[Guide] Zscaler Client Connector Deployment with WorkspaceONE UEM Pro for Windows

The Zscaler Client Connector can be configured and deployed with Workspace ONE UEM on Windows devices with a few simple steps. This guide is based on Workspace ONE UEM running version 22.3.0.2 (2203) and deploys Zscaler Client Connector v3.7.2.18 to a Windows computer running Windows 10.

Note: Workspace ONE UEM is required for the initial installation only. Zscaler Client Connector upgrades thereafter can be managed from within the Zscaler Client Connector Portal.

High-Level Steps:

  1. Download the Zscaler Client Connector MSI from Zscaler Client Connector Portal
  2. Create an Internal Native App in Workspace ONE UEM for Client Connector and assign to managed Windows endpoints

Before You Begin:

A few key pieces of information will be required to setup the Native App in Workspace ONE UWM

  • The Zscaler cloud name used for your organization
  • The primary domain used for SAML authentication by your organization

Determine your Zscaler Cloud Name:

If your organization is provisioned on more than one cloud, your users will normally be prompted to select the cloud to which their traffic will be sent during the enrollment process. To avoid this prompt, you can pre-configure the Zscaler Client Connector to automatically connect to the intended cloud automatically by using this installation option.
To determine your cloud name, you can follow the directions in this article

Determine your Primary Authentication Domain:

This installation option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization’s SSO login page. If you’ve integrated SSO with the app, users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in. If your instance has multiple domains associated with it, use the primary domain for your instance.

Step 1: Download the Zscaler Client Connector MSI
The Zscaler Client Connector will need to be downloaded from Zscaler before the Native App can be created. The client can be downloaded by following the below steps:

  1. From the Zscaler Internet Access Admin UI, select Policy from the left navigation bar and click on Zscaler Client Connector Portal in the Mobile section

image

  1. Select Administration from the top navigation bar in the Zscaler Client Connector Portal and click on Client Connector App Store from the navigation bar on the left
  2. Select the Personal Computer tab, select Windows from the list of Platforms and click on the download icon under the Download MSI 32-bit column to download

Picture1

Step 2: Create the Workspace ONE UEM Native Internal App

  1. In the Workspace ONE UEM admin console, select Resources and Native under Apps and click on Add and select Application File to add the app

Picture2

  1. In the Add Application page select Upload and upload the downloaded software from the previous step and click Continue

Picture3

  1. Name the App “Zscaler Client Connector-3.7.2.18” and click on Files to upload a MST with installation options. Directions to generate a MST for Zscaler Client Connector are available at Customizing Zscaler Client Connector with Install Options for MSI | Zscaler
    MST file used in this example was created with the following install options
Property Value Description
USERDOMAIN myauthdomain.com Your organization’s domain name identified earlier. If your instance has multiple domains associated with it, enter the primary domain for your instance
REINSTALLDRIVER 1 This install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.
cloudname zscalerthree The name of the cloud on which your organization is provisioned identified earlier. Example, if your cloud name is zscalertwo.net, you would enter zscalertwo To learn more, see What is my cloud name for ZIA?

Additional installation options are available at https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-msi#RunZAppMSICmdLine

Picture4

  1. Select Add to add your MST file to the App

Picture5

  1. Select Deployment Options and ensure that the Install Command references the uploaded MST. Select Save & Assign to select endpoints for deployment. For example:
    msiexec /i "Zscaler-windows-3.7.2.18-installer.msi" TRANSFORMS={transform files} /qn

Picture6

  1. Select the appropriate Assignment Group to use, name the Distribution and click on Save and Publish to start the deployment

Picture7

Zscaler Client Connector will now be downloaded and installed on managed Windows computers along with the Zscaler Root CA certificate (if using the default Zscaler certificate). If your organization plans to deploy a custom Intermediate Root certificate, then you must make sure that your certificate is already installed on the Windows endpoint for SSL inspection to work. After installation, Zscaler Client Connector will auto-launch.

1 Like