Hi, Looking for other customers that also use Zscaler Client Connector that used User Certs. We're thinking that we need a user cert per device in addition to or instead of the device certificate. If you did it, how did you do it? Thanks!
Dear Benjamin,
Thank you for posting on SOTI Pulse.
Using SOTI MobiControl to deploy Zscaler Client Connector with user certificates involves configuring both platforms to work together.
SOTI MobiControl manages the certificates and the installation of the Zscaler app, while Zscaler uses these certificates for authentication and policy enforcement.
Prerequisites for the integration
Before configuring the two platforms, ensure you have the following in place:
How to configure SOTI MobiControl to use user certificates
SOTI MobiControl can create and manage user certificates that authenticate devices to the Zscaler service.
1. In the SOTI MobiControl Administration Utility, go to the Certificates section.
2. Set up a Certificate Authority (CA) profile that points to your PKI.
3. For an ADCS setup, configure the certificate enrollment web service and policy web service URLs. This allows SOTI to request certificates from your CA on behalf of users or devices.
4. Within SOTI MobiControl, create a certificate policy that uses the CA you configured. This policy specifies the certificate template and properties for the user certificates, such as the subject name format (e.g., UPN or email address) and key usage (e.g., client authentication).
5. Apply the certificate policy to the device groups or individual devices that will use the Zscaler Client Connector. SOTI will then automatically request and install a unique user certificate on each device.
How to configure Zscaler to accept user certificates
Zscaler needs to trust the certificates issued by your internal CA to accept them for authentication.
1. From your PKI, export the root CA certificate that signs the user certificates.
2. In the Zscaler Admin Portal, navigate to Administration > Authentication Settings > Endpoint Integration.
3. Create or edit a device posture profile.
4. Configure a check for a Server Validated Client Certificate.
5. Upload the root CA certificate from the previous step. This allows Zscaler to validate the client certificates presented by the devices.
Deploying the Zscaler Client Connector with SOTI
Once the certificate configuration is complete, you can deploy the Zscaler Client Connector application via SOTI.
1. Download the Zscaler Client Connector installer for your target platform (e.g., Android, Windows) and add it to your SOTI MobiControl app repository.
2. Customize the installation options to enable certificate-based authentication.
3. Create an application policy in SOTI to deploy the Zscaler Client Connector app to the desired device groups.
4. As SOTI installs the app, the certificate policy you configured earlier ensures that the necessary user certificate is already on the device for authentication.
If you have any additional questions or concerns, please don't hesitate to reach out here, or you can contact us at support@soti.net.
We're dedicated to providing assistance and support.
Kind regards,
SOTI
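As an added example (not SOTI's or Zscaler's code), the following script checks that a certificate issued by the certificate policy described above has the three properties the posture check depends on: it chains to the root CA uploaded to Zscaler, it carries the client authentication EKU, and it identifies the user by UPN or e-mail address. The test PKI it builds (the root CA, the user `jdoe@example.test`, and the file names) is constructed for the demonstration and assumes OpenSSL 1.1.1 or later with a default openssl.cnf.

```shell
#!/bin/sh
# Hypothetical pre-deployment check, not SOTI's or Zscaler's code: confirm that a
# user certificate chains to the root CA uploaded to the Zscaler posture profile,
# carries the clientAuth EKU, and names the user via UPN or e-mail address.
# Requires OpenSSL 1.1.1 or later.

# check_client_cert CERT.pem ROOT_CA.pem -> returns 0 only if all three checks pass
check_client_cert() {
    cert="$1"; root="$2"
    # 1. The leaf must validate against the root CA that Zscaler trusts.
    openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
    # Decode the certificate once; the remaining checks grep its text form.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || { echo "parse: FAIL"; return 1; }
    # 2. Extended Key Usage must include TLS Web Client Authentication (OID 1.3.6.1.5.5.7.3.2).
    printf '%s\n' "$text" | grep -q "TLS Web Client Authentication" || { echo "eku: FAIL"; return 1; }
    # 3. The subject or SAN must carry an e-mail address or a Microsoft UPN otherName.
    printf '%s\n' "$text" | grep -Eq "emailAddress|email:|UPN|1\.3\.6\.1\.4\.1\.311\.20\.2\.3" || { echo "identity: FAIL"; return 1; }
    echo "ok"
}

# Constructed test PKI so the check runs offline: a throwaway root CA and one user
# certificate with the attributes the answer above describes (constructed values).
make_test_pki() {
    dir="$1"; mkdir -p "$dir"
    # Throwaway root CA (the default openssl.cnf marks req -x509 output as CA:TRUE).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Constructed Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # CSR for one user; identity goes in the subject e-mail and in the SAN (UPN + e-mail) below.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=jdoe/emailAddress=jdoe@example.test" \
        -keyout "$dir/user.key" -out "$dir/user.csr" >/dev/null 2>&1
    cat > "$dir/user.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=email:jdoe@example.test,otherName:1.3.6.1.4.1.311.20.2.3;UTF8:jdoe@example.test
EOF
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$dir/user.ext" -out "$dir/user.pem" >/dev/null 2>&1
    # A second certificate with only serverAuth, to show the check rejecting it.
    sed 's/^extendedKeyUsage=.*/extendedKeyUsage=serverAuth/' "$dir/user.ext" > "$dir/bad.ext"
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$dir/bad.ext" -out "$dir/bad.pem" >/dev/null 2>&1
}

# Stand-alone run: build the test PKI in a temp dir and check both certificates.
d=$(mktemp -d) && make_test_pki "$d"
check_client_cert "$d/user.pem" "$d/ca.pem"
check_client_cert "$d/bad.pem" "$d/ca.pem" || true   # expected to report eku: FAIL
```

Run it against a certificate exported from a managed device and the root CA you uploaded to Zscaler to confirm the policy produced what the posture check expects before rolling the app out.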
Hi @Benjamin Chan,
Thank you for posting your query. Please let us know if your question is answered above or if more clarification is required from our end. We would be more than happy to help you.
Looking forward to hearing from you.