FortiClient For Mac. Packaging and deploying with Casper Suite.

pditty
New Contributor

We are evaluating a new appliance for content filtering (firewall and email scrubbing). This appliance is made by Fortinet.

I have been tasked with investigating the packaging and deployment of the FortiClient. Fortinet's documentation shows the steps to manually install and configure the client for OS X but does not contain any information on best practices for large enterprise deployments of this product. I want their take before I hack and slash this on my own.

I'm waiting for a call back from their support team so I thought I would give a shout out to Jamf Nation and see if any of you have boldly gone before me in this area.

Thanks in advance to anyone willing to take the time to contribute.

Sincerely,
Paul

26 replies

barnesaw
Contributor III

If you can, show us the documentation and we can take a stab at it.

pditty
New Contributor

This is the only documentation I have found. Lots of info for packaging the PC client and automating that install.

http://docs.fortinet.com/fclient/forticlient-admin-504.pdf

mm2270
Legendary Contributor II

From the looks of the documentation's Mac install screenshots, it looks like a standard Apple-style pkg install. Have you tried just dropping that pkg as is into Casper Admin and deploying to a test system? Never know, it might "just work".
It means nothing that they don't include any enterprise deployment instructions. Maybe they don't because they have no idea what management product you'd be using, and all of them work a little differently. Or it might mean they don't need to, as in, drop it into ARD, Casper, Munki, your tool of choice and install away.
The post-configuration might be a slightly different story...

donmontalvo
Esteemed Contributor II

Push the native PKG/MPKG to a logged off Mac (the litmus test). If you log on and the application works, simply wrap the vendor provided PKG/MPKG and deploy it.

Wrapping existing PKG/MPKG installers is the best way to ensure the vendor's dependencies are met (versioning, etc.), and the wrapper makes it easier to manage things on the Casper end (vendor-application-version.pkg).

[Edit: My apologies, missed the part about it being a self contained *.app...please disregard the above. :)]

Snapshots are dangerous, and they assume all the logic built into vendor-provided PKG/MPKG installers isn't needed. Snapshots are a good way to get burned, whether it's immediately apparent or whether you later come to the realization down the road that you've built a house of cards. 😉

Don

--
https://donmontalvo.com

pditty
New Contributor

Good suggestions, thank you for your time and thoughts. I heard from their customer support, and they told me enterprise deployment of the client was not supported by them and it would be up to me to use a 3rd-party application to package and deploy. They also offered no help as to what config files were essential and how to configure the clients to connect, register with, and cooperate with the Fortinet appliance that will be hosted internally. We are getting a sales engineer assigned to us next week, so I'm hoping he can help.

I am pretty confident I can deploy the application; it's the post-registration and configuration that has me concerned.

Thanks again for the advice so far and taking the time to contribute. If anyone else has any additional thoughts and esp. experience with deploying the forticlient on a large scale I'm all ears.

Paul

mm2270
Legendary Contributor II

The post-registration and config part is the only place I would use a snapshot method in Composer, to at least figure out what files it may be adding as the client gets configured. Not necessarily that you'd want to just wrap up whatever Composer sees, but you can use it as a basis of what files and preferences, etc. to examine. I sometimes use Composer snapshots or the "Monitor File System Changes" method just to figure out what's being dropped on the system during a manual configuration and take things from there.
I recommend doing it on as clean a system as you possibly can, maybe even one not joined to your domain, for example, to prevent all kinds of extra stuff getting picked up. Even monitoring file system changes for a few seconds can pull in dozens of files not related to what you're configuring, so just be careful to examine everything carefully afterwards. In some cases you might need to script it with something like defaults or PlistBuddy.

On a side note, it's amazing they can't give you even some guidance on what gets configured. Do they not know their own product? Perhaps not.

donmontalvo
Esteemed Contributor II

A quick glance, the initial download gives you "FortiClient_5.0.3.105_Installer.dmg" which only contains a 400K "FortiClientUpdate.app" application that downloads the REAL installer.

Once the REAL installer is downloaded and triggered, then COMMAND-click the installer title bar to get to the enclosing folder, which for my test shows up as:

/private/var/folders/k8/9rryssq947vfrg6w67902h3c0000gp/T/fctupdate/

In that folder:

fdni.conf
FortiClient.dmg    <-- Install.mpkg is also in here
Install.mpkg
QuickStartGuide.webloc
Uninstall.app

The fdni.conf file contains:

SerialNumber=FPT-FCS-29500013|Address=208.91.112.135:443|FDNListener=208.91.112.135:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0003|Address=208.91.112.130:443|FDNListener=208.91.112.130:8889|TimeZone=0
SerialNumber=FPT-FCS-DELL0004|Address=208.91.112.131:443|FDNListener=208.91.112.131:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0005|Address=208.91.112.132:443|FDNListener=208.91.112.132:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0006|Address=216.2.48.139:443|FDNListener=216.2.48.139:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0008|Address=208.91.112.133:443|FDNListener=208.91.112.133:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0012|Address=208.91.112.134:443|FDNListener=208.91.112.134:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0015|Address=208.91.112.136:443|FDNListener=208.91.112.136:8889|TimeZone=8
SerialNumber=FPT-FCS-DELL0016|Address=208.91.112.137:443|FDNListener=208.91.112.137:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0017|Address=208.91.112.138:443|FDNListener=208.91.112.138:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0018|Address=208.91.112.139:443|FDNListener=208.91.112.139:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0019|Address=208.91.112.140:443|FDNListener=208.91.112.140:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0020|Address=208.91.112.141:443|FDNListener=208.91.112.141:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0021|Address=208.91.112.142:443|FDNListener=208.91.112.142:8889|TimeZone=-5
SerialNumber=FPT-FCS-DELL0022|Address=96.45.32.96:443|FDNListener=96.45.32.96:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0023|Address=64.26.135.85:443|FDNListener=64.26.135.85:8889|TimeZone=1
SerialNumber=FPT-FCS-DELL0024|Address=64.26.135.86:443|FDNListener=64.26.135.86:8889|TimeZone=1
SerialNumber=FPT-FCS-DELL0025|Address=216.2.48.140:443|FDNListener=216.2.48.140:8889|TimeZone=-8
SerialNumber=FPT-FCS-DELL0026|Address=216.2.48.141:443|FDNListener=216.2.48.141:8889|TimeZone=-8

The Install.mpkg tested fine, pushed to logged off Mac...so it passes the zero-touch deployment litmus test. I would wrap Install.mpkg in a FortiClient-FortiClient-5.0.2.98 package (vendor-application-version), to deploy the client.

Then see if a snapshot can help you determine what needs to be captured...that's IF you can capture what's needed. Then wrap that stuff up as a second payload, or put it into the above wrapper (I guess monolithic vs. programmatic approach, whether to end up with one or two packages).

This is where I put the "Packages.app is a great packaging tool" comment...especially when you're designing a Mac packaging workflow that facilitates quick updates to existing packages.

Checkpoint Endpoint Security E75 is a good example of stuff being created at install time, specific to the Mac it's being installed on, that simply can't be captured (they must have hired ex-Adobe engineers).

PS, there is an option to "Backup or restore full configuration" in the FortiClient agent prefs...might want to reach out to whoever manages the appliance to see if they can provide you with a configuration file. Or, if this solution is like Checkpoint Endpoint Security, maybe that person or group can spit out a customized PKG/MPKG that you can deploy. Else, I hope the backed up configuration profile can somehow be imported after deploying the client in a zero-touch kind of way...unless they hired ex-Adobe engineers (then all bets are off). 🙂

Don

--
https://donmontalvo.com

pditty
New Contributor

Don, Thank you very much for taking the time to help me. That was very kind of you. Your info has me off and running. We hope to have a sales engineer assigned to us soon and with your help I'll be in a pretty good position to have an intelligent conversation with him about his product.

Thanks again,
Sincerely,
Paul

donmontalvo
Esteemed Contributor II

@pditty Happy to help, in case you haven't tried Packages.app...

http://s.sudre.free.fr/Software/Packages/about.html

Keep Composer.app under your waistband, in case your primary fails you. Although I haven't touched it in some time now. 😉

Don

--
https://donmontalvo.com

dvanderbroek
New Contributor

Paul,

How did your deployment go? I've just ordered an FC license and will be deploying soon. Can you share what steps you actually did?

Dave

dvanderbroek
New Contributor

When I went to forticlient.com and got the download for Mac, I got the small installer as Don describes. Fortinet tech support had me go to support.fortinet.com and log in to my account. Then under Download I clicked on Firmware Images, then FortiClient, and then kept drilling down to the image that I wanted. The image that I got was a 14 MB .dmg file that, when expanded, included a .mpkg.

pditty
New Contributor

Sorry, I just noticed dvanderbroek's post.

We have a successful package built and it worked pretty well. The firewall is maturing some and adding additional features we can push down to the clients to get it configured the way we want.

If you need specifics let me know and I would be happy to share what we did.

dvanderbroek
New Contributor

I would like to know what you did. I got the client installed fine, but didn't do much for the additional features.

jimderlatka
Contributor

I'm now working with Fortinet and having some troubles.
1) I can extract the raw Install.mpkg file from the dmg file.
2) I can install the Install.mpkg file just fine, but it's unconfigured.
3) How did you push your configuration down with Casper?

michaelherrick
New Contributor III

@jimderlatka You can get FortiClient Configurator from your FortiClient account login; Look for the Forticlient Tools Download. From there you can make a custom package that includes a configuration file.

chris_miller
Contributor

I love the FortiClient and have used it in my base image for the past few years. I've also captured it with Composer (I know, quit laughing) and it pushes out well. We don't have it configured to integrate with our firewall/filter. It really seems to work pretty well on its own.

Thanks for the Forticlient Configurator tip. I want to try that one out and make it work even closer with Fortinet.

A word of caution: guns are filtered by default, which blocks Cabela's and Academy Sporting Goods. If you are in Texas, users get really, really cranky about that. Go figure.

a_holley
Contributor

Wondering if anyone has had any success in configuring the client once installed on the machines?
We have the app installed on all of our machines, and we have an FAQ for end users on the setup steps, but some of our users still struggle to correctly fill in the settings.
Has anyone managed to come up with a way to automatically fill in the server address etc? A script or a Config profile set to user-level?

chris_miller
Contributor

There is a plist at /Library/Application Support/Fortinet/FortiClient/conf/epctrl.plist. You can open this in Xcode and copy/edit the fields according to your needs. Save the plist and then export it via Jamf as a config profile.

jrauch
New Contributor III

I know this hasn't been updated in over a year but just in case anyone else here is having trouble with this (like I did), we solved it this way.

You need to get/create a DMG with the config files from Fortinet. We have an EMS server that can create a DMG install with the custom configuration.
I then created a folder "FortiClient" in /tmp, opened the DMG, and threw all of the files into it. I dragged that folder, from /tmp, into Composer and adjusted permissions accordingly, then created the DMG from Composer (FUT and FEU checked).
I created the following simple script:

#!/bin/sh
installer -pkg /tmp/FortiClient/Install.mpkg -target /

I created a Policy that would extract the DMG and after that run the script to install FortiClient with the right settings.
The install knows to look in the same directory on the client computer, find the configs, and install correctly.

olamike
New Contributor III

Hi @jrauch

Could you go through your steps with me please, as I cannot seem to get it to work. I have used the FortiClient Configurator to create a custom configuration and then a dmg file, and then followed your method. I have also tried installing manually and then dragging the app file into Composer, but when I push it out to my test Macs you get a blank screen when you try to open the installed application.

MacMike
New Contributor

@olamike We've managed to enroll FortiClient with this solution.

I then created a folder "FortiClient" in /tmp, opened the DMG, and threw all of the files into it. I dragged that folder, from /tmp, into Composer and adjusted permissions accordingly, then created the DMG from Composer (FUT and FEU checked).

But since there is a hidden folder with the customization files in the DMG, you need that folder also! Use the key combination on your keyboard <SHIFT> plus <CMD> plus < . > to see hidden files in the Finder, thus select and copy them. Use the same key combination to revert back your Finder settings.

tjhall
Contributor III

Been a while, but once the client was fully installed I set it up as requested (all the different VPN configs and settings). Then I corrected the permissions on /Application Support/Fortinet/FortiClient/Conf/vpn.list so it's not locked for the user, and then packaged it in Composer.

esv
New Contributor II

@olamike @jrauch - you mention you modify permissions, could you please explain what permissions?

esv
New Contributor II

Tried all kinds of ways without much luck

  1. created /private/tmp/FortiClient folder
  2. copied items from .DMG to /private/tmp/FortiClient (no hidden files checked)
  3. Dragged /private/tmp/FortiClient to Composer created DMG
  4. Uploaded to Jamf Pro package with the following settings enabled on that package: Fill user templates and Fill existing user home directories
  5. Created script to install Install.mpkg
     #!/bin/sh
     installer -pkg /private/tmp/FortiClient/Install.mpkg -target /

During jamf policy get following:

Executing Policy Install FortiClient 6.2.1 Caching package FortiClient.dmg... Downloading https://cdn.jamfcloud.com//download/123/FortiClient.dmg?token=123... Verifying DMG... Running script Install Forticlient from DMG script... Script exit code: 1 Script result: installer: Error - the package path specified was invalid: '/private/tmp/FortiClient/Install.mpkg'. Error running script: return code was 1.

esv
New Contributor II

Used a slightly different script and it worked:

#!/bin/bash

# Change directory to '/Library/Application Support/JAMF/Waiting Room/'; this is where the JSS stores cached files.
cd "/Library/Application Support/JAMF/Waiting Room/"

# Mount the downloaded DMG from the Jamf Waiting Room.
hdiutil attach -nobrowse FortiClient.dmg

# Change directory (this is where the PKG lives with its dependencies).
cd /Volumes/FortiClient/private/tmp/FortiClient/

# Call the installer and install to the root of the drive, which is the default.
installer -pkg Install.mpkg -target /

# Back out of the DMG (this has to happen or else the DMG resource will be busy and can't be dismounted).
cd /

# Sleep for 20 seconds to finish up any lingering processes from the installer.
sleep 20

# Detach the DMG.
hdiutil detach /Volumes/FortiClient/ 10/
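The Waiting Room workflow above, jrauch's /tmp/FortiClient procedure and MacMike's hidden-folder note all hinge on two things the scripts in this thread never check: that Install.mpkg is actually where the script expects it (the cause of the "package path specified was invalid" error earlier in the thread), and that the Configurator's hidden folder made it into the package. Below is an added example script, not esv's, jrauch's or Fortinet's code, that wraps the same steps with those checks. It assumes the cached DMG is named FortiClient.dmg, that Install.mpkg sits somewhere inside it, and that the customization files live in a dot-prefixed folder beside it; the mount point is read from hdiutil's plist output instead of being hard-coded as /Volumes/FortiClient.

```shell
#!/bin/bash
# Added example, not esv's or jrauch's script: the Jamf Waiting Room workflow
# with the checks whose absence produced the "package path specified was
# invalid" error earlier in the thread. Assumptions (adapt to your package):
# the cached DMG is FortiClient.dmg, Install.mpkg sits somewhere inside it,
# and the FortiClient Configurator files are in a dot-prefixed folder beside it.
set -eu

WAITING_ROOM="/Library/Application Support/JAMF/Waiting Room"

# Print the directory that holds Install.mpkg under the given root, whatever
# folder layout Composer captured (e.g. private/tmp/FortiClient). Fails if absent.
find_install_dir() {
    pkg=$(find "$1" -maxdepth 6 -name Install.mpkg -print -quit 2>/dev/null)
    [ -n "$pkg" ] || return 1
    dirname "$pkg"
}

# Succeed only if a hidden (dot-prefixed) folder exists next to Install.mpkg.
# Finder drops such folders from a copy unless hidden files are shown, and
# without them the client installs unconfigured.
has_hidden_config() {
    [ -n "$(find "$1" -mindepth 1 -maxdepth 1 -name '.*' -type d)" ]
}

# Detach the mounted volume, retrying a few times because installer can leave
# processes holding the volume open for a moment; force only as a last resort.
detach_volume() {
    cd /
    for _ in 1 2 3 4 5; do
        hdiutil detach "$1" >/dev/null 2>&1 && return 0
        sleep 5
    done
    hdiutil detach -force "$1"
}

deploy() {
    dmg="$WAITING_ROOM/${1:-FortiClient.dmg}"
    [ -f "$dmg" ] || { echo "DMG not cached at $dmg" >&2; return 1; }

    # Read the mount point from hdiutil's plist output rather than assuming
    # the volume name, so a renamed DMG does not silently break the script.
    mount_point=$(hdiutil attach -nobrowse -plist "$dmg" \
        | sed -n 's#.*<string>\(/Volumes/[^<]*\)</string>.*#\1#p' | head -n 1)
    [ -n "$mount_point" ] || { echo "mount failed for $dmg" >&2; return 1; }
    trap 'detach_volume "$mount_point"' EXIT

    install_dir=$(find_install_dir "$mount_point") \
        || { echo "Install.mpkg not found in $mount_point" >&2; return 1; }
    has_hidden_config "$install_dir" \
        || echo "warning: no hidden config folder beside Install.mpkg; client may install unconfigured" >&2

    # Run from the folder holding the mpkg so the installer finds its sibling
    # config files; the subshell keeps the script's own cwd off the volume.
    ( cd "$install_dir" && installer -pkg Install.mpkg -target / )
}

# Only deploy when invoked with --run, so the functions can be sourced and tested
# on a machine without the DMG present.
if [ "${1:-}" = "--run" ]; then
    deploy "${2:-FortiClient.dmg}"
fi
```

Run it from a Jamf policy as a script with `--run` as the first parameter after caching the DMG, or keep the DMG "Install" action and point the script at wherever the payload lands. The EXIT trap guarantees the volume is detached even when installer fails, which is what the hard-coded `sleep 20` in the script above was approximating.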

a_holley
Contributor

@esv I've just manually tested this and it seems to work great. Just had to remove the 10/ from the last line.
I have a question though. What do you think the best way to handle this is in a deployment situation? Can I include the script as a postinstall script in the dmg? Or should I just add it to the policy and run after?