Zscaler, the nonsensical adventure of configuration

AJPinto
Honored Contributor

I recently had to configure Zscaler for my environment and I figured I would share in case it helps anyone.

  • The Zscaler app can be provided in 2 ways: the non-managed app, which will not respect any configuration profiles, and a deployable .pkg, which is what you want to use. Build the policy to deploy the package as usual, nothing screwy here.

Configuration profiles:

  • The install parameters configuration profile. The bread and butter of configuring Zscaler is the com.zscaler.installparams Configuration Profile. Most of the values are common sense; the userDomain is unique to your organization, and you will get the policyToken from Zscaler. The cloudName will likely be zscaler unless you are doing something specific, at which point it could be zscaler2 or beta.

Preference Domain: com.zscaler.installparams
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>installation-parameters</key>
    <dict>
        <key>strictEnforcement</key>
        <string>1</string>
        <key>userDomain</key>
        <string>SomeValueHere</string>
        <key>cloudName</key>
        <string>zscaler</string>
        <key>hideAppUIOnLaunch</key>
        <string>0</string>
        <key>launchTray</key>
        <string>1</string>
        <key>policyToken</key>
        <string>SomeValueHere</string>
        <key>externalRedirect</key>
        <string>false</string>
    </dict>
</dict>
</plist>

  • Socket Filter

  • System Extension

  • Firewall configuration

Zscaler's documentation specifically says you need to modify this for your organization's needs, so I am just providing the example they give.

Preference Domain: com.zscaler.socket-filter
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>VendorConfig</key>
        <dict>
            <key>inbound</key>
            <dict>
                <key>untrustednet</key>
                <array>
                    <dict>
                        <key>ips</key>
                        <string>lanlocal</string>
                        <key>action</key>
                        <string>allow</string>
                    </dict>
                </array>
            </dict>
            <key>outbound</key>
            <dict>
                <key>untrustednet</key>
                <array>
                    <dict>
                        <key>ips</key>
                        <string>lanlocal</string>
                        <key>action</key>
                        <string>allow</string>
                    </dict>
                </array>
            </dict>
        </dict>
    </dict>
</plist>

  • Root Certificate

Zscaler will also need a root certificate to be deployed with JAMF.
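A pre-flight check for the two payloads above, added here as an example and not part of AJPinto's post or of Zscaler's tooling: it parses the installparams and socket-filter plists with Python's plistlib and flags leftover SomeValueHere placeholders, a cloudName outside zscaler/zscaler2/beta, strictEnforcement not set to 1, and socket-filter rules with no ips or an action other than allow/block. The required-key list and the allow/block action set are assumptions, not taken from Zscaler's documentation.

```python
import plistlib

# Cloud names the post says are valid; anything else is flagged.
KNOWN_CLOUDS = {"zscaler", "zscaler2", "beta"}
PLACEHOLDER = "SomeValueHere"
REQUIRED_INSTALL_KEYS = ("userDomain", "cloudName", "policyToken")
# Assumption: a socket-filter rule action is either allow or block.
RULE_ACTIONS = {"allow", "block"}


def lint_installparams(plist_bytes):
    """Findings for a com.zscaler.installparams payload (empty list = clean)."""
    params = plistlib.loads(plist_bytes).get("installation-parameters", {})
    findings = []
    for key in REQUIRED_INSTALL_KEYS:
        value = params.get(key)
        if value is None:
            findings.append(f"missing key: {key}")
        elif value == PLACEHOLDER:
            findings.append(f"placeholder left in {key}")
    if "cloudName" in params and params["cloudName"] not in KNOWN_CLOUDS:
        findings.append(f"unknown cloudName: {params['cloudName']!r}")
    if params.get("strictEnforcement") != "1":
        findings.append("strictEnforcement is not '1'")
    return findings


def lint_socket_filter(plist_bytes):
    """Findings for a com.zscaler.socket-filter payload (empty list = clean)."""
    vendor = plistlib.loads(plist_bytes).get("VendorConfig", {})
    findings = []
    for direction in ("inbound", "outbound"):
        rules = vendor.get(direction, {}).get("untrustednet", [])
        if not rules:
            findings.append(f"no untrustednet rules for {direction}")
        for i, rule in enumerate(rules):
            if "ips" not in rule:
                findings.append(f"{direction} rule {i} has no ips")
            if rule.get("action") not in RULE_ACTIONS:
                findings.append(f"{direction} rule {i}: bad action {rule.get('action')!r}")
    return findings


# Constructed sample: the post's installparams with the placeholders still in.
SAMPLE_INSTALL = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>installation-parameters</key><dict>
<key>strictEnforcement</key><string>1</string>
<key>userDomain</key><string>SomeValueHere</string>
<key>cloudName</key><string>zscaler</string>
<key>policyToken</key><string>SomeValueHere</string>
</dict></dict></plist>"""
```

Run lint_installparams(SAMPLE_INSTALL) and it reports both placeholders; feed it the bytes of the profile you are about to upload to Jamf and an empty list means the values have been filled in.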



Mafr
New Contributor

@AJPinto Thanks for this post.
We have also implemented Zscaler and it seems to work well for us. I am wondering where I can find the Zscaler documentation regarding Firewall Rules and Socket Filter. In our environment we haven't configured this, we only allowed incoming traffic for Zscaler.
Do you have the links to the firewall and socket filter samples?
Thanks in advance.



AJPinto
Honored Contributor

The firewall configuration (com.zscaler.socket-filter) is provided by Zscaler as a template; what we use is in the examples above. You will need to work with the Zscaler team to determine what keys you want to use and what they need to be set to based on your organization's needs.


Blocking/filtering all traffic works very poorly, especially if you want things like Apple (OS updates, MDM commands, etc.) and JAMF to work when Zscaler is not authenticated. The more heavy-handed the configuration, the more bypasses/exemptions will be needed. We are similar in requiring all traffic to flow through Zscaler; over the past 6 months I have had hundreds of hosts and ports exempted in the PAC file for things to actually work correctly.