How do I push the network adapter signature certificate for the Zscaler App using GPO?
The instructions below are relevant only if you have a strict GPO policy restricting the certificates that can be installed on your organization's devices.
Starting with Zscaler App 1.2, the network adapter certificate is automatically installed with the App. If you are using an earlier version of the App, you must add an install option (see details for MSI or EXE) to silently install the network adapter signature certificate along with the App.
If you have a strict GPO policy restricting the certificates that can be installed on your organization's devices, you must download the network adapter signature certificate from the Zscaler App Portal then import it into your system trust store to enable silent installation of the Zscaler App on your OU computers. See the instructions below.
Download the Network Adapter Signature Certificate
- From the Zscaler admin portal, go to Policy > Zscaler App Portal.
- In the Zscaler App portal, go to Administration, then to Zscaler App Store.
- Click Download Client Certificates at the top right hand corner.
- Save the certificates to a location of your choice.
Add the Zscaler Network Adapter Signature Certificate to system trust store.
- Select the OU GPO policy you created for the Zscaler App and click Edit.
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers. Right-click and click Import. Locate and import the Zscaler Network Adapter Signature Certificates (both SHA-1 and SHA-2).
- Execute the command ‘gpupdate.exe /force’ to update.
- Verify that the certificate has been imported to the trust store of the OU's Windows computers with the following steps:
- Log in to a remote Windows computer and go to Run > certmgr.msc.
- Go to Trusted Publishers and verify that the certificates defined with the GPO Policy have been imported into the trust store of the computer.