Zscaler 4.3 with Strict Enforcement

HuemonMike
New Contributor

I've recently taken over JAMF duties at my company and have been asked to enable Strict Enforcement on our Zscaler Version 4.3.1. Currently the Zscaler app is deployed and asks for a password to quit the app or to sign out, but lets users browse the internet when not signed in, which is what we want to remove.

 

- Looking at JAMF I only see a configuration policy for an expired zscaler certificate

- I attempted to push a configuration policy of com.zscaler.installparams that I found in the Zscaler documentation, but when I reinstalled Zscaler from scratch nothing changed

- I attempted a com.zscaler.zscaler plist configuration policy push as well

- Tunnel version says 1.0 inside the app

- If you think of something, even if it is obvious, please let me know; I am looking to learn

 

How do you enforce this at your company and is a socket filter policy needed as well? I saw that mentioned / possibly some settings on the cloud admin portal.

1 ACCEPTED SOLUTION

AJPinto
Esteemed Contributor

Thankfully Zscaler is actually a fairly simple client, and their support is pretty good; at least once you get to their engineers who actually know the macOS product very well.

 

  • You need to deploy two configuration profiles for Zscaler to work.
    • com.zscaler.installparams
      • This one you already noticed, this configures how Zscaler is installed.
      • You need to use the Zscaler package from Zscaler Client Connector Portal; DO NOT DOWNLOAD AND PACKAGE THE APP as that does not use the scripting to read the com.zscaler.installparams domain.
      • Strict Enforcement has a Key Pair you can set in this domain.
    • com.zscaler.socket-filter
      • This configures the Zscaler firewall behavior. It is not technically mandatory, and you can just deploy the template Zscaler gives you; however, you really want to work with your security department to get this one tuned right, as this is the one you would use to block things like peer-to-peer device connections as well as internet access for things not in the tunnel.
    • com.zscaler.zscaler
      • This domain does not exist, there is nothing to configure or deploy to it.

 

Zscaler is a security client, let your security team tell you how to configure it. If they are stumped, which is very likely, make them open a ticket with the vendor.

 

These profiles should get Zscaler off the ground; you will need to add your policy token and domain. The socket-filter below is configured to block traffic; adjust it to your needs. There are plenty more keys you can add to the socket-filter.

Domain: com.zscaler.installparams

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>installation-parameters</key>
    <dict>
      <key>cloudName</key>
      <string>zscaler</string>
      <key>externalRedirect</key>
      <string>false</string>
      <key>hideAppUIOnLaunch</key>
      <string>0</string>
      <key>launchTray</key>
      <string>1</string>
      <key>policyToken</key>
      <string>Put your Policy Token Here</string>
      <key>strictEnforcement</key>
      <string>1</string>
      <key>userDomain</key>
      <string>Add your Domain here</string>
    </dict>
  </dict>
</plist>

 

Domain: com.zscaler.socket-filter

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>VendorConfig</key>
        <dict>
            <key>general</key>
            <dict>
                <key>allowTrafficToDefaultGateway</key>
                <false/>
                <key>detectAltInterfaceTraffic</key>
                <false/>
            </dict>
            <key>inbound</key>
            <dict>
                <key>untrustednet</key>
                <array>
                    <dict>
                        <key>ips</key>
                        <string>lanlocal</string>
                        <key>action</key>
                        <string>block</string>
                    </dict>
                </array>
            </dict>
            <key>outbound</key>
            <dict>
                <key>untrustednet</key>
                <array>
                    <dict>
                        <key>ips</key>
                        <string>lanlocal</string>
                        <key>action</key>
                        <string>block</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </dict>
</plist>

 


8 REPLIES

mvu
Valued Contributor III

How has your rollout for Zscaler been? Do you use it for iOS?

AJPinto
Esteemed Contributor

I have rolled it out for macOS; I did not handle the iOS rollout, which was performed by a peer of mine. The macOS rollout of Zscaler was painless; the dialing in of the rules was a chore, but that is more organizational policy than Zscaler's fault. Any specific questions on the iOS side? I can ask.


For macOS, Zscaler is honestly not a bad client; it is simple and uses forward-thinking methods of configuration management. Things like deploying client configuration with Configuration Profiles over XMLs make it easy and quick to adjust settings, wrap its configuration in SIP, and keep knucklehead security people from making changes they don't understand, as the changes must come from the MDM.

The biggest head scratcher I have with Zscaler is that the tamper protection does not protect the Zscaler.app, but it is contained within the app. If someone has admin access, they can use rm -rf to delete the app, then they can run the uninstaller without the anti-tamper code, which blows my mind. If your users have admin access, don't use Zscaler lol. The vendor knows about this, and has chosen to not fix it in 2 years.

Thank you that worked great. My Zscaler now shows "internet access is blocked unless you sign into Zscaler"

My only issue now is that Safari is still able to be used to browse the internet when not signed in. I tried some of these keys. Would you have a suggestion?

 

 

<key>outbound</key>
<dict>
  <key>untrustednet</key>
  <array>
    <dict>
      <key>action</key>
      <string>block</string>
    </dict>
  </array>
</dict>

 

 or

 

<key>outbound</key>
<dict>
  <key>untrustednet</key>
  <array>
    <dict>
      <key>apps</key>
      <array>
        <string>com.apple.Safari</string>
      </array>
      <key>action</key>
      <string>block</string>
    </dict>
  </array>
</dict>
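
A pre-deployment check for the two payloads, added here as an example that is not part of this thread and not Zscaler's or Jamf's tooling. It parses the com.zscaler.installparams and com.zscaler.socket-filter plists shown in the accepted answer with Python's standard plistlib and flags the mistakes that would leave a Mac browsing unauthenticated: strictEnforcement not "1", the template placeholders still sitting in policyToken or userDomain, a filter rule with no action or no selector (the first Safari fragment above), or a payload aimed at a domain the client does not read such as com.zscaler.zscaler. Treating `apps` as a valid selector is taken from the second Safari fragment and is an assumption the thread does not confirm; `build_filter`, `check_profile`, EXAMPLE-TOKEN and example.com are this example's own constructed names and values.

```python
import plistlib

# Placeholder strings exactly as the accepted answer's template ships them.
PLACEHOLDERS = {"Put your Policy Token Here", "Add your Domain here", ""}


def check_installparams(xml_bytes):
    """Return the problems in a com.zscaler.installparams payload ([] = clean)."""
    params = plistlib.loads(xml_bytes).get("installation-parameters")
    if not isinstance(params, dict):
        return ["installation-parameters dict is missing"]
    problems = []
    # The template stores flags as strings, so "1" is the enabled value.
    if params.get("strictEnforcement") != "1":
        problems.append('strictEnforcement is not "1": users can browse without signing in')
    for key in ("policyToken", "userDomain"):
        if params.get(key, "") in PLACEHOLDERS:
            problems.append(f"{key} still contains the template placeholder")
    return problems


def check_socket_filter(xml_bytes):
    """Return the problems in a com.zscaler.socket-filter payload ([] = clean).

    Checks only what the thread shows: every VendorConfig/<direction>/untrustednet
    rule needs an action and a selector. Accepting "apps" (the Safari attempt
    above) as a selector is an assumption the thread does not confirm.
    """
    vendor = plistlib.loads(xml_bytes).get("VendorConfig")
    if not isinstance(vendor, dict):
        return ["VendorConfig dict is missing"]
    problems, rule_count = [], 0
    for direction in ("inbound", "outbound"):
        for i, rule in enumerate(vendor.get(direction, {}).get("untrustednet", [])):
            rule_count += 1
            if not rule.get("action"):
                problems.append(f"{direction} rule {i}: no action")
            if not (rule.get("ips") or rule.get("apps")):
                problems.append(f"{direction} rule {i}: no ips or apps selector")
    if rule_count == 0:
        problems.append("no untrustednet rules in either direction")
    return problems


def check_profile(domain, xml_bytes):
    """Dispatch on the preference domain the profile is pushed to."""
    if domain == "com.zscaler.installparams":
        return check_installparams(xml_bytes)
    if domain == "com.zscaler.socket-filter":
        return check_socket_filter(xml_bytes)
    # Assumption: these two are the only domains the client reads; the thread
    # confirms com.zscaler.zscaler in particular is not one of them.
    return [f"{domain}: not a domain the Zscaler client reads, nothing will change"]


# Constructed sample: the accepted answer's installparams template, placeholders intact.
TEMPLATE_INSTALLPARAMS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>installation-parameters</key>
  <dict>
    <key>cloudName</key><string>zscaler</string>
    <key>policyToken</key><string>Put your Policy Token Here</string>
    <key>strictEnforcement</key><string>1</string>
    <key>userDomain</key><string>Add your Domain here</string>
  </dict>
</dict>
</plist>
"""
# Same template with constructed values filled in (EXAMPLE-TOKEN is not a real token).
FILLED_INSTALLPARAMS = TEMPLATE_INSTALLPARAMS.replace(
    b"Put your Policy Token Here", b"EXAMPLE-TOKEN").replace(b"Add your Domain here", b"example.com")


def build_filter(inbound=None, outbound=None):
    """Build a constructed socket-filter payload from per-direction rule lists."""
    vendor = {"general": {"allowTrafficToDefaultGateway": False, "detectAltInterfaceTraffic": False}}
    if inbound is not None:
        vendor["inbound"] = {"untrustednet": inbound}
    if outbound is not None:
        vendor["outbound"] = {"untrustednet": outbound}
    return plistlib.dumps({"VendorConfig": vendor})


LANLOCAL_BLOCK = {"ips": "lanlocal", "action": "block"}
SOCKET_FILTER = build_filter(inbound=[LANLOCAL_BLOCK], outbound=[LANLOCAL_BLOCK])  # accepted answer
SAFARI_RULE = build_filter(outbound=[{"apps": ["com.apple.Safari"], "action": "block"}])  # second fragment
NO_SELECTOR = build_filter(outbound=[{"action": "block"}])  # first fragment: a block with nothing to match

if __name__ == "__main__":
    for domain, payload in [("com.zscaler.installparams", TEMPLATE_INSTALLPARAMS),
                            ("com.zscaler.installparams", FILLED_INSTALLPARAMS),
                            ("com.zscaler.socket-filter", SOCKET_FILTER),
                            ("com.zscaler.socket-filter", NO_SELECTOR),
                            ("com.zscaler.zscaler", TEMPLATE_INSTALLPARAMS)]:
        print(domain, check_profile(domain, payload) or ["OK"])
```

To check a real profile, pass the XML bytes of each payload to check_profile together with the preference domain it is scoped to; an empty list means nothing was flagged. Note that the check answers "does this payload say what I think it says", not "did the Mac apply it": the thread's point that the vendor package must be used (a repackaged app never reads com.zscaler.installparams) still has to be verified on the device.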

 

Samstar777
Contributor III

@AJPinto Great Note 😀

MemnochTheRed
New Contributor II

Our Zscaler package is a combination of 2 composed packages. 

  • Compose an installer using your args and putting the installer app in the source folder (see below)
  • Compose an uninstaller (see below)
  • Compose an upgrade package that runs the uninstaller first then the installer.

#!/bin/bash
# ZScaler Installer (bash, not sh: the script relies on [[ ]] and $'\n')

SOURCE_FOLDER="/Library/Application Support/COMPANYNAME/tmp"
INSTALLER="Zscaler-osx-4.3.0.240-installer.app"

## INSTALL ZSCALER WITH ARGS
"${SOURCE_FOLDER}/${INSTALLER}/Contents/MacOS/installbuilder.sh" --cloudName zscaler --mode unattended --unattendedmodeui none --userDomain COMPANYNAME.com --policyToken XXXXXXXXXXXXXXXXXX --strictEnforcement 1

## PARSE AND WORK WITH THE CAPTURE
OIFS=$IFS		# CAPTURE OLD SYSTEM DELIMITER
IFS=$'\n'		# FIELD DELIMITER SET TO NEWLINE SO SERVICE NAMES CONTAINING SPACES STAY WHOLE

## SET LINK LOCAL FOR IPv6
Z_LIST=$(networksetup -listallnetworkservices 2>&1)

if [[ -z $Z_LIST ]]; then
	echo "Query for adapters resulted in null. Setting LinkLocal for Wi-Fi"
	networksetup -setv6linklocal Wi-Fi
else
	for Z in ${Z_LIST}; do
		if [[ "${Z}" == '*'* ]]; then
			echo "...${Z} is disabled... Skipping"
		elif [[ "${Z}" != "An asterisk (*) denotes that a network service is disabled." ]]; then
			echo "...Setting LinkLocal for ${Z}"
			networksetup -setv6linklocal "${Z}"
		fi
	done
fi

IFS=$OIFS		# RETURN SYSTEM DELIMITER TO OLD

## CLEAN UP INSTALLER (a glob instead of parsing ls, so names with spaces are handled)
for Z in "${SOURCE_FOLDER}"/*Zscaler*; do
	[[ -e "${Z}" ]] && rm -rf "${Z}"
done

exit 0		## Success

  

#!/bin/bash
## UNINSTALLER

# Standard Jamf/Composer postinstall arguments (unused here, kept for reference)
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

# Run the vendor's hidden uninstaller with the uninstall code (placeholder below)
if [[ -f "/Applications/Zscaler/.Uninstaller.sh" ]]; then
	/Applications/Zscaler/.Uninstaller.sh 'XXXXXXXXXXXXX'
else
	echo "Zscaler uninstall script not found"
	exit 1		## Failure
fi

exit 0		## Success

 

#!/bin/bash
## UPGRADE

# Standard Jamf/Composer postinstall arguments (unused here, kept for reference)
pathToScript=$0
pathToPackage=$1
targetLocation=$2
targetVolume=$3

INSTALL="/Library/Application Support/COMPANYNAME/tmp/Zscaler Private Access Client 4.3.0.240.pkg"
UNINSTALL="/Library/Application Support/COMPANYNAME/tmp/Zscaler Private Access Client Uninstaller.pkg"

# UNINSTALL CLIENT - Checks if /Applications/Zscaler/.Uninstaller.sh exists and runs with uninstall code
# (not fatal: on a Mac with no existing client the uninstaller package exits non-zero)
installer -target / -pkg "${UNINSTALL}"
sleep 5

# INSTALL CLIENT - keep the installer's exit status so a failed install is reported to Jamf
installer -target / -pkg "${INSTALL}"
STATUS=$?

## CLEANUP
rm -rf "${UNINSTALL}"
rm -rf "${INSTALL}"

exit ${STATUS}		## 0 = Success, non-zero = installer failure

For strict enforcement to be enabled, existing Zscaler has to be uninstalled first.

AJPinto
Esteemed Contributor

Why are you doing this with scripts? Zscaler's package contains all the scripts it needs; you just deploy the vendor-provided package from Jamf and the configuration profiles to configure Zscaler itself.