Client Connector
Customizing Zscaler Client Connector with Install Options for EXE
You can use the EXE file to install Zscaler Client Connector manually on a device, or to deploy the app to your users through device management methods that do not support MSI files. After downloading the Zscaler Client Connector EXE installer file, you can deploy the file as is with your device management method.
You can also add install options to customize the app for your organization. This article covers the following options:
- Running the EXE File with CLI Options
To run the EXE file using CLI options:
- Start a command prompt as an administrator.
- Click Start.
- In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
- If the User Account Control (UAC) window appears, confirm that you want to continue.
- Enter the absolute path to the EXE file using one or more of the following install options:
- --cloudName
If your organization is provisioned on more than one cloud, your users are asked to select the cloud to which their traffic is sent during the enrollment process.
With this install option, you can specify the cloud to which the app must send user traffic so your users don't have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The app automatically sends traffic to the proper cloud. Your users don't need to make a selection during enrollment.
This install option is required if you enable the --strictEnforcement option.
To add this option using the CLI, enter --cloudName <organization's cloud name in lowercase>. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What Is My Cloud Name for ZIA?
- --deviceToken
The --deviceToken install option only applies to Zscaler Internet Access (ZIA). It is not supported by Zscaler Private Access (ZPA).
This install option allows you to use the Zscaler Client Connector Portal as an IdP. The Zscaler service silently provisions and authenticates users even if you don't have an authentication mechanism in place. Before adding this option, you must generate a device token in the Zscaler Client Connector Portal and complete the full configuration detailed in Using the Zscaler Client Connector Portal as an IdP.
To add this option using the CLI, enter --deviceToken <device token from the Zscaler Client Connector Portal>.
- --hideAppUIOnLaunch
This install option forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
To enable this option using the CLI, enter --hideAppUIOnLaunch 1. By default, the value is 0 (i.e., disabled).
- --mode
This install option allows you to install the app in silent mode.
To add this option using the CLI, enter --mode unattended.
- --policyToken
This install option allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy are applied, including the bypass of the IdP login page. After the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.
Prerequisites:
- This install option is only applicable, and required, if you enable the --strictEnforcement option and want users to enroll with the app before accessing the internet.
- In the Zscaler Client Connector Portal, you must configure the app profile policy that you want to enforce and ensure that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the app.
To add this option using the CLI, enter --policyToken <policy token from the Zscaler Client Connector Portal>.
- --reinstallDriver
This install option forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.
To enable this option using the CLI, enter --reinstallDriver 1. By default, the value is 0 (i.e., disabled).
- --strictEnforcement
This install option only works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy. To learn more, see Configuring Forwarding Profiles for Zscaler Client Connector.
This install option allows you to require users to enroll with the app before accessing the internet and blocks traffic in the following situations:
- The user has not yet logged in after a new install.
- A user logs in and logs out.
- An administrator removes a device.
This install option does not affect users that remain logged in and disable the ZIA service.
If you enable this install option, the --cloudName and --policyToken options are required.
To enable this option using the CLI, enter --strictEnforcement 1. By default, the value is 0 (i.e., disabled).
- --unattendedmodeui
This install option allows you to control what's displayed to users if you are performing an unattended installation of the app.
To add the install option using the CLI, enter --unattendedmodeui <value>, where <value> is one of the following:
- none: Nothing is displayed to the user and no interaction is required. If you included the --mode unattended install option, none is the default value for --unattendedmodeui.
- minimal: A small progress bar showing installation progress is displayed to the user and no interaction is required.
- minimalWithDialogs: More information is displayed to the user with some dialogs that require user interaction.
- --userDomain
This install option allows users to skip the app enrollment page. If SSO is enabled for your organization, users are taken directly to your organization's SSO login page. If you've integrated SSO with the app (i.e., using a mechanism like Integrated Windows Authentication [IWA]), users can also skip the SSO login page and are automatically enrolled in the Zscaler service and logged in.
An alternative to using this install option is to change the name of the installer file. To learn more, see Allow Users to Log into Zscaler Client Connector Without Entering Domains.
To add the install option using the CLI, enter --userDomain <organization's domain name>. If your instance has multiple domains associated with it, enter the primary domain for your instance.
- --userName
You can specify a unique username for each device using the userName parameter in the command line.
The following conditions apply:
- The userName parameter requires the userDomain parameter to be non-empty.
- The userName parameter can have a maximum of 255 alphanumeric and special characters.
- --enableAntiTampering
This install option prevents end users from stopping, modifying, and deleting Zscaler products and services.
To enable this option using the CLI, enter --enableAntiTampering 1. By default, the value is 0 (i.e., disabled).
- --externalDeviceId
The identifier that associates an external MDM device ID with devices in the Zscaler Client Connector Portal. You can use this to associate devices in an MDM solution with devices in the Zscaler Client Connector Portal.
To enable this option using the CLI, enter --externalDeviceId. By default, the value is 0 (i.e., disabled).
The --externalDeviceId parameter is not supported on Zscaler Client Connector version 4.1 and earlier for macOS and on Zscaler Client Connector version 4.0 and earlier for Windows.
- --enableImprivataIntegration
This install option enables integration with Imprivata OneSign. If enabled, Zscaler Client Connector silently logs in an Imprivata OneSign user to Zscaler Client Connector, applies security policies, and logs the end user activity in Zscaler Client Connector.
To enable this option using the CLI, enter --enableImprivataIntegration 1.
- --bcpConfigFilePath
This install option allows you to install Zscaler Client Connector to enroll new users during a ZPA-related cloud outage or Internet Service Provider (ISP) outage. You can pass a predownloaded configuration file with Business Continuity settings from the ZPA Admin Portal. To learn more, see About Business Continuity.
If you pass this install option, you must also pass the --bcpMAPublicKeyHash option.
To add this option using the CLI, enter --bcpConfigFilePath <path to the configuration file>.
- --bcpMAPublicKeyHash
This install option allows you to install Zscaler Client Connector to enroll new users during a ZPA-related cloud outage or Internet Service Provider (ISP) outage. You can pass a public key provided by ZPA and copied from the Zscaler Client Connector Portal. To learn more, see About Business Continuity.
If you pass this install option, you must also pass the --bcpConfigFilePath option.
To add this option using the CLI, enter --bcpMAPublicKeyHash <public key from the Zscaler Client Connector Portal>.
- --importSEFailCloseConfig
This install option allows you to pass a predownloaded configuration file with fail-close settings to use when Zscaler Client Connector is in strict enforcement mode.
If you pass this install option, you must also pass the --failCloseConfigThumbprint and --strictEnforcement options.
To add this option using the CLI, enter --importSEFailCloseConfig <path to the configuration file>.
- --failCloseConfigThumbprint
This install option allows you to pass the public key for a predownloaded configuration file with fail-close settings to use when Zscaler Client Connector is in strict enforcement mode.
If you pass this install option, you must also pass the --importSEFailCloseConfig and --strictEnforcement options.
To add this option using the CLI, enter --failCloseConfigThumbprint <public key from the Zscaler Client Connector Portal>.
The following image is an example of a CLI where:
- The absolute path to the EXE file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.exe
- The cloud on which the organization is provisioned is zscalertwo
- The device token value is 123456789
- The policy token value is 987654321
- The organization's domain name is safemarch.com
- The userName is test
- The externalDeviceId is TestDevice
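The dependency rules stated for the install options above (--strictEnforcement, the two --bcp options, the two fail-close options, --userName) can be checked before a deployment package ships. The following Python check is an added example, not Zscaler code: it goes beyond the single command in the list above by validating any option set, and its function and variable names are hypothetical.

```python
# Added example (not Zscaler code; names are hypothetical): check install options
# against the dependency rules stated on this page before running the installer.
REQUIRES = {  # option -> options the page says must accompany it
    "--strictEnforcement": ["--cloudName", "--policyToken"],
    "--bcpConfigFilePath": ["--bcpMAPublicKeyHash"],
    "--bcpMAPublicKeyHash": ["--bcpConfigFilePath"],
    "--importSEFailCloseConfig": ["--failCloseConfigThumbprint", "--strictEnforcement"],
    "--failCloseConfigThumbprint": ["--importSEFailCloseConfig", "--strictEnforcement"],
    "--userName": ["--userDomain"],
}
# Switches the page documents as 0 (default, disabled) or 1 (enabled).
SWITCHES = ("--strictEnforcement", "--hideAppUIOnLaunch",
            "--reinstallDriver", "--enableAntiTampering")
UI_VALUES = ("none", "minimal", "minimalWithDialogs")

def is_set(opts, name):
    """A switch counts only when it is 1; any other option when non-empty."""
    value = str(opts.get(name, "")).strip()
    return value == "1" if name in SWITCHES else value != ""

def check_options(opts):
    """Return a list of rule violations; an empty list means the set is consistent."""
    errors = [f"{s} must be 0 or 1" for s in SWITCHES
              if s in opts and str(opts[s]) not in ("0", "1")]
    for name, needed in REQUIRES.items():
        if is_set(opts, name):
            errors += [f"{name} requires {dep}" for dep in needed
                       if not is_set(opts, dep)]
    if len(opts.get("--userName", "")) > 255:
        errors.append("--userName exceeds 255 characters")
    cloud = opts.get("--cloudName", "")
    if cloud != cloud.lower():
        errors.append("--cloudName must be lowercase")
    if opts.get("--unattendedmodeui", "none") not in UI_VALUES:
        errors.append("--unattendedmodeui must be none, minimal or minimalWithDialogs")
    return errors

def build_argv(exe_path, opts):
    """Build an argument list (not a shell string) or raise on an inconsistent set."""
    errors = check_options(opts)
    if errors:
        raise ValueError("; ".join(errors))
    return [exe_path] + [part for name, value in opts.items()
                         for part in (name, str(value))]

# Values taken from the page's example list.
EXE = r"C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-installer.exe"
EXAMPLE = {"--cloudName": "zscalertwo", "--deviceToken": "123456789", "--policyToken": "987654321",
           "--userDomain": "safemarch.com", "--userName": "test", "--externalDeviceId": "TestDevice"}
```

Calling build_argv(EXE, EXAMPLE) returns the installer path followed by each option and its value, ready to pass to a process launcher from an elevated session.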
- Allowing Users to Log into Zscaler Client Connector Without Entering Domains
In addition to the custom features enabled by the install options, you can also modify the EXE file to allow users to log in to the app without entering a domain name.
You can use this configuration only if your organization's domain is registered on a single cloud. If your organization's domain is registered on multiple clouds, use the CLI install options described earlier.
This configuration achieves the same function as the --userDomain install option. The following guidelines apply:
- SSO must be enabled for your organization.
- If you've integrated your SSO with Zscaler Client Connector using a mechanism like Integrated Windows Authentication (IWA), users can also skip the SSO login page and are automatically enrolled in the Zscaler service and logged in.
To allow users to log into the app without entering domains:
- Locate the EXE file.
- Prefix the file name with your organization's domain name. For example, if the file name is Zscaler-windows-1.1.0.000213-installer and your organization's domain is safemarch.com, you would rename the file to safemarch.com-Zscaler-windows-1.1.0.000213-installer.
If you're deploying the app in an Active Directory (AD) environment, you can add install options as parameters when assigning a system start-up script to install the app. To learn more, see Deploying Zscaler Client Connector for Windows with Active Directory.