Disable ZScaler temporarily on your Mac

Share this:

If you are using a corporate machine with ZScaler installed on it, you may face SSL handshake errors, especially with Java apps throwing up javax.net.ssl.SSLHandshakeException errors when getting certificates proxied by ZScaler instead of the original certificates. ZScaler also caused issues when I tried to enable Wireless@SGx connectivity setup on the Mac. Therefore, it is useful to be able to disable ZScaler client temporarily. However, most corporate MDM policies takes away the capability for you to disable the ZScaler client from its UI.

ZScaler Client UI

Disable ZScaler Client

Before I start, a short disclaimer. Do this at your own risk. If you’re not sure why you are doing this, don’t.

1. Unload the ZScaler services

Open up Terminal (or iTerm2) and use the following command to unload the ZScaler services. This will require your user id to have administrator rights. If you don’t, then unfortunately you are out of luck in trying to disable ZScaler on your machine. There are two (2) zscaler services that you need to unload to disable ZScaler client temporarily. The command below unloads them all in a single line.

sudo launchctl unload /Library/LaunchDaemons/com.zscaler.service.plist && sudo launchctl unload /Library/LaunchDaemons/com.zscaler.tunnel.plist
unload zscaler services on iterm2

The command should not display any output and will temporarily unload the ZScaler service until you manually load the service again, or restart your Mac. If the service has already been disabled, you will see an error stating that it cannot find the service.

powerlevel10k zsh theme on item

Want to get the same terminal experience as you see in the screenshot above? Check out my macOS set up for coding guide here now!

Once you have done that, you should see that ZScaler service is now temporarily disabled.

ZScaler client disabled

3. Check the certificates to confirm ZScaler is temporarily disabled

You can easily check if your internet traffic is still being proxied through ZScaler or not. Open up Safari and load up google.com (or any other websites for that matter) and check the certificate. When ZScaler is enabled, you would see that the certificate will have is one that is generated by ZScaler.

ZScaler proxied certs

But when you disable ZScaler successfully, you will see the original certificates again.

Google's original cert when ZScaler is disabled.

Enabling back ZScaler

To enable back ZScaler, just reload the ZScaler service using the following command. You should see ZScaler running back up again as it was.

sudo launchctl load /Library/LaunchDaemons/com.zscaler.service.plist && sudo launchctl load /Library/LaunchDaemons/com.zscaler.tunnel.plist

If this post has been useful, support me by buying me a latte or two 🙂
Buy Me A Coffee
Share this:

You may also like...

2 Responses

  1. Rodolfo says:

    this works nice, however the name resolution doesn’t work after disable.

  2. Ken Ng says:

    I had this issue once. I needed to restart my Mac for it to get working again.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.