Deploying Zscaler Client Connector with JAMF Pro for macOS

This guide is for admins only. If you are an end user, contact your organization’s administrator for deployment-related details.

With Jamf Pro, you can deploy Zscaler Client Connector for your macOS devices. Before deploying Zscaler Client Connector from the Jamf Pro Portal, download the .pkg file from the Zscaler Client Connector App Store first.

  • To deploy Zscaler Client Connector using the Jamf Pro Portal, you must obtain a .pkg file from the Zscaler Client Connector Portal.

    To download the Zscaler Client Connector .pkg file:

    1. In the Zscaler Client Connector Portal, go to Administration.
    2. In the left-side navigation, go to Client Connector App Store.
    3. On the New Releases tab, select macOS.
    4. Download the .pkg file.

  • To deploy Zscaler Client Connector on your macOS devices from the Jamf Pro Portal:

    1. In the Jamf Pro Portal, go to Settings > Computer Management > Packages.
    2. Under the General section, click Choose File to upload the .pkg file.
    3. Click Save.
    4. In the left-side navigation, go to Computers > Policies.
    5. In the Policies window, click New.
    6. In the General section, choose the Trigger events and Execution frequency as needed in your environment.
    7. Click Save.
    8. In the left-side navigation, select Packages, and click Configure.
    9. Click Add, and choose the .pkg file uploaded previously.
    10. Click Save.
    11. In the Scope tab, assign the .pkg to the applicable devices.
    12. Click Save.

    To reinstall the same version of Zscaler Client Connector for a specific device or user, go to the computer's history and select Flush All for all the Policy Logs. Alternatively, you can delete the device or user from Jamf Pro and reinstall via the client.

  • You can use a property list file to set tunnel parameters, allowing DNS caching to be cleared from users’ devices. To configure tunnel parameters in the Jamf Pro Portal:

    1. In the Jamf Pro Portal, go to Computers > Configuration Profiles.
    2. Click Application & Custom Settings to expand the section and select Upload.
    3. In the Upload section:
      • Preference Domain: Enter com.zscaler.tunnelparams
      • Property List: Download ZscalerSampleConfig.plist
        • clearDnsCacheOnT2Start: If enabled, on Tunnel restart, DNS caches are cleared from the device. Enter 1 to enable, or 0 to disable.

    If you are already logged into Zscaler Client Connector, exit and relaunch the app or click Restart Service in the More window of the app.

    4. Click Upload to upload the Plist file.
    5. Click Save.
  • You can use a property list file to set values for various configuration keys in the Jamf Pro Portal. To configure a custom settings profile in the Jamf Pro Portal:

    1. In the Jamf Pro Portal, go to Computers > Configuration Profiles.
    2. Click Application & Custom Settings to expand the section.
    3. Select Upload.
    4. In the Upload section:
      • Preference Domain: Enter com.zscaler.installparams.
      • Property List: Upload the ZscalerSamplePlist file.
    5. Use the ZscalerSample.plist file as a starting template, and remove the keys you don't require before uploading the file to the MDM.
      • cloudName: The name of the cloud on which your organization is provisioned. For example, if your cloud name is zscalertwo.net, you would enter zscalertwo. To learn more, see What is my cloud name for ZIA?
      • deviceToken: The appropriate device token from the Zscaler Client Connector Portal, if you want to use the Zscaler Client Connector Portal as an IdP.
      • hideAppUIOnLaunch: Forces the app window to stay hidden before users enroll. Users can always open the window by clicking the app icon in the system tray.
      • launchTray: By default, Zscaler Client Connector starts its services and user interface after installation. launchTray prevents Zscaler Client Connector from automatically starting after installation. Users must open Zscaler Client Connector manually to start the app, or Zscaler Client Connector automatically runs after the next reboot.
      • policyToken: Allows you to specify which app profile policy you want to enforce for the app before the user enrolls. All relevant settings associated with the policy apply, including the bypass of the IdP login page. After the user enrolls, this policy is replaced with the app profile policy that matches the user based on group affiliation.
      • strictEnforcement: Allows you to block internet traffic before the user enrolls in Zscaler Client Connector. strictEnforcement works when the forwarding profile action for Zscaler Client Connector is Tunnel or Tunnel with Local Proxy.
      • userDomain: Allows you to configure the user domain so that the users skip the Zscaler Client Connector enrollment page and directly go to the SSO login page.
      • externalRedirect: Allows you to redirect authentication to your organization's SAML IdP through the Safari browser. When redirected to the browser for the first time, the users must select Remember Me on their IdP login screen. For any subsequent authentications, the browser remembers the user and automatically logs them in.
    6. In the Scope section, set Targets, Limitations, and Exclusions to bind the configuration profile to particular devices and users.
  • You can use a mobileconfig file to enter the bundle identifier for the applications you want to bypass. To configure a custom settings profile in the Jamf Pro Portal:

    1. In the Jamf Pro Portal, go to Computers > Configuration Profiles.
    2. Select Upload.
    3. Upload the mobile config file.
    4. Use the ZscalerSampleMobileConfig file as a starting template, and edit the values in the <VendorConfig> section of the file based on your needs.

      For BypassAppProcesses, enter the bundle identifier for the applications you want to bypass.

      If your identifier has both a Team ID and a Bundle ID in it, enter them in the format <Team ID>.<Bundle ID>. For example:

      <string>UBF8T346G9.com.microsoft.teams</string>

      Where:

      • UBF8T346G9 is the Team ID
      • com.microsoft.teams is the Bundle ID
    5. In the Scope section, set Targets, Limitations, and Exclusions to bind the configuration profile to particular devices and users.
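Each BypassAppProcesses entry is an exception to tunnel handling, so the list is worth checking before upload. The following added example (not Zscaler's code) parses a profile and splits every entry into Team ID and Bundle ID, flagging values that are neither form; it assumes BypassAppProcesses is a string or an array of strings under VendorConfig, and the function names and sample profile are constructed for illustration.

```python
import plistlib
import re

TEAM_ID = re.compile(r"[A-Z0-9]{10}")                       # Apple Team IDs: 10 characters
BUNDLE_ID = re.compile(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")  # reverse-DNS style

def classify(entry):
    """Split one bypass entry into Team ID and Bundle ID, or report a problem."""
    head, _, rest = entry.partition(".")
    if TEAM_ID.fullmatch(head) and BUNDLE_ID.fullmatch(rest):
        return {"entry": entry, "team_id": head, "bundle_id": rest, "problem": None}
    if BUNDLE_ID.fullmatch(entry):
        return {"entry": entry, "team_id": None, "bundle_id": entry, "problem": None}
    return {"entry": entry, "team_id": None, "bundle_id": None,
            "problem": "not a bundle identifier or <Team ID>.<Bundle ID>"}

def bypass_entries(node):
    """Yield every BypassAppProcesses value found under a VendorConfig dict."""
    if isinstance(node, dict):
        vendor = node.get("VendorConfig")
        if isinstance(vendor, dict):
            value = vendor.get("BypassAppProcesses", [])
            yield from ([value] if isinstance(value, str) else value)
        for child in node.values():
            yield from bypass_entries(child)
    elif isinstance(node, list):
        for child in node:
            yield from bypass_entries(child)

def review_bypasses(profile_bytes):
    """Classify each bypass entry so the exception list can be reviewed before upload."""
    return [classify(e) for e in bypass_entries(plistlib.loads(profile_bytes))]

# Constructed sample: only VendorConfig and BypassAppProcesses come from the page.
SAMPLE = plistlib.dumps({"PayloadContent": [{"VendorConfig": {"BypassAppProcesses": [
    "UBF8T346G9.com.microsoft.teams",   # the page's example
    "com.example.notes",                # constructed: Bundle ID only
    "Microsoft Teams",                  # constructed: app name, not an identifier
]}}]})

if __name__ == "__main__":
    for row in review_bypasses(SAMPLE):
        print(row)
```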
  • Zscaler Endpoint Data Loss Prevention (DLP) requires full disk access for proper operation. Choose either of the following two options to create a DLP profile with Jamf Pro Portal to allow full disk access.

    • To configure full disk access for Endpoint DLP in the Jamf Pro Portal:

        1. Go to Computers > Configuration Profiles.
        2. Click New.
        3. For the General section:
          • Name: Enter ZDP.
          • Description: Enter a brief explanation of the profile.
        4. Click Save.
        1. From the Options tab, click the Privacy Preferences Policy Control > Configure.
        2. Click the + button (located in the upper right-hand corner of the pane) to add a new app to the Privacy Preferences section. Repeat this step for the three identifiers listed below in the App Access section:
          • Identifier: com.zscaler.zdp.pd
            • Identifier Type: Bundle ID
            • Code Requirement: identifier "com.zscaler.zdp.pd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PCBCQZJ7S7
            • App or Service: SystemPolicyAllFiles
            • Access: Allow
          • Identifier: com.zscaler.zdp.esd
            • Identifier Type: Bundle ID
            • Code Requirement: identifier "com.zscaler.zdp.esd" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PCBCQZJ7S7
            • App or Service: SystemPolicyAllFiles
            • Access: Allow
          • Identifier: com.zscaler.zep.at
            • Identifier Type: Bundle ID
            • Code Requirement: identifier "com.zscaler.zep.at" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = PCBCQZJ7S7
            • App or Service: SystemPolicyAllFiles
            • Access: Allow
        3. Click Save.
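The code requirement is what ties each Full Disk Access grant to the identifier and the Team ID (subject.OU) of the signer, not to a bundle ID alone. The following added example (not Zscaler's or Jamf's code) audits an exported profile for the three grants above; the payload keys are Apple's Privacy Preferences Policy Control keys, while the function names and the sample profiles are constructed for illustration.

```python
import plistlib
import re

TEAM_ID = "PCBCQZJ7S7"  # Team ID used in the page's code requirements
EXPECTED = {"com.zscaler.zdp.pd", "com.zscaler.zdp.esd", "com.zscaler.zep.at"}
TCC_TYPE = "com.apple.TCC.configuration-profile-policy"  # Apple's PPPC payload type

def requirement(bundle_id, team_id=TEAM_ID):
    """Code requirement string in the form shown on the page."""
    return (f'identifier "{bundle_id}" and anchor apple generic and '
            "certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and "
            "certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and "
            f"certificate leaf[subject.OU] = {team_id}")

def audit_full_disk_access(profile_bytes):
    """Return findings for the SystemPolicyAllFiles grants in an exported profile."""
    findings, seen = [], set()
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue
        for entry in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
            ident = entry.get("Identifier", "")
            req = entry.get("CodeRequirement", "")
            seen.add(ident)
            if ident not in EXPECTED:
                findings.append(f"{ident}: not one of the three documented identifiers")
            pinned = re.search(r'identifier "([^"]+)"', req)
            if not pinned or pinned.group(1) != ident:
                findings.append(f"{ident}: requirement does not pin this identifier")
            team = re.search(r'certificate leaf\[subject\.OU\] = "?([A-Z0-9]+)"?', req)
            if not team or team.group(1) != TEAM_ID:
                findings.append(f"{ident}: requirement does not pin Team ID {TEAM_ID}")
    findings += [f"{i}: no Full Disk Access entry" for i in sorted(EXPECTED - seen)]
    return findings

def sample_profile(entries):
    """Constructed sample profile; entries are (identifier, code requirement) pairs."""
    grants = [{"Identifier": i, "IdentifierType": "bundleID",
               "CodeRequirement": r, "Allowed": True} for i, r in entries]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
        {"PayloadType": TCC_TYPE, "Services": {"SystemPolicyAllFiles": grants}}]})

if __name__ == "__main__":
    good = sample_profile([(i, requirement(i)) for i in sorted(EXPECTED)])
    print(audit_full_disk_access(good))
    loose = sample_profile([("com.zscaler.zdp.pd", 'identifier "com.zscaler.zdp.pd"')])
    print("\n".join(audit_full_disk_access(loose)))
```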
        1. From the Options tab, click the Privacy Preferences Policy Control > Configure.
        2. From the left-side navigation, click the Notifications section.
        3. Click Add to add a new notification.
          • App Name: Enter zdpagent.
          • Bundle ID: Enter com.zscaler.zdp.agent.
        4. For Notifications, select Enable.

          • Banner alert type: Select Persistent from the drop-down menu.
          • Notifications in Notification Center: Select Display from the drop-down menu.
          • Play sound for notifications: Select Enable.
      • For Endpoint DLP to function correctly, you must configure permissions for System Extensions.

        1. From the left-side navigation, click System Extensions > Configure.
        2. In the Allowed Team IDs and System Extensions section:
          • Display Name: Enter PCBCQZJ7S7.
          • System Extension Types: Select Allowed System Extensions.
          • Team Identifier: Enter PCBCQZJ7S7.
        3. In the Allowed System Extensions section, click the + Add button and enter com.zscaler.zep.at.
        4. Click Save.
        5. To add a removable System Extensions configuration, click the + button next to the Allowed Team IDs and System Extensions.
        6. In the Allowed Team IDs and System Extensions section:
          • Display Name: Enter PCBCQZJ7S7.
          • System Extension Types: Select Removable System Extensions.
          • Team Identifier: Enter PCBCQZJ7S7.
        7. In the Removable System Extensions section, click the + Add button and enter com.zscaler.zep.at.
        8. Click Save.
    • To upload the ZDP.mobileconfig file in the Jamf Pro Portal:

      1. In the Jamf Pro Portal, go to Computers > Configuration Profiles.
      2. Download the ZDP.mobileconfig file.
      3. Click the Upload button > Choose File and upload the ZDP.mobileconfig file.
      4. Click Save.
  • You can configure managed login items to prevent users from disabling Zscaler Client Connector on their own devices. To configure managed login items in the Jamf Pro Portal:

    1. In the Jamf Pro Portal, go to Computers > Configuration Profiles.
    2. Select Managed Login Items.
    3. Click Add for each of the following Rule Types and Rule Values:

       Rule Type                   Rule Value
       Bundle Identifier           com.zscaler.tray
       Bundle Identifier Prefix    com.zscaler
       Label Prefix                com.zscaler
       Label                       com.zscaler.tray
       Team Identifier             PCBCQZJ7S7

    • Bundle Identifier Prefix: A part of the bundle identifier reflecting the developer or organization.
    • Label: A descriptive name for an app or an element in the app's UI or settings.
    • Label Prefix: Used to group or categorize labels.
    • Team Identifier: A unique identifier for the developer team or organization within the Apple ecosystem. Applies to all of the configured rules.
    • Rule comment (optional): Enter a comment for the rule.
    4. Click Save.
    5. In the Scope section, set Targets, Limitations, and Exclusions to bind the configuration profile to particular devices and users.