"FortiTray" would like to add VPN configurations

e672e508-80b8-4
New Contributor II

Hello!
I am building a package to install FortiClient VPN (the free VPN standalone client) for our users.
After several tests, a policy authorizing the security extension is indeed present and prevents it from being blocked during installation, but a popup asking me to authorize the addition of a VPN configuration appears right after the installation.

This popup is generated by the "FortiTray" binary, and after several tries I don't know how to authorize it ahead of time so that the installation is totally invisible.

It says that "FortiTray" would like to add VPN configurations.

Any idea how I can authorize this or set it up ahead of time?

1 ACCEPTED SOLUTION

e672e508-80b8-4
New Contributor II

Heya, sorry for the late reply, I finally figured this out.

To avoid the VPN configuration popup, we set a dummy VPN configuration that will be used by FortiClient at runtime:

e672e50880b84_0-1641380012409.png

Nothing else is checked. Make sure that the Identifier and Provider Bundle Identifier are set to "com.fortinet.forticlient.macos.vpn" and that the name isn't "VPN".

Adding this configuration profile before installing FortiClient will suppress the warning. FortiClient will rename the VPN_CP network to "VPN" and use it.

e672e50880b84_2-1641380252868.png
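A pre-deployment check for the dummy VPN profile described in the accepted solution above, as an added example that is not part of the original post or of any Fortinet or MDM tooling. It assumes the MDM's "Identifier" field is exported as the `VPNSubType` key and "Provider Bundle Identifier" as `ProviderBundleIdentifier` inside a `com.apple.vpn.managed` payload; the sample profile, its server address, payload identifiers and UUIDs are constructed placeholders.

```python
import plistlib

# Bundle identifier quoted in the thread for both fields.
FORTI_VPN_ID = "com.fortinet.forticlient.macos.vpn"


def check_vpn_profile(profile_bytes):
    """Return a list of problems; an empty list means the profile follows the thread's advice."""
    profile = plistlib.loads(profile_bytes)
    vpn_payloads = [p for p in profile.get("PayloadContent", [])
                    if p.get("PayloadType") == "com.apple.vpn.managed"]
    if not vpn_payloads:
        return ["no com.apple.vpn.managed payload in profile"]
    problems = []
    for p in vpn_payloads:
        # The thread: the name must not be "VPN"; FortiClient renames it later.
        if p.get("UserDefinedName") == "VPN":
            problems.append('connection name is "VPN"; use another name such as VPN_CP')
        # Assumed mapping: MDM "Identifier" field -> VPNSubType key.
        if p.get("VPNSubType") != FORTI_VPN_ID:
            problems.append("VPNSubType is not " + FORTI_VPN_ID)
        # Assumed mapping: "Provider Bundle Identifier" -> VPN/ProviderBundleIdentifier.
        if p.get("VPN", {}).get("ProviderBundleIdentifier") != FORTI_VPN_ID:
            problems.append("ProviderBundleIdentifier is not " + FORTI_VPN_ID)
    return problems


def build_sample(name, provider=FORTI_VPN_ID):
    """Constructed sample profile (placeholder address, identifiers and UUIDs)."""
    payload = {
        "PayloadType": "com.apple.vpn.managed",
        "PayloadIdentifier": "example.placeholder.vpn",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "UserDefinedName": name,
        "VPNType": "VPN",
        "VPNSubType": FORTI_VPN_ID,
        "VPN": {"RemoteAddress": "vpn.example.invalid",
                "ProviderBundleIdentifier": provider},
    }
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "example.placeholder.profile",
               "PayloadUUID": "00000000-0000-0000-0000-000000000002",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)


if __name__ == "__main__":
    print(check_vpn_profile(build_sample("VPN_CP")))
    print(check_vpn_profile(build_sample("VPN")))
```

To check a real export, pass the bytes of an unsigned `.mobileconfig` file to `check_vpn_profile`.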

 


dsavageED
Contributor III

Are you using the latest v7 client? If you want to pre-populate a VPN connection you will need to create a package with the files in "/Library/Application Support/Fortinet/FortiClient/conf". We have the policy update the inventory of the Mac, which then puts it into scope to get the configuration profile.

Short answer is you may need to repackage the existing installer, or at the very least create a manual package...

jjenkins_torr1
New Contributor

Were you able to figure this out? I have tried a bunch of ways, but can't seem to get it to accept the forticlienttray and stop asking.

Ferdi
New Contributor

We are struggling as well to auto-approve FortiTray.
Is there someone who got this fixed?

The problem is that FortiClient creates a network interface called "VPN" with VPN-App: FortiTray


@e672e508-80b8-4 could you please share also your settings configured in the shown config profile screenshot for your pppc and system extension setting?

I am wondering if my System extension is configured as yours, and I was not able to solve the PPPC settings.

It would help me a lot.
I am already using FortiClient 7.0.3

Did you set anything for the User Auth or other fields lower in the configuration profile?

This worked very well for me. Great work figuring it out, and many many thanks for sharing it. 

peterthorn
New Contributor

Hi @e672e508-80b8-4  This trick seems to work for me as well, using Filewave, so thanks a lot! :D

Cheers,

Peter

F_Hadi
New Contributor

@e672e508-80b8-4 As Int_IT_ADC asked, could you share your System extension configuration? I am also unable to find the right settings to bypass Gatekeeper.

Hello @F_Hadi (and sorry @Int_IT_ADC for the late reply),

Here is my System extension configuration pane for this Configuration Profile.

e672e50880b84_0-1649924115721.png

 

Thank you!
That is what I have configured too, but FortiTray is still blocked by Gatekeeper 🙄

Thank you, can you please also share your PPPC config?

Do you mind also sharing the PPPC config screen? I feel like I have most things configured as they should be, but I am still getting a pop-up screen for:

"FortiTray is trying to install a new helper tool.

Enter your password to allow this."

 

I can't figure out what the helper tool is so I can add it to the PPPC, or maybe I need to allow a Kernel Extension, I am not sure...

 

Thanks in advance!

Got the same issue, in total I have 3 pop ups:

1) FortiTray is trying to install a new helper tool

2) FortiTray Would Like to Add VPN Configurations (dummy VPN profile is not working for this)

3) Permission is required for full protection > "Full Disk Access" permission for FortiClient processes fcaptmon (sometimes it's fctservctl2, sometimes it's fmon2), I have added all 3 via Configuration Profile > Privacy Preferences Policy Control, yet it still requires to manually accept these... 

FortiClient-3-popups.JPG

Fortinet is not very helpful and doesn't really have any documentation for this... if anybody figures it out, please share.

JDaher
New Contributor III

I posted screenshots here: https://community.jamf.com/t5/jamf-pro/deploying-forticlient-preventing-as-many-popups-as-possible-o...

You say that you already created the configuration profiles but are still getting the pop-ups. Did you install the profiles before deploying the client? You have to do that, otherwise you'll get the pop-ups. 

Hey Shurkin18, 

Were you able to resolve the issue with these 3 pop-ups? I've gone through everyone's screenshots and I still can't shake these 3 prompts! Any help is appreciated.

Thanks

Hi, no, it seems like at this point, with the newest Apple security "features", there is nothing that can be done here, as the user has to manually "allow" these privacy prompts...

So I managed to solve the add VPN config file pop-up with the below:

Gchaisty91_0-1665142061990.png

com.fortinet.forticlient.macos.vpn.nwextension

Gchaisty91_1-1665142086715.png

identifier "com.fortinet.forticlient.macos.vpn.nwextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK

 

And then weirdly enough... I have no idea why this works at all... if I add the package to the self-service portal and a user installs it from there, none of the extension pop-ups or helper install appear and it installs without issue!

Hope the above helps a bit.