
I'm trying to deploy FortiClient 7.0.2, and I have some questions about order of operations and whether this is going to cause trouble on specific OS versions. I still have some more testing to do but it seems to work on the one I tried, but maybe it was a fluke. I can post configs as necessary, but I suspect that they aren't needed for these questions as it's more about how these functions work.

I have a script that grabs the file from our server and installs it. That works. I need to get curl to fail out of the script if the download fails, but I haven't looked into it yet so I'm sure I can find a way.

Unfortunately though, FortiClient needs users to make tons of changes to System Prefs: Full Disk Access, requests for VPN connections, and requests for System Extensions.

I used PPPC to grab those Full Disk Access settings from an install and make a config profile.

  • Will it cause a problem if I deploy those before the policy for the install, when the filepaths and apps don't exist yet? It seems to be working this way currently, but I don't see those settings in the System Prefs Privacy panel. Are they hidden because they're installed this way?

I have a blank VPN being deployed in the same config profile using com.fortinet.forticlient.macos.vpn in the Custom SSL settings (someone else on here suggested this solves that issue if you deploy it first). I haven't tested this, but supposing it works I don't have any questions about it since I know it needs to go on first.

System Extensions is the only other thing I'm worried about. I added them to this same config profile, and I think they're correct.

  • Will they work if they're installed before the app is?

I believe these work for Big Sur. However, I've noticed, specifically, Catalina doesn't add the one program to Full Disk Access and you end up needing to search for it. Of note, that program is in the PPPC as "com.fortinet.forticlient.macos.antivirus" instead of the filepath. I suspect this is fine, but I don't know.

Sorry, I know this is a lot, but I want to make sure I'm not missing something, especially since I've never worked with these functions of configuration profiles before. Specifically the System Extensions and the Privacy settings.
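An added example, not part of the original post or of any reply: one way to check what a profile like the one described above actually pre-approves (Full Disk Access identifiers and their type, system extensions, VPN subtype, notification bundle IDs) before scoping it. It assumes an unsigned .mobileconfig and Apple's standard payload types and keys; `audit_profile` is a hypothetical helper, and the team ID, code requirement, extension ID and path in the sample are constructed placeholders.

```python
import plistlib

TCC = "com.apple.TCC.configuration-profile-policy"
SYSEXT = "com.apple.system-extension-policy"
VPN = "com.apple.vpn.managed"
NOTIF = "com.apple.notificationsettings"

# Constructed sample profile. TEAMID0000, the code requirement string, the
# extension ID and the path entry are placeholders, not Fortinet's real values.
SAMPLE = plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": TCC, "Services": {"SystemPolicyAllFiles": [
        {"Identifier": "com.fortinet.forticlient.macos.antivirus",
         "IdentifierType": "bundleID", "Allowed": True,
         "CodeRequirement": "identifier PLACEHOLDER"},
        {"Identifier": "/path/to/placeholder-binary",
         "IdentifierType": "path", "Allowed": True}]}},  # no CodeRequirement
    {"PayloadType": SYSEXT, "AllowedSystemExtensions": {
        "TEAMID0000": ["com.example.placeholder.extension"]}},
    {"PayloadType": VPN, "VPNType": "VPN",
     "VPNSubType": "com.fortinet.forticlient.macos.vpn"},
    {"PayloadType": NOTIF, "NotificationSettings": [
        {"BundleIdentifier": "com.fortinet.forticlient.forticlientagent"}]},
]})

def audit_profile(data):
    """Summarise what an unsigned .mobileconfig pre-approves."""
    report = {"full_disk_access": [], "system_extensions": [],
              "vpn_subtypes": [], "notifications": [], "warnings": []}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == TCC:
            for e in payload.get("Services", {}).get("SystemPolicyAllFiles", []):
                ident, kind = e.get("Identifier"), e.get("IdentifierType")
                report["full_disk_access"].append((kind, ident))
                if not e.get("CodeRequirement"):
                    report["warnings"].append(f"{ident}: missing CodeRequirement")
                if kind == "path" and not str(ident).startswith("/"):
                    report["warnings"].append(f"{ident}: path is not absolute")
        elif ptype == SYSEXT:
            for team, exts in payload.get("AllowedSystemExtensions", {}).items():
                report["system_extensions"] += [(team, x) for x in exts]
        elif ptype == VPN:
            report["vpn_subtypes"].append(payload.get("VPNSubType"))
        elif ptype == NOTIF:
            for n in payload.get("NotificationSettings", []):
                report["notifications"].append(n.get("BundleIdentifier"))
    return report

if __name__ == "__main__":
    for section, items in audit_profile(SAMPLE).items():
        print(section, items)
```

Run against an exported profile by passing the file's bytes to `audit_profile`; a profile signed by the MDM has to be unwrapped first.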

Fortinet has a Jamf mobile config for the FortiClient that you can download and import into Jamf. Check out their site where you download the FortiClient. Works perfectly.

Found it in Fortinet's Jamf Deployment guide.

To configure profiles on Jamf Pro:

  1. Log in to Jamf Pro. Go to Computers > Configuration Profiles.

  2. Download the FortiClient_<version.build>_macosx.Jamf.mobileconfig sample configuration profile file:

    1. Go to Fortinet Services & Support > Firmware Images.

    2. From the Select Product dropdown list, select FortiClientMac.

    3. On the Download tab, go to FortiClientMac > Mac > v7.00 > 7.0. Select the latest FortiClient version.

    4. Download the FortiClient_<version.build>_macosx.Jamf.mobileconfig sample configuration profile file.


I am currently working on this same thing.

I see in the FortiClient 7.0.7 directory on the support site they have an Intune and Jamf .mobileconfig - has anyone tried simply importing that?

Separate from that, I was attempting to use fcconfig to import the config, and despite it saying it's "finished" it doesn't have it... https://community.fortinet.com/t5/Fortinet-Forum/Library-Application-Support-Fortinet-FortiClient-bin-fcconfig/m-p/225157#M200401


Yes, this worked best for me over making my own default VPN profile, PPPC, and extension allowance. (Initial install 648 from Jamf School, upgrading to 707 from EMS.)


@JDaher, will be checking through your screenshots to see if it helps to set up the same way on my end. I did see you mentioned the certificate you need to manually install/receive prompts; I was actually able to automate this:

- Install FortiClient via DMG

- Export the FCTEXXXXXXXXXXXX.cer from Keychain Access Manager (make sure it's set to "Always Trust")

- Add/upload the cert via configuration profile and scope to the Macs where FortiClient will be pushed


Can you tell me the Bundle ID you used for the Notifications payload here?


@kevin_v 

com.fortinet.forticlient.forticlientagent


Thank you. Seeing inconsistencies with people still getting the prompt to allow FortiClientAgent notifications, even with the config profile applied. Sounds like a Jamf PI or something though...


Just some info from my side and testing.

So we are testing 7.2.0 now on our MacBooks with Ventura.
It seems that neither 7.0.7 nor 7.2.0 solved the DNS resolving issue.

The licensing has also changed with the latest version on the EMS itself.

So we also tried to use the config and the guide from Forti. But we weren't able to use the guide from Forti, and I was not able to do the steps with the cert.


Updated deployment guide

https://docs.fortinet.com/document/forticlient/7.2.0/jamf-deployment-guide/776135/configuration-profiles

When I install during setup, it installs correctly. When I do it from Self Service, the pkg is blocked.


It all works except for this. Any idea?


With updated EMS you should be able to export the certificate and deploy it via Jamf.


Hi all,

Any news regarding the FortiClient Agent prompt?
I have applied the config profile for macOS and everything is working as expected, but while the Intel Macs install the app silently, the ARM ones get the "FortiClientAgent - You are making changes to the System Certificate Trust Settings" prompt, which asks for admin authentication.

Thank you!


This is the same behavior we see. Not only do we see it when it first installs, but it also pops up from time to time. Our devices are currently on v7.0.7, but we just got the green light to upgrade to v7.2. I will build a new configuration profile using this document as a guide. It's a document upgraded this month: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/139d51b8-9d11-11ed-8e6d-fa163e15d75b/FortiClient_7.2_Jamf_Deployment_Guide.pdf


Hi,
We managed to solve it in the meantime.
Our AV is Microsoft Defender, and we noticed, after several complaints from our users of random URL blocks, that the root cause was the FortiClient Web Filter.

We already had the MS Defender Web Filter active, and it seems it is not compatible with FortiClient.
Basically, after the Network team disabled it because of the issues reported above, I noticed that the prompts stopped appearing for both ARM and Intel CPU devices.

We are still contacting FortiClient Support via ticket to validate if this makes any sense, but at least reporting for you guys, this might help.

Best regards!


Regarding the certificate prompt... It looks like the issue is not there anymore with FortiClient 7.0.11. Please, see the documentation:


ref. https://docs.fortinet.com/document/forticlient/7.0.11/macos-release-notes/510031/resolved-issues

We did some testing since Friday and the issue didn't occur indeed so seems to be fixed.

