Zscaler Mac App Store



Originally posted @ https://nathancatania.com/posts/deploy-zapp-with-intune/
You can use the Table of Contents at this link to jump to the sections you need.


In this guide, we’ll walk through how to configure Microsoft Intune from scratch and use it to deploy the Zscaler Client Connector (ZCC) agent, formerly known as Zscaler App (ZApp).


Due to length, I’ve split this into two posts:

  • This post covers deployment on Windows and macOS.
  • The other post, available here, covers iOS and Android.

According to Microsoft:

Microsoft Intune is a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM).
With Intune, you can:

  • Set rules and configure settings on personal and organization-owned devices to access data and networks.
  • Deploy and authenticate apps on devices – on-premises and mobile.
  • Be sure devices and apps are compliant with your security requirements.

In order to access Intune, you need to have either a Microsoft 365 or Enterprise & Mobility E3/E5 subscription. If you’re using a free Azure account, you’ll need to sign up to a trial, or pay per user (which can get costly).

Scott Bullock (@scottyb) has posted a great 10 minute video that runs through the user experience of enrolling a fresh Windows 10 device into Intune. ZCC is automatically pushed out and transparently authenticated for both ZIA and ZPA.

When adding an app to Intune, you’ll be prompted to allocate the groups of users (or devices) that the app will be rolled out to. Hence before beginning, ensure you have the users of Zscaler inside of an AD or Azure AD group that you can assign the Zscaler Client Connector app to.

Depending on whether you want the ZCC app to be mandatory or optional for certain groups of users, you may want to divide your users into two groups:

  1. The users to which the app is MANDATORY. Any user in this group will have the app automatically pushed out to them.
  2. The users to which the app is OPTIONAL. The app will not be automatically pushed for users in this group, allowing them to go to the Company Portal and download it themselves if they choose.

In my examples below, I have 3 groups:

| Group | Description |
|---|---|
| ZIA_Entitlement | This is the group of all users that are entitled to use Zscaler Internet Access (ZIA). |
| ZPA_Entitlement | This is the group of all users that are entitled to use Zscaler Private Access (ZPA). In my case, this is a subset of users from the ZIA_Entitlement group, as I might not want to roll ZPA out to every user in the organization. |
| Zscaler - Mandatory | This group contains every user in the organization to which the ZCC app will be automatically rolled out, i.e. the majority of users from the above two groups. If this is your organization, you might include the whole org in this group, except select users (eg: some from IT) for which the app will be optional. |

We’ll be using the Microsoft Endpoint Manager console (MEM) to orchestrate Intune. You can log in using the same Azure Portal credentials here: https://endpoint.microsoft.com

(Optional) Setting the MDM Authority

If you’re using an existing Office 365 account and have been using the Office 365 MDM, you’ll need to change the MDM authority from Office 365 to Intune. This Microsoft help article will guide you through it.

Windows

This section will cover deploying ZCC onto Windows using Intune.

1. Download the Zscaler Client Connector MSI

To start you’ll need the .MSI installer for ZCC from the Zscaler Client Connector Portal. Log into the portal (either through ZIA or ZPA) and navigate to Administration > Zscaler Client Connector Store.

In the Windows panel, download the MSI for the latest 2.X.X version. Do not use the older 1.X.X releases.

2. Add a new Line-of-Business App

Add a new Line of Business (LoB) App

Back in the Apps menu of the MEM portal, navigate to Apps > All Apps > Add. In the panel that appears, scroll to the bottom and under the Other heading, select Line-of-business app.

When prompted to select an app package file, upload the MSI of the Zscaler Client Connector you downloaded above and click OK.

Customize the App Details

Fill in the required details about the app:

| Field | Content |
|---|---|
| Name | Enter Zscaler Client Connector 2.X.X.X (where 2.X.X.X is the version number of the app - this will help you distinguish what version is being distributed by Intune) |
| Description | Enter Zscaler Client Connector |
| Publisher | Enter Zscaler, Inc |
| Ignore app version | Set to Yes. ZCC will automatically update itself once deployed, so Intune can safely ignore the version the user has installed after deployment. |
| Category | (Optional) Select an app category to allocate the Zscaler Client Connector to. |
| Command-line arguments | See below. |

For the Command-line arguments section, enter the following (substituting in your own cloud and domain info):

Important!

  1. When entering the cloud name, DO NOT enter the .net at the end. Eg: zscalertwo.net should be entered as zscalertwo

  2. All command-line arguments should be on a single line with a space separating them. Do not linebreak each argument or they will fail.

Command-line arguments can be used for each platform to customize the install. For example, STRICTENFORCEMENT can be used to block access to the internet until your users enroll in the Zscaler Client Connector.

For a list and description of all the MSI customization options, scroll down to point #5 in this help article.


Click Next when ready to move onto the Assignments tab.

Assign Users to the App

There are two different sections you can allocate users or groups to depending on how you want the app rolled out to users:

  • Required = The app is MANDATORY for these users/groups. Any user or group in this section will have the App automatically pushed out to them.

  • Available for enrolled devices = The app is OPTIONAL for these users/groups. The app will not be automatically pushed and the users can go to download the app themselves from within the Company Portal.

Assign your users or groups to the ZCC app accordingly.

Click Next to continue and then Create on the following screen. Your Line-of-Business application will be created and the MSI will upload - be sure to wait until it’s complete.

Done!

macOS

This section will cover deploying ZCC onto macOS using Intune.

macOS requires a little bit more effort to get going than Windows does. We will need to do the following on a local macOS machine:

  1. Download the Zscaler Client Connector installer for macOS (this is a .app file)
  2. Create a post-installation script (to customize the install of ZCC with our chosen arguments)
  3. Convert the .app file and script to .pkg (Intune can only work with pkg files on macOS)
  4. Wrap the .pkg file using the Intune App Wrapping Tool (creates an .intunemac file)

Do I need an Apple Developer Account?

An Apple Developer Account is recommended.

You can proceed and deploy the agent without an Apple Developer account, however you will not be able to sign and notarize the .pkg file created below without a valid Developer ID. This will result in your users receiving an error about the software coming from an ‘Unidentified Developer’, and depending on security settings, the device may block the install altogether.

If you enroll in the Apple Developer program (US$99), you can sign and notarize your package which will make this error go away. If you’re an organization running a macOS deployment, you will most likely have a developer account for the company already.

But shouldn’t Zscaler have already signed the app I’m deploying?

Yes, Zscaler HAS both signed and notarized the .app package that will be installed. The problem with Intune is that it can only deploy .pkg files to macOS; NOT .app files. We need to wrap our .app file inside a .pkg file for it to work with Intune, and it is this pkg file that needs to be signed and notarized as well.

Obtaining Developer ID Certificates

To sign and notarize the .pkg, you will need both the Developer ID Installer and Developer ID Application certificates. You can create these under the Certificates, Identifiers & Profiles section of your developer account, but will need a Certificate Signing Request (CSR) to do so: Apple have a brief guide on how to generate one using Keychain, here.

Download the certificates when you have them and click to open the .cer files in Keychain. Add them as a login certificate.

You can check the certificates have been installed correctly by running the following command:

If you have the Developer ID Installer and Developer ID Application certificates, you’re good to proceed.
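The check above, as an added example (not part of the original post): a small shell helper that reads the identity listing and reports whether both Developer ID certificates are present, so a missing one is caught before the signing step fails. On a Mac the wrapper runs `security find-identity -v` (which lists each identity as `"Developer ID Installer: Name (TEAMID)"` or `"Developer ID Application: Name (TEAMID)"`); anywhere else the listing can be passed in as text. The Example Corp entries are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: confirm both Developer ID
# identities are installed before trying to sign the .pkg.
set -eu

# $1 = output of "security find-identity -v". Prints which identities were
# found or are missing; returns 1 if either is absent, 0 if both are present.
check_developer_ids() {
    listing="$1"; missing=0
    for kind in "Developer ID Installer" "Developer ID Application"; do
        if printf '%s\n' "$listing" | grep -q "\"$kind:"; then
            echo "found:   $kind"
        else
            echo "missing: $kind"
            missing=1
        fi
    done
    return "$missing"
}

# Convenience wrapper for use on macOS, where the security tool exists.
check_developer_ids_in_keychain() {
    check_developer_ids "$(security find-identity -v)"
}

# Usage on a Mac:  check_developer_ids_in_keychain || echo "install the missing certificate first"
```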

1. Download the Zscaler Client Connector .app

To start, you’ll need the .app installer for ZCC from the Zscaler Client Connector Portal.

Log into the portal (either through ZIA or ZPA) and navigate to Administration > Zscaler Client Connector Store.

In the macOS panel, click the download link for the latest 2.X.X version. Do not use the older 1.X.X releases.

Unzip the file downloaded to obtain the .app installer.

2. Create the post-installation script

Intune will push out and install the .pkg file - which is just our .app file wrapped up as a .pkg for the purposes of Intune deployment.


The problem, however, is that when Intune deploys the .pkg, it just saves the wrapped .app to the user’s device without doing anything else. We need a way to run and install the .app after Intune has deployed the .pkg, PLUS a way to include arguments to customize the install. A post-installation script will do all of this for us.

To start, on a macOS device open Terminal:

Create a folder called scripts. Inside this folder, create a file called postinstall

Note down the full path to the scripts directory - we’ll need this later.

Open the postinstall file for editing:

Copy and paste the following into the Terminal window (modify the arguments as required):

To exit Nano, press Control + X and then Y to save.

This will do a silent installation of the Zscaler Client Connector (unattended mode) and automatically redirect the user to your company SSO page to sign in.

Important! When entering the cloud name (--cloudName), DO NOT enter the .net at the end. Eg: zscalertwo.net should be entered as zscalertwo

Command-line arguments can be used for each platform to customize the install. For example, --strictEnforcement 1 can be used to block access to the internet until your users enroll in the Zscaler Client Connector.

For a list and description of all the .app customization options, scroll down to point #4 in this help article.

As an example, the script for my installation looks like the following:

Lastly, we need to make the script executable. Run the following in Terminal:

3. Create the PKG file

Intune only supports pkg files for macOS. A .pkg file is analogous to an MSI for Windows. All we are essentially doing is wrapping the .app file inside a .pkg file so that it can be deployed by Intune.

We’ll be using the built-in pkgbuild tool to do this. Open Terminal and run the following command (change the file paths before running):

| Field | Description |
|---|---|
| --install-location | This should point to the tmp folder, or somewhere writeable on the user machine. The .pkg will unpack itself here, then run the .app installer, which will install ZCC to the /Applications directory as required. If you change this from /tmp, you’ll need to update the postinstall script as well. |
| --scripts | This should be the path to the scripts folder you created in the step above. |
| --component | This file path should point to the Zscaler Client Connector .app file you downloaded in Step #1. |
| --identifier | Specify a unique identifier for this package. It is advisable to set a meaningful, consistent identifier, eg: com.zscaler.zscalerclientconnector |
| --version | This has no relationship to the actual Zscaler Client Connector version. This is only used by Intune. If you ever deploy another pkg via Intune for a different version of ZCC, you’ll need to increment this (eg: Version 1.1) so that Intune can tell the pkg files apart. Note that ZCC has its own update mechanism, so you don’t need to worry about using Intune to push out updates to the Zscaler Client Connector software. |
| --sign | If you don’t want your users to receive an error that your package is from an ‘Unidentified Developer’ (which will prevent installation entirely), you will need to sign the package using a valid Apple Developer ID. To do this, you will need to enroll in the Apple Developer program (US$99). If you are an organization, you probably have already done this. Make sure you correctly substitute MY-DEV-NAME with your correct Developer name / org name. If you don’t care about the ‘Unidentified Developer’ error, you can remove the --sign argument. |

The last file path listed points to the location where you want to save the output pkg file.
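Steps 2 and 3 together, as an added example that is not part of the original post: a shell script that creates the scripts folder and the postinstall file, makes it executable, strips a stray .net from the cloud name (the mistake called out above), and then assembles the pkgbuild command with the arguments from the table. The installer entry point inside the .app bundle (Contents/MacOS/installbuilder.sh) and the --unattendedmodeui, --mode and --userDomain arguments are my assumptions about the unattended-mode installer; --cloudName and --strictEnforcement are the arguments discussed above. The bundle name, cloud name, domain and MY-DEV-NAME in the usage line are placeholders. pkgbuild only exists on macOS, so elsewhere the script just prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the original post: builds scripts/postinstall and the
# pkgbuild invocation for wrapping the Zscaler Client Connector .app as a .pkg.
set -eu

# Strip a trailing ".net" so "zscalertwo.net" becomes "zscalertwo", which is
# the form the installer expects for --cloudName.
zcc_cloud_name() {
    printf '%s\n' "$1" | sed 's/\.net$//'
}

# Write $1/scripts/postinstall and make it executable.
# $2 = .app bundle name, $3 = cloud name, $4 = user domain,
# $5 = install location handed to pkgbuild (default /tmp).
write_postinstall() {
    workdir="$1"; app_name="$2"; cloud="$(zcc_cloud_name "$3")"; domain="$4"
    install_loc="${5:-/tmp}"
    mkdir -p "$workdir/scripts"
    cat > "$workdir/scripts/postinstall" <<EOF
#!/bin/sh
# Runs after Intune has unpacked the .app into $install_loc.
# Installer entry point is an assumption: check it against your downloaded bundle.
"$install_loc/$app_name/Contents/MacOS/installbuilder.sh" \\
    --unattendedmodeui none --mode unattended \\
    --cloudName $cloud --userDomain $domain --strictEnforcement 1
exit 0
EOF
    chmod +x "$workdir/scripts/postinstall"
}

# Print, and on a Mac with pkgbuild present run, the pkgbuild command.
# $1 = workdir containing scripts/, $2 = path to the .app, $3 = output .pkg,
# $4 = Developer ID name (optional; omit to build an unsigned package).
build_zcc_pkg() {
    workdir="$1"; app_path="$2"; out_pkg="$3"; dev_name="${4:-}"
    set -- pkgbuild --install-location /tmp \
        --scripts "$workdir/scripts" \
        --component "$app_path" \
        --identifier com.zscaler.zscalerclientconnector \
        --version 1.0
    if [ -n "$dev_name" ]; then
        set -- "$@" --sign "Developer ID Installer: $dev_name"
    fi
    set -- "$@" "$out_pkg"
    printf '%s ' "$@"; echo
    if command -v pkgbuild >/dev/null 2>&1; then
        "$@"
    fi
}

# Usage (placeholders):
#   write_postinstall "$HOME/zcc-build" Zscaler-osx-2.X.X-installer.app zscalertwo example.com
#   build_zcc_pkg "$HOME/zcc-build" "$HOME/Downloads/Zscaler-osx-2.X.X-installer.app" "$HOME/zcc-build/ZCC.pkg" MY-DEV-NAME
```

The signed form of the command is only worth running after the certificate check earlier on has passed; without a Developer ID name the script builds the unsigned package the table describes.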

If you’re signing the package and are not sure about your team / developer / org certificate name, you can check this under the Certificates, Identifiers & Profiles section of your Apple Developer account, here.

As an example, my completed pkgbuild command is below:

If you signed your package, you can validate the signatures using pkgutil:

For example:

4. Notarize the PKG

You only need to do this step if you signed the .pkg file in the previous step. Otherwise you can skip to the next step.

What is notarization? According to Apple:

Notarization gives users more confidence that the Developer ID-signed software you distribute has been checked by Apple for malicious components. If there are no issues, the notary service generates a ticket for you to staple to your software; the notary service also publishes that ticket online where Gatekeeper can find it.

Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15 [Catalina], all software built after June 1, 2019, and distributed with Developer ID must be notarized.

Create an App Specific Password

We’re going to notarize the .pkg file via the command-line. To do this, you’ll need to generate an App Specific Password for the Apple ID of your Developer Account:

How to generate an app-specific password

  1. Sign in to your Apple ID account page.
  2. In the Security section, click Generate Password below App-Specific Passwords.
  3. Follow the steps on your screen.

Next, open Keychain and click the “+” icon to add a new Keychain Item.

  • For Keychain Item Name, enter notarization-tool
  • For Account Name, enter the email associated with your Developer Account / Apple ID.
  • For Password, copy and paste the app-specific password from your Apple ID account.

Request Notarization

To request notarization from Apple, run the following command (replacing the values with your own):

| Field | Value |
|---|---|
| username | The Apple ID username associated with your Apple Developer Account |
| password | Enter @keychain: followed by the name of the Keychain Item you saved your app-specific password to. This will fetch the password from the keychain. |
| asc-provider | This is the Team ID from your Developer Account. You can find this by logging into your Developer Account and reviewing your profile. |
| primary-bundle-id | This should match the identifier you specified when you created the pkg. |
| file | The path to the .pkg file |

For example:

If you receive an error that the tool is not on your machine, ensure you have Xcode and Xcode Command-line Tools installed.

The command will take a while to run as it is uploading your .pkg file to Apple. Once done, it will return a UUID which you can use to check the status of your notarization request:

Once the process is complete (mine took under 10 minutes), you’ll receive a confirmation email as to whether your request was successful or not.

Staple the Notarization Ticket

The last step is to staple the notarization ticket to the .pkg file. This ensures that a Mac device that is offline can still validate that the .pkg file is notarized:

Note: If your command fails, wait a few minutes and try again. If your command continuously fails, and your traffic is going through ZIA or another proxy, you may need to bypass api.apple-cloudkit.com from SSL inspection due to certificate pinning.

Validate the staple action was successful:
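The whole of step 4 as one script, added here as an example and not part of the original post: it submits the .pkg with altool using the fields from the table above, pulls the RequestUUID out of the reply, polls the request until Apple reports a result, and only then staples and validates. Assumed values: the Keychain item name notarization-tool from the section above and placeholder Apple ID / Team ID / bundle identifier in the usage line. xcrun and altool only exist on a Mac with Xcode installed, so the two parsing helpers are what can be exercised elsewhere; the altool replies used to test them are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: notarize, poll and staple a signed .pkg.
set -eu

# Extract "RequestUUID = <uuid>" from an altool --notarize-app reply ($1).
altool_request_uuid() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*RequestUUID = \([0-9A-Fa-f-]*\).*/\1/p' | head -n 1
}

# Extract the "Status: ..." value from an altool --notarization-info reply ($1):
# "in progress", "success" or "invalid". "Status Code:" lines do not match.
altool_status() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Status: \(.*\)$/\1/p' | head -n 1
}

# $1 = Apple ID, $2 = Team ID (asc-provider), $3 = bundle identifier, $4 = .pkg path.
notarize_pkg() {
    apple_id="$1"; team_id="$2"; bundle_id="$3"; pkg="$4"
    reply=$(xcrun altool --notarize-app --username "$apple_id" \
        --password "@keychain:notarization-tool" --asc-provider "$team_id" \
        --primary-bundle-id "$bundle_id" --file "$pkg" 2>&1) || true
    uuid=$(altool_request_uuid "$reply")
    [ -n "$uuid" ] || { echo "no RequestUUID in reply:"; echo "$reply"; return 1; }
    echo "submitted: $uuid"
    # Poll every 30 s until the status leaves "in progress".
    status=""
    while :; do
        info=$(xcrun altool --notarization-info "$uuid" --username "$apple_id" \
            --password "@keychain:notarization-tool" 2>&1) || true
        status=$(altool_status "$info")
        echo "status: ${status:-unknown}"
        [ "$status" = "in progress" ] || [ -z "$status" ] || break
        sleep 30
    done
    # Staple only a successful ticket; an "invalid" result has a LogFileURL in $info.
    [ "$status" = "success" ] || { echo "$info"; return 1; }
    xcrun stapler staple "$pkg"
    xcrun stapler validate "$pkg"
}

# Usage (placeholders):
#   notarize_pkg you@example.com TEAMID0000 com.zscaler.zscalerclientconnector "$HOME/zcc-build/ZCC.pkg"
```

Newer Xcode releases replace altool with xcrun notarytool, which takes the same Apple ID, app-specific password and Team ID; the stapling step is unchanged.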

5. Test the PKG

Before going further, test your PKG file by running it and seeing if it successfully installs the Zscaler Client Connector silently. Make sure you don’t already have ZCC installed when doing this however!

If you have an existing installation of ZCC, you can remove it under Applications/Zscaler/Uninstall-Zscaler-App

6. Create an .intunemac file

Once you’ve verified your PKG file functions correctly, we need to wrap it for use with Intune.

Download the Intune App Wrapping Tool for Mac (this is a Microsoft-owned repository).

Next:

  1. Unzip the source code folder
  2. Open Terminal
  3. Change directory to where the IntuneAppUtil file is located
  4. Make the IntuneAppUtil file executable:

Locate the PKG file you created above and use the IntuneAppUtil tool to wrap the .pkg file to a .intunemac file:

For example:

If everything went well, you should see the .intunemac file in your specified output directory.

7. Add a new Line-of-Business app in MEM

Add a new Line of Business (LoB) App

In the Apps menu of the MEM portal, navigate to Apps > All Apps > Add. In the panel that appears, scroll to the bottom and under the Other heading, select Line-of-business app.

When prompted to select an app package file, upload the .intunemac file you created above and click OK.

Customize the App Details

Fill in the required details about the app:

| Field | Content |
|---|---|
| Name | Enter Zscaler Client Connector 2.X.X.X - macOS (where 2.X.X.X is the version number of the app - this will help you distinguish what version is being distributed by Intune) |
| Description | Enter Zscaler Client Connector for macOS |
| Publisher | Enter Zscaler, Inc |
| Minimum operating system | Select OS X Yosemite 10.10 (ZCC supports macOS 10.10+) |
| Ignore app version | Set to Yes. ZCC will automatically update itself once deployed, so Intune can safely ignore the version the user has installed after deployment. |
| Category | (Optional) Select an app category to allocate the Zscaler Client Connector to. |

Click Next to move to the Assignments tab.

Assign Users to the App

There are two different sections you can allocate users or groups to depending on how you want the app rolled out to users:

  • Required = The app is MANDATORY for these users/groups. Any user or group in this section will have the App automatically pushed out to them.
  • Available for enrolled devices = The app is OPTIONAL for these users/groups. The app will not be automatically pushed and the users can go to download the app themselves from within the Company Portal.

Assign your users or groups to the ZCC app for macOS accordingly.

Click Next to continue and then Create on the following screen. Your macOS Line-of-Business application will be created and the .intunemac file will upload - be sure to wait until it’s complete.

8. (Optional) Configure Intune for Apple Devices

Apple requires an MDM Push Certificate to enable management of iOS, iPadOS and macOS devices. If you haven’t used any macOS devices with Intune before, you’ll need to follow the steps outlined by Microsoft here before you can enroll and test any Apple devices. This involves generating an MDM certificate in your Apple Developer account and passing it to Intune.

Done!

Over 90% of websites now use TLS encryption (HTTPS) as the access method. Enterprises utilise TLS inspection for Advanced Threat Protection, Access controls, Visibility, and

In this directory structure, you can add the Zscaler certificate into the certs directory by simply copying the file in.

cp ZscalerRootCertificate-2048-SHA256.crt $(openssl version -d | cut -f2 -d '"')/certs

Alternatively you can place the file into the anchors directory and run the update-ca-trust command to push the certificate into the CA-Trust files. This is more robust, since the CA-Trust bundle can be referenced directly by other applications.

cp ZscalerRootCertificate-2048-SHA256.crt /etc/pki/ca-trust/source/anchors/ && update-ca-trust

Python


Python will (again) typically use its own CA store. You can identify the store if the certifi package is installed:

python -m certifi

Which will output

/usr/lib/python2.7/site-packages/certifi/cacert.pem

You can update the Zscaler certificate into this CA Store by doing the following

cat ZscalerRootCertificate-2048-SHA256.crt >> $(python -m certifi)

Similarly, you can configure system variables to point to this CA Store (or point to the OpenSSL store you’ve updated previously)

export CERT_PATH=$(python -m certifi)
export SSL_CERT_FILE=${CERT_PATH}
export REQUESTS_CA_BUNDLE=${CERT_PATH}

Base Operating System

macOS behaves very similarly to Linux, but has its own configurations and directories. macOS will mostly use the Keychain, which should keep the OpenSSL CA store in sync. Either import the certificate to the trusted root store using Keychain, or run the following in the Terminal.

sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain <CERTIFICATE>


It may still be necessary to update the OpenSSL CA Store to include the Zscaler certificate for any application which reads it directly.

cat ZscalerRootCertificate-2048-SHA256.crt | sudo tee -a /usr/local/etc/openssl/cert.pem > /dev/null

Python

Python will (again) typically use its own CA store. You can identify the store if the certifi package is installed:

python -m certifi

Which will output

~/Library/Python/3.7/lib/python/site-packages/certifi/cacert.pem

You can update the Zscaler certificate into this CA Store by doing the following

cat ZscalerRootCertificate-2048-SHA256.crt >> $(python -m certifi)

Similarly, you can configure system variables to point to this CA Store (or point to the OpenSSL store you’ve updated previously)

export CERT_PATH=$(python -m certifi)
export SSL_CERT_FILE=${CERT_PATH}
export REQUESTS_CA_BUNDLE=${CERT_PATH}
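The cat >> step in this section and in the Linux Python section above both append the certificate unconditionally, so every re-run adds another copy to the bundle. Here is an added example (not part of the original page) of the same step made idempotent: it appends the certificate only if it is not already in the bundle, and fixes up a bundle whose last line lacks a newline so the two PEM blocks do not run together. It identifies the certificate by the first base64 line of its body, so it needs no openssl on the machine. The certificates in the test are constructed PEM-shaped placeholders, not the real Zscaler root.

```shell
#!/bin/sh
# Added example, not from the original page: append a root certificate to a PEM
# bundle (certifi's cacert.pem, the OpenSSL cert.pem, ...) only once.
set -eu

# Return 0 if the certificate in $1 is already present in bundle $2.
# Line 2 of a PEM file holds the first 64 base64 characters of the DER
# encoding, which include the serial number, so it is distinctive enough
# to serve as a fingerprint for an exact-line match.
cert_in_bundle() {
    probe="$(sed -n '2p' "$1")"
    [ -n "$probe" ] && grep -qxF -e "$probe" "$2" 2>/dev/null
}

# Append cert $1 to bundle $2 unless it is already there; prints "added" or
# "present". The bundle is created if it does not exist.
add_cert_to_bundle() {
    cert="$1"; bundle="$2"
    [ -f "$bundle" ] || : > "$bundle"
    if cert_in_bundle "$cert" "$bundle"; then
        echo present
        return 0
    fi
    # A bundle whose last line has no newline would glue "-----END" and "-----BEGIN" together.
    if [ -s "$bundle" ] && ! tail -c 1 "$bundle" | read -r _; then
        echo >> "$bundle"
    fi
    cat "$cert" >> "$bundle"
    echo added
}

# Number of certificates in bundle $1 (0 when none).
cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Usage, following the page's procedure:
#   add_cert_to_bundle ZscalerRootCertificate-2048-SHA256.crt "$(python -m certifi)"
#   export SSL_CERT_FILE="$(python -m certifi)" REQUESTS_CA_BUNDLE="$(python -m certifi)"
```

One caveat worth knowing: upgrading certifi (pip install --upgrade certifi) replaces cacert.pem, so the append has to be repeated afterwards; pointing SSL_CERT_FILE and REQUESTS_CA_BUNDLE at the system store you updated earlier avoids that.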

Docker, on Windows, macOS and Linux, will use the OpenSSL CA trust store for its connections. Ensure this is configured so that Docker can download packages as you instantiate them in your Dockerfile.

Once the Dockerfile is loaded and being processed, containers will make their own connections which will need to trust the Zscaler certificate. It’s therefore important to combine the above approaches to ensure your Docker container has the Zscaler certificates installed.

This example uses three files. The .env file controls whether the build is being run in production (no Zscaler) or development (Zscaler). The docker-compose.yaml file reads the BUILD_ENV variable and passes it to the Dockerfile as a build argument.


.env

BUILD_ENV=production

OR

BUILD_ENV=development

docker-compose.yaml


version: '3.1'

services:
  dotnetconf19:
    image: dockersamples/dotnetconf:19
    build:
      context: .
      args:
        - BUILD_ENV=${BUILD_ENV:-production}
        - CERT_FILE=${CERT_FILE:-/etc/ssl/certs/ca-certificates.crt}
    environment:
      - BUILD_ENV=${BUILD_ENV:-production}
      - CERT_FILE=${CERT_FILE:-/etc/ssl/certs/ca-certificates.crt}

Dockerfile


FROM mcr.microsoft.com/dotnet/core/sdk:3.0.100-preview9 AS builder

# No need to install certificates here – no Internet requests made

WORKDIR /src
COPY src/WebRequests.csproj .
RUN dotnet restore

COPY src/ .
RUN dotnet publish -c Release -o /out WebRequests.csproj

FROM mcr.microsoft.com/dotnet/core/runtime:3.0.0-preview9

# Image runs internet requests over HTTPS – install certs if dev environment
# Set ARG BUILD_ENV default = production
ARG BUILD_ENV=production

# Expose the build arg as an environment variable so it can be read at run time
ENV BUILD_ENV $BUILD_ENV
# Add the CA certificate to the container
ADD src/ZscalerRootCertificate-2048-SHA256.crt /tmp/ZscalerRootCertificate-2048-SHA256.crt
# Use BUILD_ENV within the container to copy the CA certificate into the certificate directory and update.
# Double quotes so the shell expands $BUILD_ENV (single quotes compare the literal string and always take the
# non-production branch); the cut delimiter is the double-quote character that wraps the OPENSSLDIR path.
# On Debian-based images update-ca-certificates only reads /usr/local/share/ca-certificates (and
# /usr/share/ca-certificates), so the certificate is also copied there for it to be picked up.
RUN if [ "$BUILD_ENV" = "production" ] ; then echo "production env" ; else echo "non-production env: $BUILD_ENV" ; CERT_DIR=$(openssl version -d | cut -f2 -d '"')/certs ; cp /tmp/ZscalerRootCertificate-2048-SHA256.crt "$CERT_DIR" ; mkdir -p /usr/local/share/ca-certificates ; cp /tmp/ZscalerRootCertificate-2048-SHA256.crt /usr/local/share/ca-certificates/ ; update-ca-certificates ; fi

# Continue the build where the HTTPS connections are made
WORKDIR /app
ENTRYPOINT ["dotnet", "WebRequests.dll"]
ENV DotNetBot:Message='docker4theEdge!'

COPY --from=builder /out/ .