Zscaler Proxy

asegura
Contributor

Is anyone using Zscaler in their environment? We are getting ready to deploy it at my company this week.

http://www.zscaler.com/


osc-russell
New Contributor

Hi! Are you available to discuss how your rollout went? We are in the process of deploying Zscaler with Casper and haven't had the best experience thus far. Any insight would be appreciated!

Thanks

asegura
Contributor

The biggest challenge we had was reconfiguring Firefox to use the certificates. I created a configuration profile that pushed out the necessary system certificates to the users' keychains. We initially had an issue with Safari not being able to authenticate to Zscaler, but that issue has since been resolved. Do you guys have SSO set up in your shop? Our Macs are bound to Active Directory, so it uses domain username and password.

wmateo
Contributor

@asegura @osc-russell

We are just getting around to this in our shop. How did you guys deploy the Zscaler App?

swapple
Contributor III

We are about to roll it out also. Any tips would be appreciated.

jimmy-swings
Contributor II

I'm keen to see how others have approached the use of SSO for proxy-related authentication.

@asegura @osc-russell @wmateo - it would be great to hear about your journeys, specifically with this implementation, what you have learnt, and what you might do differently given another go.

jimmy-swings
Contributor II

I'll start the ball rolling:
- How did you set proxy configuration?
- Through Network Locations or a proxy configuration policy?
- Do you support SSO? Are you using Kerberos?
- What supporting tooling do you use / have you used to help support SSO? Nomad etc.
- What configuration elements might have caused you issue and what did you do to resolve?

Thanks for your input.

avshch
New Contributor II

Zscaler has a pretty good integration with Okta. User provisioning is done via SAML token. Once the user is authenticated into the SSO provider, the SAML token is granted and the user can browse the internet. There are a couple of implementation scenarios for bringing web traffic to the Zscaler cloud. One method is pointing the web browser directly to the Zscaler cloud (you need to work with a PAC file for the browser of choice); another is creating an IPSec tunnel from on-prem customer-owned firewalls to the Zscaler cloud.
For mobile devices you need to use the Zscaler mobile app, which was recently updated.
Zscaler will have a user forum up (no need to be a customer) in a few weeks: community.zscaler.com
There is also a resource page: https://www.okta.com/zscaler

Jesper
New Contributor III

Are any of you actively using the Zscaler app?

I am testing it on my Mac at the moment, but I am seeing issues with websites not loading in Safari.
Sometimes several refreshes will get the page loading, other times not.

Have any of you done any specific configurations to make it work properly?

Any tips are highly appreciated.

swapple
Contributor III

I am testing the Zscaler install with a script but the Zscaler app window keeps coming up blank.
Going off this link: https://help.zscaler.com/zia/customizing-zscaler-app-install-options-mac

When I run the plain installer, I get the attached blank window. When I make a script like the link shows, I still get the blank window. My traffic does not show up in the admin console.
I removed it and reinstalled to the same issue, even reimaged the Mac back to factory fresh and still get the error.

Any suggestions?

vindirap
New Contributor

Has anyone done a Kerberos implementation with Zscaler?

avshch
New Contributor II

The main question is how to push the Zscaler root CA so it can be used by the Zscaler app for SSL decryption.
As long as the authentication method is SSO with Okta, there should be no issues with forwarding the traffic from iOS devices to Zscaler.

Bhughes
Contributor

How's everyone repackaging this? I was given a zip with the installer.app and a command to run the installbuilder.sh ... which is supposed to add the registrations/company info etc. Tried a few times and it doesn't appear to be working.

@swhps

swapple
Contributor III

@avshch add on the challenge of installing that root CA into Firefox, since it does not use the root CA list in Keychain. I don't know this one and we are manually touching it.

stevewood
Honored Contributor II

@swhps since version 64 of FF you can now enable via policies:

Mozilla Policy Templates for Firefox

Specifically this key:

<key>Certificates</key>
    <dict>
        <key>ImportEnterpriseRoots</key>
        <true/>
    </dict>
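
A way to check a Firefox policy payload before pushing it, as an added example that is not part of the thread or of Mozilla's templates. It assumes the payload targets the `org.mozilla.firefox` preference domain and that, on macOS, Firefox reads policy keys only when `EnterprisePoliciesEnabled` is also true; the sample plists and the `audit_firefox_policy` name are constructed for illustration.

```python
import plistlib

# Constructed sample payload for the org.mozilla.firefox preference domain.
GOOD = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>EnterprisePoliciesEnabled</key>
    <true/>
    <key>Certificates</key>
    <dict>
        <key>ImportEnterpriseRoots</key>
        <true/>
    </dict>
</dict>
</plist>"""

# Constructed variant: the Certificates key alone, policies never switched on.
MISSING_ENABLE = GOOD.replace(b"<key>EnterprisePoliciesEnabled</key>\n    <true/>\n", b"")
# Constructed variant: a string where a boolean is expected (flagged by this strict check).
WRONG_TYPE = GOOD.replace(b"<true/>\n    </dict>", b"<string>true</string>\n    </dict>")


def audit_firefox_policy(plist_bytes):
    """Return a list of problems; an empty list means the payload looks complete."""
    try:
        prefs = plistlib.loads(plist_bytes)
    except Exception as exc:  # malformed XML or unknown plist format
        return [f"not a valid plist: {exc}"]
    if not isinstance(prefs, dict):
        return ["top-level object is not a dict"]
    problems = []
    # Assumption stated in the lead-in: policies must be enabled explicitly on macOS.
    if prefs.get("EnterprisePoliciesEnabled") is not True:
        problems.append("EnterprisePoliciesEnabled is not <true/>")
    certs = prefs.get("Certificates")
    if not isinstance(certs, dict):
        problems.append("Certificates dict is missing")
    elif certs.get("ImportEnterpriseRoots") is not True:
        problems.append("Certificates/ImportEnterpriseRoots is not boolean <true/>")
    return problems


if __name__ == "__main__":
    for name, payload in [("good", GOOD), ("missing-enable", MISSING_ENABLE),
                          ("wrong-type", WRONG_TYPE)]:
        print(name, audit_firefox_policy(payload) or "OK")
```

Once the profile is installed, `about:policies` in Firefox shows which policies are active on the machine.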