We're beginning to roll out ZScaler in our environment with Strict Enforcement enabled.  I'm curious how others have integrated that with your provisioning process?  If we deploy Zscaler with SE enabled, then it locks down the network connectivity and the software loads don't complete until a user signs into ZScaler.  Any recommendations?  I was thinking just maintaining a 2nd install pkg that doesn't incl strict enforcement, but then we're relying on the deployment team and/or user to 'remember' to enable it.

 

Thanks!

 

I would suggest having the installer run as a "first login" kind of process.  We are just starting our deployment of Zscaler.  For our systems it will not be installed until after the normal setup process is complete.


I am looking for an EA that can determine if the user logged in vs just the app is installed to try and help with this, then scope it to enrollment older than 2 days.  No luck yet on the EA


@swapple Try this:  Someone just sent it to me.  Haven't tested yet.  

#!/bin/bash

# Get the current console user (empty at the login window)
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Query and save the value; suppress any error message if the key is not found.
checkZscaler=$(/usr/libexec/PlistBuddy -c 'print ":lZts"' "/Users/$loggedInUser/Library/Preferences/com.zscaler.Zscaler.plist" 2>/dev/null)

# Save the exit code, which indicates success vs. failure
exitCode=$?

if (( exitCode == 0 ))
then
    echo "<result>Authenticated</result>"
else
    echo "<result>Not Authenticated</result>"
fi

I found this one as well...starting a ZScaler setup myself:

 

#!/bin/bash
#
# Jamf EA to determine Zscaler logged in status
#
# For version 3.4 Logs are stored in /Library/Application Support/Zscaler
#
# Expand the glob into an array; "$ztstatus" below is its first element
ztstatus=(/private/var/log/zscaler/ztstatus*)
if [[ -f "$ztstatus" ]]; then
    echo "<result>Logged Into Zscaler</result>"
else
    echo "<result>Not Logged Into Zscaler</result>"
fi

 


I also think based on limited testing that not having it install at enrollment might be a good idea.  If they don't sign in, they don't get anything - and I saw this when I had a recon run at the end of the install for ZScaler - I got SSH errors trying to run recon.

So I took that out of the policy and it seems to at least install OK, but having to login s*cks...


@scottb Thank you for this, I was able to get it to work with the 3.4 version, but for 2.1 neither path seems to have any ztstatus files.

 

@DBrowning I tried yours too, it always returns false.  Did you have to do any tweaks to it?

 

 


@ImAMacGuy - looks like only "3.6, 3.4, 3.2, 3.0" are supported in macOS.  It's working here on 3.6.0.53.

Zscaler Supported Versions 


yeah, the 3.x one is working, but we have a smaller subset of users on 10.13 that we are deploying to, but if there's no easy way to tweak, then so be it.  Just wasn't sure if anybody had an older version laying around.  

 


that folder is not appearing in some of our deployments where we know the user is logged in.


Has anyone had success with curl? Seems macOS generic.

curl https://ip.zscaler.com <does not return desired output>

This seems a little overkill

curl -f https://ipinfo.io/json 2>&1 | grep org

 


Anyone find anything useful..
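
Added example, not part of any post in this thread: an EA that combines the two local signals posted above (the ztstatus* files and the :lZts plist key) and reports which one matched, so version differences like the 2.1 vs 3.x case show up in inventory. The function names, the result strings and the "No Console User" case are assumptions; the paths and the key are the ones quoted in the thread and are not confirmed against Zscaler documentation.

```shell
#!/bin/sh
# Added example: Jamf EA combining the two local signals quoted in this thread.
# Paths and the ":lZts" key come from the posts above and are unverified;
# function names and result strings are assumptions made for this example.

# Succeeds if a regular file named ztstatus* exists in any directory given.
has_ztstatus() {
    for zt_dir in "$@"; do
        for zt_file in "$zt_dir"/ztstatus*; do
            # An unmatched glob stays literal, so -f also covers "no files".
            [ -f "$zt_file" ] && return 0
        done
    done
    return 1
}

# Succeeds if the plist exists and contains the key (needs macOS PlistBuddy).
has_plist_key() {
    [ -f "$1" ] && [ -x /usr/libexec/PlistBuddy ] || return 1
    /usr/libexec/PlistBuddy -c "print \"$2\"" "$1" >/dev/null 2>&1
}

# Prints the console user's name; prints nothing at the login window.
console_user() {
    command -v scutil >/dev/null 2>&1 || return 0
    echo "show State:/Users/ConsoleUser" | scutil |
        awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Prints the EA result. Args: console user, then candidate log directories.
zscaler_ea() {
    ea_user="$1"; shift
    ea_plist="/Users/$ea_user/Library/Preferences/com.zscaler.Zscaler.plist"
    if [ -z "$ea_user" ]; then
        echo "<result>No Console User</result>"
    elif has_ztstatus "$@"; then
        echo "<result>Logged Into Zscaler (ztstatus)</result>"
    elif has_plist_key "$ea_plist" ":lZts"; then
        echo "<result>Logged Into Zscaler (plist)</result>"
    else
        echo "<result>Not Logged Into Zscaler</result>"
    fi
}

zscaler_ea "$(console_user)" /private/var/log/zscaler \
    "/Library/Application Support/Zscaler"
```

A separate "No Console User" value keeps machines sitting at the login window out of a "not logged in" smart group.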

