ZScaler Full Disk Access?

jwojda
Valued Contributor II

Started doing some initial testing with ZScaler ZCC and noticed that while the installer didn't prompt for it, under Security and Privacy > Full Disk Access there is a ZscalerTunnel binary that's unchecked.

 

Does anybody have a config profile for enabling that or is it okay to just have it disabled?

 

2 ACCEPTED SOLUTIONS

tzeilstra
New Contributor III

We've been running Zscaler for a little while and don't have that checked.  I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.

View solution in original post

geoff_widdowson
Contributor II

I have used Zscaler for 2 years and never needed Full Disk Access control. My only Configuration Profile is the Zscaler cert, as since Big Sur it is required. I can't see a reason Zscaler would ever need Full Disk Access, but I guess they have just made the option there just in case.

 

View solution in original post

13 REPLIES 13

tzeilstra
New Contributor III

We've been running Zscaler for a little while and don't have that checked.  I did notice there are a LOT of apps that add themselves to that list and very few actually need full disk access.

Fairly new to JAMF, how are you deploying ZSACLER on the MAC?  I have the cert installing fine, but not the program itself.  Thanks.

 

jwojda
Valued Contributor II
I created a new installer with composer, dropped the files into a temp folder, and created a post install script to run the installer command line and arguments we needed.

Then told composer to create a pkg.

iPhone. iTypos. iApologize. 

geoff_widdowson
Contributor II

I have used Zscaler for 2 years and never needed Full Disk Access control. My only Configuration Profile is the Zscaler cert, as since Big Sur it is required. I can't see a reason Zscaler would ever need Full Disk Access, but I guess they have just made the option there just in case.

 

@geoff_widdowson - do you have more info on the cert for ZScaler? I'm not seeing that piece in the docs...

Thank you 

tzeilstra
New Contributor III

If you're doing SSL inspection with Zscaler, the workstation needs to trust Zscaler with a cert lest it assume it's falling victim to a man-in-the-middle attack.

scottb
Honored Contributor

Thanks, @tzeilstra - I'm just starting on this and don't see mention where/how to get the cert...

I've not even been given the config requirements yet so I'm trying to look at this before I get the formal request...

tzeilstra
New Contributor III

For now, just assume you'll need a cert and work w/ vendor on that part if you move forward

scottb
Honored Contributor

OK, thanks.  Are you using any PPPC profiles for this? @tzeilstra 

The cert will be installed when Zscaler is installed, but won't be trusted in the keychain. Upload the cert into a Configuration Profile, using the certificate payload.

 

Thank you @geoff_widdowson - I installed via Jamf and got the cert which appears to be trusted in my keychain without making a profile.  Wonder why?

Maybe newer versions of Zscaler has resolved the issue. I was using Zscaler 2.2.4.0 when Big Sur came out and thats when I had to deploy a cert using a configuration profile. I now have Zscaler 3.4, but never checked if it needed the cert from the config.

Ah, possibly.  I'm using "Zscaler-osx-3.6.0.53-installer" at this moment...

I'll have to check on other Macs to see if this isn't a leftover from prior testing a while back.

Thanks for the replies.