
Update strategy for ZScaler Client Connector

Started by rlgura, January 12, 2024, 02:36:45 PM

rlgura

We've started leveraging PMPC for our ZScaler Client upgrades and I'm trying to figure out which versions PMPC pulls in. (We're also discussing with the vendor their release strategy.)
It seems the vendor maintains 3 branches at a time (4.1, 4.2, and 4.3 currently). Our security group wants to stay on the 4.2 branch for now, but it seems like PMPC is now just publishing updates for 4.3. At what point do you switch over from 1 version to the next?

ZScaler release history:
https://help.zscaler.com/client-connector/client-connector-app-release-summary-2023

Thanks for any clarification,
Rob Gura

Justin Chalfant (Patch My PC)

Hi Rob,

Sorry for the delay. We try to keep the latest version of each application in our catalog, unless we have information that states that we should support a certain set of versions. For ZScaler, we looked at the release notes and saw that 4.3 included all enhancements for 4.21 and assumed that we should always update the product to the latest. We've also not had other customers request to keep older versions around.

I'd be interested in the info that you get back from ZScaler. Based on that information, we may determine that we should keep a few different "tracks" of this product around.

Puma1740

Hello, I would also like to jump into this discussion to try and figure out how PMPC (Intune version here) will play best with Zscaler. It looks like there are many ways to do this, and each could have pros/cons/unintended consequences.

In the Zscaler Client Connector administration area, under App Store, there are 3x distinct sections. Zscaler has a lot of documentation here.

The "New Releases" tab basically lets you "Enable" or "Disable" releases for your tenant.

The "Registered Versions" tab lets you see current counts of which version you have out there, and "Force Revert" a batch to a specific build.

The "Update Settings" tab lets you create a detailed roll-out policy including "slow rollout" features, with timed releases.

This leaves me with a lot of questions. Like:

  • Which version is PMPC rolling out?
  • What does the "update" functionality in PMPC do, with Zscaler?
  • What happens if I try to control it with Zscaler? Just PMPC? Both?

For now, I have unchecked the entire "update" for Zscaler in PMPC, to try and control this a bit. We have 1000 endpoints on various versions, and if PMPC is constantly trying to update them, but Zscaler is trying to slow roll-out them, this will just cause issues.

See screenshots.

Andrew Jimenez (Patch My PC)

For Zscaler, we provide the latest available release. I would say if you want to manage the deployments beyond deploying the latest release, use the Zscaler console over using Patch My PC. If you always want the latest available, then the Patch My PC update is the way to go.

Puma1740

Thanks. If we want to manage complex roll-out settings with the Zscaler console, but do the initial base installation with PMPC + Intune (for all devices), how do you suggest configuring that in the publisher?

Andrew Jimenez (Patch My PC)

I would publish the base install app with Patch My PC, then uncheck the product so that Patch My PC does not update it further. Deploy out the base install, then let Zscaler handle it from there. The only issue you will run into is if you want to deploy an OLDER version from Zscaler, because then the Patch My PC app will continuously re-upgrade it if it downgrades.

Puma1740

Makes sense to me, thanks!

I've unchecked the product now altogether in publisher, so the baseline install is essentially 'orphaned' in Intune. So we will just get updates moving forward from Zscaler as intended.  8)

rlgura

We do a hybrid approach. We've found that major upgrades from ZScaler (even 4.2 to 4.3 is considered a major upgrade) are disruptive to the network connection, so we deploy those with ConfigMgr/PMPC while no user is logged on. And we use those packages for our build process also, so it's up to date.
Point releases are updated via the ZScaler console.

sterycop

I've unchecked the product now altogether in publisher, so the baseline install is essentially 'orphaned' in Intune. So we will just get updates moving forward from Zscaler as intended.  8)