaler*;
do
    [[ -e "${Z}" ]] && rm -rf "${Z}"
done
exit ${INSTALL_RC}
#!/bin/bash
## UNINSTALLER (installer passes the package path, target location and target volume as $1-$3; unused here)
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
if [[ -f "/Applications/Zscaler/.Uninstaller.sh" ]]; then
    /Applications/Zscaler/.Uninstaller.sh 'XXXXXXXXXXXXX' # ARGUMENT IS THE ZSCALER UNINSTALL PASSWORD
    exit $? ## PASS THE UNINSTALLER'S RESULT BACK
fi
echo "Zscaler uninstall script not found"
exit 1 ## Failure
#!/bin/bash
## UPGRADE (installer passes the package path, target location and target volume as $1-$3; unused here)
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3
INSTALL="/Library/Application Support/COMPANYNAME/tmp/Zscaler Private Access Client 4.3.0.240.pkg"
UNINSTALL="/Library/Application Support/COMPANYNAME/tmp/Zscaler Private Access Client Uninstaller.pkg"
# UNINSTALL CLIENT - Checks if /Applications/Zscaler/.Uninstaller.sh exists and runs with uninstall code
installer -target / -pkg "${UNINSTALL}"
UNINSTALL_RC=$?
sleep 5
# INSTALL CLIENT (ONLY IF THE OLD CLIENT CAME OFF, OTHERWISE REPORT THE UNINSTALL FAILURE)
if [[ ${UNINSTALL_RC} -eq 0 ]]; then
    installer -target / -pkg "${INSTALL}"
    RC=$?
else
    echo "Uninstall of the existing client failed; not installing"
    RC=${UNINSTALL_RC}
fi
## CLEANUP
rm -rf "${UNINSTALL}" "${INSTALL}"
exit ${RC}
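The networksetup parsing in the installer above is the part most likely to misbehave on an unusual Mac, so here is the same logic as a Python function that can be checked off-box against a constructed sample of `networksetup -listallnetworkservices` output. This is an added example, not the poster's code: it returns the commands the script would run (as argv lists) instead of running them, the sample service names are invented, and the Wi-Fi fallback mirrors the script's empty-listing branch.

```python
"""Parse `networksetup -listallnetworkservices` output and plan the
`networksetup -setv6linklocal` calls the install script makes.

Added example, not from the thread. SAMPLE_OUTPUT is constructed.
"""
import subprocess

HEADER = "An asterisk (*) denotes that a network service is disabled."

# Constructed sample: header line, enabled services (one with spaces and a
# slash in its name), one disabled service, trailing newline as networksetup prints.
SAMPLE_OUTPUT = """An asterisk (*) denotes that a network service is disabled.
Wi-Fi
*Thunderbolt Bridge
USB 10/100/1000 LAN
"""


def parse_services(output):
    """Return (enabled, disabled) service names.

    Names may contain spaces, so split on newlines only (the reason the shell
    script sets IFS to a newline). Disabled services carry a leading '*', which
    is stripped; the explanatory header line is dropped.
    """
    enabled, disabled = [], []
    for line in output.splitlines():
        line = line.strip()
        if not line or line == HEADER:
            continue
        if line.startswith("*"):
            disabled.append(line[1:].strip())
        else:
            enabled.append(line)
    return enabled, disabled


def plan_linklocal(output, fallback="Wi-Fi"):
    """Return the argv lists the script would execute.

    An empty listing (the script's null case) falls back to `fallback` only;
    disabled services are never touched.
    """
    enabled, _ = parse_services(output)
    if not enabled:
        enabled = [fallback]
    return [["networksetup", "-setv6linklocal", name] for name in enabled]


def live_services_output():
    """Run networksetup on a Mac; elsewhere fall back to the constructed sample."""
    try:
        return subprocess.run(["networksetup", "-listallnetworkservices"],
                              capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return SAMPLE_OUTPUT


if __name__ == "__main__":
    for argv in plan_linklocal(live_services_output()):
        print(" ".join(argv))  # dry run: nothing is changed
```

Running it as root with the print replaced by subprocess.run(argv, check=True) gives the same effect as the script's loop, with the difference that a failing networksetup call is surfaced instead of ignored.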
Thursday
For strict enforcement to be enabled, existing Zscaler has to be uninstalled first.
Friday
Why are you doing this with scripts? Zscaler's package contains all the scripts it needs; you just deploy the vendor-provided package from Jamf and the configuration profiles to configure Zscaler itself.