Zscaler Mac Download
This guide will cover deployment of a Nanolog Streaming Service (NSS) VM within Azure. NSS can also be deployed on-premises using an OVA file, or in AWS.
If you’re planning to integrate with Microsoft Cloud App Security (MCAS) or Azure Sentinel, you’ll require a healthy NSS deployment, and it is highly recommended that you use Azure.
Why do I need to deploy a VM to stream logs to a SIEM? Can’t Zscaler just send logs to my SIEM directly?
Your logs are stored in Zscaler’s Nanolog clusters in a highly compressed and encoded format. The NSS VM connects to both the Nanolog cluster and the Zscaler control plane, grabs the logs, decodes them, and forwards them to your SIEM over a TCP connection. Think of NSS as a log gateway!
Be aware of potential charges
You can’t follow this guide without an Azure subscription. If you’re deploying as part of a demo or lab environment, be careful: This guide WILL rack up some charges for VM and storage resources in Azure.
If you’re using the Azure Free Account, you should have US$200 of credit to use as part of your free subscription and may be able to avoid charges.
Proceed at your own risk.
You’ll need a subscription to the NSS feature
Not all Zscaler subscriptions allow you to use NSS. In the ZIA Portal, navigate to the Administration tab. If you don’t see Nanolog Streaming Service listed as an option, then you are most likely not subscribed to the NSS feature and will need to chat to your account team.
- Log into the ZIA admin portal and navigate to Administration > Nanolog Streaming Service.
- Select Add NSS Server
- Give the server a name, select NSS for Web (or firewall, depending on your use case), set it to Enabled, then click Save. Activate your changes.
NSS VM System Requirements
CPU
2 vCPUs (one for the control plane, one for the data plane)
Memory
Depending upon whether this is a lab/demo or production deployment, memory requirements (and hence, the Azure instance type you deploy on) will be different. A production deployment depends on the number of users ZIA is/will be deployed to:
Scenario | Memory Required |
---|---|
Lab/Demo | 4GB |
<15,000 users | 8GB |
<40,000 users | 16GB |
<100,000 users | 32GB |
Note: If you are planning on integrating with Microsoft Cloud App Security (MCAS), you MUST deploy with at least 8GB of memory. Using 4GB for a Lab/Demo environment will not work.
You’ll need the following information handy to deploy NSS in Azure:
- Azure subscription (this can be the free tier - you’ll have access to US$200 credit with it which will help)
- Resource Group
- Virtual Network
- Storage Account with two containers/blobs
If you have some or all of these already, you can skip forward as needed.
1. Create an Azure Subscription
You need an Azure Subscription (even if it is part of the free tier) to continue. In the Azure Portal search bar (at the top of the page), search for “Subscriptions” and validate you have a valid subscription.
Ensure an existing subscription is present; click Add to create one if you need to.
Warning! You have the potential to rack up large charges if you aren’t careful! Proceed at your own risk!
2. Create a Resource Group
A Resource Group houses related resources and services for something deployed in Azure.
If you don’t have a usable Resource Group already, you’ll need to create one. In the Azure Portal search bar (at the top of the page), search for “Resource Groups”.
Click Add to create a new one. Associate it with your subscription, give it a name, and select your closest Azure region.
In the screenshot above, the Resource Group I’ll be using is called AzureLab, which is linked to the Pay-As-You-Go subscription in the Australia East region.
3. Create a Virtual Network
You’ll need (ideally) two Virtual Network (vNet) subnets to deploy NSS. In the Azure Portal search bar (at the top of the page), search for “Virtual networks”.
Click Add to create a new vNet (or select an existing one). If you’re creating a new one:
- Under the Basics tab, associate the new vNet with your subscription and resource group from above. Give it a name and ensure it’s created in the same region.
- Under the IP Addresses tab, the default 10.X.X.X/16 IPv4 address space should be fine. This gives you 65,536 addresses in the entire vNet (Azure reserves five per subnet), which is more than enough!
- There should already be a default subnet - a /24 range which will be a subset of the /16 address space above. Leave this as it is and create a new /24 subnet. One of these will be for the management interface of the NSS VM, the other for the service interface.
- When creating a new subnet, NAT Gateway, Security Group, Route table, and Services can all be left as None or their default values for now.
- Under the Security tab, leave DDoS protection and Firewall Disabled.
- When you are finished, click Review + create.
In the image below, I have a vNet called vNetLab which has a global 10.0.0.0/16 address space, with two subnets:
- default = 10.0.0.0/24
- mgmt = 10.0.1.0/24
4. Create a Storage Account
The Storage Account will house the VHD files for our NSS VM. In the Azure Portal search bar (at the top of the page), search for “Storage accounts”.
Click Add to create a new Storage Account.
Associate the Storage Account with your existing subscription and Resource Group. Provide it with a globally unique name. Ensure the location is the same as the one associated with your Resource Group.
For the cheapest option for a lab deployment, select the following:
- Performance = Standard
- Account kind = StorageV2 (general purpose v2)
- Replication = Locally-redundant storage (LRS)
- Access tier = Hot
Under the Networking tab, for a lab/demo deployment select Public endpoint (all networks): This will ensure you can immediately connect to the storage account. For a more secure deployment (i.e. production), prefer one of the other two options (selected networks, or a private endpoint) so that the account’s endpoints are not reachable from the whole internet.
Under the Data Protection tab, for a lab deployment, everything should be set to Disabled.
Under the Advanced tab, for a lab deployment, set everything as Disabled.
Click Review + create when you are done.
5. Create two Blob Containers
Open the Storage Account you just created, and in the left-side-menu, select Containers. Create two containers here: one will be used to copy the VHD files from Zscaler’s storage account, and the other will be used to deploy the NSS VM itself.
The two VHDs (the OS disk and the data disk) are 32GB and 500GB respectively. Zscaler makes these available on their Storage Account, which you can use to copy them across to your own to avoid transfer charges (not to mention the time of downloading & re-uploading that amount of data).
In this section, we will copy the two VHD images to the Storage Account and blob containers we created earlier, and then use these to initialize the NSS VM.
1. Download Azure Storage Explorer
You can also do this via PowerShell, but that is outside the scope of this guide.
Download link (all platforms): https://azure.microsoft.com/en-us/features/storage-explorer/
2. Sign in to your Azure Account
Open Azure Storage Explorer, click the “plug” icon in the sidebar, then select Add an Azure Account. Click Next and you will be redirected to sign in to Azure via Microsoft SSO. Sign in using your Azure admin credentials.
Once you have logged in, you should see your Azure subscription in the side panel.
3. Connect to the Zscaler Storage Account
Next, we need to connect to the Zscaler Storage Account to access the NSS VHDs.
Click the plug icon again in the sidebar (as you did above), but this time select Use a shared access signature (SAS) URI.
Stop! You will need a SAS URI token from Zscaler to proceed!
You need a SAS token to authenticate with the Zscaler Storage Account. To obtain one:
- If you are a Zscaler employee, click here to visit the Community forum and obtain a token directly.
- Otherwise, you will need to raise a support ticket requesting a SAS token for NSS deployment in Azure.
Once you have your SAS token, you can fill in the fields in Azure Storage Explorer as prompted:
- Display name = ZscalerNSS
- URI = This is region dependent (see the table below), and MUST contain the SAS token as a URL argument.
Region | URI |
---|---|
USA | https://zsprod.blob.core.windows.net/?[SAStoken] |
Europe | https://zsprodeu.blob.core.windows.net/?[SAStoken] |
Australia | https://zsprodau.blob.core.windows.net/?[SAStoken] |
For example, for deploying in Australia, my full URI would look like:
Pay close attention to the format above as it is important. If you have an issue with Azure Storage Explorer not accepting the URI, check the formatting. Do not use any of the URLs provided to you ending in .vhd.
Click Next when done, followed by Connect.
4. Error: Unable to get local issuer certificate
If you receive this error, it is most likely because your connection is being SSL inspected, and Azure Storage Explorer does not like this: it validates the storage endpoint’s certificate chain, and a certificate issued by your inspection root fails that check. You will need to add an SSL inspection bypass for .blob.core.windows.net to resolve the issue.
For ZIA, navigate to Policy > SSL Inspection in the ZIA admin portal. Add .blob.core.windows.net to the list of URLs to bypass from SSL Inspection. Save and activate your changes.
Wait a moment, then right-click on the storage account and click Refresh. If you just try and load the storage account again, you’ll continuously get the same error as it is cached.
The error should be resolved.
5. Copy the VHD files
In the side panel of Azure Storage Explorer, expand the Zscaler NSS Storage (SAS) storage account, and select the nss blob container.
Select both of the VHD images listed and click Copy.
Next, under the Azure subscription you connected to earlier, expand the storage account you created earlier and select the blob container you created to store a copy of the VHD files. Click Paste and the files will begin to transfer. This is a 532GB file transfer so it may take a minute or two.
Note: You’re now consuming storage on Azure and there is a charge associated with this. Every region is different, but using the settings I selected above, my cost was estimated to be approx US$11 per month for a single blob container. This is just for storage. Using a 2nd blob container for the VM itself PLUS VM charges will get expensive quickly; particularly for a home lab deployment. You may wish to reconsider running this in a lab environment long-term.
6. Verify the Transfer & Copy URLs
In the Azure Portal, go to your storage account and look at the blob container you transferred the VHD files to. You’ll see them listed there.
Click on each file and copy the URL listed - we’ll need these later to deploy the NSS VM.
We need to use PowerShell to deploy the NSS VM via a script.
- If you’re on a Windows device, you should have PowerShell already installed.
- If you are on macOS, you’ll need to install PowerShell via Homebrew.
1. Install PowerShell on macOS
- Install Homebrew if you haven’t already. Open Terminal:
- Install PowerShell:
- Invoke PowerShell:
- You should now be on the PowerShell prompt:
2. Install & Import the Azure Modules
These modules let us perform tasks on Azure via PowerShell:
3. Connect to your Azure account
You’ll need to sign-in and authenticate using your Azure admin credentials:
Go to https://microsoft.com/devicelogin and enter the code provided.
Return to PowerShell and press Enter/Return. After a few moments your subscriptions will appear.
4. List all VM sizes for your Azure region
We need to grab the name of the Azure instance type we’ll be deploying the NSS VM on.
You can use the Azure Pricing Calculator to determine which instance type is best (and how much it will cost you). Be sure to select your region for accurate availability and pricing. Not every instance type is available in every region.
You’ll need an instance with 2 vCPUs and either:
- 4GB memory (lab deployment)
- 8GB memory (MCAS or typical production deployment)
- 16GB memory (15K-40K users - large enterprise)
- 32GB memory (40K-100K users - huge enterprise)
If you’re not sure, just find something with 8GB of memory + 2 vCPUs.
Next, list all of the VM sizes for your selected region in PowerShell:
NB: The table above has been trimmed to fit.
Locate your desired instance, and copy down the name as it’s printed in the terminal window. We’ll need this for our PowerShell script which will deploy the NSS VM.
In my case, I’ll be using Standard_A4_v2, which has 4 vCPUs and 8GB memory (more CPU than NSS needs, but it meets the 8GB requirement).
Be very careful! VM instances become expensive over a whole month! If left on for 30 days, the Standard_A4_v2 instance type would cost ~US$153! Proceed at your own risk!
5. Enable Compatibility Mode for AzureRM
The current Zscaler deployment script uses the old AzureRM modules, which have been deprecated. We need to enable compatibility for them:
If you get an error similar to:
You’ll need to create the powershell directory under /Users/<YourUsername>/.config/:
6. (Windows) Enable Unsigned Scripts
Allow powershell to run unsigned scripts (not needed/supported on macOS):
7. Create the Deployment Config File
Copy the following into a file called conf_file.txt and replace with your data:
A description of each of these fields is below:
Field | Description |
---|---|
name | The name to be assigned to the NSS VM when deployed |
location | The Azure region to deploy the VM to. This should be in lowercase with no spaces. |
rgname | The name of the Resource Group to be used for VM deployment. |
createrg | y or n depending if you want the above RG to be created or not. Set it to n as it should exist already. |
storename | The name of the Storage Account to use. |
createstorage | y or n depending if you want the above Storage Account to be created or not. Set it to n as it should exist already. |
vnetrg | The resource group that the vNet for the VM exists in. Will probably be the same as rgname above. |
vnetname | The Azure vNet to which the VM should be attached. |
vnetprefix | The IPv4 address space assigned to the vNet in CIDR form. This will probably be the 10.X.X.X/16 range. |
mgmtsubnetname | The name of the subnet you created within the vNet for the NSS management interface. |
mgmtsubnetprefix | The subnet address prefix (in CIDR) of the subnet you created within the vNet for the NSS management interface. Could be 10.X.Y.X/24. |
svcsubnetname | The name of the subnet you created within the vNet for the NSS service interface. |
svcsubnetprefix | The subnet address prefix (in CIDR) of the subnet you created within the vNet for the NSS service interface. Could be 10.X.Z.X/24. |
niccount | The number of NICs to assign to the VM. This should be set to 2 for NSS. |
mgmtdyn | Set this to n |
vmsize | The name of the Instance type/size to deploy the VM to (obtained above). Eg: Standard_A4_v2 |
dstStorageURI | The URI for your storage account, with no trailing /. This is typically in the format https://<storename>.blob.core.windows.net |
dstContainer | Name of the destination blob container within your storage account in which to create the VM disks. You would have created this in Part 2, Step 5. |
srcOsURI | The URI of the OS Disk .vhd file from your storage account that you copied in Part 3, Step 6. |
srcDataURI | The URI of the Data Disk .vhd file from your storage account that you copied in Part 3, Step 6. |
8. Download the Deployment Script
Download the NSS deployment script here:
Save the file as deployment_script.ps1 in the same folder as the conf_file.txt configuration file.
9. Run the Deployment Script
From the PowerShell prompt, run the deployment script. You may be prompted to sign in again:
When prompted, select the subscription to use, and (optionally) whether or not to use Public IP addresses for the two NICs. If this is a lab environment and you want to be able to SSH to the NSS VM immediately after deployment, you might want to select y here. A public IP puts the VM’s SSH port on the internet, so if you do this, lock it down with a security group (step 11 below) rather than leaving it open.
10. Verify the VM has been deployed
Check whether the NSS VM has been deployed in the Azure Portal. In the search bar at the top of the portal, search for “Virtual Machines”. Validate that your new NSS VM is present and running.
11. (Optional) Update Security Groups
If you chose to assign public IP addresses to your NSS VM during deployment, you may wish to lock this down with some rules to prevent anyone from being able to hit your VM.
As a start, you should only allow outbound connections to Zscaler’s required IP ranges. You can find these at the following URLs (depending on your Zscaler cloud):
You may also want to restrict inbound connections to TCP port 22 from your own source IP only.
Apart from SSH management, NSS only requires outbound connections to the Zscaler cloud and to your SIEM/destination. No inbound connectivity is required.
To create a security group, search for “Network security groups” in the Azure Portal. Click Add to create a new one.
You’ll need to then edit the security group, and apply it to the respective network interfaces created under the vNet in use by the VM.
For more information, see the Microsoft documentation, here.
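As an added example (not from the original post, which does this in the portal), here is the same lockdown expressed with the Azure CLI so it can be reviewed and repeated. ADMIN_IP, SIEM_IP, SIEM_PORT, the NIC names and the Zscaler ranges are placeholders: take the real ranges from the Zscaler URL for your cloud, and treat the ZS_PORTS values as an assumption to confirm against the NSS network requirements. By default the script only prints the commands (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example, not from the original post: build the NSG for the NSS VM with
# the Azure CLI. Every value below is a placeholder to replace. ZS_RANGES uses
# documentation addresses, NOT Zscaler's; take the current list from the
# Zscaler IP-range page for your cloud. ZS_PORTS assumes TCP 443 (control
# plane) and 9422 (Nanolog); confirm against the NSS network requirements.
# Safety default: DRY_RUN=1 only prints the az commands; DRY_RUN=0 applies them.
set -f                                   # no globbing: '*' must reach az literally
DRY_RUN="${DRY_RUN:-1}"

RG="AzureLab"                            # resource group from the guide
LOCATION="australiaeast"
NSG="nss-nsg"
ADMIN_IP="198.51.100.7"                  # your management source IP (placeholder)
SIEM_IP="10.0.2.10"                      # SIEM collector (placeholder)
SIEM_PORT="514"
ZS_RANGES="203.0.113.0/24 203.0.114.0/24"  # placeholder, see lead-in
ZS_PORTS="443 9422"                      # assumption, see lead-in
NICS="nss01_nic_0 nss01_nic_1"           # <VMname>_nic_0/_nic_1 as the deployment script names them

run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# rule NAME PRIORITY DIRECTION ACCESS PROTOCOL SOURCES DESTINATIONS PORTS
# ($6-$8 are intentionally unquoted so a space-separated list becomes several values)
rule() {
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n "$1" --priority "$2" \
    --direction "$3" --access "$4" --protocol "$5" \
    --source-address-prefixes $6 --destination-address-prefixes $7 --destination-port-ranges $8
}

apply_nss_nsg() {
  run az network nsg create -g "$RG" -n "$NSG" -l "$LOCATION"
  # Inbound: SSH from the admin IP only, then deny everything else. The explicit
  # deny at 4000 also overrides Azure's default AllowVnetInBound (65000), which
  # NSS does not need since it initiates every session itself.
  rule AllowSSHFromAdmin    100  Inbound  Allow Tcp "$ADMIN_IP/32" '*' 22
  rule DenyAllInbound       4000 Inbound  Deny  '*' '*' '*' '*'
  # Outbound: the SIEM feed and the Zscaler cloud, then block everything else
  # bound for the Internet. The VirtualNetwork tag (which covers Azure's own
  # DNS/platform address 168.63.129.16) stays allowed by the default rules.
  rule AllowSIEM            100  Outbound Allow Tcp '*' "$SIEM_IP/32" "$SIEM_PORT"
  rule AllowZscalerCloud    110  Outbound Allow Tcp '*' "$ZS_RANGES" "$ZS_PORTS"
  rule DenyInternetOutbound 4000 Outbound Deny  '*' '*' Internet '*'
  # NSGs are stateful: replies to these outbound sessions need no inbound rule.
  for nic in $NICS; do
    run az network nic update -g "$RG" -n "$nic" --network-security-group "$NSG"
  done
}

apply_nss_nsg
```

Run it with DRY_RUN=0 once the placeholders are filled in. Afterwards, confirm from the VM that name resolution still works and that nss update-now can still reach Zscaler; if the VM uses public DNS or NTP servers, add outbound allow rules for those at a priority below 4000 before the deny.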
Now that the NSS VM has been deployed, we need to configure it and associate it with our ZIA instance.
1. Connect to the VM
First, locate the IP address in use for the management interface. Under Virtual Machines in the Azure Portal, select the NSS VM, and on the Overview page, note either the Public or Private IP address assigned (under the Networking heading).
2. Review the initial NSS config
Review the NSS initial config to check whether the service interface has been configured correctly:
If the smnet_dev and Default gateway for Service IP fields are blank, check the Networking menu of the NSS VM you deployed in Azure:
Note down the private IP of the 2nd network interface (<VMname>_nic_1), then run the nss configure command to set the service interface IPs:
When prompted, enter the IP address in CIDR format for the service interface (see above for formatting), and the IP address of the gateway for the service interface (if you use a /24 subnet, this will be the .1 IP address)
3. Download the SSL Certificate Package
Download the SSL Certificate package for your NSS VM from the ZIA portal under Administration > Nanolog Streaming Service.
WARNING: This package is different for each NSS VM you have listed. Sharing the same certificate between NSS deployments will cause connection flapping.
Copy this package to the NSS VM:
Install the certificate package on the NSS VM:
Check the configuration:
If the SSL package was installed correctly, you will see your cloud name referenced in the configuration (eg: zscaler.net).
4. Update the NSS Service
The NSS service on the fresh VM is probably out-of-date. To update it, run the nss update-now command:
Updating may take some time…
You can check the current version with nss checkversion:
5. Start the NSS Service
To start the NSS service, run nss start:
This will NOT start NSS on boot by default. You should enable autostart:
6. Verify Connectivity
To check active connections from NSS, run the following command:
NSS only requires outbound connectivity to the Zscaler Cloud and your SIEM/destination. No inbound connectivity is necessary (unless you’ve enabled SSH).
A healthy NSS instance will have two TCP connections in the ESTABLISHED state:
If you only see one connection, wait a few minutes and check again. If neither connection is in the ESTABLISHED state, or you are still missing a connection, check your firewall and ensure you have reachability to the Zscaler infrastructure. You can check the network requirements for NSS using the links below (select the link corresponding to the Zscaler cloud you have been provisioned on):
Return to the ZIA portal, and under Administration > Nanolog Streaming Service, the NSS instance you just deployed should now read as Healthy:
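The following is an added example, not part of the original post: a shell check that encodes the rule above (two ESTABLISHED connections to Zscaler) so it can be run against netstat-style output on the NSS VM or from a monitoring job. It assumes TCP 443 for the control plane and TCP 9422 for the Nanolog cluster (confirm against the network requirements for your cloud) and TCP 514 for the SIEM; the sample output is constructed and uses documentation addresses, not real Zscaler IPs.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: apply the "two ESTABLISHED
# connections to Zscaler" health rule to netstat-style output. Assumptions:
# control plane on TCP 443, Nanolog on TCP 9422 (adjust ZS_PORTS to the port
# list for your cloud); SIEM on TCP 514.
ZS_PORTS="443 9422"

# Constructed sample (documentation addresses, not Zscaler's): both Zscaler
# sessions are up, but the syslog feed to the SIEM is stuck in SYN_SENT, which
# is what a firewall or NSG silently dropping the outbound stream looks like.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.1.4:51234          203.0.113.10:9422       ESTABLISHED
tcp        0      0 10.0.1.4:51240          203.0.113.11:443        ESTABLISHED
tcp        0      0 10.0.1.4:51300          10.0.2.10:514           SYN_SENT
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# Emit "REMOTE_PORT STATE" for every TCP line on stdin; the header and any
# non-TCP lines are skipped. Works for Linux and BSD netstat column layouts.
tcp_remote_ports() {
  while read -r proto _ _ _ foreign state _; do
    case "$proto" in tcp*) ;; *) continue ;; esac
    printf '%s %s\n' "${foreign##*:}" "$state"
  done
}

# Print the number of ESTABLISHED sessions whose remote port is in ZS_PORTS.
count_zscaler_established() {
  tcp_remote_ports | {
    n=0
    while read -r port state; do
      [ "$state" = "ESTABLISHED" ] || continue
      for p in $ZS_PORTS; do
        if [ "$port" = "$p" ]; then n=$((n + 1)); fi
      done
    done
    echo "$n"
  }
}

# Exit 0 when both Zscaler sessions (Nanolog + control plane) are ESTABLISHED.
nss_is_healthy() {
  n=$(count_zscaler_established)
  [ "$n" -ge 2 ]
}

# Exit 0 when an ESTABLISHED session to the given remote port (the SIEM) exists.
siem_established() {
  tcp_remote_ports | grep -q "^$1 ESTABLISHED\$"
}

# On the NSS VM, replace the sample with the real netstat output.
printf '%s\n' "$SAMPLE_NETSTAT" | nss_is_healthy \
  && echo "NSS: both Zscaler connections ESTABLISHED" \
  || echo "NSS: not yet healthy, check reachability to the Zscaler ranges"
printf '%s\n' "$SAMPLE_NETSTAT" | siem_established 514 \
  && echo "SIEM feed: connected" \
  || echo "SIEM feed: not ESTABLISHED, check the NSG/firewall path to the SIEM"
```

The two checks are deliberately separate: NSS reports Healthy in the portal as soon as the Zscaler side is up, so a feed that never reaches the SIEM is only visible from the VM or your SIEM, and this script is one way to catch it.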
NSS Feeds configured in the ZIA portal explicitly tell your NSS VM instance what data to stream, where to stream it, and in what format it is required.
Each NSS VM can be configured with up to 8 data feeds.
1. Configure an NSS Feed
To configure an NSS Feed, go to Administration > Nanolog Streaming Service, then select the NSS Feeds tab. Click Add NSS Feed.
Fill in the following data when prompted:
Field | Description |
---|---|
Name | The name of the NSS Feed |
NSS Server | Which NSS VM is responsible for streaming this feed. |
SIEM Destination Type | Select whether to use an IP or FQDN (domain) to specify the destination SIEM you would like to stream data to. |
SIEM TCP Port | The destination TCP port the SIEM expects to receive data on. |
Log Type | Typically you will want to select Web, but alerts can be streamed in RFC compliant Syslog as well. |
Feed Output Type | The format (as shown in the window) that the logs will be streamed to the SIEM in (see the note below) |
Filters | By default, the NSS feed will stream EVERYTHING. You can filter down the data stream to only specific data that you care about using the tabs at the bottom of the configuration window. |
Click Save when you are done and activate your changes.
Note that Zscaler has formal partnerships with several SIEM vendors, and in many cases has co-written deployment guides for them. If you don’t see your SIEM listed in the Feed Output Type, check whether the vendor already has an article on Zscaler integration. Failing that, odds are they can ingest one of the existing formats, like QRadar LEEF or ArcSight CEF.
Zscaler documentation covers how to configure feeds for a variety of features:
2. Configuring MCAS
If you’re looking to integrate with Microsoft Cloud App Security (MCAS), I’ve written a detailed guide here.
You should now have a healthy NSS deployment in Azure.
If you deployed this for lab or demo purposes, make sure you don’t forget about the running NSS VM! Ensure you stop and de-allocate resources after you’re done so you don’t continue to be charged.
The thoughts and opinions in this post are my own and do not necessarily reflect those of Zscaler.
In this guide, we’ll walk through how to configure Microsoft Intune from scratch and use it to deploy the Zscaler Client Connector agent (ZCC) - formerly known as Zscaler App.
Due to length, I’ve split this into two posts (the original was over 8000 words):
- This post covers deployment on Windows and macOS.
- The other post, available here, covers iOS and Android.
I suggest you use the Table of Contents to jump to the section that you need.
According to Microsoft:
Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
With Intune, you can:
- Set rules and configure settings on personal and organization-owned devices to access data and networks.
- Deploy and authenticate apps on devices – on-premises and mobile.
- Be sure devices and apps are compliant with your security requirements.
In order to access Intune, you need to have either a Microsoft 365 or Enterprise Mobility + Security (EMS) E3/E5 subscription. If you’re using a free Azure account, you’ll need to sign up for a trial, or pay per user (which can get costly).
Scott Bullock of Zscaler (@scottyb) has posted a great 10 minute video in their community forum that runs through the user experience of enrolling a fresh Windows 10 device into Intune. ZCC is automatically pushed out and transparently authenticated for both ZIA and ZPA.
When adding an app to Intune, you’ll be prompted to allocate the groups of users (or devices) that the app will be rolled out to. Hence before beginning, ensure you have the users of Zscaler inside of an AD or Azure AD group that you can assign the Zscaler Client Connector app to.
Depending on whether you want the ZCC app to be mandatory or optional for certain groups of users, you may want to divide your users into two groups:
- The users to which the app is MANDATORY. Any user in this group will have the app automatically pushed out to them.
- The users to which the app is OPTIONAL. The app will not be automatically pushed for users in this group, allowing them to go to the Company Portal and download it themselves if they choose.
In my examples below, I have 3 groups:
Group | Description |
---|---|
ZIA_Entitlement | This is the group of all users that are entitled to use Zscaler Internet Access (ZIA) |
ZPA_Entitlement | This is the group of all users that are entitled to use Zscaler Private Access (ZPA). In my case, this is a subset of users from the ZIA_Entitlement group as I might not want to roll ZPA out to every user in the organization. |
Zscaler - Mandatory | This group contains every user in the organization to which the ZCC app will be automatically rolled out. Ie: The majority of users from the above two groups. If this is your organization, you might include the whole org in this group, except select users (eg: some from IT) for which the app will be optional. |
We’ll be using the Microsoft Endpoint Manager console (MEM) to orchestrate Intune. You can log in using the same Azure Portal credentials here: https://endpoint.microsoft.com
(Optional) Setting the MDM Authority
If you’re using an existing Office 365 account and have been using the Office 365 MDM, you’ll need to change the MDM authority from Office 365 to Intune. This Microsoft help article will guide you through it.
This section will cover deploying ZCC onto Windows using Intune.
1. Download the Zscaler Client Connector MSI
To start you’ll need the .MSI installer for ZCC from the Zscaler Client Connector Portal. Log into the portal (either through ZIA or ZPA) and navigate to Administration > Zscaler Client Connector Store.
In the Windows panel, download the MSI for the latest 2.X.X version. Do not use the older 1.X.X releases.
2. Add a new Line-of-Business App
Add a new Line of Business (LoB) App
Back in the Apps menu of the MEM portal, navigate to Apps > All Apps > Add. In the panel that appears, scroll to the bottom and under the Other heading, select Line-of-business app.
When prompted to select an app package file, upload the MSI of the Zscaler Client Connector you downloaded above and click OK.
Customize the App Details
Fill in the required details about the app:
Field | Content |
---|---|
Name | Enter Zscaler Client Connector 2.X.X.X (where 2.X.X.X is the version number of the app - this will help you distinguish what version is being distributed by Intune) |
Description | Enter Zscaler Client Connector |
Publisher | Enter Zscaler, Inc |
Ignore app version | Set to Yes. ZCC will automatically update itself once deployed, so Intune can safely ignore the version the user has installed after deployment. |
Category | (Optional) Select an app category to allocate the Zscaler Client Connector to. |
Command-line arguments | See below. |
For the Command-line arguments section, enter the following (substituting in your own cloud and domain info):
Important!
- When entering the cloud name, DO NOT enter the .net at the end. Eg: zscalertwo.net should be entered as zscalertwo
- All command-line arguments should be on a single line with a space separating them. Do not linebreak each argument or they will fail.
Command-line arguments can be used for each platform to customize the install. For example, STRICTENFORCEMENT can be used to block access to the internet until your users enroll in the Zscaler Client Connector.
For a list and description of all the MSI customization options, scroll down to point #5 in this help article.
Click Next when ready to move onto the Assignments tab.
Assign Users to the App
There are two different sections you can allocate users or groups to depending on how you want the app rolled out to users:
- Required = The app is MANDATORY for these users/groups. Any user or group in this section will have the App automatically pushed out to them.
- Available for enrolled devices = The app is OPTIONAL for these users/groups. The app will not be automatically pushed and the users can go to download the app themselves from within the Company Portal.
Assign your users or groups to the ZCC app accordingly.
Click Next to continue and then Create on the following screen. Your Line-of-Business application will be created and the MSI will upload - be sure to wait until it’s complete.
Done!
This section will cover deploying ZCC onto macOS using Intune.
macOS requires a little bit more effort to get going than Windows does. We will need to do the following on a local macOS machine:
- Download the Zscaler Client Connector installer for macOS (this is a .app file)
- Create a post-installation script (to customize the install of ZCC with our chosen arguments)
- Convert the .app file and script to .pkg (Intune can only work with pkg files on macOS)
- Wrap the .pkg file using the Intune App Wrapping Tool (creates an .intunemac file)
If you’re using macOS Catalina 10.15 or higher, you MUST use ZCC v2.1.X or above. Catalina introduced the requirement that apps are notarized by their developers. Only ZCC releases v2.1 and above are notarized by Zscaler.
Do I need an Apple Developer Account?
An Apple Developer Account is recommended.
You can proceed and deploy the agent without an Apple Developer account, however you will not be able to sign and notarize the .pkg file created below without a valid Developer ID. This will result in your users receiving an error about the software coming from an ‘Unidentified Developer’, and depending on security settings, the device may block the install altogether.
If you enroll in the Apple Developer program (US$99), you can sign and notarize your package which will make this error go away. If you’re an organization running a macOS deployment, you will most likely have a developer account for the company already.
But shouldn’t Zscaler have already signed the app I’m deploying?
Yes, Zscaler HAS both signed and notarized the .app package that will be installed. The problem with Intune is that it can only deploy .pkg files to macOS; NOT .app files. We need to wrap our .app file inside a .pkg file for it to work with Intune, and it is this pkg file that needs to be signed and notarized as well.
Obtaining Developer ID Certificates
To sign and notarize the .pkg, you will need both the Developer ID Installer and Developer ID Application certificates. You can create these under the Certificates, Identifiers & Profiles section of your developer account, but will need a Certificate Signing Request (CSR) to do so: Apple have a brief guide on how to generate one using Keychain, here.
Download the certificates when you have them and click to open the .cer files in Keychain. Add them to the login keychain.
You can check the certificates have been installed correctly by running the following command:
If you have the Developer ID Installer and Developer ID Application certificates, you’re good to proceed.
1. Download the Zscaler Client Connector .app
To start, you’ll need the .app installer for ZCC from the Zscaler Client Connector Portal.
Log into the portal (either through ZIA or ZPA) and navigate to Administration > Zscaler Client Connector Store.
In the macOS panel, click the download link for the latest 2.X.X version. Do not use the older 1.X.X releases.
Unzip the file downloaded to obtain the .app installer.
2. Create the post-installation script
Intune will push out and install the `.pkg` file, which is just our `.app` file wrapped up as a `.pkg` for the purposes of Intune deployment.
The problem, however, is that when Intune deploys the `.pkg`, it just saves the wrapped `.app` to the user’s device without doing anything else. We need a way to run and install the `.app` after Intune has deployed the `.pkg`, PLUS a way to include arguments to customize the install. A post-installation script will do all of this for us.
To start, on a macOS device open Terminal:
Create a folder called `scripts`. Inside this folder, create a file called `postinstall`.
Note down the full path to the `scripts` directory; we’ll need this later.
Open the postinstall file for editing:
Copy and paste the following into the Terminal window (modify the arguments as required):
To exit Nano, press Control + X and then Y to save.
This will do a silent installation of the Zscaler Client Connector (unattended mode) and automatically redirect the user to your company SSO page to sign in.
Important! When entering the cloud name (`--cloudName`), DO NOT enter the .net at the end. E.g. zscalertwo.net should be entered as zscalertwo.
Command-line arguments can be used for each platform to customize the install. For example, `--strictEnforcement 1` can be used to block access to the internet until your users enroll in the Zscaler Client Connector.
For a list and description of all the .app customization options, scroll down to point #4 in this help article.
As an example, the script for my installation looks like the following:
Lastly, we need to make the script executable. Run the following in Terminal:
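As an added example, here is a postinstall script of my own design rather than the one from the original post. It assumes the `.app` bundle name and the `installbuilder.sh` entry point with `--mode unattended` / `--unattendedmodeui none` (Zscaler’s documented unattended-install interface), guards against the `.net` mistake called out above, and fails the package install if the wrapped `.app` is not where `--install-location` put it.

```shell
#!/bin/sh
# Added example postinstall script (not the one from the original post).
# The Installer runs it after unpacking the wrapped .app to --install-location
# and passes that location as $2. APP_NAME and the installbuilder.sh path are
# assumptions; adjust them to match the .app you downloaded.
set -eu

CLOUD_NAME="zscalertwo"                        # tenant cloud name, WITHOUT .net
APP_NAME="Zscaler-osx-2.X.X.XX-installer.app"  # placeholder: your .app bundle
INSTALL_DIR="${2:-/tmp}"                       # must match pkgbuild --install-location

# --cloudName must not carry ".net"; strip it defensively and lowercase so a
# pasted "ZscalerTwo.net" still yields "zscalertwo".
normalize_cloud_name() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.net$//'
}

# Locate the installer entry point inside the unpacked .app; non-zero if absent.
find_installer() {
    candidate="$1/$APP_NAME/Contents/MacOS/installbuilder.sh"
    [ -f "$candidate" ] && printf '%s' "$candidate"
}

main() {
    installer=$(find_installer "$INSTALL_DIR") || {
        # A non-zero exit fails the .pkg install, so Intune reports a failed
        # deployment instead of recording a successful but empty one.
        echo "postinstall: installbuilder.sh not found under $INSTALL_DIR" >&2
        exit 1
    }
    cloud=$(normalize_cloud_name "$CLOUD_NAME")
    [ "$cloud" = "$CLOUD_NAME" ] || echo "postinstall: cloudName normalized to $cloud" >&2
    # Silent install. --strictEnforcement 1 blocks internet access until the
    # user enrolls; drop it if you do not want that behaviour.
    sh "$installer" --mode unattended --unattendedmodeui none \
        --cloudName "$cloud" --strictEnforcement 1
    rm -rf "$INSTALL_DIR/$APP_NAME"   # remove the unpacked installer from /tmp
}

# The Installer always passes at least the package path and target location;
# with fewer arguments (e.g. when sourced for testing) nothing is run.
if [ $# -ge 2 ]; then main "$@"; fi
```

Save it as `scripts/postinstall` and make it executable with `chmod +x scripts/postinstall`.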
3. Create the PKG file
Intune only supports `.pkg` files for macOS. A `.pkg` file is analogous to an MSI for Windows. All we are essentially doing is wrapping the .app file inside a .pkg file so that it can be deployed by Intune.
We’ll be using the built-in `pkgbuild` tool to do this. Open Terminal and run the following command (change the file paths before running):
Field | Description |
---|---|
--install-location | This should point to the tmp folder, or somewhere writeable on the user machine. The .pkg will unpack itself here, then run the .app installer, which will install ZCC to the /Applications directory as required. If you change this from /tmp, you’ll need to update the postinstall script as well. |
--scripts | This should be the path to the scripts folder you created in the step above. |
--component | This file path should point to the Zscaler Client Connector .app file you downloaded in Step #1. |
--identifier | Specify a unique identifier for this package. It is advisable to set a meaningful, consistent identifier, e.g. com.zscaler.zscalerclientconnector |
--version | This has no relationship to the actual Zscaler Client Connector version. This is only used by Intune. If you ever deploy another pkg via Intune for a different version of ZCC, you’ll need to increment this (e.g. Version 1.1) so that Intune can tell the pkg files apart. Note that ZCC has its own update mechanism, so you don’t need to worry about using Intune to push out updates to the Zscaler Client Connector software. |
--sign | If you don’t want your users to receive an error that your package is from an ‘Unidentified Developer’ (which will prevent installation entirely), you will need to sign the package using a valid Apple Developer ID. To do this, you will need to enroll in the Apple Developer program (US$99). If you are an organization, you have probably already done this. Make sure you correctly substitute MY-DEV-NAME with your correct Developer name / org name. If you don’t care about the ‘Unidentified Developer’ error, you can remove the --sign argument. |
The last file path listed points to the location where you want to save the output pkg file.
If you’re signing the package and are not sure about your team / developer / org certificate name, you can check this under the Certificates, Identifiers & Profiles section of your Apple Developer account, here.
As an example, my completed `pkgbuild` command is below:
If you signed your package, you can validate the signatures using `pkgutil`:
For example:
4. Notarize the PKG
You only need to do this step if you signed the `.pkg` file in the previous step. Otherwise you can skip to the next step.
What is notarization? According to Apple:
Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.
Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15 [Catalina], all software built after June 1, 2019, and distributed with Developer ID must be notarized.
Create an App Specific Password
We’re going to notarize the `.pkg` file via the command-line. To do this, you’ll need to generate an App Specific Password for the Apple ID of your Developer Account:
How to generate an app-specific password
- Sign in to your Apple ID account page.
- In the Security section, click Generate Password below App-Specific Passwords.
- Follow the steps on your screen.
Next, open Keychain and click the “+” icon to add a new Keychain Item.
- For Keychain Item Name, enter `notarization-tool`
- For Account Name, enter the email associated with your Developer Account / Apple ID.
- For Password, copy and paste the app-specific password from your Apple ID account.
Request Notarization
To request notarization from Apple, run the following command (replacing the values with your own):
Field | Value |
---|---|
username | The Apple ID username associated with your Apple Developer Account |
password | Enter @keychain: followed by the name of the Keychain Item which you saved your app-specific password to. This will fetch the password from the keychain. |
asc-provider | This is the Team ID from your Developer Account. You can find this by logging into your Developer Account and reviewing your profile. |
primary-bundle-id | This should match the identifier you specified when you created the pkg. |
file | The path to the .pkg file |
For example:
If you receive an error that the tool is not on your machine, ensure you have Xcode and Xcode Command-line Tools installed.
The command will take a while to run as it is uploading your `.pkg` file to Apple. Once done, it will return a UUID which you can use to check the status of your notarization request:
Once the process is complete (mine took under 10 minutes), you’ll receive a confirmation email as to whether your request was successful or not.
Staple the Notarization Ticket
The last step is to staple the notarization ticket to the `.pkg` file. This ensures that a Mac device that is offline can still validate that the `.pkg` file is notarized:
Note: If your command fails, wait a few minutes and try again. If your command continuously fails, and your traffic is going through ZIA or another proxy, you may need to bypass `api.apple-cloudkit.com` from SSL inspection due to certificate pinning.
Validate the staple action was successful:
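Steps 3 and 4 together, as an added example rather than the post’s own commands: the script builds and signs the package, submits it with the `altool` interface used above, polls `--notarization-info` until the ticket exists (so the staple step is never attempted too early, which is the failure described in the note), then staples and validates. All names, paths and the `@keychain:notarization-tool` item are placeholders or assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: build, sign, notarize, poll and staple in one run. Not the
# post's own commands; assumes the altool interface the post uses
# (xcrun altool --notarize-app / --notarization-info) and the keychain item
# "notarization-tool" created above. All names below are placeholders.
set -eu

APP="./Zscaler-osx-2.X.X.XX-installer.app"            # downloaded .app
PKG="./ZscalerClientConnector.pkg"                    # output package
IDENT="com.zscaler.zscalerclientconnector"
SIGN="Developer ID Installer: MY-DEV-NAME (TEAMID)"   # string from find-identity
APPLE_ID="developer@example.com"; TEAM_ID="TEAMID"    # placeholders
PW="@keychain:notarization-tool"                      # altool reads the keychain

# Parse "RequestUUID = <uuid>" out of altool --notarize-app output (stdin).
request_uuid() { sed -n 's/^ *RequestUUID *= *//p' | head -n 1; }
# Parse the "Status:" line of --notarization-info output: in progress, success
# or invalid. "Status Code:" and "Status Message:" lines do not match.
notarize_status() { sed -n 's/^ *Status: *//p' | head -n 1; }

build_and_sign() {
    pkgbuild --install-location /tmp --scripts ./scripts --component "$APP" \
        --identifier "$IDENT" --version 1.0 --sign "$SIGN" "$PKG"
    pkgutil --check-signature "$PKG"   # prints the Developer ID chain
}

# Poll instead of waiting for the e-mail; never staple until "success".
wait_for_notarization() {            # $1 = RequestUUID
    while :; do
        status=$(xcrun altool --notarization-info "$1" --username "$APPLE_ID" \
            --password "$PW" | notarize_status)
        case "$status" in
            success)          return 0 ;;
            "in progress"|"") sleep 30 ;;
            *) echo "notarization failed: $status" >&2; return 1 ;;
        esac
    done
}

main() {
    build_and_sign
    uuid=$(xcrun altool --notarize-app --primary-bundle-id "$IDENT" \
        --username "$APPLE_ID" --password "$PW" --asc-provider "$TEAM_ID" \
        --file "$PKG" | request_uuid)
    [ -n "$uuid" ] || { echo "altool returned no RequestUUID" >&2; exit 1; }
    wait_for_notarization "$uuid"
    xcrun stapler staple "$PKG"
    xcrun stapler validate "$PKG"
    spctl --assess -vv --type install "$PKG"   # Gatekeeper's own verdict
}
if [ "${1:-}" = "run" ]; then main; fi
```

Run it with `sh build-pkg.sh run` from the directory containing `scripts/` and the `.app`; the final `spctl` line reports `accepted` with `source=Notarized Developer ID` when everything worked.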
5. Test the PKG
Before going further, test your PKG file by running it and seeing if it successfully installs the Zscaler Client Connector silently. Make sure, however, that you don’t already have ZCC installed when doing this!
If you have an existing installation of ZCC, you can remove it under Applications/Zscaler/Uninstall-Zscaler-App.
6. Create an .intunemac file
Once you’ve verified your PKG file functions correctly, we need to wrap it for use with Intune.
Download the Intune App Wrapping Tool for Mac (this is a Microsoft-owned repository).
Next:
- Unzip the source code folder
- Open Terminal
- Change directory to where the `IntuneAppUtil` file is located
- Make the `IntuneAppUtil` file executable:
Locate the PKG file you created above and use the `IntuneAppUtil` tool to wrap the `.pkg` file to a `.intunemac` file:
For example:
If everything went well, you should see the `.intunemac` file in your specified output directory.
7. Add a new Line-of-Business app in MEM
Add a new Line of Business (LoB) App
In the Apps menu of the MEM portal, navigate to Apps > All Apps > Add. In the panel that appears, scroll to the bottom and under the Other heading, select Line-of-business app.
When prompted to select an app package file, upload the `.intunemac` file you created above and click OK.
Customize the App Details
Fill in the required details about the app:
Field | Content |
---|---|
Name | Enter Zscaler Client Connector 2.X.X.X - macOS 2.X.X.X (where 2.X.X.X is the version number of the app - this will help you distinguish what version is being distributed by Intune) |
Description | Enter Zscaler Client Connector for macOS |
Publisher | Enter Zscaler, Inc |
Minimum operating system | Select OS X Yosemite 10.10 (ZCC supports macOS 10.10+) |
Ignore app version | Set to Yes. ZCC will automatically update itself once deployed, so Intune can safely ignore the version the user has installed after deployment. |
Category | (Optional) Select an app category to allocate the Zscaler Client Connector to. |
Click Next to move to the Assignments tab.
Assign Users to the App
There are two different sections you can allocate users or groups to depending on how you want the app rolled out to users:
- Required = The app is MANDATORY for these users/groups. Any user or group in this section will have the App automatically pushed out to them.
- Available for enrolled devices = The app is OPTIONAL for these users/groups. The app will not be automatically pushed and the users can go to download the app themselves from within the Company Portal.
Assign your users or groups to the ZCC app for macOS accordingly.
Click Next to continue and then Create on the following screen. Your macOS Line-of-Business application will be created and the `.intunemac` file will upload; be sure to wait until it’s complete.
Done!