Deploying FortiClient

anickless
Contributor II

Has anyone had any experience in deploying Fortinet's FortiClient to computers? I get a DMG from our on-prem controller but that doesn't install when I use Jamf Pro to install onto client machines


We are getting an error found here when installing things.  Any thoughts on what we can do to get past this?

https://community.jamf.com/t5/jamf-pro/tutorial-forticlient-6-4-x-deploy-with-config/m-p/260674/high...

akamenev47
Contributor II

So at this point I was able to put together the cleanest policy to get FortiClient 7.x installed freshly and upgrade the 6.x version.

You need to obtain the FortiClient DMG installer from FEMS server.

  • Note: If this is an upgrade policy from previous version, it must have a removal script (run Before) of the current FortiNet client for the re-install policy, what works for me currently is:

 

#!/bin/bash

# Remove the FortiClient LaunchDaemons. Absolute paths are used so that a
# failed cd can never leave rm -rf running in the wrong directory.
sudo rm -rf /Library/LaunchDaemons/com.fortinet.forticlient.*

# Remove the FortiClient support files
sudo rm -rf "/Library/Application Support/Fortinet/FortiClient"

# Kill FortiNet processes manually
killall FortiClient
killall FortiClientAgent
killall "FortiClient Helper"

# Run FortiClientUninstaller from the Applications folder
#open /Applications/FortiClientUninstaller.app

# Delete FortiClient app and uninstaller from Applications to see if then FortiNet 7.x will install with AV component
sudo rm -rf /Applications/FortiClientUninstaller.app
sudo rm -rf /Applications/FortiClient.app

# Kill any remaining Forti processes. pkill matches on the process name only,
# so it does not catch itself or this script the way "ps | grep Forti" can.
pkill Forti

sleep 5

 

 

Now, how I managed to set up the installation part:

  • Rename the installer from FEMS server to "FortiClient_Installer.dmg" and copy to /Users/Shared/FortiClient_Installer.dmg
    • Double check/mount the DMG to make sure the installer inside the DMG is named "Install.mpkg"
  • Using JAMF Composer, package the "FortiClient_Installer.dmg" into a new DMG named "Install FortiClient_Users_Shared_DMG.dmg" so that when deployed by the policy from JSS, it would save the FortiClient_Installer.dmg to the machine's /Users/Shared folder
  • If upgrading to a new version: upload/replace the current "Install FortiClient_Users_Shared_DMG.dmg" on Jamf Admin app and update the current version in General - Info
  • Now the script which will mount the DMG and install the MPKG is:

 

#!/bin/bash

# Needs to have a DMG present at /Users/Shared/
# Variables
dmgPath="/Users/Shared/FortiClient_Installer.dmg"
packageName="Install.mpkg"

# Mount the DMG, and save its device
device=$(/usr/bin/hdiutil attach -nobrowse "$dmgPath" | /usr/bin/grep "/Volumes" | /usr/bin/awk '{ print $1 }')
echo "device is: $device"

# Stop here if the DMG did not mount
if [ -z "$device" ]; then
    echo "Failed to mount $dmgPath"
    exit 1
fi

# Using the device, determine the mount point
mountPoint=$(/usr/bin/hdiutil info | /usr/bin/grep "^$device" | /usr/bin/cut -f 3)
echo "mountPoint is: $mountPoint"

# Pointing to pkg/mpkg manually
pkgToinstallManual="$mountPoint/$packageName"
echo "pkgToinstallManual is: $pkgToinstallManual"

# Install the package and keep the installer's exit status
/usr/sbin/installer -verbose -pkg "$pkgToinstallManual" -target /
installStatus=$?

sleep 15

# Detach the volume and remove the DMG with installer
/usr/bin/hdiutil detach "$device"
rm -rf "$dmgPath"

# Report the installer result so a failed install is not logged as a success
exit $installStatus

 

 

Then you need a policy on JSS, which will include the DMG which will place the FortiClient installation DMG into /Users/Shared folder, then you need the installation script to run After (second one in my post) and if FortiClient/FortiNet is currently installed - you need the removal script (the first one in my post). Please note, we are upgrading from simply FortiNet VPN 6.x to FortiNet 7.x with AV included, so macs which already have FortiClient - they only have the VPN component. I have tried the removal script (first one in my post) on FortiClient 7.x with AV component and it worked, but it requires a reboot after you run the script.

 

The only other issue we have is the Full Disk Access, which based on Apple responses at this point can't be automated... whatever I have tried via configuration profiles/JSS - it removed most of the prompts, but we still get the "Permission is required for full protection", which comes from the AV component and only by manually allowing it in the Privacy tab - works...

 

Overall FortiClient vendor does not provide much documentation on how to deploy their software automatically on macs, but this is the closest I got so far...

Ahoy!

akamenev47
Contributor II

My message somehow duplicated.

Ahoy!

jeroenkahle
New Contributor II

I somehow lose some of our machines over time. In the search for how to re-add them to EMS I stumbled upon the Linux command-line commands. And yes, they work on the FortiClient 7 versions for the Mac (not on previous versions). And because that works, I can simply deploy the .mpkg and afterwards use the command to register to EMS. So no need to push the Fortisettings structure before installing the main FortiClient. Now it is just install, fire off the command and be done. Hope it helps anyone.

#!/bin/bash

## Add FortiClient configuration if EMS connection is broken or register the cleaninstall
/Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r fqdnofserver y

 

Thanks for this. We were finding that for some weird reason if we deployed our 6.4.8 via Software Center then everything worked (including EMS registration), but when we told Jamf to deploy to all machines that didn't have it the EMS config file wasn't populating.

Deploying this as a script has resolved that for us!

jeroenkahle
New Contributor II

There is an issue with my script, because of the untrusted certificate. The answer, in this case YES, is not sent. So I tried to work around this and got something like this, which seems to do the trick.

#!/bin/sh
## Add FortiClient configuration if EMS connection is broken
echo
# Quoted so the shell does not treat the "?" as a filename wildcard
echo "- Are we connected to EMS?"
# Register with EMS and answer "y" when the prompt banner appears
/usr/bin/expect <<EOF
    spawn /Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -r fqdn-or-ip-address
    expect "=============*" {send "y\r"}
    #expect eof
EOF

echo "- Is there an invalid certificate to accept?"
# Accept the certificate presented by the EMS server
/Library/Application\ Support/Fortinet/FortiClient/bin/epctrl -t accept
echo

exit 0

Did you use this to fix the below pop-up by chance when installing 7.0.7? We have all the other certs installed ahead of time, and that's worked FLAWLESSLY for us in 7.0.3, but now, as soon in our sandbox, using pretty much everything (we removed KEXT profiles RIP Catalina), we get this AFTER the app has installed.  Even odder, as soon as you provide admin creds, it installs a cert from the EMS server. So we know whatever this is is new and fun and not the way 7.0.3 works.  We even tried with our old profiles and still had the same results.

Image 10-4-22 at 7.49 PM.jpg

I know this is an older post, but we are seeing the same thing upgrading from v6 to v7 of FortiClient. We even added the certificate to a config profile and we still see this message. Did you ever find a solution?

There were some changes in the config profiles... did you create a new profile?
https://docs.fortinet.com/document/forticlient/7.2.0/jamf-deployment-guide/776135/configuration-prof...

@PablitoGordito we got the certs from our NetOps team as they were downloaded right from the EMS portal, and they've been working fantastic thus far.