Zscaler app deploy via Jamf, but found root cert is trust in Keychain Access

Laura7878
New Contributor II

Does anyone have an issue deploying the Zscaler app with the root cert not trusted?

I recently deployed Zscaler, but the root trust shows a red "x" in Keychain Access. Any way to get around it by putting a command in Jamf policies?

1 ACCEPTED SOLUTION

arnoldtaw
New Contributor III

@Laura7878 we went with the Configuration Profile approach. 

Added the Zscaler cert as a Configuration Profile.

Made sure profile is scoped to appropriate devices. 

Deploy Zscaler. 


12 REPLIES 12

Hi, thanks for this solution. Do you know why the Zscaler certificate was deployed as an Untrusted certificate?

The problem is that the certificate has been issued for too long.
TLS server certificates must have a validity period of 825 days or less (as specified in the NotBefore and NotAfter fields of the certificate).
Connections to TLS servers that violate these new requirements will fail and can cause network outages and app failures. Also, websites may not load in Safari in iOS 13 and macOS 10.15.

Laura7878
New Contributor II

Can you please tell me where to get the root cert from the Zscaler portal?

Someone is managing this and they have no idea where to get it.

arnoldtaw
New Contributor III

Same here. I do not have access to the portal itself. I just requested the team to send me the certs. They were able to figure it out.

Also, have you tried exporting that cert from your keychain?

Laura7878
New Contributor II

Just got the cert from the team by letting them know they have to figure it out. Great help there :)

I have not been able to. This is the first Mac that I deployed via Jamf, not sure how to get it from the keychain.

By the way, this happened, do I need to convert?


arnoldtaw
New Contributor III

Keychain Access > Zscaler Root CA > Export "Zscaler Root CA" > defaults to .cer format. 
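
The Configuration Profile approach from the accepted solution, as an added example that is not part of the original thread and not Jamf's or Zscaler's own code: it accepts either a `.cer` (DER) export from Keychain Access or a PEM file, so no manual conversion is needed, and wraps it in a profile with a root certificate payload. The identifier `com.example.zscaler`, the function names and the sample bytes are assumptions made for illustration.

```python
import plistlib
import ssl
import uuid

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Constructed placeholder bytes for the demo, NOT a real certificate.
SAMPLE_DER = b"\x30\x0c" + b"constructed!"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def to_der(cert_bytes: bytes) -> bytes:
    """Return DER bytes whether the exported file is PEM text or binary DER."""
    text = cert_bytes.strip()
    if text.startswith(PEM_HEADER):
        if text.count(PEM_HEADER) != 1:
            raise ValueError("expected exactly one certificate in the file")
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if cert_bytes[:1] != b"\x30":
        raise ValueError("input is neither a PEM nor a DER certificate")
    return cert_bytes


def build_root_ca_profile(cert_bytes: bytes, name: str, identifier: str) -> bytes:
    """Wrap one root CA certificate in a .mobileconfig (XML plist) profile."""
    cert_payload = {
        "PayloadType": "com.apple.security.root",  # root certificate payload
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.rootca",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadCertificateFileName": f"{name}.cer",
        "PayloadContent": to_der(cert_bytes),  # plistlib emits bytes as <data>
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{name} trust",
        "PayloadScope": "System",
        "PayloadContent": [cert_payload],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    # "com.example.zscaler" is a hypothetical identifier; use your own.
    xml = build_root_ca_profile(SAMPLE_PEM, "Zscaler Root CA", "com.example.zscaler")
    print(xml.decode("utf-8"))
```

Saved with a `.mobileconfig` extension, the output can be uploaded to Jamf Pro as a configuration profile and scoped to the target devices before the Zscaler policy runs.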

Laura7878
New Contributor II

Super helpful. Thank you. That saved tons of time trying to convert the root CA.

One last question please. How do you set up upgrades/patches for Zscaler? I tried to go to Patch Management but seem unable to find Zscaler.

arnoldtaw
New Contributor III

If we need to update the Zscaler application, we just create a policy to push out the new package. We have no issues overriding the Zscaler. We don't disable/uninstall it. We just deploy the new version to the computer via a policy. 

Laura7878
New Contributor II

I thought the upgrade process is:

1. Upload package

2. Set up policies

3. Go to Patch Management, select the new definition and create new patch policies, also set up the immediate push

4. End user gets the new version upgrade

arnoldtaw
New Contributor III

Well, that's if the application is listed in Patch Management. 

Applications which are not part of Patch Management can still be updated by using Jamf Policy alone. Just have to scope and define frequency and trigger appropriately. 

Laura7878
New Contributor II

Thank you very much for clearing this up.

The Jamf trainer didn't tell us that; I thought there is no way to update the version if it is not listed.