Posted on 03-08-2022 02:35 PM
We're beginning to roll out ZScaler in our environment with Strict Enforcement enabled. I'm curious how others have integrated that with your provisioning process? If we deploy Zscaler with SE enabled, then it locks down the network connectivity and the software loads don't complete until a user signs into ZScaler. Any recommendations? I was thinking just maintaining a 2nd install pkg that doesn't incl strict enforcement, but then we're relying on the deployment team and/or user to 'remember' to enable it.
Thanks!
Posted on 03-09-2022 04:25 AM
I would suggest having the installer run as a "first login" kind of process. We are just starting our deployment of Zscaler. For our systems it will not be installed until after the normal setup process is complete.
Posted on 03-09-2022 06:18 AM
I am looking for an EA that can determine if the user logged in vs just the app is installed to try and help with this, then scope it to enrollment older than 2 days. No luck yet on the EA.
Posted on 03-09-2022 08:12 AM
@swapple Try this: Someone just sent it to me. Haven't tested yet.
#!/bin/bash
# Get Current User (the here-string and (( )) below are bash syntax, hence the bash shebang)
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )
# Query and save the value; suppress any error message, if key not found.
checkZscaler=$(/usr/libexec/PlistBuddy -c 'print ":lZts"' "/Users/$loggedInUser/Library/Preferences/com.zscaler.Zscaler.plist" 2>/dev/null)
# Save the exit code, which indicates success v. failure
exitCode=$?
if (( exitCode == 0 ))
then
    echo "<result>Authenticated</result>"
else
    echo "<result>Not Authenticated</result>"
fi
Posted on 03-09-2022 02:09 PM
I found this one as well...starting a ZScaler setup myself:
#!/bin/bash
#
# Jamf EA to determine Zscaler logged in status
#
# For version 3.4 Logs are stored in /Library/Application Support/Zscaler
#
# Glob into an array (bash syntax); the first element is the first matching file, if any
ztstatus=(/private/var/log/zscaler/ztstatus*)
if [[ -f "${ztstatus[0]}" ]]; then
    echo "<result>Logged Into Zscaler</result>"
else
    echo "<result>Not Logged Into Zscaler</result>"
fi
Posted on 04-28-2022 09:17 AM
That folder is not appearing in some of our deployments where we know the user is logged in.
Posted on 03-09-2022 03:03 PM
I also think based on limited testing that not having it install at enrollment might be a good idea. If they don't sign in, they don't get anything - and I saw this when I had a recon run at the end of the install for ZScaler - I got SSH errors trying to run recon.
So I took that out of the policy and it seems to at least install OK, but having to log in s*cks...
Posted on 04-14-2022 07:39 AM
@scottb Thank you for this, I was able to get it to work with the 3.4 version, but for 2.1 neither path seems to have any ztstatus files.
@DBrowning I tried yours too, it always returns false. Did you have to do any tweaks to it?
Posted on 04-14-2022 09:08 AM
@ImAMacGuy - looks like only "3.6, 3.4, 3.2, 3.0" are supported in macOS. It's working here on 3.6.0.53.
Posted on 04-15-2022 06:25 AM
Yeah, the 3.x one is working, but we have a smaller subset of users on 10.13 that we are deploying to, but if there's no easy way to tweak, then so be it. Just wasn't sure if anybody had an older version lying around.
Posted on 06-21-2022 10:56 PM
Has anyone had success with curl? Seems macOS generic.
curl https://ip.zscaler.com <does not return desired output>
This seems a little overkill:
curl -f https://ipinfo.io/json 2>&1 | grep org
Posted on 06-29-2022 11:55 AM
Anyone find anything useful..
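An added example, not part of any post in this thread: a single Jamf extension attribute script that checks both sign-in signals posted above (the `lZts` key in `com.zscaler.Zscaler.plist`, and a `ztstatus*` file in either log directory mentioned) and reports which one matched. That these signals mean the user has signed in is taken from the posts and is not verified here; the function names and result strings are hypothetical.

```shell
#!/bin/sh
# Added example: Jamf EA combining the two sign-in signals posted in this thread.
# Assumption (from the posts, unverified): either signal means the user signed in.

# Print the console user; prints nothing at the login window or off macOS.
console_user() {
    command -v scutil >/dev/null 2>&1 || return 1
    echo "show State:/Users/ConsoleUser" | scutil |
        awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Signal 1: the lZts key exists in the user's Zscaler preferences plist.
plist_signal() {    # $1 = path to com.zscaler.Zscaler.plist
    [ -x /usr/libexec/PlistBuddy ] || return 1
    [ -f "$1" ] || return 1
    /usr/libexec/PlistBuddy -c 'print ":lZts"' "$1" >/dev/null 2>&1
}

# Signal 2: a ztstatus* file exists in at least one candidate log directory.
status_file_signal() {    # $@ = log directories to check
    for zs_dir in "$@"; do
        for zs_file in "$zs_dir"/ztstatus*; do
            [ -f "$zs_file" ] && return 0
        done
    done
    return 1
}

# Combine both signals and name the one that matched.
zscaler_login_state() {    # $1 = plist path, remaining args = log directories
    zs_plist=$1
    shift
    if plist_signal "$zs_plist"; then
        echo "Authenticated (plist)"
    elif status_file_signal "$@"; then
        echo "Authenticated (ztstatus)"
    else
        echo "Not Authenticated"
    fi
}

ea_main() {
    zs_user=$(console_user) || zs_user=""
    zs_state=$(zscaler_login_state \
        "/Users/$zs_user/Library/Preferences/com.zscaler.Zscaler.plist" \
        /private/var/log/zscaler "/Library/Application Support/Zscaler")
    echo "<result>$zs_state</result>"
}

ea_main
```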