Jamf Nation Community

Can you post your config profile when done? I need to set this up as well.

I was unaware 7.0.3 is out now. I'll look into that. I agree with @kryan though, if you get your configs figured out would you mind posting them?

any luck with the config profile?

@Jacek_ADC& anyone else who may be able to help

Hello, on 7.0.3 now, I've added the Certificate to a configuration profile but I still get this pop-up, is this apart of the post-install script? How did you resolve this pop-up? I can't seem to dial it in.

it's all works except for this any idea?

Hi,

I just received an official statement from our partner which works with fortinet. So the statement from fortinet is, that no official way is possible to install fortinet without user interaction.
From my side I need to test everything once again. I just changed my enrollment script for the macbooks, so fortinet client will be installed after the jamf notify process after the restart. This works very fine. At the moment I wan't find any time for testing. 

with updated EMS you should be able to export the certificate and deploy it via Jamf

Hello, 
Could you share with us where you got the details to create the configuration profiles? My company is about to start using FortiClient v7.0.5 and I can't find any information about how to create these profiles. 

I never had issue until now to install the new client over the old one. This is the easiest way for us to upgrade the major versions without issues. 

We have in-place upgrade issues as well.  We're using the free version.  What I've found is that you need to run the uninstaller for the previous version first, then install the new one.  I've adapted the build workflow created by @mickl089 over in this thread. I package up the Forticlient .mpkg and the vpn.plist from a machine with the connection settings in composer, then I deliver the files to a temp directory and use the script to install (after) the package and connection settings:

#!/bin/bash

#James Mahalek, University of Calgary

#Stops all running FortiClient processes
killall FortiClientAgent
    killall FortiClient

#Initiates silent uninstall of current Forticlient
/Applications/FortiClientUninstaller.app/Contents/Library/LaunchServices/com.fortinet.forticlient.uninstall_helper

#Run FortiClient 7.0.3 Installer
installer -verboseR -pkg "/private/tmp/FortiClient_7.0.3_Source_Files/FortiClient 7.0.3.mpkg" -target /

#Copy vpn.plist from tmp to FortiClient config folder
cp /private/tmp/FortiClient_7.0.3_Source_Files/vpn.plist "/Library/Application Support/Fortinet/FortiClient/conf/"

We also deploy the FortiClient settings for PPPC and System extensions to any device with FortiClient installed (hence the maintenance option in the install), and those are similar to the solution in the thread.  We do use the free version, and only the VPN, so only the nwextension is necessary (see below).  hint: One can use the following command in terminal to derive the Team and Bundle IDs for the system extension if you ever have to create these for an app.

systemextensionsctl list

Also, don't forget the PPPC settings!

Hi, your welcome. I invested a lot of time for testing :)

At the moment I am waiting for the 7.0.6 version which should solve a lot of issues. 
So for the moment I stopped testing and deploying the forticlient. 

I know this is a bit late, but would you recommend reaching out to FortiClient's support team? I have pre-packaged installers from them, but the settings do not seem to be embedded. It's like I might as well have gotten the installer from a direct link on their site. And the administrator's guide is not really accurate from what I've experienced. I sincerely appreciate any help!

going through same popup issue, any help ?

I put it together from the suggestions on this thread and this one: 

https://community.jamf.com/t5/jamf-pro/quot-fortitray-quot-would-like-to-add-vpn-configurations/m-p/... 

I only get the two pop-ups to install the certificates to the keychain. I tried to automate this but I could not figure it out, so we're gonna live with that. 

@JDaher , will be checking through your screenshots to see if it helps to setup the same way on my end, I did see you mentioned the certificate you need to manually install/receive prompts, I was actually able to automate this:

- Install FortiClient via DMG

- Export the FCTEXXXXXXXXXXXX.cer from Keychain Access Manager (make sure it's set to "Always Trust")

- Add/upload the cert via configuration profile and scope to the macs where FortiClient will be pushed

Thanks. I tried this before and it didn't work for me, it didn't install the certificate. Also, in our case there are two certificates that need to be installed. Both go into Keychain > Login. 

Can you tell me the Bundle ID you used for the Notifications payload here?

@kevin_v 

com.fortinet.forticlient.forticlientagent

Thank you. Seeing inconsistencies with people still getting the prompt to allow FortiClientAgent notifications, even with the config profile applied. Sounds like a Jamf PI or something though...

Did you have any issues with allowing full disk access to it with PPPC, Ive tried but it doesnt seem to be working on my m1s

I set up full disk access using the PPPC payload in the configuration profile in Jamf, and that works for me. See the screenshot I posted here on 8/5

I assume the config profile is installing?  Maybe check your identifiers and code signatures for errors, and remember to add in an identifier and code signature pair for fctservctl2, as well.  Example here.

Yes, this worked best for me over making my own default VPN profile, PPPC, and extension allowance. (Initial install 648 from Jamf School, upgrading to 707 from EMS.)

This is the same behavior we see. Not only do we see it when it first installs, but it also pops up from time to time. Our devices are currently on v7.0.7, but we just got the green light to upgrade to v7.2. I will build a new configuration profile using this document as a guide. It's a document upgraded this month: https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/139d51b8-9d11-11ed-8e6d-fa163e...

Hi,
We managed to solve it in the meantime.
Our AV is Microsoft Defender, and we noticed, after several complaints of random URL blocks of our users, that the root cause was the FortiClient Web Filter.

We had already the MS Defender Web Filter active, and it seems it is not compatible with FortiClient.
Basically, after the Network team disabled it because of the issues reported above, I noticed that the prompts stopped appearing for both ARM and intel CPU devices.

We are still contacting FortiClient Support via ticket to validate if this makes any sense, but at least reporting for you guys, this might help..

Best regards!