Customizing Zscaler App with Install Options (EXE)



You can use the EXE file to manually install the Zscaler App on a device, or to deploy the app to your users via device management methods that do not support MSI files. After downloading the Zscaler App EXE installer file, you can deploy the file as is with your device management method.

You can also add install options to customize the app for your organization via one of the following methods:

  • If you're deploying the app in an Active Directory (AD) environment, you can add install options as parameters when assigning a system start-up script to install the app. To learn more, see Deploying the Zscaler App for Windows with Active Directory.
  • You can also run the EXE file using command-line options. To learn more, see Running the EXE file with Command-Line Options below.

In addition to the custom features enabled by the install options, you can also modify the EXE file to allow users to log into the app without entering a domain name. To learn more, see Allow Users to Log into the Zscaler App Without Entering Domains.

Running the EXE File with Command-Line Options

To run the EXE file using command-line options:

  1. Start a command prompt as an administrator.
    1. Click Start.
    2. In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
    3. If the User Account Control (UAC) dialog box appears, confirm that you want to continue.
  2. Enter the absolute path to the EXE file using one or more of the following install options:

If your organization is provisioned on more than one cloud, your users are asked to select the cloud to which their traffic is sent during the enrollment process. See image.


With the --cloudName install option, you can specify the cloud to which the app must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. In that case, the app automatically sends traffic to the proper cloud and your users do not need to make a selection during enrollment.

This install option is required if you enable the --strictEnforcement option.

To add this option using the command line, enter --cloudName <organization's cloud name in lowercase>. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What is my cloud name?

Selecting a cloud on the Zscaler App

The --deviceToken install option only applies to Zscaler Internet Access (ZIA). It is not supported by Zscaler Private Access (ZPA).

This install option allows you to use the Zscaler App portal as an IdP. The Zscaler service will silently provision and authenticate users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler App portal and complete the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add this option using the command line, enter --deviceToken <device token from the Zscaler App portal>.

A device token from the Zscaler App Portal

The --hideAppUIOnLaunch install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.

To enable this option using the command line, enter --hideAppUIOnLaunch 1. By default, the value is 0 (i.e., disabled).

The --mode install option allows you to install the app in silent mode.

To add this option using the command line, enter --mode unattended.

The --policyToken install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.

Prerequisites:

  • This install option is only applicable, and required, if you enable the --strictEnforcement option and want users to enroll with the app before accessing the Internet.
  • In the Zscaler App portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.

To add this option using the command line, enter --policyToken <policy token from the Zscaler App portal>.

The policy token for a Zscaler App profile policy

The --reinstallDriver install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

To enable this option using the command line, enter --reinstallDriver 1. By default, the value is 0 (i.e., disabled).

The --strictEnforcement install option allows you to require users to enroll with the app before accessing the Internet.

If you enable this install option, the --cloudName and --policyToken options are required.

To enable this option using the command line, enter --strictEnforcement 1. By default, the value is 0 (i.e., disabled).

The --unattendedmodeui install option allows you to control what's displayed to users if you are performing an unattended installation of the app.

To add the install option using the command line, enter --unattendedmodeui <value>, where <value> is one of the following:

  • none: Nothing is displayed to the user and no interaction is required. If you included the --mode unattended install option, none is the default value for --unattendedmodeui.
  • minimal: A small progress bar showing installation progress is displayed to the user and no interaction is required.
  • minimalWithDialogs: More information is displayed to the user with some dialogs that require user interaction.

The --userDomain install option allows users to skip the app enrollment page. (See image.) If SSO is enabled for your organization, users are taken right to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in.

An alternative to using this install option is to change the name of the installer file. To learn more, see Allow Users to Log into the Zscaler App Without Entering Domains.

To add the install option using the command line, enter --userDomain <organization's domain name>.

The Zscaler App enrollment page and an organization SSO login page

The image below is an example of a command line that uses all the available install options above, where:

  • The absolute path to the EXE file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.exe
  • The cloud on which the organization is provisioned is zscalertwo.net
  • The device token value is 123456789
  • The policy token value is 987654321
  • The organization's domain name is safemarch.com

Running the Zscaler App EXE file with a command line
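
The dependencies between the install options described above (--strictEnforcement requires --cloudName and --policyToken, and --policyToken applies only with --strictEnforcement) can be checked before a deployment script runs the installer. The following PowerShell is an added example, not Zscaler's code: the function name New-ZscalerInstallArgs and its parameter names are hypothetical, the option order is arbitrary, and the values are the sample values listed above.

```powershell
# Added example: hypothetical helper, not part of the Zscaler installer.
function New-ZscalerInstallArgs {
    param(
        [string]$CloudName,
        [string]$DeviceToken,      # ZIA only; not supported by ZPA
        [string]$PolicyToken,
        [string]$UserDomain,
        [switch]$StrictEnforcement,
        [switch]$HideAppUIOnLaunch,
        [switch]$ReinstallDriver,
        [switch]$Unattended,
        [ValidateSet('none', 'minimal', 'minimalWithDialogs')]
        [string]$UnattendedModeUI
    )

    # --strictEnforcement requires --cloudName and --policyToken.
    if ($StrictEnforcement -and (-not $CloudName -or -not $PolicyToken)) {
        throw '--strictEnforcement requires --cloudName and --policyToken.'
    }
    # --policyToken is only applicable when --strictEnforcement is enabled.
    if ($PolicyToken -and -not $StrictEnforcement) {
        throw '--policyToken only applies with --strictEnforcement 1.'
    }
    # --cloudName is lowercase, without the suffix (zscalertwo, not zscalertwo.net).
    if ($CloudName -cmatch '[A-Z.]') {
        throw "--cloudName must be lowercase with no suffix, e.g. 'zscalertwo'."
    }
    # --unattendedmodeui controls the display of an unattended installation.
    if ($UnattendedModeUI -and -not $Unattended) {
        throw '--unattendedmodeui is for unattended installs; add -Unattended.'
    }

    $a = @()
    if ($CloudName)         { $a += '--cloudName', $CloudName }
    if ($DeviceToken)       { $a += '--deviceToken', $DeviceToken }
    if ($HideAppUIOnLaunch) { $a += '--hideAppUIOnLaunch', '1' }
    if ($Unattended)        { $a += '--mode', 'unattended' }
    if ($PolicyToken)       { $a += '--policyToken', $PolicyToken }
    if ($ReinstallDriver)   { $a += '--reinstallDriver', '1' }
    if ($StrictEnforcement) { $a += '--strictEnforcement', '1' }
    if ($UnattendedModeUI)  { $a += '--unattendedmodeui', $UnattendedModeUI }
    if ($UserDomain)        { $a += '--userDomain', $UserDomain }
    $a
}

# Sample values from the list above, combined into one command line.
$installer = 'C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.exe'
$installArgs = New-ZscalerInstallArgs -CloudName zscalertwo -DeviceToken 123456789 `
    -PolicyToken 987654321 -UserDomain safemarch.com -StrictEnforcement `
    -HideAppUIOnLaunch -ReinstallDriver -Unattended -UnattendedModeUI none
"$installer $($installArgs -join ' ')"   # command line to run as administrator
```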

Allowing Users to Log into the Zscaler App Without Entering Domains

This configuration can only be used if your organization's domain is registered on a single cloud. If your organization's domain is registered on multiple clouds, use the command-line install options described above.

This configuration achieves the same function as the --userDomain install option. The following guidelines apply:

  • SSO must be enabled for your organization.
  • If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in.

To allow users to log into the app without entering domains:

  1. Locate the EXE file.
  2. Prefix the file name with your organization's domain name. For example, if the file name is Zscaler-windows-1.1.0.000213-installer and your organization's domain is safemarch.com, you would rename the file to safemarch.com-Zscaler-windows-1.1.0.000213-installer.

A configured Zscaler App EXE file that allows users to log in without entering domains