Deploying the Zscaler App for Windows with Active Directory



This article provides instructions for deploying the Zscaler App in an Active Directory (AD) environment. It also provides details on how to complete a silent installation on users' devices.

A. Prepare AD environment.

  1. Log in to the AD environment (Domain Controller) as an admin user.
  2. Ensure that you have a well-defined organizational unit (OU) in the AD where you want to deploy the Zscaler App. If you do not have an appropriate OU, create one by going to Server Manager > Active Directory Domain Services > [your Domain] > New > Organizational Unit.
  3. Ensure that the newly created OU contains all the users and computer systems on which you want to deploy the Zscaler App.

B. Create a network share.

You must ensure that the Zscaler App installer is accessible to all relevant computers by creating a network share on a drive of the Domain Controller.

  1. Create a folder, then right-click it and select Properties. Click Enable Sharing, and in the Security tab, grant the relevant domain Administrators and Authenticated Users access permissions.
  2. Copy the Zscaler App installer to this folder.
  3. Map this folder as a network drive and make sure it is accessible by the client computers across the relevant OU within the domain.

C. Create a Group Policy Object (GPO) for Zscaler App Installation.

You must create a new GPO for your OU in order to install the Zscaler App.

  1. Go to Run and type ‘gpmc.msc’ to open the Group Policy Management editor. Select your OU, then right-click and select Create a GPO in this domain, and Link it here.
  2. Under Security Filtering, specify the users, groups, and computers to which the policy must apply.

D. Install the Zscaler App on the OU's Windows computers in silent mode.

You must now edit the GPO you created for the OU so that it installs the Zscaler App on the OU's Windows computers. You can use either the MSI or the EXE file, but Zscaler recommends the MSI because it integrates well with GPO. Choose one of the two options below.

Option 1: Deploying with the MSI file

These steps describe how to complete a silent installation of the App on users' devices using an MSI file.

Note: If you want to customize the MSI file and add install options (for example, to require users to enroll with the Zscaler App before accessing the Internet), you must first create an MST before proceeding with the steps below. See Creating an MST in Customizing Zscaler App with Install Options (MSI) for instructions.

  1. Right-click the GPO you created and click Edit.
  2. Go to User Configuration > Policies > Software Settings > Software installation. Right-click and click New, then click Package.
  3. Double-click the MSI (Windows Installer) package. In the Deploy Software window, select Advanced as the deployment method. Click OK. See image.
  4. To install the Zscaler App on the OU's Windows computers in silent mode, go to the Deployment tab in the Zscaler Properties window and set the following:
    • For Deployment type, select Assigned.
    • For Deployment options, select Install this application at logon.
    • For Installation user interface options, select Basic. See image.
  5. Do one of the following:
    • If you did not create an MST, click OK.
    • If you created an MST, go to the Modifications tab and click Add. Select the MST file you created. Click OK. See image.

[Images: Deploy Software window; Zscaler Properties window, Deployment tab; Zscaler Properties window, Modifications tab]

After you complete the steps above, the Zscaler App is automatically deployed the next time users log on to their computers.

Option 2: Deploying with the EXE file

Below are instructions for defining a system startup script that installs the Zscaler App on user devices with the EXE file.

  1. Select the GPO and go to Computer Configuration > Policies > Windows Settings > Scripts > Startup. Double-click Startup to open it.
  2. Click Add to open a new wizard.
  3. In the Script Name field, specify the complete path of the Zscaler App installer. For example: \\SERVER\share\Zscaler-windows-1.1.0.000213-installer.exe
  4. Do one of the following: leave the Script Parameters field empty, or enter the install options you want to apply (the available options are described below).
  5. Click OK.
  6. Click Apply to apply the changes to the policy, then run ‘gpupdate.exe /force’.
  7. Remotely reboot the OU computers on which you want to install the Zscaler App with the following command:

    ‘shutdown.exe -r -m \\Remote-Computer-Name -t 0’

Install options

The following install options can be entered in the Script Parameters field of the startup script.

--cloudName

If your organization is provisioned on more than one cloud, during the enrollment process your users are asked to select the cloud to which their traffic is sent. See image.

[Image: cloud selection during enrollment]

With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on only one cloud; in that case the Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

Note: This install option is required if you enable the --strictEnforcement option.

To add the option: Enter --cloudName <your organization's cloud name in lowercase letters>. See What is my cloud name? to learn how to find your cloud name.

Example (where an organization's cloud is zscalertwo.net): --cloudName zscalertwo

[Image: example Script Parameters entry]

--deviceToken

This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

Note: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add the option: Enter --deviceToken <device token from the Zscaler App Portal>. You must obtain the appropriate device token from the Zscaler App Portal.

Example (where the device token is 54764b396b435a455178332b4b4a45566a6d58474b773d3d): --deviceToken 54764b396b435a455178332b4b4a45566a6d58474b773d3d

[Image: example Script Parameters entry]

--hideAppUIOnLaunch

This keeps the Zscaler App window hidden until users enroll with the App. Users can still open the window at any time by clicking the Zscaler App icon in the system tray.

To add the option:

In the Script Parameters field, enter the following: --hideAppUIOnLaunch 1

[Image: example Script Parameters entry]

--mode unattended

This allows you to install the Zscaler App in silent mode.

To add the option:

In the Script Parameters field, enter the following: --mode unattended

See the example below.

[Image: example Script Parameters entry]

--policyToken

This install option is only applicable (and required) if you enable --strictEnforcement and want users to enroll with the Zscaler App before accessing the Internet. It lets you specify which App Profile policy to enforce for the App before the user enrolls. All settings associated with that policy apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

Note:

  • In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to reach the IdP page and log in before enrolling with the Zscaler App. Once you configure an App Profile policy, the Zscaler App Portal automatically generates a policy token. You must use this policy token as the value for this option (see image below).

To add the option:

In the Script Parameters field, enter the following: --policyToken <policy token from the Zscaler App Portal>. Note that you must also add --strictEnforcement 1 and --cloudName <your organization's cloud name in lowercase letters> to the Script Parameters field.

See the example below. In the example, the organization's cloud name is zscalertwo.

[Image: example Script Parameters entry]

--reinstallDriver

This forces a reinstallation of the driver, even if a driver is already installed. Use this option if you are having issues with the currently installed driver.

To add the option:

In the Script Parameters field, enter the following: --reinstallDriver 1

See the example below.

[Image: example Script Parameters entry]

--strictEnforcement

This allows you to require users to enroll with the Zscaler App before accessing the Internet.

Note: Adding this install option requires that you also provide values for the --policyToken and --cloudName install options. See the descriptions of the --policyToken and --cloudName options above.

To add the option:

In the Script Parameters field, enter the following: --strictEnforcement 1 --policyToken <policy token from the Zscaler App Portal> --cloudName <your organization's cloud name in lowercase letters>

See the example below. In the example, the organization's cloud name is zscalertwo.

[Image: example Script Parameters entry]

--unattendedmodeui

This allows you to control what is displayed to users when you perform an unattended installation of the Zscaler App.

To add the option:

In the Script Parameters field, enter the following: --unattendedmodeui <none, minimal, or minimalWithDialogs>, where:

  • none: Nothing is displayed to users and no interaction is required. If you add the --mode unattended option (see above), this is the default value, and you do not need to add this option.
  • minimal: Very little is displayed to the user (for example, a small progress bar showing installation progress).
  • minimalWithDialogs: More information is displayed to the user, with some dialogs that require user interaction.

See the example below. In the example, the organization has chosen the minimal option.

[Image: example Script Parameters entry]

--userDomain

This allows users to skip the Zscaler App enrollment page (see image). Users are taken directly to your organization's SSO login page.

Notes:

  • SSO must be enabled for your organization.
  • If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with the Zscaler service and logged in.

To add the option:

In the Script Parameters field, enter the following: --userDomain <your organization's domain>

See the example below. In this example, the organization's domain is safemarch.com.

[Images: example Script Parameters entry; Zscaler App enrollment page]
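As an added example (not Zscaler's own code or a script from this article), the following PowerShell computer startup script applies the EXE procedure from section D together with the install-option dependency rules described above: it refuses to run when --strictEnforcement lacks --policyToken or --cloudName, skips the install if the App is already present, verifies the installer's Authenticode signature before executing it from the share, and then passes the options in the same "--name value" form you would type into Script Parameters. The share path and cloud name are the article's example values; the policy token, the log path, the Uninstall registry check and the assumption that the installer is Authenticode-signed are placeholders and assumptions of this example.

```powershell
# Added example, not Zscaler's code: GPO computer startup script that runs the
# EXE installer silently with the install options described in the article.
# Assumptions: share path from the article's example; token value is a
# placeholder; the installer is Authenticode-signed; install state is visible
# under the Uninstall registry keys.
$Installer = '\\SERVER\share\Zscaler-windows-1.1.0.000213-installer.exe'
$Log       = Join-Path $env:ProgramData 'ZscalerDeploy.log'

# Install options, in the same "--name value" form as the Script Parameters field.
$Options = [ordered]@{
    mode              = 'unattended'
    cloudName         = 'zscalertwo'                              # lowercase, per the article
    strictEnforcement = '1'
    policyToken       = '<POLICY-TOKEN-FROM-ZSCALER-APP-PORTAL>'   # placeholder
    hideAppUIOnLaunch = '1'
}

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Add-Content -Path $Log
}

# Dependency rule from the article: --strictEnforcement 1 needs --policyToken and --cloudName.
if ($Options['strictEnforcement'] -eq '1' -and
    -not ($Options['policyToken'] -and $Options['cloudName'])) {
    Write-Log 'strictEnforcement requires policyToken and cloudName; aborting'; exit 1
}
# The article requires the cloud name in lowercase letters.
if ($Options['cloudName'] -and ($Options['cloudName'] -cne $Options['cloudName'].ToLower())) {
    Write-Log 'cloudName must be lowercase; aborting'; exit 1
}

# A startup script runs at every boot, so do nothing if the App is already installed.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Zscaler*' }
if ($installed) { Write-Log "Already installed: $($installed.DisplayName -join ', ')"; exit 0 }

# Anyone with write access to the share could replace the installer, so refuse to
# run it unless its Authenticode signature is valid (pin the signer subject too if known).
if (-not (Test-Path -LiteralPath $Installer)) { Write-Log "Installer not found: $Installer"; exit 1 }
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') { Write-Log "Signature status $($sig.Status); aborting"; exit 1 }

# Flatten the options into the argument list and run the installer, logging the exit code.
$argList = foreach ($name in $Options.Keys) { "--$name"; $Options[$name] }
Write-Log "Running: $Installer $($argList -join ' ')"
$proc = Start-Process -FilePath $Installer -ArgumentList $argList -Wait -PassThru
Write-Log "Installer exit code: $($proc.ExitCode)"
exit $proc.ExitCode
```

Assign the script under Computer Configuration > Policies > Windows Settings > Scripts > Startup in place of the bare installer path; because it runs as SYSTEM, the share must be readable by the computer accounts as well as by users.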

E. Verify the installation of the Zscaler App on the OU's Windows systems.

  1. Once the OU system is rebooted, log in to a remote system.
  2. Verify that the Zscaler App is running in the desktop foreground and that the desktop shortcut is installed.
