Group | Description |
---|---|
ZIA_Entitlement | This is the group of all users that are entitled to use Zscaler Internet Access (ZIA) |
ZPA_Entitlement | This is the group of all users that are entitled to use Zscaler Private Access (ZPA). In my case, this is a subset of users from the ZIA_Entitlement group as I might not want to roll ZPA out to every user in the organization. |
Zscaler - Mandatory | This group contains every user in the organization to which the ZCC app will be automatically rolled out to. Ie: The majority of users from the above two groups. If this is your organization, you might include the whole org in this group, except select users (eg: some from IT) for which the app will be optional. |
Field | Content |
---|---|
Name | Enter Zscaler Client Connector 2.X.X.X (where 2.X.X.X is the version number of the app - this will help you distinguish what version is being distributed by Intune) |
Description | Enter Zscaler Client Connector |
Publisher | Enter Zscaler, Inc |
Ignore app version | Set to Yes. ZCC will automatically update itself once deployed, so Intune can safely ignore the version the user has installed after deployment. |
Category | (Optional) Select an app category to allocate the Zscaler Client Connector to. |
Command-line arguments | See below. |
zscalertwo
STRICTENFORCEMENT
can be used to block access to the internet until your users enroll in the Zscaler Client Connector..app
file).intunemac
file).pkg
file created below without a valid Developer ID. This will result in your users receiving an error about an the software coming from an ‘Unidentified Developer’, and depending on security settings, the device may block the install altogether..pkg
files to macOS; NOT .app
files. We need to wrap our .app file inside a .pkg file for it to work with Intune, and it is this pkg file that needs to be signed and notarized as well..pkg
, you will need both the Developer ID Installer and Developer ID Application certificates. You can create these under the Certificates, Identifiers & Profiles section of your developer account, but will need a Certificate Signing Request (CSR) to do so: Apple have a brief guide on how to generate one using Keychain, here..cer
files in Keychain. Add them as a login certificate..app
installer for ZCC from the Zscaler Client Connector Portal..pkg
file - which is just our .app
file wrapped up as a .pkg
for the purposes of Intune deployment..pkg
, it just saves the wrapped .app
to the user’s device without doing anything else. We need a way to run and install the .app
after Intune has deployed the .pkg
, PLUS a way to include arguments to customize the install. A post-installation script will do all of this for us.scripts
. Inside this folder, create a file called postinstall
scripts
directory - we’ll need this later.Control + X
and then Y
to save.--cloudName
), DO NOT enter the .net at the end. Eg: zscalertwo.net should be entered as zscalertwo
--strictEnforcement 1
can be used to block access to the internet until your users enroll in the Zscaler Client Connector.pkg
files for macOS. A .pkg
file is analogous to an MSI for Windows. All we are essentially doing is wrapping the .app file inside a .pkg file so that it can be deployed by Intune.pkgbuild
tool to do this. Open Terminal and run the following command (change the file paths before running):Field | Description |
---|---|
--install-location | This should point to the tmp folder, or somewhere writeable on the user machine. The .pkg will unpack itself here, then run the .app installer; which will install ZCC to the /Applications directory as required. If you change this from /tmp , you’ll need to update the postinstall script as well. |
--scripts | This should be the path to the scripts folder you created in the step above. |
--component | This file path should point to the Zscaler Client Connector .app file you downloaded in Step #1. |
--identifier | Specify a unique identifier for this package. It is advisable to set a meaningful, consistent identifier, eg: com. zscaler. zscalerclientconnector |
--version | This has no relationship to the actual Zscaler Client Connector version. This is only used by Intune. If you ever deploy another pkg via Intune for a different version of ZCC, you’ll need to increment this (eg: Version 1.1) so that Intune can tell the pkg files apart. Note that ZCC has its own update mechanism, so you don’t need to worry about using Intune to push out updates to the Zscaler Client Connector software. |
--sign | If you don’t want your users to recieve an error that your package is from an ‘Unidentified Developer’ (which will prevent installation entirely), you will need to sign the package using a valid Apple Developer ID. To do this, you will need to enroll in the Apple Developer program (US$99). If you are an organization, you probably have already done this. Make sure you correctly substitute MY-DEV-NAME with your correct Developer name / org name. If you don’t care about the ‘Unidentified Developer’ error, you can remove the--sign argument. |
pkgbuild
command is below:pkgutil
:.pkg
file in the previous step. Otherwise you can skip to the next step..pkg
file via the command-line. To do this, you’ll need to generate an App Specific Password for your the Apple ID of your Developer Account:notarization-tool
Field | Value |
---|---|
username | The Apple ID username associated with your Apple Developer Account |
password | Enter @keychain: followed by the name of the Keychain Item which you saved your app-specific password to. This will fetch the password from the keychain. |
asc-provider | This is the Team ID from your Developer Account. You can find this by logging into your Developer Account and reviewing your profile |
primary-bundle-id | This should match the identifier you specified when you created the pkg. |
file | The path to the .pkg file |
.pkg
file to Apple. Once done, it will return a UUID which you can use to check the status of your notarization request:.pkg
file. This ensures that a Mac device that is offline can still validate that the .pkg
file is notarized:api.apple-cloudkit.com
from SSL inspection due to certificate pinning.Applications/Zscaler/Uninstall-Zscaler-App
IntuneAppUtil
file is locatedIntuneAppUtil
file executable:IntuneAppUtil
tool to wrap the .pkg
file to a .intunemac
file:.intunemac
file in your specified output directory..intunemac
file you created above and click OK.Field | Content |
---|---|
Name | Enter Zscaler Client Connector 2.X.X.X - macOS 2.X.X.X (where 2.X.X.X is the version number of the app - this will help you distinguish what version is being distributed by Intune) |
Description | Enter Zscaler Client Connector for macOS |
Publisher | Enter Zscaler, Inc |
Minimum operating system | Select OS X Yosemite 10.10 (ZCC supports macOS 10.10+) |
Ignore app version | Set to Yes. ZCC will automatically update itself once deployed, so Intune can safely ignore the version the user has installed after deployment. |
Category | (Optional) Select an app category to allocate the Zscaler Client Connector to. |
.intunemac
file will upload - be sure to wait until it’s complete.