Sign in Get API keys
User guide

Installing the agent

One binary (ztna), one install command per platform. The installer detects OS and architecture, downloads the correct build, installs as a system service, and (if ZTNA_AUTH_KEY is set) auto-registers.

Quick install

$ curl -fsSL https://login.quickztna.com/install.sh | sh

# With auth key (headless fleet rollout):
$ curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh
PS> irm https://login.quickztna.com/install.ps1 | iex

# With auth key:
PS> $env:ZTNA_AUTH_KEY="tskey-auth-xxx"
PS> irm https://login.quickztna.com/install.ps1 | iex

What the installer does

  1. Detects OS (linux, darwin, windows) and architecture (amd64, arm64).
  2. Queries /api/client-version with action: "check" and your platform to get the latest release URL.
  3. Downloads the binary from /api/releases/* over HTTPS.
  4. Verifies the SHA-256 checksum against the release manifest.
  5. Installs to /usr/local/bin/ztna (Linux/macOS) or C:\\Program Files\\QuickZTNA\\ztna.exe (Windows).
  6. Installs + starts a system service: systemd on Linux, launchd on macOS, Windows service on Windows.
  7. If ZTNA_AUTH_KEY is set: runs ztna login --auth-key + ztna up.

Platform requirements

Linuxkernel 5.6+

WireGuard kernel module (built into mainline 5.6+, or wireguard-dkms). Falls back to userspace (wireguard-go) if kernel module missing.

macOS13+

Uses userspace WireGuard (utun device). Requires admin password for network extension on first install.

Windows10+, Server 2019+

Uses Wintun driver (installed automatically). Requires admin privileges for install only; daily operation needs no admin.

CPUamd64 / arm64

ARM supported: Apple Silicon (M1/M2/M3), Graviton, Raspberry Pi 4/5 (64-bit OS).

Networkoutbound

HTTPS 443 to login.quickztna.com, UDP 3478 (STUN), WSS 443 (DERP). Inbound is not required.

MDM rollout — Intune, Jamf, Kandji

Most MDMs can push a shell or PowerShell script. The installer is idempotent — running it twice is safe.

Microsoft Intune (Windows + macOS)

  1. Devices → Configuration → Scripts and remediations → Add
  2. Platform: macOS or Windows
  3. Script content: 
    $env:ZTNA_AUTH_KEY = "tskey-auth-xxx"
irm https://login.quickztna.com/install.ps1 | iex
    #!/bin/bash
export ZTNA_AUTH_KEY=tskey-auth-xxx
curl -fsSL https://login.quickztna.com/install.sh | sh
  4. Assignment: your target device group
  5. Set execution frequency: once (or weekly for auto-healing)

Jamf (macOS)

Create a policy with a shell script payload. Scope to devices or a Smart Group. Trigger on enrolment.

Kandji / Workspace One

Use a Custom App or Automated App with the install script above. Pass the auth key as a secret variable.

Ansible playbook

- name: Install QuickZTNA on Linux + macOS
  hosts: all
  become: true
  vars:
    ztna_auth_key: "{{ lookup('env', 'ZTNA_KEY') }}"
  tasks:
    - name: Run installer
      shell: |
        curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY={{ ztna_auth_key }} sh
      environment:
        ZTNA_AUTH_KEY: "{{ ztna_auth_key }}"
      args:
        creates: /usr/local/bin/ztna

    - name: Verify connection
      command: ztna status --json
      register: ztna_status

    - name: Report tailnet IP
      debug:
        msg: "{{ (ztna_status.stdout | from_json).tailnet_ip }}"

cloud-init (AWS, GCP, DigitalOcean)

#cloud-config
write_files:
  - path: /etc/environment
    append: true
    content: "ZTNA_AUTH_KEY=tskey-auth-xxx\n"

runcmd:
  - curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh
  - ztna set --advertise-tags tag:server,tag:prod

For Terraform providers that accept user_data (AWS EC2, GCP Compute Engine, DigitalOcean Droplets), render the cloud-init above via a template_file data source.

Docker / Kubernetes

Run the agent in userspace mode — no TUN device, no privileged container, no host-network dependency.

FROM ubuntu:24.04

ARG ZTNA_AUTH_KEY
RUN apt-get update && apt-get install -y curl && \
    curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=$ZTNA_AUTH_KEY sh

ENTRYPOINT ["ztna", "up", "--userspace"]
apiVersion: v1
kind: Secret
metadata:
  name: ztna-auth-key
type: Opaque
stringData:
  key: tskey-auth-xxx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ztna-sidecar
spec:
  template:
    spec:
      containers:
      - name: ztna
        image: myorg/app-with-ztna:latest
        env:
        - name: ZTNA_AUTH_KEY
          valueFrom:
            secretKeyRef:
              name: ztna-auth-key
              key: key

Manual binary install (offline / air-gapped)

  1. Download the binary from login.quickztna.com/download on an internet-connected machine.
  2. Verify the SHA-256 checksum from the same page.
  3. Copy to the target device + chmod +x.
  4. Move to /usr/local/bin/ztna or equivalent.
  5. sudo ztna install — sets up the service.
  6. sudo ztna up --auth-key ... — registers + connects.
Air-gapped control plane Air-gapped environments need the full QuickZTNA stack deployed on-prem, not just the agent. Contact sales@quickztna.com for the self-hosted deployment guide.

Uninstall

$ sudo ztna uninstall
→ Stopping service
→ Removing /etc/systemd/system/quickztna-svc.service
✓ Service removed · config preserved in ~/.config/ztna/
# To fully purge: sudo rm -rf /usr/local/bin/ztna ~/.config/ztna
$ ztna uninstall
PS> ztna uninstall

Troubleshooting

Installer hangs on download

Outbound HTTPS 443 to login.quickztna.com blocked. Add firewall exception.

"Operation not permitted" (Linux)

Run with sudo. The installer needs root to install the systemd unit.

macOS network extension blocked

System Settings → Privacy & Security → Allow QuickZTNA. Then re-run ztna up.

Wintun driver install failed

Run PowerShell as admin. Uninstall existing Wintun. Re-run installer.

"Auth key expired"

Issue a new one from the dashboard and re-run with the new key.

See also

Previous
Issuing auth keys