Skip to main content
Solved

"FortiTray" would like to add VPN configurations

  • October 14, 2021
  • 18 replies
  • 354 views
E
Forum|alt.badge.img+5

Hello!
I am building a package to install FortiClient vpn (the free vpn standalone client) for our users.
After several tests, a policy authorizing the security extension is indeed present and allows to avoid blocking it during installation, but a popup asking me to authorize the addition of VPN configuration appears right after the installation.

This popup is generated by the "FortiTray" binary and after several tries and I don't know how to authorize it ahead of time so that the installation is totally invisible.

It says that ""FortiTray" would like to add VPN configurations"

Any idea on how I can authorize this or setup ahead of time ?

Best answer by e672e508-80b8-4

Heya, sorry for the late reply, I finally figured this out.

To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

 

    18 replies

    dsavageED
    Forum|alt.badge.img+8
    • dsavageED
    • New Contributor
    • October 19, 2021

    Are you using the latest v7 client? If you want to pre-populate a vpn connection you will need to create a package with the files in "/Library/Application Support/Fortinet/FortiClient/conf". We have the policy update the inventory of the Mac, which then puts it into scope to get the configuration profile.

    Short answer is you may need to repackage the existing installer, or at the very least create a manual package...

    J
    Forum|alt.badge.img
    • jjenkins_torr1
    • New Contributor
    • November 30, 2021

    Where you able to figure this out? I have tried a bunch of ways, but can't seem to get it to accept the forticlienttray and stop asking.

    F
    Forum|alt.badge.img+1
    • Ferdi
    • New Contributor
    • January 5, 2022

    We are struggling  as well to auto approve FortiTray.
    Is there someone who got this fixed?

    The problem is that FortiClient creates an Network interface called "VPN" with VPN-App: FortiTray

    E
    Forum|alt.badge.img+5
    • e672e508-80b8-4
    • Author
    • New Contributor
    • Answer
    • January 5, 2022

    Heya, sorry for the late reply, I finally figured this out.

    To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

    Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

    Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

     

    JDaher
    P
    R
    P
    Forum|alt.badge.img
    • peterthorn
    • New Contributor
    • February 18, 2022

    Hi @e672e508-80b8-4  This trick seems to work for me as well, using Filewave, so thanks a lot! :D

    Cheers,

    Peter

    Jacek_ADC
    Forum|alt.badge.img+7
    • Jacek_ADC
    • Valued Contributor
    • March 8, 2022

    Heya, sorry for the late reply, I finally figured this out.

    To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

    Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

    Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

     


    @e672e508-80b8-4 could you please share also your settings configured in the shown config profile screenshot for your pppc and system extension setting?

    I am wondering if my System extension is configured as yours and i was not able to solve the PPPC settings.

    It would help me a lot.
    I am already use FortiClient 7.0.3

    F
    Forum|alt.badge.img+1
    • F_Hadi
    • New Contributor
    • April 13, 2022

    @e672e508-80b8-4 As  Int_IT_ADC asked, could you share your  System extension configuration ? I am also unable to find the right settings to bypass Gatekeeper.

    E
    Forum|alt.badge.img+5
    • e672e508-80b8-4
    • Author
    • New Contributor
    • April 14, 2022

    @e672e508-80b8-4 As  Int_IT_ADC asked, could you share your  System extension configuration ? I am also unable to find the right settings to bypass Gatekeeper.


    Hello @F_Hadi (and sorry @Jacek_ADC for the late reply),

    Here is my System extension configuration pane for this Configuration Profile.

     

    F
    Forum|alt.badge.img+1
    • F_Hadi
    • New Contributor
    • April 14, 2022

    Hello @F_Hadi (and sorry @Jacek_ADC for the late reply),

    Here is my System extension configuration pane for this Configuration Profile.

     


    Thank you!
    That is what I have configured too, but FortiTray is still blocked by Gatekeeper 🙄

    daniel_ross
    Forum|alt.badge.img+18
    • daniel_ross
    • Jamf Heroes
    • April 26, 2022

    Heya, sorry for the late reply, I finally figured this out.

    To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

    Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

    Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

     


    Did you set anything for the User Auth or other fields lower in the configuration profile?

    Jacek_ADC
    Forum|alt.badge.img+7
    • Jacek_ADC
    • Valued Contributor
    • May 3, 2022

    Hello @F_Hadi (and sorry @Jacek_ADC for the late reply),

    Here is my System extension configuration pane for this Configuration Profile.

     


    Thank you, can you please share also your pppc config?

    JDaher
    Forum|alt.badge.img+9
    • JDaher
    • Contributor
    • June 16, 2022

    Heya, sorry for the late reply, I finally figured this out.

    To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

    Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

    Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

     


    This worked very well for me. Great work figuring it out, and many many thanks for sharing it. 

    Manny_TBCS
    Forum|alt.badge.img+2
    • Manny_TBCS
    • New Contributor
    • August 1, 2022

    Hello @F_Hadi (and sorry @Jacek_ADC for the late reply),

    Here is my System extension configuration pane for this Configuration Profile.

     


    Do you mind also sharing the PPPC config screen? I feel like I have most things configured as they should be, but I am still getting a pop-up screen for:

    "FortiTray is trying to install a new helper tool.

    Enter your password to allow this."

     

    I can't figure out what the helper tool is so I can add it to the PPPC, or maybe I need to allow a Kernel Extension, I am not sure...

     

    Thanks in advance!

    akamenev47
    Forum|alt.badge.img+10
    • akamenev47
    • Valued Contributor
    • August 12, 2022

    Do you mind also sharing the PPPC config screen? I feel like I have most things configured as they should be, but I am still getting a pop-up screen for:

    "FortiTray is trying to install a new helper tool.

    Enter your password to allow this."

     

    I can't figure out what the helper tool is so I can add it to the PPPC, or maybe I need to allow a Kernel Extension, I am not sure...

     

    Thanks in advance!


    Got the same issue, in total I have 3 pop ups:

    1) FortiTray is trying to install a new helper tool

    2) FortiTray WOuld Like to Add VPN Configurations (dummy VPN profile is not working for this)

    3) Permission is required for full protection > "Full Disk Access" permission for FortiClient processes fcaptmon (sometimes it's fctservctl2, sometimes it's fmon2), I have added all 3 via Configuration Profile > Privacy Preferences Policy Control, yet it still requires to manually accept these... 

    FortiNet is not very helpful and don't really have any documentation for this... if anybody figures it out, please share.

    Ahoy!
    JDaher
    Forum|alt.badge.img+9
    • JDaher
    • Contributor
    • August 12, 2022

    Got the same issue, in total I have 3 pop ups:

    1) FortiTray is trying to install a new helper tool

    2) FortiTray WOuld Like to Add VPN Configurations (dummy VPN profile is not working for this)

    3) Permission is required for full protection > "Full Disk Access" permission for FortiClient processes fcaptmon (sometimes it's fctservctl2, sometimes it's fmon2), I have added all 3 via Configuration Profile > Privacy Preferences Policy Control, yet it still requires to manually accept these... 

    FortiNet is not very helpful and don't really have any documentation for this... if anybody figures it out, please share.


    I posted screenshots here: https://community.jamf.com/t5/jamf-pro/deploying-forticlient-preventing-as-many-popups-as-possible-on/m-p/271108/emcs_t/S2h8ZW1haWx8dG9waWNfc3Vic2NyaXB0aW9ufEw2R0RMNlY2Q0hFUkYwfDI3MTEwOHxTVUJTQ1JJUFRJT05TfGhL#M247414

    You say that you already created the configuration profiles but are still getting the pop-ups. Did you install the profiles before deploying the client? You have to do that, otherwise you'll get the pop-ups. 

    G
    Forum|alt.badge.img+1
    • Gchaisty91
    • New Contributor
    • October 6, 2022

    Got the same issue, in total I have 3 pop ups:

    1) FortiTray is trying to install a new helper tool

    2) FortiTray WOuld Like to Add VPN Configurations (dummy VPN profile is not working for this)

    3) Permission is required for full protection > "Full Disk Access" permission for FortiClient processes fcaptmon (sometimes it's fctservctl2, sometimes it's fmon2), I have added all 3 via Configuration Profile > Privacy Preferences Policy Control, yet it still requires to manually accept these... 

    FortiNet is not very helpful and don't really have any documentation for this... if anybody figures it out, please share.


    Hey Shurkin18, 

    were you able to resolve the issue with these 3 pop ups? gone through everyone's screen shots and I still can't shake these 3 prompts! any help is appreciated

     

    thanks 

    akamenev47
    Forum|alt.badge.img+10
    • akamenev47
    • Valued Contributor
    • October 6, 2022

    Hey Shurkin18, 

    were you able to resolve the issue with these 3 pop ups? gone through everyone's screen shots and I still can't shake these 3 prompts! any help is appreciated

     

    thanks 


    Hi, no, seems like at this point with the newest Apple security "features" - there is nothing can be done here as user has to manually "allow" these privacy prompts... 

    Ahoy!
    G
    Forum|alt.badge.img+1
    • Gchaisty91
    • New Contributor
    • October 7, 2022

    Hi, no, seems like at this point with the newest Apple security "features" - there is nothing can be done here as user has to manually "allow" these privacy prompts... 


    so i managed to solve the add VPN config file pop-up with the below:  

    com.fortinet.forticlient.macos.vpn.nwextension

    identifier "com.fortinet.forticlient.macos.vpn.nwextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK

     

    and then weirdly enough...i have no idea why this works at all... if I add the package to the self-service portal and a user installs it from there none of the extension pop-ups or helper install appear and it installs without issue! 

    hope the above helps a bit 

    E
    T
    Terms & ConditionsCookie settingsAccessibility statement