So at this point I was able to put the cleanest policy to get FortiClient 7.x installed freshly and upgrade 6.x version.
You need to obtain the FortiClient DMG installer from FEMS server.
- Note: If this is an upgrade policy from previous version, it must have a removal script (run Before) of the current FortiNet client for the re-install policy, what works for me currently is:
#!/bin/bash
cd /
cd /Library/LaunchDaemons
sudo rm -rf com.fortinet.forticlient.*
cd /
cd "/Library/Application Support/Fortinet"
sudo rm -rf FortiClient
#kill FortiNet processes manually
killall FortiClient
killall FortiClientAgent
killall "FortiClient Helper"
#run FortiClientUninstaller from the Applications Folder
#open /Applications/FortiClientUninstaller.app
#delete FortiClient app and uninstaller from Applications to see if then FortiNet 7.x will install with AV component
sudo rm -rf /Applications/FortiClientUninstaller.app
sudo rm -rf /Applications/FortiClient.app
kill $(ps -e | grep Forti | awk '{print $1}')
sleep 5
Now, how I managed to setup the installation part:
- Rename the installer from FEMS server to "FortiClient_Installer.dmg" and copy to /Users/Shared/FortiClient_Installer.dmg
- Double check/mount the DMG to make sure the installer inside the DMG is named "Install.mpkg"
- Using JAMF Composer, package the "FortiClient_Installer.dmg" into a new DMG named "Install FortiClient_Users_Shared_DMG.dmg" so that when deployed by the policy from JSS, it would save the FortiClient_Installer.dmg to machine's \Users\Shared folder
- If upgrading to a new version: upload/replace the current "Install FortiClient_Users_Shared_DMG.dmg" on Jamf Admin app and update the current version in General - Info
- Now the script which will mount the DMG and install the MPKG is:
#!/bin/bash
# Needs to have a DMG present at /Users/Shared/
# Variables
dmgPath="/Users/Shared/FortiClient_Installer.dmg"
packageName="Install.mpkg"
# Mount the DMG, and save its device
device=$(/usr/bin/hdiutil attach -nobrowse "$dmgPath" | /usr/bin/grep "/Volumes" | /usr/bin/awk '{ print $1 }')
echo "device is: $device"
# Using the device, determine the mount point
mountPoint=$(/usr/bin/hdiutil info | /usr/bin/grep "^$device" | /usr/bin/cut -f 3)
echo "mountPoint is: $mountPoint"
# Pointing to pkg/mpkg manually
pkgToinstallManual="$mountPoint"/Install.mpkg""
echo "pkgToinstallManual is: $pkgToinstallManual"
# Install the package
/usr/sbin/installer -verbose -pkg "$pkgToinstallManual" -target /
sleep 15
# Detach the volume and remove the DMG with installer
/usr/bin/hdiutil detach $device
rm -rf /Users/Shared/FortiClient_Installer.dmg
exit 0
Then you need a policy on JSS, which will include the DMG which will place the FortiClient installation DMG into /Users/Shared folder, then you need the installation script to run After (second one in my post) and if there is currently FortiClient/FortiNet is installed - you need the removal script (the first one in my post). Please note, we are upgrading from simply FortiNet VPN 6.x to FortiNet 7.x with AV included, so macs which already have FortiClient - they only have the VPN component. I have tried the removal script (first one in my post) on FortiClient 7.x with AV component and it worked, but it requires a reboot after you run the script.
The only other issue we have is the Full Disk Access, which based on Apple responses at this point can't be automated... whatever I have tried via configuration profiles/JSS - it removed most of the prompts, but we still get the "Permission is required for full protection", which comes from the AV component and only by manually allowing it in the Privacy tab - works...
Overall FortiClient vendor does not provide much documentation on how to deploy their software automatically on macs, but this is the closest I got so far...
Ahoy!
