Jamf Nation Community

e672e508-80b8-4 · ‎10-14-2021

Hello!
I am building a package to install FortiClient vpn (the free vpn standalone client) for our users.
After several tests, a policy authorizing the security extension is indeed present and allows to avoid blocking it during installation, but a popup asking me to authorize the addition of VPN configuration appears right after the installation.

This popup is generated by the "FortiTray" binary and after several tries and I don't know how to authorize it ahead of time so that the installation is totally invisible.

It says that ""FortiTray" would like to add VPN configurations"

Any idea on how I can authorize this or setup ahead of time ?

e672e508-80b8-4 · ‎01-05-2022

Heya, sorry for the late reply, I finally figured this out.

To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

View solution in original post

dsavageED · ‎10-19-2021

Are you using the latest v7 client? If you want to pre-populate a vpn connection you will need to create a package with the files in "/Library/Application Support/Fortinet/FortiClient/conf". We have the policy update the inventory of the Mac, which then puts it into scope to get the configuration profile.

Short answer is you may need to repackage the existing installer, or at the very least create a manual package...

jjenkins_torr1 · ‎11-30-2021

Where you able to figure this out? I have tried a bunch of ways, but can't seem to get it to accept the forticlienttray and stop asking.

Ferdi · ‎01-05-2022

We are struggling as well to auto approve FortiTray.
Is there someone who got this fixed?

The problem is that FortiClient creates an Network interface called "VPN" with VPN-App: FortiTray

e672e508-80b8-4 · ‎01-05-2022

Heya, sorry for the late reply, I finally figured this out.

To avoid the VPN popup configuration, we set a dummy VPN configuration that will be used by Forticlient on runtime :

Nothing else is checked, make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and the name isn't "VPN".

Adding this configuration profile before installing Forticlient will suppress the warning, Forticlient will rename the VPN_CP network to "VPN" and use it.

Jacek_ADC · ‎03-08-2022

@e672e508-80b8-4 could you please share also your settings configured in the shown config profile screenshot for your pppc and system extension setting?

I am wondering if my System extension is configured as yours and i was not able to solve the PPPC settings.

It would help me a lot.
I am already use FortiClient 7.0.3

daniel_ross · ‎04-26-2022

Did you set anything for the User Auth or other fields lower in the configuration profile?

JDaher · ‎06-16-2022

This worked very well for me. Great work figuring it out, and many many thanks for sharing it.

peterthorn · ‎02-18-2022

Hi @e672e508-80b8-4 This trick seems to work for me as well, using Filewave, so thanks a lot! :D

Cheers,

Peter

F_Hadi · ‎04-13-2022

@e672e508-80b8-4 As Int_IT_ADC asked, could you share your System extension configuration ? I am also unable to find the right settings to bypass Gatekeeper.

e672e508-80b8-4 · ‎04-14-2022

Hello @F_Hadi (and sorry @Jacek_ADC for the late reply),

Here is my System extension configuration pane for this Configuration Profile.

F_Hadi · ‎04-14-2022

Thank you!
That is what I have configured too, but FortiTray is still blocked by Gatekeeper 🙄

Jacek_ADC · ‎05-03-2022

Thank you, can you please share also your pppc config?

Manny_TBCS · ‎08-01-2022

Do you mind also sharing the PPPC config screen? I feel like I have most things configured as they should be, but I am still getting a pop-up screen for:

"FortiTray is trying to install a new helper tool.

Enter your password to allow this."

I can't figure out what the helper tool is so I can add it to the PPPC, or maybe I need to allow a Kernel Extension, I am not sure...

Thanks in advance!

akamenev47 · ‎08-12-2022

Got the same issue, in total I have 3 pop ups:

1) FortiTray is trying to install a new helper tool

2) FortiTray WOuld Like to Add VPN Configurations (dummy VPN profile is not working for this)

3) Permission is required for full protection > "Full Disk Access" permission for FortiClient processes fcaptmon (sometimes it's fctservctl2, sometimes it's fmon2), I have added all 3 via Configuration Profile > Privacy Preferences Policy Control, yet it still requires to manually accept these...

FortiNet is not very helpful and don't really have any documentation for this... if anybody figures it out, please share.

Ahoy!

JDaher · ‎08-12-2022

I posted screenshots here: https://community.jamf.com/t5/jamf-pro/deploying-forticlient-preventing-as-many-popups-as-possible-o...

You say that you already created the configuration profiles but are still getting the pop-ups. Did you install the profiles before deploying the client? You have to do that, otherwise you'll get the pop-ups.

Gchaisty91 · ‎10-06-2022

Hey Shurkin18,

were you able to resolve the issue with these 3 pop ups? gone through everyone's screen shots and I still can't shake these 3 prompts! any help is appreciated

thanks

akamenev47 · ‎10-06-2022

Hi, no, seems like at this point with the newest Apple security "features" - there is nothing can be done here as user has to manually "allow" these privacy prompts...

Ahoy!

Gchaisty91 · ‎10-07-2022

so i managed to solve the add VPN config file pop-up with the below:

com.fortinet.forticlient.macos.vpn.nwextension

identifier "com.fortinet.forticlient.macos.vpn.nwextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK

and then weirdly enough...i have no idea why this works at all... if I add the package to the self-service portal and a user installs it from there none of the extension pop-ups or helper install appear and it installs without issue!

hope the above helps a bit