I'm seeing this popup on some of our users' devices since the upgrade to Monterey, but I'm not entirely sure what it's trying to do, and it seems like I need to know in order to prevent it from popping up by automating what it's trying to do. I think this is from trying to install FortiClient, but I'm not positive.
How can I tell what it's doing so I can make this easier on our users?
Is there an easy way to check what cert password it's trying to install in the keychain? That is primarily what I'm having trouble with. I'm not sure if there are any specific logs I should be looking at, as I've done very little with certs on Mac.
Don't know if you're still trying to figure this out, but here's what I found out:
FortiClient installs two ZTNA certs to the Keychain > login.
One of the certs matches the serial number of the FortiClient EMS, and should be the same for every user. The other cert is specific to each endpoint, and the name of that cert matches the UID2 serial that you see if you open FortiClient > About.
I figured that the first cert could be exported and pushed through a configuration profile, but it doesn't install to the keychain, and when I install the client I still get the prompt to approve changes. Maybe I'm missing a piece here; I've never pushed a cert via config profile.
I'm still working on this, but wanted to post this info in case it serves you. Perhaps we can figure it out together.
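Added example (not part of any post in this thread, and not Fortinet or Jamf tooling): a shell script that prints the serial, expiry and subject of every certificate in the login keychain, so the two ZTNA certs described above can be picked out by name or serial. It assumes the macOS `security` tool and `openssl` are available; the function names and the `KEYCHAIN` variable are made up for this example.

```shell
#!/bin/sh
# Added example: list every certificate in a keychain as
# "serial<TAB>notAfter<TAB>subject" so the two FortiClient ZTNA certificates
# can be identified by name or serial.

# Read a PEM bundle on stdin and print one line per certificate.
list_pem_certs() {
    tmp=$(mktemp -d) || return 1
    # Split the bundle into one file per certificate.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    '
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        serial=$(openssl x509 -in "$f" -noout -serial 2>/dev/null | cut -d= -f2-)
        [ -n "$serial" ] || continue        # skip anything openssl cannot parse
        expires=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2-)
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        printf '%s\t%s\t%s\n' "$serial" "$expires" "$subject"
    done
    rm -rf "$tmp"
}

# Keep only the lines that mention a given string (case-insensitive), e.g. the
# EMS serial number or the UID shown in FortiClient > About.
match_certs() {
    grep -i -F -- "$1"
}

# On a Mac, dump the login keychain; on other systems this section is skipped.
KEYCHAIN="${KEYCHAIN:-$HOME/Library/Keychains/login.keychain-db}"
if command -v security >/dev/null 2>&1 && [ -f "$KEYCHAIN" ]; then
    if [ -n "$1" ]; then
        security find-certificate -a -p "$KEYCHAIN" | list_pem_certs | match_certs "$1"
    else
        security find-certificate -a -p "$KEYCHAIN" | list_pem_certs
    fi
fi
```

Run it as the logged-in user with no argument to list everything, or pass the EMS serial or the UID from FortiClient > About as the first argument to filter the list.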
Following the instructions from the other users, I was able to get rid of this message by adding the certificate I found to my pre-FortiClient-install config profile. Of note, I did notice that a lot of the issues/popups I see on installing FortiClient are different between macOS versions - my prep config profile doesn't work properly on Big Sur vs Monterey, as an example.
Where I am, all devices are on Monterey and Ventura. If FortiClient was not previously installed on the device, I do not encounter pop-up windows. However, if FortiClient is already installed on the device, I encounter the pop-up problem and it asks the user to enter a password.
How can I find the certificate you are talking about? Can you describe it to me? Or if you can share your profile file, I can better understand what I'm doing wrong.
Hi there @hdagidir - I'm interested in the solution you found. I'm using the mobileconfig from Fortinet support, which seems to work best from other put-together profiles I attempted. I am attempting to deploy an update of 707 from existing installs of 648. I'm down to two prompts:
Forticlientagent wants to change the system cert (requires admin pass, our staff are standard)
VPN service asking for login password, which I think is FCT asking permission to access the cached cred in keychain for the existing VPN credential so it can autofill in the app?
I gather from the original threads and great info from @JDaher @dungeonadept and others that I need to locate and include a cert from an existing install (or elsewhere), likely the one designating my EMS serial. I do see one in the system root CA keychain. I do not see a unique one for the individual client/endpoint. Are we saying this needs to be deployed prior to install? I have a bunch of bits and pieces of the resolution here, and am just trying to unify it all for my case. We use Jamf School, so there are often differences in the solutions found by Pro users and the steps to reproduce success are different. Hoping that's not the case here! : )