Customizing Zscaler App with Install Options (MSI)

You can use the MSI file to install the Zscaler App manually on a device, or to deploy the Zscaler App to your users via GPO, SCCM, or other device management methods that support MSI files. After downloading the Zscaler App MSI installer file, you can simply deploy the file as is with your device management method.

You can also add install options to the file to customize the App for your organization, using one of the following methods. See below to learn more.

Create an MST File

Complete the following steps to create an MST file with Orca:

  1. After opening Orca, click File, then Open. Double-click the MSI file.
  2. Click Transform, then click New Transform.
  3. In the Tables column, click Property.
  4. From here, you can edit values for install options or add more options. See the options below for more details.

CLOUDNAME

If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

NOTE: This install option is required if you enable the STRICTENFORCEMENT install option.

To add the option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter CLOUDNAME.
    2. Hit Enter or click the Value field.
    3. For Value, enter the name of the cloud on which your organization is provisioned, in lowercase letters. For example, if your cloud is zscalertwo.net, you would enter zscalertwo. See What is my cloud name? to learn how to find your cloud name.
  3. Click OK.
  4. The install option appears as a new line.

DEVICETOKEN

This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

NOTE: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add the option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter DEVICETOKEN.
    2. Hit Enter or click the Value field.
    3. For Value, enter the appropriate device token from the Zscaler App Portal. See Using the Zscaler App Portal as an IdP to learn more.
  3. Click OK.
  4. The install option appears as a new line.

HIDEAPPUIONLAUNCH

This forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

The default value is 0. To enable the option, change the value to 1 directly in the table by double-clicking the field and entering your new value.

INSTALLDRIVERCERT

This allows you to silently install the network adapter signature certificate along with the App so that users are not prompted to accept the certificate themselves when you install the Zscaler App.

NOTE: Starting with Zscaler App 1.2, this network adapter certificate is automatically installed with the App. If you are using version 1.2 or later, you don't need to add this option. However, if you're using a version earlier than Zscaler App 1.2, or if you have a strict GPO policy restricting the certificates, see below.

  • If you're using an earlier version than 1.2: Change the value to 1 directly in the table by double-clicking the field and entering your new value.
  • If you're using version 1.2 or later but have a GPO policy restricting the certificates that can be installed on your organization's devices: Change the value to 0 directly in the table by double-clicking the field and entering your new value. You must also complete the steps described in How do I push the network adapter signature certificate for Zscaler App using GPO?

POLICYTOKEN

This install option is only applicable (and required) if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

NOTES:

  • In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the Zscaler App.
  • This install option is only applicable, and required, if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet.

To add the option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter POLICYTOKEN.
    2. Hit Enter or click the Value field.
    3. For Value, enter the policy token associated with the policy you want to enforce before enrollment. See Configuring Zscaler App Profiles to learn more.
  3. Click OK.
  4. The install option appears as a new line.

REINSTALLDRIVER

This forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

The default value is 0. To enable the option, change the value to 1 directly in the table by double-clicking the field and entering your new value.

STRICTENFORCEMENT

This allows you to require users to enroll with the Zscaler App before accessing the Internet.

NOTE: Adding this install option requires that you provide values for CLOUDNAME and POLICYTOKEN install options as well.

The default value is 0. Change the value to 1 to enable this install option.

UNINSTALLPASSWORD

This allows you to silently uninstall the Zscaler App from user devices using device management methods like GPO. This option is available only with MSI. The password you add for this option must match the Logout password configured in the Zscaler App profiles. With the password, you'll be able to uninstall the Zscaler App from your users' devices by removing the MST file from the GPO.

NOTES:

  • Your users must be enrolled in the Zscaler App. If users have the App installed on their devices but have not enrolled, you cannot uninstall the App with this method.
  • You must have a Logout Password configured in the Zscaler App profiles. See Configuring Zscaler App Profiles to learn more.

To add the option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter UNINSTALLPASSWORD.
    2. Hit Enter or click the Value field.
    3. For Value, enter the Logout Password from the App Profile policy.
  3. Click OK.
  4. The install option appears as a new line.

USERDOMAIN

This allows users to skip the Zscaler App enrollment page (see image). Users are taken right to your organization's SSO login page.

NOTES:

  • SSO must be enabled for your organization.
  • If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

To add the option:

  1. Click Tables from the top menu, and then click Add Row.
  2. In the Add Row window, do the following:
    1. For Property, enter USERDOMAIN.
    2. Hit Enter or click the Value field.
    3. For Value, enter your organization's domain name.
  3. Click OK.
  4. The install option appears as a new line.

  5. To save your changes after adding the options you want, click Transform, and then click Generate Transform.
  6. In the Save Transform As menu, enter a file name and click Save.

After creating the MST, you can use it when deploying the Zscaler App to your users with Active Directory.

Run the MSI File with Command-Line Options

Zscaler recommends using the MST file to install the Zscaler App with custom options. But if you have a device management tool that does not support MST (for example, SCCM or PSEXEC), or you're manually installing the MSI file on your system, you can run the MSI file with a command line and add the options you want with the following steps:

  1. Start a command prompt as an administrator.
    1. Click Start.
    2. In the Start Search box, enter cmd, then press CTRL+SHIFT+ENTER.
    3. If the User Account Control dialog box appears, confirm that you want to continue.
  2. Use the following command line: msiexec /i "<complete_path>" /quiet followed by the options you want.

The image below is an example of a command line that uses all the available options above (except INSTALLDRIVERCERT), where:

  • The complete path of the MSI file is C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-install.msi
  • /quiet is used to enforce silent installation
  • The cloud on which the organization is provisioned is zscalertwo.net
  • The device token value is 4e36647447326e5a553335303232416e6279784b51513d3d
  • The policy token value is 32343A343A312E31204D6967726174696F6E
  • The organization's domain name is safemarch.com

The image has been annotated to show the different components.
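
The following PowerShell is an added example, not Zscaler's code. It validates the options against the rules on this page (STRICTENFORCEMENT requires CLOUDNAME and POLICYTOKEN; CLOUDNAME is the lowercase name without the domain suffix), builds the msiexec arguments from the sample values listed above, and prints them with token values masked. The function names New-ZappInstallArgs and Hide-ZappSecrets are assumptions, as is accepting UNINSTALLPASSWORD on the command line.

```powershell
# Added example, not Zscaler code; function names are assumptions.
function New-ZappInstallArgs {
    param([Parameter(Mandatory)] [string] $MsiPath, [hashtable] $Options = @{})
    # Option names from this page. MSI public property names are upper case,
    # so the name checks are case-sensitive.
    $known = 'CLOUDNAME', 'DEVICETOKEN', 'HIDEAPPUIONLAUNCH', 'INSTALLDRIVERCERT',
             'POLICYTOKEN', 'REINSTALLDRIVER', 'STRICTENFORCEMENT',
             'UNINSTALLPASSWORD', 'USERDOMAIN'
    $flags = 'HIDEAPPUIONLAUNCH', 'INSTALLDRIVERCERT', 'REINSTALLDRIVER', 'STRICTENFORCEMENT'
    foreach ($name in $Options.Keys) {
        $value = [string]$Options[$name]
        if ($known -cnotcontains $name) { throw "Unknown install option: $name" }
        if ($value -eq '' -or $value.Contains('"')) { throw "Bad value for $name" }
        if (($flags -ccontains $name) -and ($value -notin '0', '1')) { throw "$name must be 0 or 1" }
    }
    $strict = [string]$Options['STRICTENFORCEMENT'] -eq '1'
    if ($strict -and -not ($Options['CLOUDNAME'] -and $Options['POLICYTOKEN'])) {
        throw 'STRICTENFORCEMENT=1 requires CLOUDNAME and POLICYTOKEN'
    }
    if ($Options['POLICYTOKEN'] -and -not $strict) {
        throw 'POLICYTOKEN only applies when STRICTENFORCEMENT=1'
    }
    $cloud = [string]$Options['CLOUDNAME']
    if (($cloud -cne $cloud.ToLowerInvariant()) -or $cloud.Contains('.')) {
        throw 'CLOUDNAME must be the lowercase cloud name, e.g. zscalertwo'
    }
    $argList = @('/i', ('"{0}"' -f $MsiPath), '/quiet')
    foreach ($name in ($Options.Keys | Sort-Object)) {
        $argList += ('{0}="{1}"' -f $name, $Options[$name])
    }
    return $argList
}

function Hide-ZappSecrets([string[]] $ArgList) {
    # Token and password values act as credentials; mask them before logging.
    $ArgList -replace '^(DEVICETOKEN|POLICYTOKEN|UNINSTALLPASSWORD)=.*$', '$1=<redacted>'
}

# Sample values are the ones listed in the example on this page.
$msi = 'C:\Users\User\Downloads\Zscaler-windows-1.2.0.000311-install.msi'
$installArgs = New-ZappInstallArgs -MsiPath $msi -Options @{
    CLOUDNAME = 'zscalertwo'; USERDOMAIN = 'safemarch.com'
    DEVICETOKEN = '4e36647447326e5a553335303232416e6279784b51513d3d'
    POLICYTOKEN = '32343A343A312E31204D6967726174696F6E'
    HIDEAPPUIONLAUNCH = 1; REINSTALLDRIVER = 1; STRICTENFORCEMENT = 1
}
Write-Output ('msiexec ' + ((Hide-ZappSecrets $installArgs) -join ' '))
# Install only where the MSI is actually present.
if (Test-Path -LiteralPath $msi) { Start-Process msiexec.exe -ArgumentList $installArgs -Wait }
```

Property values passed this way are visible in the msiexec process command line, so run the install from an elevated, access-controlled deployment context.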

CLOUDNAME

If your organization is provisioned on more than one cloud, during the enrollment process, your users are asked to select the cloud to which their traffic is sent. See image.

With this install option, you can specify the cloud to which the App must send user traffic so that your users do not have to make the selection during enrollment. Do not use this option if your organization is provisioned on one cloud. The Zscaler App automatically sends traffic to the right cloud and your users do not encounter this step.

NOTE: This install option is required if you enable the STRICTENFORCEMENT install option.

To add the option, enter CLOUDNAME=<your organization's cloud name in lowercase letters>. For example, if your cloud is zscalertwo.net, you would enter CLOUDNAME=zscalertwo. See What is my cloud name? to learn how to find your cloud name.

DEVICETOKEN

This allows you to use the Zscaler App Portal as an IdP. With this option, Zscaler can silently provision and authenticate users even if you don't have an authentication mechanism in place.

NOTE: Before adding this option, you must have generated the device token in the Zscaler App Portal and completed the full configuration detailed in Using the Zscaler App Portal as an IdP.

To add the option, enter DEVICETOKEN=<the appropriate device token from the Zscaler App Portal>

HIDEAPPUIONLAUNCH

This forces the Zscaler App window to stay hidden before users enroll with the App. Users can always open the window by clicking the Zscaler App icon in the system tray.

To add this option, enter HIDEAPPUIONLAUNCH=1

INSTALLDRIVERCERT

This allows you to silently install the network adapter signature certificate along with the App so that users are not prompted to accept the certificate themselves when you install the Zscaler App.

NOTE: Starting with Zscaler App 1.2 this network adapter certificate is automatically installed with the App. If you are using version 1.2 or later, you don't need to add this option. However, if you're using an earlier version than Zscaler App 1.2, or if you have a strict GPO policy restricting the certificates that can be installed on organizational devices, see below.

POLICYTOKEN

This install option is only applicable (and required) if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet. This option allows you to specify which App Profile policy you want to enforce for the App before the user enrolls. All relevant settings associated with the policy will apply, including the bypass of the IdP login page. Once the user enrolls, this policy is replaced with the App Profile policy that matches the user based on group affiliation.

NOTES:

  • In the Zscaler App Portal, you must have configured the App Profile policy that you want to enforce and ensured that the custom PAC file associated with that policy includes a bypass for your IdP login page. This allows the user to access the IdP page to log in as necessary before enrolling with the Zscaler App.
  • This install option is only applicable, and required, if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet.

To add this option, enter POLICYTOKEN=<appropriate policy token from the Zscaler App Portal>

NOTE: This install option is only applicable (and required) if you enable STRICTENFORCEMENT and want users to enroll with the Zscaler App before accessing the Internet.

REINSTALLDRIVER

This forces a reinstallation of the driver, even if you already have a driver installed. Use this option if you are having issues with the currently installed driver.

To add this option, enter REINSTALLDRIVER=1

STRICTENFORCEMENT

This allows you to require users to enroll with the Zscaler App before accessing the Internet.

NOTE: Adding this install option requires that you provide values for CLOUDNAME and POLICYTOKEN install options as well.

To add this option, enter STRICTENFORCEMENT=1

USERDOMAIN

This allows users to skip the Zscaler App enrollment page (see image). Users are taken right to your organization's SSO login page.

NOTES:

  • SSO must be enabled for your organization.
  • If you've integrated your SSO with the Zscaler App (using a mechanism like Integrated Windows Authentication (IWA)), users can also skip the SSO login page and are automatically enrolled with Zscaler service and logged in.

To add the option, enter USERDOMAIN=<your organization's domain name>.
