Customizing Zscaler App with Install Options (EXE)


You can use the EXE file to install the Zscaler App on a device manually, or to deploy the Zscaler App to your users via device management methods that do not support MSI files. After downloading the Zscaler App EXE installer file, you can deploy the file as is with your device management method.

You can also add install options to the file to customize the Zscaler App for your organization, using one of the following methods:

  • If you're deploying the Zscaler App in an AD environment, you can add these options as parameters when assigning a computer startup script to install the Zscaler App. See Deploying the EXE file to install the Zscaler App in D. Install the Zscaler App on the OU's Windows computers in silent mode in Deploying the Zscaler App for Windows with Active Directory.
  • You can also run the EXE file with command-line options. See below for instructions.

In addition to the custom features enabled by the install options below, you can also modify the EXE file to allow users to log into the Zscaler App without entering a domain name. See the configuration instructions for this option at the end of this article.

Running the EXE File with Command-Line Options

You can add options while running the EXE with a command line. To begin:

  1. Start a command prompt as an administrator.
    1. Click Start.
    2. In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
    3. If the User Account Control dialog box appears, confirm that you want to continue.
  2. Enter the complete path of the EXE install file followed by the options you want. Available options are as follows:

If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

With the --cloudName install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. In that case, the Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

Note: This install option is required if you enable the --strictEnforcement option.

To add the option: Enter --cloudName <your organization's cloud name in lowercase letters>. See What is my cloud name? to learn how to find your cloud name.

Example (where an organization's cloud is zscalertwo.net): --cloudName zscalertwo

The --deviceToken option allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

Note: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add the option: Enter --deviceToken <appropriate device token from the Zscaler App Portal>. You must obtain the appropriate device token from the Zscaler App Portal.

Example (where device token is 123456789): --deviceToken 123456789

The --hideAppUIOnLaunch option forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

To add this option, enter --hideAppUIOnLaunch 1

The --mode unattended option allows you to install the Zscaler App in silent mode.

To add this option, enter --mode unattended

The --policyToken install option is only applicable (and required) if you enable --strictEnforcement and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

Note:

  • In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the Zscaler App. Once you configure an App Profile policy, the Zscaler App Portal automatically generates a policy token. You must use this policy token as the value for this option (see image below).

To add this option, enter --policyToken <policy token from the Zscaler App Portal>. Note that you must also add --strictEnforcement 1 and --cloudName <your organization's cloud name in lower case letters>.

See the example below. In the example, the organization's cloud name is zscalertwo.

Example (where policy token is 123456789 and the cloud is zscalertwo.net): --strictEnforcement 1 --policyToken 123456789 --cloudName zscalertwo

The --reinstallDriver option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

To add this option, enter the following: --reinstallDriver 1

The --strictEnforcement option allows you to require users to enroll with the Zscaler App before accessing the Internet.

Note, with the --strictEnforcement option, you must add the --policyToken and --cloudName options. See more about the --policyToken and --cloudName options above.

To add this option, enter --strictEnforcement 1

Example (where policy token is 123456789 and the cloud is zscalertwo.net): --strictEnforcement 1 --policyToken 123456789 --cloudName zscalertwo

The --unattendedmodeui option allows you to control what's displayed to users if you are performing an unattended installation of the Zscaler App.

To add the option:

In the Script Parameters field, enter the following: --unattendedmodeui <none, minimal, or minimalWithDialogs>, where:

  • none: Nothing is displayed to users and no interaction is required. If you add the --mode unattended option (see above), this is the default value, and you do not need to add this option.
  • minimal: Very little is displayed to the user (for example, a small progress bar showing installation progress).
  • minimalWithDialogs: More information is displayed to the user with some dialogs that require user interaction.

Example: --unattendedmodeui minimal

The --userDomain option allows users to skip the Zscaler App enrollment page (see image). Users are taken right to your organization's SSO login page.

Notes:

  • SSO must be enabled for your organization.
  • If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.
  • An alternative to using this install option is to change the name of the installer file. See Allow Users to Log into the Zscaler App Without Entering Domains, below.

To add this option, enter the following: --userDomain <your organization's domain>

Example (where organization's domain name is zscaler.com): --userDomain zscaler.com

The image below is an example of a command line that uses all the available options above, where:

  • The complete path of the EXE file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.exe
  • The cloud on which the organization is provisioned is zscalertwo.net
  • The device token value is 123456789
  • The policy token value is 987654321
  • The organization's domain name is safemarch.com

The image has been annotated to show the different components.
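
The option rules above (--strictEnforcement needs --policyToken and --cloudName, --policyToken is only valid with --strictEnforcement, and the cloud name is lowercase) can be checked before the installer runs. The following PowerShell script is an added example, not Zscaler code; the function name Get-ZappInstallArgs is hypothetical, the signature check assumes the installer is Authenticode-signed, and the path and values are the sample values listed above.

```powershell
# Added example, not Zscaler code. Enforces the option rules described in this article.
function Get-ZappInstallArgs {   # hypothetical helper name
    param(
        [string]$CloudName, [string]$DeviceToken, [string]$PolicyToken,
        [string]$UserDomain,
        [switch]$StrictEnforcement, [switch]$HideAppUIOnLaunch,
        [switch]$ReinstallDriver, [switch]$Unattended,
        [ValidateSet('none', 'minimal', 'minimalWithDialogs')]
        [string]$UnattendedModeUI
    )
    # --strictEnforcement requires both --policyToken and --cloudName.
    if ($StrictEnforcement -and (-not $PolicyToken -or -not $CloudName)) {
        throw '--strictEnforcement requires --policyToken and --cloudName.'
    }
    # --policyToken is only applicable when --strictEnforcement is enabled.
    if ($PolicyToken -and -not $StrictEnforcement) {
        throw '--policyToken applies only together with --strictEnforcement 1.'
    }
    # The cloud name must be given in lowercase letters.
    if ($CloudName -and ($CloudName -cne $CloudName.ToLowerInvariant())) {
        throw '--cloudName must be in lowercase letters.'
    }
    $list = @()
    if ($CloudName)         { $list += '--cloudName', $CloudName }
    if ($DeviceToken)       { $list += '--deviceToken', $DeviceToken }
    if ($HideAppUIOnLaunch) { $list += '--hideAppUIOnLaunch', '1' }
    if ($Unattended)        { $list += '--mode', 'unattended' }
    if ($StrictEnforcement) { $list += '--strictEnforcement', '1', '--policyToken', $PolicyToken }
    if ($ReinstallDriver)   { $list += '--reinstallDriver', '1' }
    if ($UnattendedModeUI)  { $list += '--unattendedmodeui', $UnattendedModeUI }
    if ($UserDomain)        { $list += '--userDomain', $UserDomain }
    return $list
}

# Sample values taken from the list above.
$installer = 'C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.exe'

# Assumption: the installer is Authenticode-signed. Stop if the signature is not valid.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') { throw "Installer signature status: $($sig.Status)" }

$zappArgs = Get-ZappInstallArgs -CloudName 'zscalertwo' -DeviceToken '123456789' `
    -StrictEnforcement -PolicyToken '987654321' -UserDomain 'safemarch.com' `
    -HideAppUIOnLaunch -ReinstallDriver -Unattended -UnattendedModeUI 'none'

# Run from an elevated prompt, as in step 1 above, and report the exit code.
$proc = Start-Process -FilePath $installer -ArgumentList $zappArgs -Wait -PassThru
"Installer exit code: $($proc.ExitCode)"
```

Because the token values are passed as command-line arguments, they appear wherever process command lines are recorded, so handle deployment scripts and such records as containing them.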

Allowing Users to Log into the Zscaler App Without Entering Domains

Note: This configuration can only be used if your organization's domain is registered on a single cloud. If your organization's domain is registered on multiple clouds, use the command-line options above.

This configuration achieves the same function as the install option --userDomain above. Note:

  • SSO must be enabled for your organization.
  • If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

To allow users to log into the Zscaler App without entering domains, do the following:

  • Locate the EXE file you downloaded.
  • Prefix the installer file name with your organization's domain name. For example, if the installer file name is "Zscaler-windows-1.1.0.000213-installer" and your organization's domain is "safemarch.com" you would rename the installer file to: "safemarch.com-Zscaler-windows-1.1.0.000213-installer".
