Customizing the Zscaler App with Install Options (MSI)



You can use the MSI file to install the Zscaler App manually on a device, or to deploy the app to your users via GPO, SCCM, or other device management methods that support MSI files. After downloading the Zscaler App MSI installer file, you can deploy the file as is with your device management method.

You can also add install options to the file to customize the app for your organization, using one of the following methods:

  • Creating an MST file and deploying it via GPO or a compatible device management tool
  • Running the MSI with command-line options

Create an MST File

To create an MST file using Orca:

  1. Open Orca and go to File > Open.
  2. Locate and double-click on the MSI file.
  3. Go to Transform > New Transform.

Screenshot of the New Transform option

  4. In the Tables column, click Property.

Screenshot of the Zscaler App MSI file properties

  5. Edit the values for the following install options or add more options:

If your organization is provisioned on more than one cloud, your users are asked to select the cloud to which their traffic is sent during the enrollment process. See image.

Screenshot of selecting a cloud on the Zscaler App


With the CLOUDNAME install option, you can specify the cloud to which the app must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud: the app automatically sends traffic to the proper cloud, and your users do not need to make a selection during enrollment.

This install option is required if you enable the STRICTENFORCEMENT option.

To add the CLOUDNAME install option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter CLOUDNAME.
    2. Press Enter or click the Value field.
    3. For Value, enter the name of the cloud on which your organization is provisioned, in lowercase letters. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What is my cloud name?
  3. Click OK.

The install option appears as a new line.

Screenshot of adding the CLOUDNAME install option when creating a Zscaler App MST file

The DEVICETOKEN install option only applies to Zscaler Internet Access (ZIA). It is not supported by Zscaler Private Access (ZPA).

The DEVICETOKEN install option allows you to use the Zscaler App portal as an IdP. The Zscaler service will silently provision and authenticate users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler App portal and complete the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add the DEVICETOKEN install option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter DEVICETOKEN.
    2. Press Enter or click the Value field.
    3. For Value, enter the appropriate device token from the Zscaler App portal. To learn more, see Using the Zscaler App Portal as an IdP.
  3. Click OK.

The install option appears as a new line.

Screenshot of adding the DEVICETOKEN install option when creating a Zscaler App MST file

The HIDEAPPUIONLAUNCH install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.

To enable the HIDEAPPUIONLAUNCH install option:

  1. In the table, double-click on the HIDEAPPUIONLAUNCH property.
  2. Enter 1 as the value. By default, the value is 0 (i.e., disabled).

Screenshot of configuring the HIDEAPPUIONLAUNCH install option when creating a Zscaler App MST file

The INSTALLDRIVERCERT install option allows you to silently install the network adapter signature certificate along with the app so that users are not prompted to accept the certificate after you install it.

If you are using Zscaler App version 1.2 or later, you don't need to add this option. The network adapter signature certificate is automatically installed with the app. However, if you're using a version earlier than 1.2, or if you have a strict GPO policy restricting the certificates, the following installation guidelines apply:

  • If you're using an earlier version than 1.2:
    1. In the table, double-click on the INSTALLDRIVERCERT property.
    2. Enter 1 as the value. By default, the value is 0 (i.e., disabled).
  • If you're using version 1.2 or later but have a GPO policy restricting the certificates that can be installed on your organization's devices:
    1. In the table, double-click on the INSTALLDRIVERCERT property.
    2. Enter 0 as the value. By default, the value is 1 (i.e., enabled).
    3. Complete the steps described in How do I push the network adapter signature certificate for Zscaler App using GPO?

Screenshot of configuring the INSTALLDRIVERCERT install option when creating a Zscaler App MST file

The POLICYTOKEN install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.

Prerequisites:

  • This install option is only applicable, and required, if you enable the STRICTENFORCEMENT option and want users to enroll with the app before accessing the Internet.
  • In the Zscaler App portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.


To add the POLICYTOKEN install option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter POLICYTOKEN.
    2. Press Enter or click the Value field.
    3. For Value, enter the policy token associated with the policy you want to enforce before enrollment. To learn more, see Configuring Zscaler App Profiles.
  3. Click OK.
  4. The install option appears as a new line.

Screenshot of configuring the POLICYTOKEN install option when creating a Zscaler App MST file

The REINSTALLDRIVER install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

To enable the REINSTALLDRIVER install option:

  1. In the table, double-click on the REINSTALLDRIVER property.
  2. Enter 1 as the value. By default, the value is 0 (i.e., disabled).

Screenshot of configuring the REINSTALLDRIVER install option when creating a Zscaler App MST file

The STRICTENFORCEMENT install option allows you to require users to enroll with the app before accessing the Internet.

If you enable this install option, the CLOUDNAME and POLICYTOKEN options are required.

To enable the STRICTENFORCEMENT install option:

  1. In the table, double-click on the STRICTENFORCEMENT property.
  2. Enter 1 as the value. By default, the value is 0 (i.e., disabled).

Screenshot of configuring the STRICTENFORCEMENT install option when creating a Zscaler App MST file

The UNINSTALLPASSWORD install option allows you to silently uninstall the app from users' devices using device management methods like GPO. This option is only available when using MSI. The password you add for this option must match the Logout Password configured in the app profiles. Using the password, you'll be able to uninstall the app from your users' devices by removing the MST file from the GPO.

Prerequisites:

  • Your users must be enrolled in the app. If users have the app installed on their devices but have not enrolled, you cannot uninstall the app using this method.
  • You must have a Logout Password configured in the app profile policy. To learn more, see Configuring Zscaler App Profiles.

To add the UNINSTALLPASSWORD install option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter UNINSTALLPASSWORD.
    2. Press Enter or click the Value field.
    3. For Value, enter the Logout Password from the app profile policy.
  3. Click OK.

The install option appears as a new line.

Screenshot of adding the UNINSTALLPASSWORD install option when creating a Zscaler App MST file

The USERDOMAIN install option allows users to skip the app enrollment page. (See image.) If SSO is enabled for your organization, users are taken right to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in.


To add the USERDOMAIN install option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter USERDOMAIN.
    2. Press Enter or click the Value field.
    3. For Value, enter your organization's domain name.
  3. Click OK.
  4. The install option appears as a new line.

Screenshot of adding the USERDOMAIN install option when creating a Zscaler App MST file

Screenshot of the Zscaler App enrollment page and an organization SSO login page 

  6. To save your changes after adding the options you want, go to Transform > Generate Transform....
  7. In the Save Transform As window, enter a file name and click Save.

Screenshot of saving the Zscaler App MST file

After creating the MST, you can use it when deploying the Zscaler App to your users with Active Directory.

Running the MSI File with Command-Line Options

Zscaler recommends using the MST file to install the Zscaler App with custom options. However, if your device management tool does not support MST files (e.g., SCCM or PSEXEC), or if you are installing the MSI file manually, you can run the MSI file from the command line and add the options you need.

To run the MSI file using command-line options:

  1. Start a command prompt as an administrator:
    1. Click Start.
    2. In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
    3. If the User Account Control (UAC) dialog box appears, confirm that you want to continue.

Screenshot of running the command prompt as an administrator

  2. Enter the following command:
     msiexec /i "<complete path>" /quiet <install options>

If your organization is provisioned on more than one cloud, your users are asked to select the cloud to which their traffic is sent during the enrollment process. See image.

Screenshot of selecting a cloud on the Zscaler App


With the CLOUDNAME install option, you can specify the cloud to which the app must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud: the app automatically sends traffic to the proper cloud, and your users do not need to make a selection during enrollment.

This install option is required if you enable the STRICTENFORCEMENT option.

To add this option using the command-line, enter CLOUDNAME=<organization's cloud name in lowercase>. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What is my cloud name?

The DEVICETOKEN install option only applies to Zscaler Internet Access (ZIA). It is not supported by Zscaler Private Access (ZPA).

The DEVICETOKEN install option allows you to use the Zscaler App portal as an IdP. The Zscaler service will silently provision and authenticate users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler App portal and complete the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add this option using the command-line, enter DEVICETOKEN=<device token from the Zscaler App portal>.

Screenshot of the device token from the Zscaler App Portal

The HIDEAPPUIONLAUNCH install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.

To enable this option using the command-line, enter HIDEAPPUIONLAUNCH=1. By default, the value is 0 (i.e., disabled).

The INSTALLDRIVERCERT install option allows you to silently install the network adapter signature certificate along with the app so that users are not prompted to accept the certificate after you install it.

If you are using Zscaler App version 1.2 or later, you don't need to add this option. The network adapter signature certificate is automatically installed with the app. However, if you're using a version earlier than 1.2, or if you have a strict GPO policy restricting the certificates, the following installation guidelines apply:

  • If you're using an earlier version than 1.2, enable this option using the command-line by entering INSTALLDRIVERCERT=1.
  • If you're using version 1.2 or later but have a GPO policy restricting the certificates that can be installed on your organization's devices:
    1. Disable this option using the command-line by entering INSTALLDRIVERCERT=0.
    2. Complete the steps described in How do I push the network adapter signature certificate for Zscaler App using GPO?

The POLICYTOKEN install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.

Prerequisites:

  • This install option is only applicable, and required, if you enable the STRICTENFORCEMENT option and want users to enroll with the app before accessing the Internet.
  • In the Zscaler App portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.


To add this option using the command-line, enter POLICYTOKEN=<policy token from the Zscaler App portal>.

Screenshot of the policy token from a Zscaler App Profile policy

The REINSTALLDRIVER install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

To enable this option using the command-line, enter REINSTALLDRIVER=1. By default, the value is 0 (i.e., disabled).

The STRICTENFORCEMENT install option allows you to require users to enroll with the app before accessing the Internet.

If you enable this install option, the CLOUDNAME and POLICYTOKEN options are required.

To enable this option using the command-line, enter STRICTENFORCEMENT=1. By default, the value is 0 (i.e., disabled).

The USERDOMAIN install option allows users to skip the app enrollment page. (See image.) If SSO is enabled for your organization, users are taken right to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in.


To add this option using the command-line, enter USERDOMAIN=<organization's domain name>.

Screenshot of the Zscaler App enrollment page and an organization SSO login page

The image below is an example of a command-line that uses all the available install options above (with the exception of INSTALLDRIVERCERT), where:

  • The absolute path to the MSI file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.msi
  • The /quiet switch is used to install the app in silent mode
  • The cloud on which the organization is provisioned is zscalertwo.net
  • The device token value is 4e36647447326e5a553335303232416e6279784b51513d3d
  • The policy token value is 32343A343A312E31204D6967726174696F6E
  • The organization's domain name is safemarch.com

Screenshot of an example of running the Zscaler App MSI File with a command line
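
The command line described by the bullets above can be assembled and checked before it is run. The following PowerShell is an added example, not part of Zscaler's documentation: the helper name New-ZappMsiArgs is hypothetical, the values for the 0/1 options and the character set accepted for CLOUDNAME are assumptions, and the checks encode only the rules stated on this page (STRICTENFORCEMENT requires CLOUDNAME and POLICYTOKEN; the cloud name is lowercase without the domain suffix).

```powershell
# Added example; New-ZappMsiArgs is a hypothetical helper, not a Zscaler tool.
function New-ZappMsiArgs {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [hashtable] $Options = @{}
    )
    $flags  = 'HIDEAPPUIONLAUNCH', 'INSTALLDRIVERCERT', 'REINSTALLDRIVER', 'STRICTENFORCEMENT'
    $values = 'CLOUDNAME', 'DEVICETOKEN', 'POLICYTOKEN', 'USERDOMAIN'

    foreach ($name in $Options.Keys) {
        $value = [string]$Options[$name]
        # MSI public properties are uppercase, so compare names case-sensitively.
        if ($name -cnotin ($flags + $values)) { throw "Unknown install option: $name" }
        if (($name -cin $flags) -and ($value -notin @('0', '1'))) { throw "$name must be 0 or 1" }
        # Whitespace or quotes would split or corrupt the msiexec argument.
        if (($value -eq '') -or ($value -match '[\s"]')) { throw "$name has an empty or unsafe value" }
    }
    # Lowercase cloud name without the domain suffix (zscalertwo, not zscalertwo.net).
    # The exact character set is an assumption made for this example.
    if ($Options.ContainsKey('CLOUDNAME') -and ($Options['CLOUDNAME'] -cnotmatch '^[a-z0-9]+$')) {
        throw 'CLOUDNAME must be the lowercase cloud name without the domain suffix'
    }
    # STRICTENFORCEMENT requires both CLOUDNAME and POLICYTOKEN.
    if ([string]$Options['STRICTENFORCEMENT'] -eq '1') {
        foreach ($required in 'CLOUDNAME', 'POLICYTOKEN') {
            if (-not $Options.ContainsKey($required)) { throw "STRICTENFORCEMENT=1 requires $required" }
        }
    }
    $pairs = @($Options.Keys | Sort-Object | ForEach-Object { "$_=$($Options[$_])" })
    return @('/i', "`"$MsiPath`"", '/quiet') + $pairs
}

# Path and option values are the ones listed on this page.
$msi = 'C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.msi'
$msiArgs = New-ZappMsiArgs -MsiPath $msi -Options @{
    CLOUDNAME         = 'zscalertwo'
    DEVICETOKEN       = '4e36647447326e5a553335303232416e6279784b51513d3d'
    HIDEAPPUIONLAUNCH = 1
    POLICYTOKEN       = '32343A343A312E31204D6967726174696F6E'
    REINSTALLDRIVER   = 1
    STRICTENFORCEMENT = 1
    USERDOMAIN        = 'safemarch.com'
}
"msiexec $($msiArgs -join ' ')"   # print the full command for review
# DEVICETOKEN and POLICYTOKEN will appear in any process command-line logging on the host.
# From an elevated prompt: Start-Process msiexec.exe -ArgumentList $msiArgs -Wait
```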