We are planning our ZIA rollout to the enterprise and have run into a bit of a snag. Our environment is:
- Full remote workforce
- GSuite as IDP et al
- Managed Chrome Browser (can only access Google and SSO apps via managed browser)
- Context aware (device authentication)
As described in Zscaler’s documentation, Firefox opens up to allow the user to authenticate with the IDP (Google). However, because we only allow access from a managed Chrome browser, the user cannot reach the authentication page. Additionally, as the user is not logged in, you cannot go into Chrome and log in, as all access is blocked.
Is there a way to have the agent open Chrome instead of Firefox? If not, what are our options?
You could use something like Finicky to do that
Looks like this is a viable, near-term alternative to get us through the deployment. Was really hoping that Zscaler didn’t hard-code Firefox into being the default browser for the SSO login, but if so, this may be our only hope. Much appreciated Thomas!
So I found this About Authentication Settings | Zscaler which points to exactly what I want to do. However, in my Client Connector Portal, I don’t have an Authentication Setting option.
As I understand the options in the portal, it would mean that you have to set GC as your default browser; otherwise ZCC would use Safari for auth.
But in your case you want to have FF as default and GC to be used to (only) auth against your IDP - or?
There are btw other apps like Finicky: (non-free) Choosy or Browserosaurus
Actually, for this scenario Finicky will not work either as Zscaler is not looking to use the system default browser. All of our Macs have their system default browser set to Chrome. And, as that link shows, Zscaler used to allow you to select the use of the system default browser for authentication. However, they have apparently done away with that in the portal but do have 1/2 of that setting available via install options as shown here (Customizing Zscaler Client Connector with Install Options for macOS | Zscaler)…ExternalRedirect True. False used the embedded Zscaler browser, True uses Firefox. Very frustrating…
Just checked; I do have the auth options as described in the article.
Which cloud are you using?
Zscalertwo. v 6.1 for the ZIA portal and 3.21.2 for the mobileadmin portal.
hmm… same here
As far as I know this is no ‘needs to be enabled for your tenant’ feature either. Maybe worth talking to your TAM?
Only other idea I would have is that the portal only starts to show that option when you have at least one ZCC v3.6 or higher enrolled.
Gotcha. We’ve got two registered right now where we used the embedded browser. But, that is just not a good practice (entering your username and password in a non-managed, unknown browser).
I’ve also got a call in to support so we’ll see. Appreciate your help. I’ll post the solution when I have it.