Currently in the process of deploying FortiClient 6.4.x to macOS devices, however after installing FortiClient 6.4.x, users are seeing a prompt to allow "com.fortinet.forticlient.macos" to filter network content.
Does anybody know how to create a configuration profile for the delivery of a payload which adds the web content filter for FortiClient, pre-allowing it and thus avoiding the users being prompted?
3 ACCEPTED SOLUTIONS
Thanks @jonlju for the suggestions... Googling for over a week didn't really help & Fortinet support was pretty useless when reached out to them. But through persistence combined with trial and error I have now found that implementing the following settings as part of a configuration profile does the trick for macOS:
OPTIONS > CONTENT FILTER
FILTER NAME = com.fortinet.forticlient.macos.webfilter
IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
NETWORK FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
NETWORK FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
Thanks for the suggestions. I had been Googling for over a week with no success and found Fortinet support to be useless when reached out to them. But through continued persistence combined with trail and error I've eventually manage to put together a solution that works. Implementing a configuration profile as follows has done the trick:
OPTIONS > CONTENT FILTER
FILTER NAME = com.fortinet.forticlient.macos.webfilter
IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
NETWORK FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
NETWORK FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
Thanks for the suggestions. I had been Googling for over a week with no success and found Fortinet support to be useless when reached out to them. But through continued persistence combined with trail and error I've eventually manage to put together a solution that works. Implementing a configuration profile as follows has done the trick:
Thanks @jonlju for the suggestions... Googling for over a week didn't really help & Fortinet support was pretty useless when reached out to them. But through persistence combined with trial and error I have now found that implementing the following settings as part of a configuration profile does the trick for macOS:
OPTIONS > CONTENT FILTER
FILTER NAME = com.fortinet.forticlient.macos.webfilter
IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
NETWORK FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
NETWORK FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
Thanks for the suggestions. I had been Googling for over a week with no success and found Fortinet support to be useless when reached out to them. But through continued persistence combined with trail and error I've eventually manage to put together a solution that works. Implementing a configuration profile as follows has done the trick:
OPTIONS > CONTENT FILTER
FILTER NAME = com.fortinet.forticlient.macos.webfilter
IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
SOCKET FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
NETWORK FILTER BUNDLE IDENTIFIER = com.fortinet.forticlient.macos
NETWORK FILTER DESIGNATED REQUIREMENT = identifier "com.fortinet.forticlient.macos" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK
Thanks for the suggestions. I had been Googling for over a week with no success and found Fortinet support to be useless when reached out to them. But through continued persistence combined with trail and error I've eventually manage to put together a solution that works. Implementing a configuration profile as follows has done the trick:
I used the PPPC Utility to get the info for the FortiClient app to give me the Filter Designation Requirements, then swapped the identifier to that which was being presented in the popup macOS was presenting.
