[Guide] Zscaler Client Connector Deployment with JAMF Pro for iOS

The Zscaler Client Connector can be configured and deployed with JAMF Pro on iOS devices with a few simple steps. This guide uses a cloud hosted version of JAMF Pro v10.37.2 and deploys Zscaler Client Connector v1.8.x to an iOS 15 device.

High-Level Steps:

  1. Create a Configuration Profile to install and trust the Root CA certificate used for SSL inspection
  2. Create a Mobile Device App definition for Zscaler Client Connector for managed iOS devices

Before You Begin:

To customize the Zscaler Client Connector App install, a few key pieces of information will be required:

  • The Zscaler cloud name used for your organization
  • The primary domain used for SAML authentication by your organization

Determine your Zscaler Cloud Name:

If your organization is provisioned on more than one cloud, your users will normally be prompted during enrollment to select the cloud to which their traffic will be sent. To avoid this prompt, you can pre-configure the Zscaler Client Connector to connect to the intended cloud automatically by using this installation option.

To determine your cloud name, you can follow the directions in this article.

Determine your Primary Authentication Domain:

This installation option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization’s SSO login page. If you’ve integrated SSO with the app, users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in. If your instance has multiple domains associated with it, use the primary domain for your instance.

Step 1: Create a Configuration Profile in JAMF Pro

A Configuration Profile is required to deploy the Root CA certificate to managed iOS devices for SSL inspection. If using the default Zscaler certificate, the certificate will need to be downloaded from the Zscaler Internet Access Admin UI and added to a Configuration Profile in JAMF Pro by following the below directions.

Note: Steps 1 and 2 are only applicable when using the Zscaler default certificate. If the organization is using a custom Root CA certificate, use the custom certificate instead.

  1. To download the certificate, log in to the Zscaler Internet Access Admin UI, select Policy from the left navigation bar and click on SSL Inspection in the Access Control section.

  2. Select Advanced SSL Inspection Settings and click on the “Download Zscaler Root Certificate” link to download the Zscaler Root CA certificate file as a zip archive. Unzip the downloaded archive and change the certificate file extension from .crt to .cer.

  3. In JAMF Pro, select Devices from the left navigation bar, select Configuration Profiles (under Content Management) and click on New to create a new Configuration Profile.

  4. Name the profile, select Certificate from the list of payload options and click Configure. Name the certificate and select Upload from the Certificate Option dropdown to upload the Root CA certificate.

  5. Select Scope to determine the iOS endpoints to which the profile will be deployed. Select Add, add the “All Managed iPhones” and “All Managed iPads” Smart Computer groups to target all managed iOS devices, and Save the profile.

Step 2: Create a Mobile Device App in JAMF Pro

Jamf Pro allows you to distribute App Store apps and apps purchased in volume (including custom apps and apps offered as a Universal Purchase) to mobile devices. After an app is distributed, Jamf Pro can be used to manage future updates to the Zscaler Client Connector. Create a Mobile Device App for Zscaler Client Connector by following the below directions in JAMF Pro.

  1. Create a new app by clicking on Devices in the left navigation bar, selecting Mobile Device Apps (under Content Management) and clicking on New.

  2. Select “App Store app or apps purchased in volume” as the app type and click Next.

  3. Enter “Zscaler” in the Search bar, select the App Store country from the drop-down and click Next.

  4. JAMF Pro will connect to the App Store and search for all Zscaler apps. Select iPhone and iPod touch Apps and click on Add next to Zscaler Client Connector. If deploying to iPads, select iPad Apps.

  5. JAMF Pro will automatically populate the App name, version number and Bundle Identifier from the App manifest in the App Store; none of this information needs to be changed. Select the checkbox that lets JAMF Pro automatically check the App Store for updates: Zscaler releases new versions on a regular basis, and JAMF Pro can then update the App on your managed iOS devices automatically. You may also want to clear the checkbox next to “Allow users to remove app (iOS 14 or later)” to prevent users from uninstalling the App.

  6. Select Scope to determine the iOS endpoints to which the app will be deployed. In this case, select the “All Managed iPhones” Smart Computer Group to target all managed iPhones.

  7. Click on App Configuration to configure Zscaler Client Connector before distributing it to mobile devices. Managed App Configuration is a set of key-value pairs (in XML format) used to configure iOS applications. The key-value pairs used for this deployment are described below.

Keys used in this deployment:

  • userdomain: Your organization’s domain name, identified earlier. If your instance has multiple domains associated with it, enter the primary domain for your instance.
  • cloudname: The name of the cloud on which your organization is provisioned, identified earlier. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What is my cloud name for ZIA?
  • ownership: Used for device posture in Zscaler to identify an organization-owned asset.
  • strictenforcement: Requires users to enroll with Client Connector before they can browse the Internet.
  • excludeList: Lets you exclude domains and IP addresses that should bypass Zscaler. Note that if you are using the strictEnforcement option, you must add the domains for your IdP, the URL for Zscaler authentication services and your MDM using this option, since the user cannot reach them to enroll otherwise. JAMF Pro, Microsoft, OKTA and ZPA are shown in the example below.

Additional keys and details are available at Zscaler’s online help site

<dict>
	<key>cloudname</key>
	<string>zscalerthree</string>
	<key>ownership</key>
	<string>Dattalabz</string>
	<key>strictEnforcement</key>
	<string>0</string>
	<key>userDomain</key>
	<string>dattalabz.com</string>
	<key>excludeList</key>
	<string>dattalabz.jamfcloud.com, aadcdn.msftauth.net,login.microsoftonline.com,oktacdn.com,samlsp.prod.zpath.net</string>
</dict>

Zscaler Client Connector will now be downloaded and installed on managed iOS devices along with the Root CA certificate. After installation, Zscaler Client Connector will need to be launched manually to complete enrollment; if SSO is enabled, it will enroll and log in the user without any further user intervention.


Great write-up - thank you!
In the first steps you cover the Zscaler Root CA - but customers might also be using their custom Root CA. It’s worth covering that.

In the last section where you show the XML metadata - you say “Okta and JAMF Pro are shown in the example below”, but then it has JAMF and Azure. You’re also showing authsp for ZPA Dev Cloud. Can you change it to be more generic, or give specific examples?
For Azure, you’d need to add aadcdn.msftauth.net in addition to login.microsoftonline.com. For Okta you’d need to add oktacdn.com. For ZPA Prod, it’s samlsp.prod.zpath.net, and for beta it’s samlsp.zpabeta.net.

Thanks for the feedback Mark! The article has been updated with your input.