Customizing Zscaler Client Connector with Install Options for MSI | Zscaler

Zscaler Client Connector Help
Downloading & Deployment
Customizing Zscaler Client Connector with Install Options for MSI

Client Connector

Customizing Zscaler Client Connector with Install Options for MSI

You can use the MSI file to manually install Zscaler Client Connector on a device or if you're deploying the app to your users using GPO, SCCM, or other device management methods that support MSI files. After downloading the Zscaler Client Connector MSI installer file in the Zscaler Client Connector Portal, you can deploy the file as is with your device management method.

You can also add to the file install options to customize the app for your organization using one of the following methods:

Creating an MST and Deploying It Using GPO or a Compatible Device Management Tool
Orca.exe is available in the Microsoft Windows Software Development Kit (SDK). To learn more, refer to the Microsoft documentation.
To create an MST file using Orca:
1. Open Orca and go to File > Open.
2. Locate and double-click the MSI file.
3. Go to Transform > New Transform.
4. In the Tables column, click Property.
5. Edit the values for the following install options or add more options:
  - CLOUDNAME
    If your organization is provisioned on more than one cloud, your users are asked to select the cloud where their traffic is sent during the enrollment process.
    See image.
    Close
    With this install option, you can specify the cloud where the app sends user traffic so your users don't have to make the selection during enrollment. This option is not needed if your organization is provisioned on one cloud. The app automatically sends traffic to the proper cloud and your users don't need to make a selection during enrollment.
    This install option is required if you enable the STRICTENFORCEMENT option.
    To add the CLOUDNAME install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter CLOUDNAME.
    Press Enter or click the Value field.
    For Value, enter the name of the cloud where your organization is provisioned in lowercase letters. For example, if your cloud name is zscalertwo.net, you'd enter zscalertwo. To learn more, see What Is My Cloud Name for ZIA?
    Click OK.
    The install option appears on a new line.
    Close
  - DEVICETOKEN
    The DEVICETOKEN install option only applies to Zscaler Internet Access (ZIA). It is not supported by Zscaler Private Access (ZPA).
    This install option allows you to use the Zscaler Client Connector Portal as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler Client Connector Portal and complete the full configuration described in Using the Zscaler Client Connector Portal as an IdP.
    To add the DEVICETOKEN install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter DEVICETOKEN.
    Press Enter or click the Value field.
    For Value, enter the appropriate device token from the Zscaler Client Connector Portal. To learn more, see Using the Zscaler Client Connector Portal as an IdP.
    See image.
    Close
    Click OK.
    The install option appears on a new line.
    Close
  - HIDEAPPUIONLAUNCH
    This install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
    To enable the HIDEAPPUIONLAUNCH install option:
    In the table, double-click on the HIDEAPPUIONLAUNCH value.
    Enter 1 as the value. By default, the value is 0 (i.e., disabled).
    Close
  - POLICYTOKEN
    This install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy apply, including the bypass of the IdP login page. After the user enrolls, this policy is replaced with an app profile policy that matches the user based on group affiliation.
    Prerequisites:
    This install option is only applicable and required if you enable the STRICTENFORCEMENT option and want users to enroll with the app before accessing the internet.
    In the Zscaler Client Connector Portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.
    To add the POLICYTOKEN install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter POLICYTOKEN.
    Press Enter or click the Value field.
    For Value, enter the policy token associated with the policy you want to enforce before enrollment. To learn more, see Configuring Zscaler Client Connector App Profiles.
    See image.
    Close
    Click OK.
    The install option appears on a new line.
    Close
  - REINSTALLDRIVER
    This install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you're having issues with your current driver.
    To enable the REINSTALLDRIVER install option:
    In the table, double-click the REINSTALLDRIVER value.
    Enter 1 as the value. By default, the value is 0 (i.e., disabled).
    Close
  - STRICTENFORCEMENT
    This install option only works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
    This install option allows you to require users to enroll with the app before accessing the internet and blocks traffic in the following situations:
    The user has not yet logged in after a new install.
    A user logs in and logs out.
    An administrator removes a device.
    This install option does not affect users that remain logged in and disable the ZIA service.
    If you enable this install option, the --cloudName and --policyToken options are required.
    To enable this option using the CLI, enter --strictEnforcement 1. By default, the value is 0 (i.e., disabled).
    Close
  - UNINSTALLPASSWORDCMDLINE
    This install option allows you to silently uninstall the app from users' devices using device management methods like GPO. This option is only available when using MSI. The password you add for this option must match the uninstall Password configured for access in unattended mode. Using the password, you can uninstall the app from your users' devices by removing the MST file from the GPO.
    Prerequisites:
    Your users must be enrolled in the app. If users have the app installed on their devices but have not enrolled, you cannot uninstall the app using this method.
    You must have an Uninstall Password enabled and an unexpired uninstall password generated. To learn more, see Configuring Passwords for Access in Unattended Mode.
    To add the UNINSTALLPASSWORDCMDLINE install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter UNINSTALLPASSWORDCMDLINE.
    Press Enter or click the Value field.
    For Value, enter the uninstall Password configured for access in unattended mode.
    Click OK.
    The install option appears on a new line.
    The uninstall password for unattended mode is available only in Zscaler Client Connector version 4.2.1 or later for Windows. If you use an earlier version or you prefer to use the password configured in the app profile, enter the following in the Add Row window:
    A Property of UNINSTALLPASSWORD
    A Value of the Uninstall Password configured in the app profile.
    Close
  - USERDOMAIN
    This install option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication [IWA]), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.
    See image.
    Close
    To add the USERDOMAIN install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter USERDOMAIN.
    Press Enter or click the Value field.
    For Value, enter your organization's domain name. If your instance has multiple domains associated with it, enter the primary domain for your instance.
    Click OK
    .
    The install option appears on a new line.
    Close
  - UNAME
    You can specify a unique username for each device using the UNAME parameter in the CLI.
    The following conditions apply:
    The UNAME parameter requires the userDomain parameter to be non-empty.
    The UNAME parameter can have a maximum of 255 alphanumeric and special characters.
    To add the UNAME install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter UNAME.
    Press Enter or click the Value field.
    For Value, enter test.
    Click OK.
    The install option appears on a new line.
    Close
  - ENABLEANTITAMPERING
    This install option prevents end users from stopping, modifying, and deleting Zscaler products and services.
    To add the ENABLEANTITAMPERING install option:
    Click Tables from the top menu, and then select the ENABLEANTITAMPERING property.
    For Value, replace the 0 with a 1.
    Close
  - ENABLEIMPRIVATAINTEGRATION
    This install option enables integration with Imprivata OneSign. If enabled, Zscaler Client Connector silently logs in an Imprivata OneSign user to Zscaler Client Connector, applies security policies, and logs the end user activity in Zscaler Client Connector.
    In the table, double-click the ENABLEIMPRIVATAINTEGRATION value.
    Enter 1 as the value. By default, the value is 0 (i.e., disabled).
    Close
  - BCPCONFIGFILEPATH
    This install option allows you to install Zscaler Client Connector to enroll new users during a ZPA-related cloud outage or Internet Service Provider (ISP) outage. You can pass a predownloaded configuration file with Business Continuity settings from the ZPA Admin Portal. To learn more, see About Business Continuity.
    If you pass this install option, you must also pass the BCPMAPUBKEYHASH option.
    To add the BCPCONFIGFILEPATH install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter BCPCONFIGFILEPATH.
    Press Enter or click the Value field.
    For Value, enter the path to the configuration file.
    Click OK.
    The install option appears on a new line.
    Close
  - BCPMAPUBKEYHASH
    This install option allows you to install Zscaler Client Connector to enroll new users during a ZPA-related cloud outage or Internet Service Provider (ISP) outage. You can pass a public key provided by ZPA and copied from the Zscaler Client Connector Portal. To learn more, see About Business Continuity.
    If you pass this install option, you must also pass the BCPCONFIGFILEPATH option.
    To add the BCPMAPUBKEYHASH install option:
    Click Tables from the top menu, and then click Add Row.
    In the Add Row window:
    For Property, enter BCPMAPUBKEYHASH.
    Press Enter or click the Value field.
    For Value, enter the public key.
    Click OK.
    The install option appears on a new line.
    Close
6. To save your changes after adding the options you want, go to Transform > Generate Transform...
7. In the Save Transform As window, enter a file name and click Save.
After creating the MST, you can use it when deploying Zscaler Client Connector to your users with Active Directory.
Close
Running the MSI with CLI Options
Zscaler recommends using the MST file to install Zscaler Client Connector with custom options. However, if you have a device management tool that does not support MST (e.g., SCCM or PSEXEC) or you are manually installing the MSI file, you can run the MSI file using the CLI and add the options needed.
To run the MSI file using CLI options:
1. Start a command prompt as an administrator:
  1. Click Start.
  2. In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
  3. If the User Account Control (UAC) window appears, confirm that you want to continue.
1. Enter the following command:
```
msiexec /i "<complete path>" /quiet <install options>
```
- Replace <complete path> with the absolute pathname to the MSI install file. For example, C:\Users\User\Downloads\Zscaler-windows-1.0.2.000018-installer.msi
- Use the /quiet switch to install the app in silent mode.
- Replace <install options> with one or more of the following install options:
  - CLOUDNAME
    If your organization is provisioned on more than one cloud, your users are asked to select the cloud where their traffic is sent during the enrollment process.
    See image.
    Close
    With this install option, you can specify the cloud where the app sends user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The app automatically sends traffic to the proper cloud and your users do not need to make a selection during enrollment.
    This install option is required if you enable the STRICTENFORCEMENT option.
    To add this option using the CLI, enter CLOUDNAME=<organization's cloud name in lowercase>. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What Is My Cloud Name for ZIA?
    Close
  - DEVICETOKEN
    The DEVICETOKEN install option only applies to Zscaler Internet Access (ZIA). It is not supported by Zscaler Private Access (ZPA).
    This install option allows you to use the Zscaler Client Connector Portal as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler Client Connector Portal and must have completed the full configuration detailed in Using the Zscaler Client Connector Portal as an IdP.
    To add this option using the CLI, enter DEVICETOKEN=<device token from the Zscaler Client Connector Portal>.
    Close
  - HIDEAPPUIONLAUNCH
    This install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
    To enable this option using the CLI, enter HIDEAPPUIONLAUNCH=1. By default, the value is 0 (i.e., disabled).
    Close
  - POLICYTOKEN
    This install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy apply, including the bypass of the IdP login page. After the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.
    Prerequisites:
    This install option is only applicable, and required, if you enable the STRICTENFORCEMENT option and want users to enroll with the app before accessing the internet.
    In the Zscaler Client Connector Portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.
    
    To add this option using the CLI, enter POLICYTOKEN=<policy token from the Zscaler Client Connector Portal>.
    Close
  - REINSTALLDRIVER
    This install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.
    To enable this option using the CLI, enter REINSTALLDRIVER=1. By default, the value is 0 (i.e., disabled).
    Close
  - STRICTENFORCEMENT
    This install option only works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
    This install option allows you to require users to enroll with the app before accessing the internet and blocks traffic in the following situations:
    The user has not yet logged in after a new install.
    A user logs in and logs out.
    An administrator removes a device.
    This install option does not affect users that remain logged in and disable the ZIA service.
    If you enable this install option, the --cloudName and --policyToken options are required.
    To enable this option using the CLI, enter --strictEnforcement=1. By default, the value is 0 (i.e., disabled).
    Close
  - USERDOMAIN
    This install option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication [IWA]), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.
    See image.
    Close
    To add this option using the CLI, enter USERDOMAIN=<organization's domain name>. If your instance has multiple domains associated with it, enter the primary domain for your instance.
    Close
  - UNAME
    You can specify a unique username for each device using the UNAME parameter in the CLI.
    The following conditions apply:
    The UNAME parameter requires the userDomain parameter to be non-empty.
    The UNAME parameter can have a maximum of 255 alphanumeric and special characters.
    Close
  - ENABLEIMPRIVATAINTEGRATION
    This install option enables integration with Imprivata OneSign. If enabled, Zscaler Client Connector silently logs in an Imprivata OneSign user to Zscaler Client Connector, applies security policies, and logs the end-user activity in Zscaler Client Connector.
    Close
  - ENABLEANTITAMPERING
    This install option prevents end users from stopping, modifying, and deleting Zscaler products and services. To enable this option using the CLI, enter ENABLEANTITAMPERING=1. By default, the value is 0 (i.e., disabled).
    Close
  - BCPCONFIGFILEPATH
    This install option allows you to install Zscaler Client Connector to enroll new users during a ZPA-related cloud outage or Internet Service Provider (ISP) outage. You can pass a predownloaded configuration file with Business Continuity settings from the ZPA Admin Portal. To learn more, see About Business Continuity.
    If you pass this install option, you must also pass the BCPMAPUBKEYHASH option.
    To add this option using the CLI, enter BCPCONFIGFILEPATH=<path to the configuration file>.
    Close
  - BCPMAPUBKEYHASH
    This install option allows you to install Zscaler Client Connector to enroll new users during a ZPA-related cloud outage or Internet Service Provider (ISP) outage. You can pass a public key provided by ZPA and copied from the Zscaler Client Connector Portal. To learn more, see About Business Continuity.
    If you pass this install option, you must also pass the BCPCONFIGFILEPATH option.
    To add this option using the CLI, enter BCPMAPUBKEYHASH=<public key from the Zscaler Client Connector Portal>.
    Close
  - IMPORTSEFAILCLOSECONFIG
    This install option allows you to pass a predownloaded configuration file with fail-close settings to use when Zscaler Client Connector is in strict enforcement mode.
    If you pass this install option, you must also pass the STRICTENFORCEMENT and SEFAILCLOSECONFIGTHUMBPRINT options.
    To add this option using the CLI, enter IMPORTSEFAILCLOSECONFIG=<path to the configuration file>.
    Close
  - SEFAILCLOSECONFIGTHUMBPRINT
    This install option allows you to pass the public key for a predownloaded configuration file with fail-close settings to use when Zscaler Client Connector is in strict enforcement mode.
    If you pass this install option, you must also pass the STRICTENFORCEMENT and IMPORTSEFAILCLOSECONFIG options.
    To add this option using the CLI, enter SEFAILCLOSECONFIGTHUMBPRINT=<public key from the Zscaler Client Connector Portal>.
    Close
The following image is an example of a CLI where:
- The absolute path to the MSI file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.msi.
- The /quiet switch is used to install the app in silent mode.
- The cloud on which the organization is provisioned is zscalertwo.
- The device token value is 4e36647447326e5a553335303232416e6279784b51513d3d.
- The policy token value is 32343A343A312E31204D6967726174696F6E.
- The organization's domain name is safemarch.com.
- The UNAME is test.
Close
Deploying Zscaler Client Connector with Non-Persistent Citrix VDIs
Zscaler Client Connector only supports a dedicated, single-user virtual desktop infrastructure (VDI) model. Multi-session VDIs are not supported.
Follow these best practices when using Zscaler Client Connector in a (VDI):
- Zscaler recommends that you don't log in to Zscaler Client Connector on the master VM.
- To use the STRICTENFORCEMENT install option, you must have the HIDEAPPUIONLAUNCH install option disabled. This allows Zscaler Client Connector to remind users to enroll with Zscaler Client Connector before accessing the internet.
- To use the USERDOMAIN install option, you must use Integrated Windows Authentication (IWA).
Install Zscaler Client Connector on the master VM using the following parameters:
1. Configure Citrix UPM to backup and restore to the following folder: {UserProfileFolder}\AppData\Roaming\Zscaler
2. Run your installer:
  - For the .exe installer, run the installer executable file: --vdi 1 --configTimeout 300 --installLWFDriver 1 –hideAppUIOnLaunch
  - For the .msi installer, run the MSI installer: msiexec/i ZCC_installer.msi USERDOMAIN=<AD domain> CLOUDNAME=<cloudname> VDI=1 CONFIGTIMEOUT=300 INSTALLLWFDRIVER=1
Close

Was this article helpful? Click an icon below to submit feedback.