Customizing Zscaler Client Connector with Install Options for MSI
You can use the MSI file to install Zscaler Client Connector manually on a device, or to deploy the app to your users using GPO, SCCM, or other device management methods that support MSI files. After downloading the Zscaler Client Connector MSI installer file in the Admin Portal, you can deploy the file as is with your device management method.
You can also add install options to the file to customize the app for your organization using one of the following methods:
- Creating an MST and Deploying it Using GPO or a Compatible Device Management Tool
Orca.exe is available in the Microsoft Windows Software Development Kit (SDK). To learn more, refer to the Microsoft documentation.
To create an MST file using Orca:
- Open Orca and go to File > Open.
- Locate and double-click the MSI file.
- Go to Transform > New Transform.
- In the Tables column, click Property.
- Edit the values for the following install options or add more options:
- CLOUDNAME
If your organization is provisioned on more than one cloud, your users are asked to select the cloud where their traffic is sent during the enrollment process.
With this install option, you can specify the cloud where the app sends user traffic so your users don't have to make the selection during enrollment. This option is not needed if your organization is provisioned on one cloud. The app automatically sends traffic to the proper cloud and your users don't need to make a selection during enrollment.
This install option is required if you enable the STRICTENFORCEMENT option.
To add the CLOUDNAME install option:
- Click Tables from the top menu, and then click Add Row.
- In the Add Row window:
- For Property, enter CLOUDNAME.
- Press Enter or click the Value field.
- For Value, enter the name of the cloud where your organization is provisioned in lowercase letters. For example, if your cloud name is zscalertwo.net, you'd enter zscalertwo.
- Click OK.
The install option appears on a new line.
- DEVICETOKEN
The DEVICETOKEN install option only applies to Internet & SaaS. It is not supported by Private Applications.
This install option allows you to use Zscaler Client Connector as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Admin Portal and complete the full configuration described in Using Zscaler Client Connector as an IdP.
To add the DEVICETOKEN install option:
- Click Tables from the top menu, and then click Add Row.
- In the Add Row window:
- For Property, enter DEVICETOKEN.
- Press Enter or click the Value field.
- For Value, enter the appropriate device token from the Admin Portal. To learn more, see Using Zscaler Client Connector as an IdP.
- Click OK.
The install option appears on a new line.
- HIDEAPPUIONLAUNCH
This install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
To enable the HIDEAPPUIONLAUNCH install option:
- In the table, double-click on the HIDEAPPUIONLAUNCH value.
- Enter 1 as the value. By default, the value is 0 (i.e., disabled).
- POLICYTOKEN
This install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy apply, including the bypass of the IdP login page. After the user enrolls, this policy is replaced with an app profile policy that matches the user based on group affiliation.
Prerequisites:
- This install option is only applicable and required if you enable the STRICTENFORCEMENT option and want users to enroll with the app before accessing the internet.
- In the Admin Portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.
To add the POLICYTOKEN install option:
- Click Tables from the top menu, and then click Add Row.
- In the Add Row window:
- For Property, enter POLICYTOKEN.
- Press Enter or click the Value field.
- For Value, enter the policy token associated with the policy you want to enforce before enrollment. To learn more, see Configuring Zscaler Client Connector App Profiles.
- Click OK.
The install option appears on a new line.
- REINSTALLDRIVER
This install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you're having issues with your current driver.
To enable the REINSTALLDRIVER install option:
- In the table, double-click the REINSTALLDRIVER value.
- Enter 1 as the value. By default, the value is 0 (i.e., disabled).
- STRICTENFORCEMENT
This install option only works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
This install option allows you to require users to enroll with the app before accessing the internet and blocks traffic in the following situations:
- The user has not yet logged in after a new install.
- A user logs in and logs out.
- An administrator removes a device.
This install option does not affect users that remain logged in and disable the Internet & SaaS service.
If you enable this install option, the --cloudName and --policyToken options are required.
To enable this option using the CLI, enter --strictEnforcement 1. By default, the value is 0 (i.e., disabled).
- UNINSTALLPASSWORDCMDLINE
This install option allows you to silently uninstall the app from users' devices using device management methods like GPO. This option is only available when using MSI. The password you add for this option must match the uninstall Password configured for access in unattended mode. Using the password, you can uninstall the app from your users' devices by removing the MST file from the GPO.
Prerequisites:
- Your users must be enrolled in the app. If users have the app installed on their devices but have not enrolled, you cannot uninstall the app using this method.
- You must have an Uninstall Password enabled and an unexpired uninstall password generated. To learn more, see Configuring Passwords for Access in Unattended Mode.
To add the UNINSTALLPASSWORDCMDLINE install option:
- Click Tables from the top menu, and then click Add Row.
- In the Add Row window:
- For Property, enter UNINSTALLPASSWORDCMDLINE.
- Press Enter or click the Value field.
- For Value, enter the uninstall Password configured for access in unattended mode.
- Click OK.
The install option appears on a new line.
The uninstall password for unattended mode is available only in Zscaler Client Connector version 4.2.1 for Windows or later. If you use an earlier version or you prefer to use the password configured in the app profile, enter the following in the Add Row window:
- A Property of UNINSTALLPASSWORD
- A Value of the Uninstall Password configured in the app profile.
- USERDOMAIN
This install option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication [IWA]), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.
To add the USERDOMAIN install option:
- Click Tables from the top menu, and then click Add Row.
- In the Add Row window:
- For Property, enter USERDOMAIN.
- Press Enter or click the Value field.
- For Value, enter your organization's domain name. If your instance has multiple domains associated with it, enter the primary domain for your instance.
- Click OK.
The install option appears on a new line.
- UNAME
You can specify a unique username for each device using the UNAME parameter in the CLI.
The following conditions apply:
- The UNAME parameter requires the userDomain parameter to be non-empty.
- The UNAME parameter can have a maximum of 255 alphanumeric and special characters.
To add the UNAME install option:
- Click Tables from the top menu, and then click Add Row.
- In the Add Row window:
- For Property, enter UNAME.
- Press Enter or click the Value field.
- For Value, enter test.
- Click OK.
The install option appears on a new line.
- To save your changes after adding the options you want, go to Transform > Generate Transform...
- In the Save Transform As window, enter a file name and click Save.
After creating the MST, you can use it when deploying Zscaler Client Connector to your users with Active Directory.
- Running the MSI with CLI Options
Zscaler recommends using the MST file to install Zscaler Client Connector with custom options. However, if you have a device management tool that does not support MST (e.g., SCCM or PSEXEC) or you are manually installing the MSI file, you can run the MSI file using the CLI and add the options needed.
To run the MSI file using CLI options:
- Start a command prompt as an administrator:
- Click Start.
- In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
- If the User Account Control (UAC) window appears, confirm that you want to continue.
- Enter the following command:
msiexec /i "<complete path>" /quiet <install options>
- Replace <complete path> with the absolute pathname to the MSI install file. For example, C:\Users\User\Downloads\Zscaler-windows-1.0.2.000018-installer.msi
- Use the /quiet switch to install the app in silent mode.
- Replace <install options> with one or more of the following install options:
- CLOUDNAME
If your organization is provisioned on more than one cloud, your users are asked to select the cloud where their traffic is sent during the enrollment process.
With this install option, you can specify the cloud where the app sends user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The app automatically sends traffic to the proper cloud and your users do not need to make a selection during enrollment.
This install option is required if you enable the STRICTENFORCEMENT option.
To add this option using the CLI, enter CLOUDNAME=<organization's cloud name in lowercase>. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo.
- DEVICETOKEN
The DEVICETOKEN install option only applies to Internet & SaaS. It is not supported by Private Applications.
This install option allows you to use Zscaler Client Connector as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Admin Portal and must have completed the full configuration detailed in Using Zscaler Client Connector as an IdP.
To add this option using the CLI, enter DEVICETOKEN=<device token from the Admin Portal>.
- HIDEAPPUIONLAUNCH
This install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
To enable this option using the CLI, enter HIDEAPPUIONLAUNCH=1. By default, the value is 0 (i.e., disabled).
- POLICYTOKEN
This install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy apply, including the bypass of the IdP login page. After the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.
Prerequisites:
- This install option is only applicable, and required, if you enable the STRICTENFORCEMENT option and want users to enroll with the app before accessing the internet.
- In the Admin Portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.
To add this option using the command line, enter POLICYTOKEN=<policy token from the Admin Portal>.
- REINSTALLDRIVER
This install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.
To enable this option using the CLI, enter REINSTALLDRIVER=1. By default, the value is 0 (i.e., disabled).
- STRICTENFORCEMENT
This install option only works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
This install option allows you to require users to enroll with the app before accessing the internet and blocks traffic in the following situations:
- The user has not yet logged in after a new install.
- A user logs in and logs out.
- An administrator removes a device.
This install option does not affect users that remain logged in and disable the Internet & SaaS service.
If you enable this install option, the --cloudName and --policyToken options are required.
To enable this option using the CLI, enter --strictEnforcement 1. By default, the value is 0 (i.e., disabled).
- USERDOMAIN
This install option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication [IWA]), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.
To add this option using the command line, enter USERDOMAIN=<organization's domain name>. If your instance has multiple domains associated with it, enter the primary domain for your instance.
- UNAME
You can specify a unique username for each device using the UNAME parameter in the CLI.
The following conditions apply:
- The UNAME parameter requires the userDomain parameter to be non-empty.
- The UNAME parameter can have a maximum of 255 alphanumeric and special characters.
- ENABLEIMPRIVATAINTEGRATION
This install option enables integration with Imprivata OneSign. If enabled, Zscaler Client Connector silently logs in an Imprivata OneSign user to Zscaler Client Connector, applies security policies, and logs the end-user activity in Zscaler Client Connector.
- IMPORTSEFAILCLOSECONFIG
This install option allows you to pass a predownloaded configuration file with fail-close settings to use when Zscaler Client Connector is in strict enforcement mode.
If you pass this install option, you must also pass the STRICTENFORCEMENT and SEFAILCLOSECONFIGTHUMBPRINT options.
To add this option using the CLI, enter IMPORTSEFAILCLOSECONFIG=<path to the configuration file>.
- SEFAILCLOSECONFIGTHUMBPRINT
This install option allows you to pass the public key for a predownloaded configuration file with fail-close settings to use when Zscaler Client Connector is in strict enforcement mode.
If you pass this install option, you must also pass the STRICTENFORCEMENT and IMPORTSEFAILCLOSECONFIG options.
To add this option using the CLI, enter SEFAILCLOSECONFIGTHUMBPRINT=<public key from the Admin Portal>.
The following image is an example of a CLI where:
- The absolute path to the MSI file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.msi.
- The /quiet switch is used to install the app in silent mode.
- The cloud on which the organization is provisioned is zscalertwo.
- The device token value is 4e36647447326e5a553335303232416e6279784b51513d3d.
- The policy token value is 32343A343A312E31204D6967726174696F6E.
- The organization's domain name is safemarch.com.
- The UNAME is test.
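The command described in the list above can be assembled by a script that first checks the option dependencies this page states (STRICTENFORCEMENT needs CLOUDNAME and POLICYTOKEN, UNAME needs USERDOMAIN, the two fail-close options travel together). This is an added PowerShell example, not Zscaler code. The function name New-ZccMsiArguments, the STRICTENFORCEMENT=1 property form, the quoting of values, and the choice to redact token and password values from logged command lines are assumptions.

```powershell
# Added example (not Zscaler code): check install options against the rules
# stated on this page, then build the msiexec argument string.
function New-ZccMsiArguments {
    param(
        [Parameter(Mandatory)] [string]    $MsiPath,
        [Parameter(Mandatory)] [hashtable] $Options   # property name -> value
    )
    $problems = @()
    $has    = { param($n) -not [string]::IsNullOrEmpty([string]($Options[$n])) }
    # Assumption: the MSI property form is STRICTENFORCEMENT=1, like the other flags.
    $strict = [string]($Options['STRICTENFORCEMENT']) -eq '1'
    if ($strict) {
        foreach ($req in 'CLOUDNAME', 'POLICYTOKEN') {
            if (-not (& $has $req)) { $problems += "STRICTENFORCEMENT requires $req." }
        }
    }
    $cloud = [string]($Options['CLOUDNAME'])
    if ($cloud -cne $cloud.ToLowerInvariant()) { $problems += 'CLOUDNAME must be lowercase.' }
    if ((& $has 'UNAME') -and -not (& $has 'USERDOMAIN')) { $problems += 'UNAME requires USERDOMAIN.' }
    if (([string]($Options['UNAME'])).Length -gt 255) { $problems += 'UNAME exceeds 255 characters.' }

    # The two fail-close options must be passed together, with STRICTENFORCEMENT.
    $failClose = @('IMPORTSEFAILCLOSECONFIG', 'SEFAILCLOSECONFIGTHUMBPRINT' | Where-Object { & $has $_ })
    if ($failClose.Count -eq 1 -or ($failClose.Count -eq 2 -and -not $strict)) {
        $problems += 'Fail-close options require each other and STRICTENFORCEMENT.'
    }
    if ($problems.Count -gt 0) { throw ($problems -join ' ') }

    # Assumption: tokens and passwords are secrets; keep them out of deployment logs.
    $secret = 'DEVICETOKEN', 'POLICYTOKEN', 'UNINSTALLPASSWORDCMDLINE', 'UNINSTALLPASSWORD'
    $real = @('/i', "`"$MsiPath`"", '/quiet')
    $safe = @($real)
    foreach ($name in ($Options.Keys | Sort-Object)) {
        $value = [string]($Options[$name])
        if ($value -eq '') { continue }
        if ($value -match '\s') { $value = "`"$value`"" }   # quote values with spaces
        $shown = if ($secret -contains $name) { '<redacted>' } else { $value }
        $real += "$name=$value"
        $safe += "$name=$shown"
    }
    [pscustomobject]@{ Arguments = $real -join ' '; Redacted = $safe -join ' ' }
}

# Values from the example on this page.
$msi = 'C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.msi'
$r = New-ZccMsiArguments -MsiPath $msi -Options @{
    CLOUDNAME   = 'zscalertwo'
    DEVICETOKEN = '4e36647447326e5a553335303232416e6279784b51513d3d'
    POLICYTOKEN = '32343A343A312E31204D6967726174696F6E'
    USERDOMAIN  = 'safemarch.com'
    UNAME       = 'test'
}
Write-Output "msiexec $($r.Redacted)"   # safe to log
# Start-Process msiexec.exe -ArgumentList $r.Arguments -Wait   # actual install
```

The Redacted string is for deployment logs only; process-creation auditing on the endpoint still records the full msiexec command line, which is one reason the page recommends the MST route where the tool supports it.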
- Deploying Zscaler Client Connector with Non-Persistent Citrix VDIs
Zscaler Client Connector only supports a dedicated, single-user VDI model. Multi-session VDIs are not supported.
Follow these best practices when using Zscaler Client Connector in a virtual desktop infrastructure (VDI):
- Zscaler recommends that you don't log in to Zscaler Client Connector on the master VM.
- To use the STRICTENFORCEMENT install option, you must have the HIDEAPPUIONLAUNCH install option disabled. This allows Zscaler Client Connector to remind users to enroll with Zscaler Client Connector before accessing the internet.
- To use the USERDOMAIN install option, you must use Integrated Windows Authentication (IWA).
Install Zscaler Client Connector on the master VM using the following parameters:
- Configure Citrix UPM to back up and restore to the following folder:
{UserProfileFolder}\AppData\Roaming\Zscaler
- Run your installer:
- For the .exe installer, run the installer executable file:
--vdi 1 --configTimeout 300 --installLWFDriver 1 --hideAppUIOnLaunch
- For the .msi installer, run the MSI installer:
msiexec /i ZCC_installer.msi USERDOMAIN=<AD domain> CLOUDNAME=<cloudname> VDI=1 CONFIGTIMEOUT=300 INSTALLLWFDRIVER=1