[Guide] Zscaler Client Connector Deployment with JAMF Pro for MacOS

The Zscaler Client Connector can be configured and deployed with JAMF Pro on macOS devices with a few simple steps. This guide uses a cloud-hosted version of JAMF Pro v10.37.2 and deploys Zscaler Client Connector v3.6.x to a macOS computer running Monterey.

Note: JAMF Pro is required for the initial installation only. Zscaler Client Connector upgrades thereafter can be managed from within the Zscaler Client Connector Portal.

High-Level Steps:

  1. Create a script in JAMF Pro with the below sample script
  2. Create a Computer Management Policy referencing the above script and deployment scope
  3. Create a Configuration Profile to install and trust the Root CA certificate used for SSL inspection in the System Keychain

Before You Begin:

A few key pieces of information will be required to create the script:

  • The download URL for release of Zscaler Client Connector you will deploy
  • The Zscaler cloud name used for your organization
  • The primary domain used for SAML authentication by your organization

Determine the download URL:

When the macOS endpoint executes the script, it will download the Zscaler Client Connector directly from Zscaler using the URL. You can determine the download URL for the Zscaler Client Connector to be deployed by following the below steps:

  1. From the Zscaler Internet Access Admin UI, select Policy from the left navigation bar and click on Zscaler Client Connector Portal in the Mobile section

  2. Select Administration from the top navigation bar in the Zscaler Client Connector Portal and click on Client Connector App Store from the navigation bar on the left

  3. Select the Personal Computer tab and select macOS from the list of Platforms

  4. Right-click on the Download Link icon and copy the download link address. You don’t need to download the actual installer, just the download link address.

Determine your Zscaler Cloud Name:

If your organization is provisioned on more than one cloud, your users will normally be prompted to select the cloud to which their traffic will be sent during the enrollment process. To avoid this prompt, you can pre-configure the Zscaler Client Connector to automatically connect to the intended cloud automatically by using this installation option.

To determine your cloud name, you can follow the directions in this article

Determine your Primary Authentication Domain:

This installation option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization’s SSO login page. If you’ve integrated SSO with the app, users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in. If your instance has multiple domains associated with it, use the primary domain for your instance.

Step 1: Create the install script in JAMF Pro

Create an installation script by following the below directions in JAMF Pro.

  1. In JAMF Pro, go to Settings and select Computer Management and click on Scripts
  2. Create a new script called “Zscaler Client Connector macOS”
  3. Select Script and make sure the Mode is set to Shell/Bash
  4. Paste the below script into the script window and edit the script if additional installation options are required. A complete list of installation options are available here.

## This script will download the version of Zscaler specified in the Download URL

## last updated April 2022
## version 2, revision 1 for Jamf

## Parameters
# $4 = Download URL for Client Connector
# $5 = cloudName
# $6 = userDomain

## Set variables

## Download client zip archive to /tmp
curl -L -s -k -o  /tmp/zscaler.zip $4 || { echo "`date` Download failed. Exiting" >&2; exit 1; }

cd /tmp
## unzip zip into /private/tmp/
sudo unzip -q zscaler.zip || { echo "`date` Cannot decompress dad archive. Exiting" >&2; exit 1; }

# Cleanup by removing downloaded archive
sudo rm -rf /tmp/zscaler.zip

# Get the installer string
binary=$(ls | grep "Zscaler-osx")

echo "`date` installing Zscaler"
# Execute the install script. Add additional install options if needed.
sudo sh /tmp/$binary/Contents/MacOS/installbuilder.sh --cloudName $5  --unattendedmodeui none \
--userDomain $6 --mode unattended || { echo "`date` Client Connector install failed. Exiting" >&2; exit 1; }

exit 0

5. Select options and enter Download URL, Cloud Name and Primary Authentication Domain as the Parameter labels for the script and click save.

Step 2: Create a Computer Management Policy in JAMF Pro

  1. Create a new Computer Management Policy, by clicking on Computers from the left navigation bar, select Policies (under Content Management) and click on New
  2. Name the policy “Zscaler Client Connector Install Policy” and select “Login” as the Trigger
  3. Select Script and click on Configure to add the Script created previously to this policy by clicking on Add
  4. Enter the Parameter values with the Download URL, Cloud Name and Authentication Domain values determined earlier
  5. Select Scope to determine macOS endpoints where the policy will be deployed. In this case select the “All Managed Clients” Smart Computer Group to target all managed macOS computers and click to Save the policy.

Step 3: Create a Configuration Profile in JAMF Pro

A Configuration Profile is required to deploy the Root CA certificate to managed macOS computers for SSL inspection. If using the default Zscaler certificate, the certificate will need to be downloaded from the Zscaler Internet Access Admin UI and added to a Configuration Profile in JAMF Pro by following the below directions.

Note: Steps 1 and 2 are only applicable when using the Zscaler default certificate. If the organization is using a custom Root CA certificate, use the custom certificate instead.

  1. To download the certificate, login to the Zscaler Internet Access Admin UI, select Policy from the left navigation bar and click on SSL Inspection in the Access Control section

  2. Select Advanced SSL Inspection Settings and click on the “Download Zscaler Root Certificate” link to download the Zscaler Root CA certificate file in a zip archive. Unzip the downloaded Zscaler Root CA certificate archive and change the file extension from .crt to .cer.

  3. In JAMF Pro, select Computers from the left navigation bar, select Configuration Profiles (under Content Management) and click on New to create a new Configuration Profile

  4. Name the Profile and select Certificate from the list of options and click on Configure. Name the certificate and select Upload from the certificate option from the dropdown to upload the Root CA certificate.

image image

  1. Select Scope to determine macOS endpoints where the profile will be deployed. In this case, select the “All Managed Clients” Smart Computer Group to target all managed macOS computers and click to Save the profile

Zscaler Client Connector will now be downloaded and installed on managed macOS computers along with the Root CA certificate. After installation, Zscaler Client Connector will auto-launch and if SSO is enabled, will enroll and login the user without any user intervention.


Hi Niladri, Is there a Mosyle Business (JAMF competitor) version of this guide? Some of the steps differ from JAMF.

Hi Bryant

Unfortunately, directions for Mosyle Business MDM isn’t available. However the directions in our help article should work with your MDM. If you need a PKG specifically for Mosyle, please open a case with support and they will send you the PKG for Client Connector.


Can someone provide me some insight. Perhaps I need to try a different URL.

I am receiving the following error on the latest download.
It is exiting here on macOS running Monterrey.
cd /tmp

unzip zip into /private/tmp/

sudo unzip -q zscaler.zip || { echo “date Cannot decompress dad archive. Exiting” >&2; exit 1; }

No credit for taking the script I wrote and removing my name?

Thanks for the document it helped steer me in the right direction in getting the agent to be deployable via Jamf. (I’ve limited exposure to using Jamf).

I would suggest making the screenshots a little bigger, would avoid having to try to zoom in to figure out pixelated text.

That asides it gave me a good idea of how to get the client deployed. So thank you for the guidance.

Thanks for this document! all is going fine with Jamf but it’s asking to enter the credentials to user. i am using domain name as well but still SSO is not passed. Am i missing something?

This is a great guide. Any thought on how to add the ZCC whitelist to JAMF Pro?


Richard -
I am assuming you are referring to configuring firewall rules in macOS to support incoming connections to ZSATunnel. This isn’t required as macOS will automatically open inbound connections for signed binaries.