ZScaler Deployment with Strict Enforcement

jwojda
Valued Contributor II

We're beginning to roll out ZScaler in our environment with Strict Enforcement enabled. I'm curious how others have integrated that with your provisioning process? If we deploy Zscaler with SE enabled, then it locks down the network connectivity and the software loads don't complete until a user signs into ZScaler. Any recommendations? I was thinking of just maintaining a 2nd install pkg that doesn't include strict enforcement, but then we're relying on the deployment team and/or user to 'remember' to enable it.


Thanks!


DBrowning
Valued Contributor II

I would suggest having the installer run as a "first login" kind of process.  We are just starting our deployment of Zscaler.  For our systems it will not be installed until after the normal setup process is complete.

swapple
Contributor III

I am looking for an EA that can determine if the user has logged in vs. just whether the app is installed, to try and help with this, then scope it to enrollments older than 2 days. No luck yet on the EA.

DBrowning
Valued Contributor II

@swapple Try this: Someone just sent it to me. Haven't tested yet.

#!/bin/sh

# Get the current console user (empty when sitting at the login window)
loggedInUser=$( scutil <<< "show State:/Users/ConsoleUser" | awk '/Name :/ && ! /loginwindow/ { print $3 }' )

# Query and save the value; suppress any error message if the key is not found.
# The path is quoted so a username containing spaces does not break the command.
checkZscaler=$(/usr/libexec/PlistBuddy -c 'print ":lZts"' "/Users/$loggedInUser/Library/Preferences/com.zscaler.Zscaler.plist" 2>/dev/null)

# Save the exit code of PlistBuddy, which indicates success v. failure
exitCode=$?

if (( exitCode == 0 ))
then
	echo "<result>Authenticated</result>"
else
	echo "<result>Not Authenticated</result>"
fi

scottb
Honored Contributor

I found this one as well... starting a ZScaler setup myself:

#!/bin/sh
#
# Jamf EA to determine Zscaler logged in status
#
# For version 3.4 Logs are stored in /Library/Application Support/Zscaler
#
# The glob expands into an array; if nothing matches, the literal pattern is
# kept and the -f test fails. Only the first match is tested.
ztstatus=(/private/var/log/zscaler/ztstatus*)
if [[ -f "${ztstatus[0]}" ]]; then
  echo "<result>Logged Into Zscaler</result>"
else
  echo "<result>Not Logged Into Zscaler</result>"
fi

swapple
Contributor III

That folder is not appearing in some of our deployments where we know the user is logged in.

scottb
Honored Contributor

I also think, based on limited testing, that not having it install at enrollment might be a good idea. If they don't sign in, they don't get anything - and I saw this when I had a recon run at the end of the install for ZScaler - I got SSH errors trying to run recon.

So I took that out of the policy and it seems to at least install OK, but having to login s*cks...

jwojda
Valued Contributor II

@scottb Thank you for this, I was able to get it to work with the 3.4 version, but for 2.1 neither path seems to have any ztstatus files.


@DBrowning I tried yours too; it always returns false. Did you have to do any tweaks to it?


scottb
Honored Contributor

@jwojda - looks like only "3.6, 3.4, 3.2, 3.0" are supported in macOS.  It's working here on 3.6.0.53.

Zscaler Supported Versions

jwojda
Valued Contributor II

Yeah, the 3.x one is working, but we have a smaller subset of users on 10.13 that we are deploying to. If there's no easy way to tweak it, then so be it. Just wasn't sure if anybody had an older version laying around.

swapple
Contributor III

Has anyone had success with curl? It seems macOS-generic.

curl https://ip.zscaler.com <does not return desired output>

This seems a little overkill:

curl -f https://ipinfo.io/json 2>&1 | grep org
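Pulling the two EA checks from this thread (the per-user plist key and the ztstatus log files) into one script, as an added example that is not from any of the posters. The log directory, the plist path and the ":lZts" key are taken from the posts above; the guard that skips the entry point when scutil is absent is an assumption so the functions can be exercised off a Mac.

```shell
#!/bin/sh
# Added example: combined Jamf EA for Zscaler logged-in state.
# Assumptions: log files live in /private/var/log/zscaler and the
# per-user plist carries the ":lZts" key, as described in the thread.

# Extract the console user from `scutil` output read on stdin; skips loginwindow.
console_user_from_scutil() {
  awk '/Name :/ && ! /loginwindow/ { print $3 }'
}

# Return 0 if at least one ztstatus* file exists in the given directory.
# A glob with no match stays a literal pattern, so the -f test fails cleanly.
ztstatus_present() {
  dir="$1"
  for f in "$dir"/ztstatus*; do
    [ -f "$f" ] && return 0
  done
  return 1
}

# Return 0 if the per-user plist exists and contains the ":lZts" key.
# Requires /usr/libexec/PlistBuddy, i.e. macOS.
plist_key_present() {
  plist="$1"
  [ -f "$plist" ] || return 1
  [ -x /usr/libexec/PlistBuddy ] || return 1
  /usr/libexec/PlistBuddy -c 'print ":lZts"' "$plist" >/dev/null 2>&1
}

# Combine both signals: either one is enough to report an authenticated session.
zscaler_state() {
  if ztstatus_present "$1" || plist_key_present "$2"; then
    echo "Authenticated"
  else
    echo "Not Authenticated"
  fi
}

# EA entry point; only runs where scutil exists (macOS), so the functions
# above can be sourced and tested elsewhere without side effects.
if command -v scutil >/dev/null 2>&1; then
  user=$(echo "show State:/Users/ConsoleUser" | scutil | console_user_from_scutil)
  plist="/Users/$user/Library/Preferences/com.zscaler.Zscaler.plist"
  echo "<result>$(zscaler_state /private/var/log/zscaler "$plist")</result>"
fi
```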


CyBrejendra
New Contributor

Anyone find anything useful?