I'm trying to deploy FortiClient 7.0.2, and I have some questions about order of operations and whether this is going to cause trouble on specific OS versions. I still have some more testing to do but it seems to work on the one I tried, but maybe it was a fluke. I can post configs as necessary, but I suspect that they aren't needed for these questions as it's more about how these functions work.
I have a script that grabs the file from our server and installs it. That works. I need to get curl to fail out of the script if the download fails, but I haven't looked into it yet so I'm sure I can find a way.
Unfortunately though, FortiClient needs users to make tons of changes to System Prefs. Full Disk Access, requests for VPN connections, and request for System Extensions.
I used PPPC to grab those Full Disk Access settings from an install and make a config profile.
I have a blank VPN being deployed in the same config profile using com.fortinet.forticlient.macos.vpn in the Custom SSL settings (someone else on here suggested this solves that issue if you deploy it first). I haven't tested this, but supposing it works I don't have any questions about it since I know it needs to go on first.
System Extensions is the only other thing I'm worried about. I added them to this same config profile, and I think they're correct.
I believe these work for Big Sur. However, I've noticed, specifically, Catalina doesn't add the one program to Full Disk Access and you end up needing to search for it. Of note, that program is in the PPPC as "com.fortinet.forticlient.macos.antivirus" instead of the filepath. I suspect this is fine, but I don't know.
Sorry, I know this is a lot, but I want to make sure I'm not missing something, especially since I've never worked with these functions of configuration profiles before. Specifically the System Extensions and the Privacy settings.
First, forget about version 7.0.2 and take the latest release, 7.0.3. In the latest release a lot of issues from 7.0.2 are solved, also on the M1 MacBooks and for Monterey.
I'm in the process right now of finishing the configuration profiles. The only one I am missing is the network extension.
@Int_IT_ADC & anyone else who may be able to help
Hello, on 7.0.3 now. I've added the certificate to a configuration profile but I still get this pop-up. Is this a part of the post-install script? How did you resolve this pop-up? I can't seem to dial it in.
I just received an official statement from our partner which works with Fortinet. So the statement from Fortinet is that no official way is possible to install Fortinet without user interaction.
From my side I need to test everything once again. I just changed my enrollment script for the MacBooks, so the Fortinet client will be installed after the Jamf notify process after the restart. This works very fine. At the moment I won't find any time for testing.
We have in-place upgrade issues as well. We're using the free version. What I've found is that you need to run the uninstaller for the previous version first, then install the new one. I've adapted the build workflow created by @mickl089 over in this thread. I package up the Forticlient .mpkg and the vpn.plist from a machine with the connection settings in composer, then I deliver the files to a temp directory and use the script to install (after) the package and connection settings:
```bash
#!/bin/bash
#James Mahalek, University of Calgary

#Stops all running FortiClient processes
killall FortiClientAgent
killall FortiClient

#Initiates silent uninstall of current Forticlient
/Applications/FortiClientUninstaller.app/Contents/Library/LaunchServices/com.fortinet.forticlient.uninstall_helper

#Run FortiClient 7.0.3 Installer
installer -verboseR -pkg "/private/tmp/FortiClient_7.0.3_Source_Files/FortiClient 7.0.3.mpkg" -target /

#Copy vpn.plist from tmp to FortiClient config folder
cp /private/tmp/FortiClient_7.0.3_Source_Files/vpn.plist "/Library/Application Support/Fortinet/FortiClient/conf/"
```
We also deploy the FortiClient settings for PPPC and System extensions to any device with FortiClient installed (hence the maintenance option in the install), and those are similar to the solution in the thread. We do use the free version, and only the VPN, so only the nwextension is necessary (see below). Hint: One can use the following command in Terminal to derive the Team and Bundle IDs for the system extension if you ever have to create these for an app.
Also, don't forget the PPPC settings!
@Int_IT_ADC thanks a ton for these screenshots, definitely helped me get started! Have you made any further progress since this implementation? Currently, I'm running into an issue where the profile is creating a whole new VPN config but upon pushing FortiClient 7.0.3 'install.mpkg', it creates a new VPN config and asks to 'Allow' FortiTray. Any thoughts on that?
I know this is a bit late, but would you recommend reaching out to FortiClient's support team? I have pre-packaged installers from them, but the settings do not seem to be embedded. It's like I might as well have gotten the installer from a direct link on their site. And the administrator's guide is not really accurate from what I've experienced. I sincerely appreciate any help!
I put it together from the suggestions on this thread and this one:
I only get the two pop-ups to install the certificates to the keychain. I tried to automate this but I could not figure it out, so we're gonna live with that.
@JDaher, will be checking through your screenshots to see if it helps to set up the same way on my end. I did see you mentioned the certificate you need to manually install/receive prompts; I was actually able to automate this:
- Install FortiClient via DMG
- Export the FCTEXXXXXXXXXXXX.cer from Keychain Access Manager (make sure it's set to "Always Trust")
- Add/upload the cert via configuration profile and scope to the macs where FortiClient will be pushed
Thanks. I tried this before and it didn't work for me, it didn't install the certificate. Also, in our case there are two certificates that need to be installed. Both go into Keychain > Login.
We are already on 7.0.7, which has solved the DNS resolving issue the client had since version 7.0.0.
So we install the FortiClient on the machines in our prestage notify process. FortiClient is installed after the notify process is done and a few settings are done and triggered with a dummy file. This works flawlessly.
We have our own Forti EMS system and are now starting to test the update procedure directly with the EMS server and not with Jamf.
Over the next few days I will test the setting with the certificate and the added PPPC keys in this thread and will inform you.
I am currently working on this same thing.
I see in the FortiClient 7.0.7 directory on the support site they have an Intune and Jamf .mobileconfig - has anyone tried simply importing that?
Separate from that, I was attempting to use fcconfig to import the config and despite it saying it's "finished" it doesn't have it... https://community.fortinet.com/t5/Fortinet-Forum/Library-Application-Support-Fortinet-FortiClient-bi...