Deploying Zscaler Client Connector with Microsoft Intune for macOS

This article provides instructions to deploy Zscaler Client Connector with Microsoft Intune for macOS 3.9 and later versions. For instructions on versions earlier than Zscaler Client Connector macOS 3.9, see Customizing Zscaler Client Connector with Install Options for macOS.

With Microsoft Intune, you can deploy Zscaler Client Connector for your macOS devices. Before deploying Zscaler Client Connector from the Microsoft Intune Portal, download the .pkg file from the Zscaler Client Connector App Store.

  • To deploy Zscaler Client Connector using the Microsoft Intune Portal, you must obtain a .pkg file from the Admin Portal.

    To download the Zscaler Client Connector .pkg file:

    1. In the Admin Portal, go to Infrastructure > Common Resources > Client Connector Deployment > Platform Releases.
    2. On the New Releases tab, select macOS.
    3. Download the .pkg file.
  • To deploy Zscaler Client Connector on your Mac devices from the Microsoft Intune Portal:

    1. In the Microsoft Intune Portal, click Apps from the menu.
    2. In the By platform section, select macOS.
    3. Click Add to add the line-of-business app.
    4. Select Line-of-business app from the App type drop-down menu.
    5. Click Select.
    6. On the App information tab:
    • Select file: Upload the .pkg file.
    • Name: Enter Zscaler Client Connector 3.X.X.X - macOS 3.X.X.X (where 3.X.X.X is the version number of the app, which lets you distinguish the version distributed by Intune).
    • Description: Enter Zscaler Client Connector for macOS.
    • Publisher: Enter Zscaler, Inc.
    • Minimum operating system: Select OS X Yosemite 10.10.

    Zscaler Client Connector supports macOS 10.14 and later for Zscaler Client Connector versions earlier than 3.7, and supports macOS 10.15 for Zscaler Client Connector versions 3.7 and later.

    • Ignore app version: Set to Yes. Zscaler Client Connector automatically updates itself once deployed, so Intune can safely ignore the version the user has installed after deployment.
    • Install as managed: Set to Yes if you want to install Zscaler Client Connector as a managed app. The default is No.
    • Included apps: Review the app details. List the App Bundle ID com.zscaler.zscaler first.

    If Intune populates zscaler.installer.uninstall, delete it. If the app version is different from the .pkg file you uploaded, manually fix it.

    • Category: (Optional) Select an app category to allocate Zscaler Client Connector to.
    7. On the Assignments tab, select the group assignments for which you want to deploy Zscaler Client Connector.

    You can allocate users or groups to two different sections depending on how you want the app rolled out to users.

    • Required: The app is mandatory for these users/groups. The app is automatically pushed to the users of this group.
    • Available for enrolled devices: The app is optional for these users/groups. The app is not automatically pushed and the users can download the app themselves from the Company Portal.
    8. Click Next.
    9. On the Review + create tab, review the values and settings entered, and then click Create.
  • You can use a property list file to set values for various configuration keys in the Microsoft Intune Portal. To configure a custom settings profile in the Microsoft Intune Portal:

    1. In the Microsoft Intune for macOS Admin Portal, go to Devices.
    2. From the options, click Configuration Profiles.

    3. Click Create profile.

    4. In the Create a profile section:
    • Platform: Select macOS.
    • Profile type: Select Templates.
    • Template name: Choose Preference file.

    5. Click Create.
    6. In the Basics section:
    • Name: Enter a name for the preference file. For example, Zscaler Plist.
    • Description: (Optional) Enter a description.

    7. Click Next.
    8. In the Configuration settings section:
    • Preference domain name: Enter com.zscaler.installparams.
    • Property list file: Upload the property list file. You can use the ZscalerSample.plist file as a starting template, and edit the following values in the <VendorConfig> section of the file based on your needs:
      • cloudName: The name of the cloud on which your organization is provisioned. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo.
      • deviceToken: The appropriate device token from the Admin Portal, if you want to use the Zscaler Client Connector as an IdP.
      • hideAppUIOnLaunch: Forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
      • launchTray: By default, Zscaler Client Connector starts its services and user interface after installation. launchTray prevents Zscaler Client Connector from automatically starting after installation. Users must open Zscaler Client Connector manually to start the app, or Zscaler Client Connector automatically runs after the next reboot.
      • policyToken: Allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.
      • strictEnforcement: Allows you to block internet traffic before the user enrolls in Zscaler Client Connector. strictEnforcement works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy.
      • userDomain: This allows you to configure the user domain so that the users skip the Zscaler Client Connector enrollment page and directly go to the SSO login page.
      • externalRedirect: Allows you to redirect authentication to your organization’s SAML IdP through the Safari browser. When redirected to the browser for the first time, the users must select Remember Me on their IdP log-in screen. For any subsequent authentications, the browser remembers the user and automatically logs them in.

    9. Click Next.
    10. In the Assignments section, choose the users, groups, and devices for the profile.

    11. Click Next.
    12. In the Review + create section, review the summary, and click Create.
  • You can use a mobileconfig file to enter the bundle identifier for the applications you want to bypass. To configure a custom VPN profile in the Microsoft Intune Portal:

    1. In the Microsoft Intune for macOS Admin Portal, go to Devices.
    2. From the options, click Configuration Profiles.
    3. Click Create > New Policy.

    4. In the Create a profile section:
    • Platform: Select macOS.
    • Profile type: Select Templates.
    • Template name: Choose Custom.

    5. Click Create.
    6. In the Basics section:
    • Name: Enter a name for the custom file. For example, ApplicationBypass.
    • Description: (Optional) Enter a description.

    7. Click Next.
    8. In the Configuration settings section:
    • Custom configuration profile name: Enter the profile name.
    • Deployment channel: Choose a channel for deployment.
    • Configuration profile file: Upload the mobileconfig file. You can use the ZscalerSampleMobileConfig file as a starting template, and edit the values in the <VendorConfig> section of the file based on your needs.

    For BypassAppProcesses, enter the bundle identifier for the applications you want to bypass.

    9. Click Next.
    10. In the Assignments section, choose the users, groups, and devices for the profile.

    11. Click Next.
    12. In the Review + create section, review the summary, and click Create.
  • Endpoint Data Loss Prevention (DLP) requires full disk access for proper operation. To create a DLP profile with Microsoft Intune to allow full disk access for Endpoint DLP:

    1. In the Microsoft Intune for macOS Endpoint Manager admin center, go to Devices.
    2. From the options, click Configuration profiles.
    3. In the Create a profile section:
      • Platform: Select macOS.
      • Profile type: Choose Settings catalog.
    4. Click Create.
    5. In the Basics section:
      • Name: Enter a name for the settings catalog. For example, Endpoint DLP Settings.
      • Description (Optional): Enter a description.
    6. Click Next.
    7. In the Configuration settings section, click Add settings.
    8. Configure the following settings using the Settings picker:

        1. In the Browse by category section, scroll down to Privacy.
        2. Select Privacy Preferences Policy Control.
        3. Under the Setting name section, expand Services > System Policy All Files.
        4. Select System Policy All Files and Allowed.

        1. In the Browse by category section, scroll down to User Experience.
        2. Select Notifications.
        3. Under the Setting name section, expand the Notification Settings section and select all of the options.

        1. In the Browse by category section, scroll down to System Configuration.
        2. Select System Extensions.
        3. Under the Setting name section, check Allowed System Extensions, Allowed Team Identifiers, and Removable System Extensions.

    9. On the left-hand side of the screen, configure the settings for the profiles you added in the previous step:

        1. In the Privacy Preferences Policy Control section, under System Policy All Files, click Edit Instance to add the following three identifiers and configure settings for these identifiers.
        • Identifier: com.zscaler.zdp.pd
          • Identifier Type: Bundle ID
          • Code Requirement: identifier "com.zscaler.zdp.pd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PCBCQZJ7S7
          • App or Service: SystemPolicyAllFiles
          • Access: Allow
        • Identifier: com.zscaler.zdp.esd
          • Identifier Type: Bundle ID
          • Code Requirement: identifier "com.zscaler.zdp.esd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PCBCQZJ7S7
          • App or Service: SystemPolicyAllFiles
          • Access: Allow
        • Identifier: com.zscaler.zdp.at
          • Identifier Type: Bundle ID
          • Code Requirement: identifier "com.zscaler.zep.at" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PCBCQZJ7S7
          • App or Service: SystemPolicyAllFiles
          • Access: Allow

        1. In the Notifications section, configure the settings under the Notification Settings section.
        2. Click Edit instance. In the window that opens on the right-hand side, add the following details:
          • Alert Type: Select Persistent Banner from the drop-down menu.
          • Badges Enabled: Turn the toggle to false.
          • Bundle Identifier: com.zscaler.zdp.agent

        Leave all other settings as they are.

        3. Click Save.
        1. In the Privacy Preferences Policy Control section, under the System Extensions section, configure the following settings:
          • Under the Allowed Team Identifiers section, enter PCBCQZJ7S7.
          • In the Removable System Extensions and the Allowed System Extensions sections, click the Edit Instance button.
          • In the window that opens on the right-hand side:
            • In the first box, enter com.zscaler.zep.at.
            • In the Team Identifier section, enter PCBCQZJ7S7.

        2. Click Save.
    10. Click Next.
    11. In the Scope tags section, add tags for particular devices and users.
    12. On the Assignments tab, select the group assignments for which you want to assign the app configuration policy, and then click Next.
    13. Click Review and Create.
    14. Click Create.
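
A pre-upload consistency check for the System Policy All Files entries in the procedure above, added here as an example (it is not Zscaler's or Microsoft's code). It compares each entry's Identifier with the identifier clause and the pinned subject.OU in its Code Requirement, using the values as printed on this page; the function names are hypothetical.

```python
import re

# Values as printed on this page: the System Policy All Files entries and
# the Allowed Team Identifiers step.
TEAM_ID = "PCBCQZJ7S7"
_TAIL = (" and anchor apple generic"
         " and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */"
         " and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */"
         " and certificate leaf[subject.OU] = " + TEAM_ID)
PPPC_ROWS = [  # (Identifier field, Code Requirement field)
    ("com.zscaler.zdp.pd", 'identifier "com.zscaler.zdp.pd"' + _TAIL),
    ("com.zscaler.zdp.esd", 'identifier "com.zscaler.zdp.esd"' + _TAIL),
    ("com.zscaler.zdp.at", 'identifier "com.zscaler.zep.at"' + _TAIL),
]

def parse_requirement(req):
    """Pull out the clauses that scope a code requirement to one signed binary."""
    text = re.sub(r"/\*.*?\*/", " ", req)  # strip /* exists */ comments
    ident = re.search(r'\bidentifier\s+"([^"]+)"', text)
    ou = re.search(r'leaf\s*\[subject\.OU\]\s*=\s*"?([A-Za-z0-9]+)', text)
    return {
        "identifier": ident.group(1) if ident else None,
        "team_id": ou.group(1) if ou else None,
        "apple_anchor": re.search(r"\banchor\s+apple\b", text) is not None,
    }

def lint_row(identifier, requirement, team_id=TEAM_ID):
    """Return findings for one row; an empty list means the row is consistent."""
    req = parse_requirement(requirement)
    findings = []
    if req["identifier"] is None:
        findings.append("requirement has no identifier clause")
    elif req["identifier"] != identifier:
        findings.append(f"Identifier is {identifier} but requirement names {req['identifier']}")
    if req["team_id"] is None:
        findings.append("requirement does not pin leaf[subject.OU]")
    elif req["team_id"] != team_id:
        findings.append(f"requirement pins team {req['team_id']}, expected {team_id}")
    if not req["apple_anchor"]:
        findings.append("requirement lacks an Apple anchor")
    return findings

def lint_profile(rows, team_id=TEAM_ID):
    """Map each Identifier to its findings so a reviewer sees every row."""
    return {ident: lint_row(ident, req, team_id) for ident, req in rows}

if __name__ == "__main__":
    for ident, findings in lint_profile(PPPC_ROWS).items():
        print(ident, "->", findings or "consistent")
```

With the values as printed on this page, the third entry is reported: its Identifier reads com.zscaler.zdp.at while its Code Requirement names com.zscaler.zep.at. Confirm the correct value against the designated requirement of the installed binary (codesign -d -r- <path>) before uploading the profile.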
Related Articles
  • Understanding Zscaler Client Connector App Downloads
  • Customizing Zscaler Client Connector with Install Options for MSI
  • Customizing Zscaler Client Connector with Install Options for EXE
  • Customizing Zscaler Client Connector with Install Options for macOS
  • Customizing Zscaler Client Connector with Install Options for Linux
  • Customizing Zscaler Client Connector with Install Options for Android
  • Customizing Zscaler Client Connector with Install Options for iOS
  • Deploying Zscaler Client Connector with Active Directory for Windows
  • Deploying Zscaler Client Connector with MaaS360 for Android
  • Deploying Zscaler Client Connector with MaaS360 for iOS
  • Deploying Zscaler Client Connector with Microsoft Intune for Android
  • Deploying Zscaler Client Connector with Microsoft Intune for macOS
  • Deploying Zscaler Client Connector with Microsoft Intune for iOS
  • Deploying Zscaler Client Connector with MobileIron for iOS
  • Deploying Zscaler Client Connector with MobileIron for Android
  • Deploying Zscaler Client Connector with Jamf Pro for macOS
  • Deploying Zscaler Client Connector with Jamf Pro for iOS
  • Deploying Zscaler Client Connector with Workspace ONE UEM for Android
  • Deploying Zscaler Client Connector with Workspace ONE UEM for iOS
  • Blocking LAN Access
  • Best Practices for Zscaler Client Connector Deployment
  • Best Practices for Updating Latest Versions of Zscaler Client Connector Application
  • Uninstalling Zscaler Client Connector
  • Reverting Zscaler Client Connector to the Previous Version
  • Upgrading Zscaler Client Connector