Download Zscaler For Mac

Use the Zscaler Analyzer app to analyze the path between your location and the Zscaler Enforcement Node (ZEN), or to analyze the time it takes for your browser to load a web page, so the Zscaler Support team can detect potential issues. The app performs an MTR (Z-Traceroute) and a full web page load test (Z-WebLoad). The results provide the Zscaler Support team with the information they need to debug network issues quickly. You can run the app multiple times at different intervals for a more comprehensive view of your network path and performance. For example, you can configure the app to run every hour for five hours.

The results are designed to be sent to the Zscaler Operations Team through Zscaler Support for analysis. Their experience and overall view of the entire cloud allow them to interpret the data and identify potential issues in the network path. Zscaler highly recommends that you do not try to interpret the results without consulting Zscaler Support.

By downloading Zscaler Analyzer, You agree to the terms and conditions for Zscaler Software available at https://www.zscaler.com/legal/license-agreement-for-zscaler-software/. In addition, You also acknowledge and agree that Zscaler will
(i) use the information that You provide in order to troubleshoot Your networking issues; and
(ii) store such information in its cloud (which will only be accessible by a unique URL).

YOUR USE OF THE ZSCALER ANALYZER IS EXPRESSLY CONDITIONED ON YOUR AGREEMENT TO THESE TERMS AND CONDITIONS. IF YOU DO NOT AGREE, DO NOT DOWNLOAD AND/OR OTHERWISE USE THE ZSCALER ANALYZER.

Requirements

You can run the app from a device that has the following:

  • Java (JRE) 1.8 update 40 or higher
  • Microsoft Windows 7 or higher
  • Mac OS X

Installation

Do the following to install the Zscaler Analyzer app:

  1. Download the latest version of the app at https://zmtr.zscaler.com/.
  2. Click either Windows or Mac OS to download the app.
  3. Do one of the following:
    • From a Windows machine:
      1. Run ZscalerAnalyzer-windows-installer.exe.
      2. Complete the steps in the wizard.
        Ensure that you install the app in a directory similar to Libraries/Documents to facilitate installation. If you install it in the Program Files directory, you may need additional permissions.
        OR
    • From a device running Mac OS X:
      1. Open ZscalerAnalyzer-osx-installer.dmg and run the installer it contains.
      2. Complete the steps in the wizard.

      NOTE: If your security settings (Gatekeeper) prevent you from installing the app on your Mac, do the following:
      1. Launch System Preferences from the Apple menu.
      2. Choose Security & Privacy, click the General tab, and then click the lock icon in the corner and authenticate to unlock the settings.
      3. Under Allow apps downloaded from, choose Mac App Store and identified developers. This is sufficient for a signed installer; there is no need to disable Gatekeeper entirely.
      4. Accept any security warning, if presented.
      5. Install the app.

Zscaler Analyzer TraceRoute

Use the Zscaler Analyzer app to analyze the path between your location and the Zscaler Enforcement Node (ZEN), so the Zscaler Support team can detect potential network issues. The app performs an MTR (My Traceroute), and the results provide the Zscaler Support team with the information they need to debug network issues quickly. You can run the app multiple times at different intervals for a more comprehensive view of your network path. For example, you can configure the app to run every hour for five hours.

The results are designed to be sent to the Zscaler Operations Team through Zscaler Support for analysis. Their experience and overall view of the entire cloud allow them to interpret the data and identify potential issues in the network path. Zscaler highly recommends that you do not try to interpret the results without consulting Zscaler Support.

If you are using a GRE or IPsec tunnel to send traffic to the ZEN, run the MTR from a PC whose traffic does NOT go through the tunnel. The tunnel encapsulates the probe packets, so a trace run through it shows the tunnel as a single hop rather than the intermediate routers on the path to the ZEN, and the per-hop results are not useful.

Running Z-TraceRoute

When you launch the app, click the Z-TraceRoute tab to see a window similar to the following.

Do the following to run the Zscaler Analyzer app:

  1. Define the settings:
    • Host: If your computer is connected to a ZEN, this field displays the host name of that ZEN. You can specify a different host name, for example, if you want to analyze the path to another ZEN.
    • Run Every: The app can run automatically at intervals. For example, to run the test every hour, 10 times, set Repeat to 10 and the interval to every 1 hour. These 10 tests are called a group.
    • Packet Count: Number of packets to send.
    • Hop Limit: The maximum number of network hops measured.
  2. To define the following settings, click the Advanced Settings button to see the Z-Traceroute - Advanced Settings window.
    • Data: Packet size in bytes
    • Timeout: The maximum number of seconds to wait for a reply
    • Command: You can configure advanced settings from this field if Zscaler Support asks you to override the default settings to troubleshoot a particular issue. To get the list of all options, run:
      Example:
  3. Click Start Test.
    • The app displays the geolocation of the client and the ZEN on the map, as shown below. Note that the locations shown may not be accurate. This is useful for determining whether the client is geolocated correctly or whether its traffic is not going to the nearest ZEN.
    • The application updates the Host Latency and Latency per Hop widgets, and the results table.
    • The Stop Test button replaces the Start Test button, as shown below. If you click Stop Test at any time, the app cancels all the remaining tests in the group.

You can minimize the Zscaler Analyzer app before it completes all the configured runs. When the tool completes all the runs, the Start Test button replaces the Stop Test button.

Viewing the Results

If you configured the Zscaler Analyzer app to perform multiple runs, you can view the results for each completed run in the group by selecting it from the results list, as shown below.

  • The Host Latency widget shows the round-trip latency between the device and the ZEN.
  • The Latency per Hop widget shows the latency for each intermediate network hop.
  • The results table provides an overview of the results. It shows the following:
    • #: Hop number
    • Host: IP address of the intermediate host
    • P. Sent: The number of packets sent to the intermediate host
    • P. Recv: The number of packets received back from the host
    • P. Loss: Percentage of packet loss
    • Best T.: Smallest latency of all tests in seconds
    • Last T.: Latency of the last packet sent
    • Avg. T.: Average latency
    • Worst T.: Highest latency of all tests

Exporting the Results

When the app completes all the configured runs, export the results so you can send them to Zscaler Support.

  1. Click the Export All Results button and navigate to the folder to which you want to save the results. All results of the runs in a group are saved into a CSV file with a filename similar to za_results_12_15_2015_12_56_53_PM_PST.

The geolocation shown in the export file is likely to be incorrect. For example, the intermediate hops in the U.S. might be shown to be in Europe.

The following is the information displayed for each group (repetitions of the same test) in the CSV file:

  • Result Import Time: Time of the data export
  • ZA Version: Version number of the app
  • Group Number: Group ID
  • ZA Settings: The defined settings for the test
  • Host: The host name entered in the Host field, i.e. the ZEN the test was run against
  • Internal Source IP: Local IP address of the device
  • Public Source IP: Public IP address of the outbound traffic
  • Protocol: Protocol selected for the test.
  • Number of Runs: Number of tests run

The following is the information displayed for each run inside a group:

  • Run Number: Run ID
  • Start Time: Time when the test started
  • End Time: Time when the test ended
  • Test Finished in: Duration of the test
  • SNo: Results of the test for each intermediate host:
    • Host: IP address of the intermediate host
    • Longitude: GeoIP coordinate of the intermediate host
    • Latitude: GeoIP coordinate of the intermediate host
    • Location Name: GeoIP country of the intermediate host
    • Packet Sent: Number of packets sent to the intermediate host
    • Packet Received: Number of packets sent back by the host
    • Loss: Number of packets lost
    • Last Time: Latency of the last packet sent
    • Best Time: Smallest latency of all tests
    • Worst Time: Highest latency of all tests
    • Avg Time: Average latency
    • St Dev: Standard deviation

Zscaler Analyzer WebLoad

Use the Zscaler Analyzer app to analyze the time it takes for your browser to load a web page, so the Zscaler Support team can detect potential issues. The app performs a web page load test and the results provide the Zscaler Support team with all the information they need to debug issues quickly. Depending on your environment, the tool can compare the load time through a ZEN and load time going direct to Internet. You can run the app multiple times at different intervals, for a more comprehensive view of your network. For example, you can configure the app to run every hour for five hours.

Do the following to run WebLoad on the Zscaler Analyzer:

  1. Define the settings:
    • Load: The app can test up to ten URLs at a time. The app provides a default list of URLs to run. You can choose to run the tests for all URLs or just one. To remove or add a URL, click on the Advanced Settings button.
    • Every: The app can run automatically at different intervals. For example, to configure the app to run every hour, 10 times, change Repeat to 10, and then choose the interval to run Every 1 hour. These 10 tests are called a group.
    • Use: The Page Load Time widget provides different results depending on your environment when you first open the app.
      • If your traffic is going through the Zscaler service when you first start the app, you are running the app with the Zscaler Enforced Proxy. If you are not authenticated to the service, you may be asked to authenticate when the app is first opened. The authentication page is displayed in the Current Site Preview on the left.
      • If your traffic is not going through the Zscaler service when you first start the app, you can choose the following options in the list:
        • System Proxy: Choose this option if you want to use your Internet browser settings. For example, if you have configured your browser to use a PAC file or a ZEN, the app will use those settings.
        • Custom PAC File: Choose this option if you want to use a PAC file to forward your traffic to the Zscaler service. The Zscaler service hosts default PAC files which are configured to automatically forward all browser traffic to the nearest ZEN. To learn how to retrieve the default PAC file URL, see How do I use PAC files to forward traffic to the Zscaler service?
        • Custom Gateway: Choose this option if you want to specify a ZEN to which you want to forward your traffic.
          • To specify a ZEN, enter the following:
            • Gateway: Enter gateway.<cloud_name>. To learn how you can find your cloud name, see What is my cloud name?
            • Port: Enter the port number.

If you choose to run the app with a Custom PAC File or Custom Gateway, you will be prompted to authenticate before you can start the test. The results table will provide results in the following categories:

  • With Proxy: Your traffic is going through the Zscaler service
  • Without Proxy: Your traffic is not going through the Zscaler service

To define the following settings, click the Advanced Settings button to see the ZWebload - Advanced Settings window.

  • Edit Website(s): To remove a URL, choose a URL, then click the minus sign.
  • Type New URL: To add a URL, enter a valid URL into the field, then click Add Website.
  • Website Download Count: The number of times each website is downloaded.
  2. Click Start Test.
    • The app displays the web pages of the URLs in the list, as shown below.
    • The application updates the Page Load Time widget, and the results table.
    • The Stop Test button replaces the Start Test button, as shown below. If you click the Stop Test button at any time, the app cancels all the other tests in the group.

You can minimize the Zscaler Analyzer app before it completes all the configured runs. When the tool completes all the runs, the Start Test button replaces the Stop Test button.

Viewing the Results

If you configured the Zscaler Analyzer app to perform multiple runs, you can view the results for each completed run in the group by selecting it from the results list, as shown below.

If you configured the Zscaler Analyzer app to test multiple URLs, you can view the results for each URL in the group by choosing Website from the Show Results For list.

  • The Page Load Time widget shows how long it took your browser to load a web page.
  • The results table provides an overview of the results. It shows the following:
    • Time Stamp: The time when the test started
    • Website: The tested URL
    • Response Time: The average time it took the browser to load the main web page

Exporting the Results

When the app completes all the configured runs, export the results so you can send them to Zscaler Support.

  1. Click the Export All Results button and navigate to the folder to which you want to save the results. All results of the runs in a group are saved into a CSV file with a filename similar to za_results_12_04_2015_09_49_51_AM_PST.
  2. Attach this file to a support ticket and submit it. The export file contains all the information required by the Zscaler Support team to interpret the results correctly. Please do not modify the file before sending it to Zscaler. Note that the file includes internal and public IP addresses and host names of your environment (see the fields below), so share it only through the support ticket.

The following is the information displayed for each group (repetitions of the same test):

  • Result Import Time: Time of the data export
  • Tool Version: Version number of the app
  • Group Number: Group ID
  • WebLoad Settings: The defined settings for the test
  • Number of Runs: Number of tests run
  • Proxy Type: Name of the proxy from which the test was run
  • Gateway Name: Name of the gateway from which the test was run
  • Gateway IP: IP address of the gateway from which the test was run
  • ZEN: The Zscaler Enforcement Node from which the test was run

The following is the information displayed for each run inside a group:

  • Run Number: Run ID
  • Start Time: Time when the test started
  • End Time: Time when the test ended
  • Test Finished in: Duration of the test
  • SNo: Results of the test for each tested URL:
    • URL: The tested URL
    • URL IP: IP address the tested URL resolved to
    • Load Count: The number of times the URL was loaded
    • Response Code: The HTTP response code for successful or failed requests
    • DNS Time: The time it took the client to resolve the host name via DNS
    • Connect Time: The time it took the browser to connect to the server
    • Full Page Time: The time it took the browser to load the entire web page and all its assets, such as images, scripts, etc.

The thoughts and opinions in this post are my own and do not necessarily reflect those of Zscaler.

In this guide, we’ll walk through how to configure Microsoft Intune from scratch and use it to deploy the Zscaler Client Connector agent (ZCC), formerly known as Zscaler App (Z App).

Due to length, I’ve split this into two posts (the original was over 8000 words):

  • This post covers deployment on Windows and macOS.
  • The other post, available here, covers iOS and Android.

I suggest you use the Table of Contents to jump to the section that you need.

According to Microsoft:

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).

With Intune, you can:

  • Set rules and configure settings on personal and organization-owned devices to access data and networks.
  • Deploy and authenticate apps on devices – on-premises and mobile.
  • Be sure devices and apps are compliant with your security requirements.

To access Intune, you need either a Microsoft 365 or an Enterprise Mobility + Security (EMS) E3/E5 subscription. If you’re using a free Azure account, you’ll need to sign up for a trial, or pay per user (which can get costly).

Scott Bullock of Zscaler (@scottyb) has posted a great 10 minute video in their community forum that runs through the user experience of enrolling a fresh Windows 10 device into Intune. ZCC is automatically pushed out and transparently authenticated for both ZIA and ZPA.

When adding an app to Intune, you’ll be prompted to allocate the groups of users (or devices) that the app will be rolled out to. Hence before beginning, ensure you have the users of Zscaler inside of an AD or Azure AD group that you can assign the Zscaler Client Connector app to.

Depending on whether you want the ZCC app to be mandatory or optional for certain groups of users, you may want to divide your users into two groups:

  1. The users to which the app is MANDATORY. Any user in this group will have the app automatically pushed out to them.
  2. The users to which the app is OPTIONAL. The app will not be automatically pushed for users in this group, allowing them to go to the Company Portal and download it themselves if they choose.

In my examples below, I have 3 groups:

  • ZIA_Entitlement: All users that are entitled to use Zscaler Internet Access (ZIA).
  • ZPA_Entitlement: All users that are entitled to use Zscaler Private Access (ZPA). In my case, this is a subset of the ZIA_Entitlement group, as I might not want to roll ZPA out to every user in the organization.
  • Zscaler - Mandatory: Every user to whom the ZCC app will be automatically rolled out, i.e. the majority of users from the above two groups. You might include the whole organization in this group, except select users (e.g. some from IT) for whom the app will be optional.

We’ll be using the Microsoft Endpoint Manager console (MEM) to orchestrate Intune. You can log in using the same Azure Portal credentials here: https://endpoint.microsoft.com

(Optional) Setting the MDM Authority

If you’re using an existing Office 365 account and have been using the Office 365 MDM, you’ll need to change the MDM authority from Office 365 to Intune. This Microsoft help article will guide you through it.

This section will cover deploying ZCC onto Windows using Intune.

1. Download the Zscaler Client Connector MSI

To start you’ll need the .MSI installer for ZCC from the Zscaler Client Connector Portal. Log into the portal (either through ZIA or ZPA) and navigate to Administration > Zscaler Client Connector Store.

In the Windows panel, download the MSI for the latest 2.X.X version. Do not use the older 1.X.X releases.

2. Add a new Line-of-Business App


Back in the Apps menu of the MEM portal, navigate to Apps > All Apps > Add. In the panel that appears, scroll to the bottom and under the Other heading, select Line-of-business app.

When prompted to select an app package file, upload the MSI of the Zscaler Client Connector you downloaded above and click OK.

Customize the App Details

Fill in the required details about the app:

  • Name: Enter Zscaler Client Connector 2.X.X.X (where 2.X.X.X is the version number of the app; this helps you distinguish which version Intune is distributing)
  • Description: Enter Zscaler Client Connector
  • Publisher: Enter Zscaler, Inc
  • Ignore app version: Set to Yes. ZCC updates itself once deployed, so Intune can safely ignore the version the user has installed after deployment.
  • Category: (Optional) Select an app category for the Zscaler Client Connector.
  • Command-line arguments: See below.

For the Command-line arguments section, enter the following (substituting in your own cloud and domain info):

Important!

  1. When entering the cloud name, DO NOT enter the .net at the end, e.g. zscalertwo.net should be entered as zscalertwo
  2. All command-line arguments must be on a single line, separated by spaces. Do not put a line break between arguments or the install will fail.

Command-line arguments can be used for each platform to customize the install. For example, STRICTENFORCEMENT can be used to block access to the internet until your users enroll in the Zscaler Client Connector.

For a list and description of all the MSI customization options, scroll down to point #5 in this help article.

Click Next when ready to move onto the Assignments tab.

Assign Users to the App

There are two different sections you can allocate users or groups to depending on how you want the app rolled out to users:

  • Required = The app is MANDATORY for these users/groups. Any user or group in this section will have the App automatically pushed out to them.
  • Available for enrolled devices = The app is OPTIONAL for these users/groups. The app will not be automatically pushed and the users can go to download the app themselves from within the Company Portal.

Assign your users or groups to the ZCC app accordingly.

Click Next to continue and then Create on the following screen. Your Line-of-Business application will be created and the MSI will upload - be sure to wait until it’s complete.

Done!

This section will cover deploying ZCC onto macOS using Intune.

macOS requires a little bit more effort to get going than Windows does. We will need to do the following on a local macOS machine:

  1. Download the Zscaler Client Connector installer for macOS (this is a .app file)
  2. Create a post-installation script (to customize the install of ZCC with our chosen arguments)
  3. Convert the .app file and script to .pkg (Intune can only work with pkg files on macOS)
  4. Wrap the .pkg file using the Intune App Wrapping Tool (creates an .intunemac file)

If you’re using macOS Catalina 10.15 or higher, you MUST use ZCC v2.1.X or above. Catalina requires that Developer ID-signed software be notarized by its developer (see the Apple quote in step 4 below). Only ZCC releases v2.1 and above are notarized by Zscaler.

Do I need an Apple Developer Account?

An Apple Developer Account is recommended.

You can proceed and deploy the agent without an Apple Developer account, however you will not be able to sign and notarize the .pkg file created below without a valid Developer ID. This will result in your users receiving an error that the software is from an ‘Unidentified Developer’, and depending on security settings, the device may block the install altogether.

If you enroll in the Apple Developer program (US$99), you can sign and notarize your package which will make this error go away. If you’re an organization running a macOS deployment, you will most likely have a developer account for the company already.

But shouldn’t Zscaler have already signed the app I’m deploying?

Yes, Zscaler HAS both signed and notarized the .app package that will be installed. The problem with Intune is that it can only deploy .pkg files to macOS; NOT .app files. We need to wrap our .app file inside a .pkg file for it to work with Intune, and it is this pkg file that needs to be signed and notarized as well.

Obtaining Developer ID Certificates

To sign and notarize the .pkg, you will need both the Developer ID Installer and Developer ID Application certificates. You can create these under the Certificates, Identifiers & Profiles section of your developer account, but will need a Certificate Signing Request (CSR) to do so: Apple has a brief guide on how to generate one using Keychain Access, here.

Download the certificates when you have them and double-click the .cer files to open them in Keychain Access. Add them to the login keychain.

You can check the certificates have been installed correctly by running the following command:

If you have the Developer ID Installer and Developer ID Application certificates, you’re good to proceed.

1. Download the Zscaler Client Connector .app

To start, you’ll need the .app installer for ZCC from the Zscaler Client Connector Portal.

Log into the portal (either through ZIA or ZPA) and navigate to Administration > Zscaler Client Connector Store.

In the macOS panel, click the download link for the latest 2.X.X version. Do not use the older 1.X.X releases.

Unzip the file downloaded to obtain the .app installer.


2. Create the post-installation script

Intune will push out and install the .pkg file - which is just our .app file wrapped up as a .pkg for the purposes of Intune deployment.

The problem, however, is that when Intune deploys the .pkg, it just saves the wrapped .app to the user’s device without doing anything else. We need a way to run and install the .app after Intune has deployed the .pkg, PLUS a way to include arguments to customize the install. A post-installation script will do all of this for us.

To start, on a macOS device open Terminal:

Create a folder called scripts. Inside this folder, create a file called postinstall

Note down the full path to the scripts directory - we’ll need this later.

Open the postinstall file for editing:

Copy and paste the following into the Terminal window (modify the arguments as required):

To exit Nano, press Control + X and then Y to save.

This will do a silent installation of the Zscaler Client Connector (unattended mode) and automatically redirect the user to your company SSO page to sign in.

Important! When entering the cloud name (--cloudName), DO NOT enter the .net at the end, e.g. zscalertwo.net should be entered as zscalertwo

Command-line arguments can be used for each platform to customize the install. For example, --strictEnforcement 1 can be used to block access to the internet until your users enroll in the Zscaler Client Connector.

For a list and description of all the .app customization options, scroll down to point #4 in this help article.

As an example, the script for my installation looks like the following:

Lastly, we need to make the script executable. Run the following in Terminal:

3. Create the PKG file

Intune only supports pkg files for macOS. A .pkg file is analogous to an MSI for Windows. All we are essentially doing is wrapping the .app file inside a .pkg file so that it can be deployed by Intune.

We’ll be using the built-in pkgbuild tool to do this. Open Terminal and run the following command (change the file paths before running):

  • --install-location: This should point to /tmp, or somewhere else writeable on the user machine. The .pkg unpacks itself here, then the postinstall script runs the .app installer, which installs ZCC to the /Applications directory as required. If you change this from /tmp, you’ll need to update the postinstall script as well.
  • --scripts: The path to the scripts folder you created in the step above.
  • --component: The path to the Zscaler Client Connector .app file you downloaded in Step #1.
  • --identifier: A unique identifier for this package. Set a meaningful, consistent reverse-DNS identifier, e.g. com.zscaler.zscalerclientconnector
  • --version: This has no relationship to the actual Zscaler Client Connector version and is only used by Intune. If you ever deploy another pkg via Intune for a different version of ZCC, you’ll need to increment this (e.g. 1.1) so that Intune can tell the pkg files apart. ZCC has its own update mechanism, so you don’t need to use Intune to push out updates to the Zscaler Client Connector software.
  • --sign: If you don’t want your users to receive an error that your package is from an ‘Unidentified Developer’ (which will prevent installation entirely), you will need to sign the package using a valid Apple Developer ID. To do this, you will need to enroll in the Apple Developer program (US$99). If you are an organization, you have probably already done this. Make sure you substitute MY-DEV-NAME with your correct Developer name / org name. If you don’t care about the ‘Unidentified Developer’ error, you can remove the --sign argument.

The last file path listed points to the location where you want to save the output pkg file.


If you’re signing the package and are not sure about your team / developer / org certificate name, you can check this under the Certificates, Identifiers & Profiles section of your Apple Developer account, here.

As an example, my completed pkgbuild command is below:

If you signed your package, you can validate the signatures using pkgutil:

For example:
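As an added example (not the author's command), the script below wires the pkgbuild invocation together with the two checks a practitioner wants before anything is uploaded to Apple: that both Developer ID certificates are present and valid in the keychain, and that the package identifier is well-formed. Paths, the installer version in the file name and the package version are placeholders. The identity for --sign is read from the output of security find-identity -v rather than typed in, so MY-DEV-NAME does not have to be guessed; pkgutil --check-signature and spctl --assess --type install are the two built-in checks run on the result.

```shell
#!/bin/sh
# Build, sign and verify the Intune wrapper .pkg for the ZCC installer (added example).
# Placeholders to replace: APP, SCRIPTS, PKG_VERSION, OUT.

APP="$HOME/Downloads/Zscaler-osx-3.7.1.44-installer.app"   # hypothetical path/version
SCRIPTS="$HOME/zcc/scripts"                                  # folder holding the executable postinstall
IDENT="com.zscaler.zscalerclientconnector"
PKG_VERSION="1.0"                                            # Intune-only version; bump on re-deploy
OUT="$HOME/zcc/ZscalerClientConnector-$PKG_VERSION.pkg"

# Parse `security find-identity -v` output (stdin) and print the full
# "Developer ID Installer" identity name. Fails unless BOTH Developer ID
# certificate types are present: the Installer cert signs the .pkg, and Apple
# expects the Application cert alongside it for notarization.
dev_id_installer_name() {
    _installer=""
    _application=0
    while IFS= read -r _line; do
        case "$_line" in
            *'"Developer ID Installer: '*)
                _installer="${_line#*\"}"       # drop everything up to the opening quote
                _installer="${_installer%\"*}"  # drop the closing quote
                ;;
            *'"Developer ID Application: '*) _application=1 ;;
        esac
    done
    [ -n "$_installer" ] && [ "$_application" -eq 1 ] || return 1
    printf '%s\n' "$_installer"
}

# Accept only reverse-DNS identifiers such as com.example.product.
valid_identifier() {
    case "$1" in
        *..*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

zcc_build_pkg() {
    [ -d "$APP" ] || { echo "missing installer bundle: $APP" >&2; return 1; }
    [ -x "$SCRIPTS/postinstall" ] || { echo "no executable postinstall in $SCRIPTS" >&2; return 1; }
    valid_identifier "$IDENT" || { echo "bad identifier: $IDENT" >&2; return 1; }

    # Confirm the signing identity really is in the keychain before building.
    _sign="$(security find-identity -v | dev_id_installer_name)" || {
        echo "Developer ID Installer and Application certificates are not both present" >&2
        return 1
    }
    echo "signing with: $_sign"

    pkgbuild --install-location /tmp \
             --scripts "$SCRIPTS" \
             --component "$APP" \
             --identifier "$IDENT" \
             --version "$PKG_VERSION" \
             --sign "$_sign" \
             "$OUT" || return 1

    # Both checks must name your Developer ID; "no signature" means --sign was dropped.
    pkgutil --check-signature "$OUT" || return 1
    spctl --assess --type install -vv "$OUT"
}

# Run only when invoked as: sh build_zcc_pkg.sh build
if [ "${1:-}" = "build" ]; then zcc_build_pkg; fi
```

If more than one Developer ID Installer identity is in the keychain (for example an expired one kept alongside its renewal), the last line listed wins; in that case pass the exact identity name to --sign instead.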

4. Notarize the PKG

You only need to do this step if you signed the .pkg file in the previous step. Otherwise you can skip to the next step.

What is notarization? According to Apple:

Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.

Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15 [Catalina], all software built after June 1, 2019, and distributed with Developer ID must be notarized.

Create an App Specific Password

We’re going to notarize the .pkg file via the command line. To do this, you’ll need to generate an App-Specific Password for the Apple ID of your Developer Account:

How to generate an app-specific password

  1. Sign in to your Apple ID account page.
  2. In the Security section, click Generate Password below App-Specific Passwords.
  3. Follow the steps on your screen.

Next, open Keychain and click the “+” icon to add a new Keychain Item.

  • For Keychain Item Name, enter notarization-tool
  • For Account Name, enter the email associated with your Developer Account / Apple ID.
  • For Password, copy and paste the app-specific password from your Apple ID account.

Request Notarization

To request notarization from Apple, run the following command (replacing the values with your own):

  • username: The Apple ID username associated with your Apple Developer Account
  • password: Enter @keychain: followed by the name of the Keychain Item in which you saved your app-specific password. altool fetches the password from the keychain, so it never appears on the command line or in your shell history.
  • asc-provider: The Team ID from your Developer Account. You can find this by logging into your Developer Account and reviewing your profile.
  • primary-bundle-id: Must match the identifier you specified when you created the pkg.
  • file: The path to the .pkg file

For example:

If you receive an error that the tool is not on your machine, ensure you have Xcode and Xcode Command-line Tools installed.

The command will take a while to run as it is uploading your .pkg file to Apple. Once done, it will return a UUID which you can use to check the status of your notarization request:

Once the process is complete (mine took under 10 minutes), you’ll receive a confirmation email as to whether your request was successful or not.

Staple the Notarization Ticket

The last step is to staple the notarization ticket to the .pkg file. This ensures that a Mac device that is offline can still validate that the .pkg file is notarized:

Note: If your command fails, wait a few minutes and try again. If your command continuously fails, and your traffic is going through ZIA or another proxy, you may need to bypass api.apple-cloudkit.com from SSL inspection due to certificate pinning.

Validate the staple action was successful:
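The notarization round trip as an added example, not the author's commands: submit with altool using the fields from the table above, poll --notarization-info until a terminal status instead of waiting for the e-mail, then staple and validate. Paths, the Apple ID, the Team ID and the keychain item name are placeholders. One caveat: current Xcode releases no longer accept notarization uploads through altool; xcrun notarytool submit --wait replaces the submit-and-poll part below, while the staple and validate steps are unchanged.

```shell
#!/bin/sh
# Notarize, poll, staple and verify the signed wrapper .pkg (added example).
# Follows the altool flow described in the post; `xcrun notarytool submit --wait`
# does the submit/poll part on newer Xcode.

PKG="$HOME/zcc/ZscalerClientConnector-1.0.pkg"   # hypothetical path
BUNDLE_ID="com.zscaler.zscalerclientconnector"   # must match pkgbuild --identifier
APPLE_ID="developer@example.com"                 # placeholder Apple ID
TEAM_ID="ABCDE12345"                             # placeholder Team ID (asc-provider)
KEYCHAIN_ITEM="notarization-tool"                # keychain item holding the app-specific password
POLL_SECONDS=30
POLL_LIMIT=40                                    # 40 x 30 s = 20 minutes

# Pull the UUID out of altool's "RequestUUID = <uuid>" upload output (stdin).
parse_request_uuid() {
    sed -n 's/^[[:space:]]*RequestUUID[[:space:]]*[=:][[:space:]]*\([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Pull the value of the "Status:" line out of --notarization-info output (stdin).
# Apple reports "in progress", "success" or "invalid"; prints nothing if absent.
parse_status() {
    sed -n 's/^[[:space:]]*Status:[[:space:]]*\(.*\)$/\1/p' | head -n 1
}

zcc_notarize() {
    [ -f "$PKG" ] || { echo "no such package: $PKG" >&2; return 1; }

    _upload="$(xcrun altool --notarize-app \
        --primary-bundle-id "$BUNDLE_ID" \
        --username "$APPLE_ID" \
        --password "@keychain:$KEYCHAIN_ITEM" \
        --asc-provider "$TEAM_ID" \
        --file "$PKG" 2>&1)" || { printf '%s\n' "$_upload" >&2; return 1; }

    _uuid="$(printf '%s\n' "$_upload" | parse_request_uuid)"
    [ -n "$_uuid" ] || { echo "no RequestUUID in altool output" >&2; return 1; }
    echo "submitted, RequestUUID=$_uuid"

    # Poll rather than wait for the e-mail; stop on a terminal state or on timeout.
    _i=0
    _status=""
    while [ "$_i" -lt "$POLL_LIMIT" ]; do
        _info="$(xcrun altool --notarization-info "$_uuid" \
            --username "$APPLE_ID" --password "@keychain:$KEYCHAIN_ITEM" 2>&1)"
        _status="$(printf '%s\n' "$_info" | parse_status)"
        case "$_status" in
            success) break ;;
            invalid)
                # The LogFileURL in this output lists exactly what Apple rejected.
                printf '%s\n' "$_info" >&2
                return 1 ;;
        esac
        _i=$((_i + 1))
        sleep "$POLL_SECONDS"
    done
    [ "$_status" = "success" ] || { echo "timed out waiting for notarization" >&2; return 1; }

    # Attach the ticket so offline Macs can verify it, then check Gatekeeper's verdict.
    xcrun stapler staple "$PKG" || return 1
    xcrun stapler validate "$PKG" || return 1
    spctl --assess --type install -vv "$PKG"
}

# Run only when invoked as: sh notarize_zcc_pkg.sh notarize
if [ "${1:-}" = "notarize" ]; then zcc_notarize; fi
```

The final spctl line is the same assessment Gatekeeper performs on a user's Mac; "accepted" with "source=Notarized Developer ID" is the result you want before handing the file to the Intune wrapping tool.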

5. Test the PKG

Before going further, test your PKG file by running it and seeing if it successfully installs the Zscaler Client Connector silently. Make sure you don’t already have ZCC installed when doing this however!

If you have an existing installation of ZCC, you can remove it under Applications/Zscaler/Uninstall-Zscaler-App

6. Create an .intunemac file

Once you’ve verified your PKG file functions correctly, we need to wrap it for use with Intune.

Download the Intune App Wrapping Tool for Mac (this is a Microsoft-owned repository).

Next:

  1. Unzip the source code folder
  2. Open Terminal
  3. Change directory to where the IntuneAppUtil file is located
  4. Make the IntuneAppUtil file executable:

Locate the PKG file you created above and use the IntuneAppUtil tool to wrap the .pkg file to a .intunemac file:

For example:

If everything went well, you should see the .intunemac file in your specified output directory.

7. Add a new Line-of-Business app in MEM



In the Apps menu of the MEM portal, navigate to Apps > All Apps > Add. In the panel that appears, scroll to the bottom and under the Other heading, select Line-of-business app.

When prompted to select an app package file, upload the .intunemac file you created above and click OK.

Customize the App Details

Fill in the required details about the app:

  • Name: Enter Zscaler Client Connector 2.X.X.X - macOS (where 2.X.X.X is the version number of the app; this helps you distinguish which version Intune is distributing)
  • Description: Enter Zscaler Client Connector for macOS
  • Publisher: Enter Zscaler, Inc
  • Minimum operating system: Select OS X Yosemite 10.10 (ZCC supports macOS 10.10+)
  • Ignore app version: Set to Yes. ZCC updates itself once deployed, so Intune can safely ignore the version the user has installed after deployment.
  • Category: (Optional) Select an app category for the Zscaler Client Connector.

Click Next to move to the Assignments tab.

Assign Users to the App

There are two different sections you can allocate users or groups to depending on how you want the app rolled out to users:

  • Required = The app is MANDATORY for these users/groups. Any user or group in this section will have the App automatically pushed out to them.
  • Available for enrolled devices = The app is OPTIONAL for these users/groups. The app will not be automatically pushed and the users can go to download the app themselves from within the Company Portal.

Assign your users or groups to the ZCC app for macOS accordingly.

Click Next to continue and then Create on the following screen. Your macOS Line-of-Business application will be created and the .intunemac file will upload - be sure to wait until it’s complete.

Done!