(Tutorial) FortiClient 6.4.x Deploy with config

mickl089
Contributor III

Hello,

I have seen that the FortiClient is causing difficulties for some users. However, I have just been able to create a relatively simple solution with which the config files can also be made to work by default.

My requirements:

macOS 11.2.3 (Intel) / Jamf Pro / DEPNotify 1.1.6

  1. complete installation on one system
  2. upload the install.mpkg to Jamf Admin
  3. start Jamf Composer and create a pkg with the following path incl. all subfolders (all custom settings are saved here): /Library/Application Support/Fortinet
  4. new policy: select both pkg-files, I first selected the config-pkg and then the Install.mpkg.

That's all. I had success with this. FortiClient is running perfectly with custom settings. No restart needed.

26 REPLIES

andrew_nicholas
Valued Contributor

Repackaging the dmg from EMS to run the install.mpkg with the fct_data does the same. How are you handling the configuration profiles for PPPC/System Extension and possibly WebFilter?

How did you repackage? Just in Composer like this?
Mine doesn't seem to work.

[Screenshot: Screen Shot 2021-12-03 at 11.28.33 am.png]

This is what I created; however, it doesn't want to install.

Does your post install script call the installer? I just drop the non-flat package and other files from their DMG into a directory inside of tmp and just call it with a post install script similar to the below:

installer -pkg /private/tmp/FortiClient/Install.mpkg -target /

B-35405
Contributor

I send a new plist to the computer after the client is installed. 1-2-3 all done. Or is it 1-2....

Levi_
Contributor

I gave this a go before seeing the thread but just wanted to confirm this method does work for deploying with a profile for any of those needing to get this done.

mickl089
Contributor III

@andrew.nicholas Sorry for the late reply: I created the config profile using PPPC Utility. We do not currently use the web filter.

Gabriel1
New Contributor

Is it okay to roll out the same "/Library/Application Support/Fortinet/" folder to all machines though? I actually was testing this myself and Fortinet support said:

"Dear Customer,
The installation to copy folder to another machine is actually not supported officially. This may cause duplicate UID issue triggering duplicate entries on EMS.
Also, the FortiClient license is received once it connects to EMS when retrieving the endpoint profile configs."

Have you had any issues with duplicate entries etc? 

mickl089
Contributor III

Hi Gabriel,

Within our network team I haven't heard anything about having duplicate EMS entries...

aramirez_tch
New Contributor

Hello,

Do you have a step-by-step for your process? I've run into some roadblocks with Composer. I'm not clear on this. Seriously, thank you.

daniel_ross
Contributor III

Ditto here, as @aramirez_tch said. Looks like some of this might not be working the same in newer Jamf instances or V7.X.X of FortiClient. Still going to give all this another go here in 12.2.X

mickl089
Contributor III

The new way we currently go: I package the whole DMG file, which also holds the preferences, as a PKG, put it in private/var/tmp, and then there is a command that starts the installation. In the payload Files and Processes, the following command:

installer -allowUntrusted -pkg /private/var/tmp/FortiClient/Install.mpkg -target /Applications/

This has worked very well so far.

Thank you! You saved me much pain. 

stany
New Contributor

Hi, mickl089

Could you elaborate a bit on how you package this?

I followed your step-by-step instructions to deploy FortiClient; however, the FortiClient deployed without the VPN option.

Where did you create the "private/var/tmp" directory? From a snapshot, or did you simply make some folders?

Any details will be helpful, thank you.

HelpDeskDog
New Contributor II

HelpDeskDog_0-1663606402472.png

Create a new directory wherever you want it to reside using Composer. Take the .dmg installer and convert it into a source and rebuild it as a package.

In mickl089's example, that is 'private/var/tmp/FortiClient'; dump the contents of the .dmg in that directory.

Have your post-install script invoke the install. Just make sure you have it in the same directory.

installer -allowUntrusted -pkg /private/var/tmp/FortiClient/Install.mpkg -target /Applications/

daniel_ross
Contributor III

For users that aren't admins, some are seeing this in our test deployment. Is anyone familiar with this, and is there any way to configure it to not prompt users?

MicrosoftTeams-image (2).png

I agree with the question, I also have this with almost every FortiClient installation.

We will jump on a call with them and hopefully get this working, but they do not have a lot of experience with macOS, so we've been told our best effort on support.

Baravis
New Contributor III

My understanding is that Apple’s OS is designed with user engagement as part of the system security.  Maybe you’ll need a script to temporarily elevate account permissions so that the user can provide an account and password for the installation?  There are a couple of tools already scripted out there; I think Jamf even has a rights elevation script.

 

We have run into this with another process we’re running and that’s the only way around it.

My team and I have been testing the script to demote all of our users to standard as part of our path to FedRAMP and some customer requirements. So I'll see if I can't script this to include elevating the user rights simultaneously and temporarily while installing this. But it is incredibly disappointing to hear about FortiClient and another item in the Con column for this software when it comes to using it with macOS for us. Sadly our team wasn't involved in the PoC on this. We recently got handed this to be done ASAP on 2,000+ macOS devices.

Anything for this?

For which part?

Jesuscries
New Contributor

Get rid of Full Disk Access & allow Forti Tray - all the messages when we do the install through Jamf

Baravis
New Contributor III

Just a quick update and info share for our free implementation of FortiClient 7.0.3.  Thanks to Mickl for providing the bulk of this process! 

  • Deploy FortiClient 7.0.3.mpkg (pulled from DMG) via Composer pkg to custom folder on endpoint
  • Deploy custom vpn.plist via composer to /Library/Application Support/Fortinet/FortiClient/conf/ to endpoint
  • If upgrade, run a site-acceptable variation of the following script

#!/bin/bash

# Stops all running FortiClient processes
killall FortiClientAgent
killall FortiClient

# Initiates silent uninstall of current FortiClient
/Applications/FortiClientUninstaller.app/Contents/Library/LaunchServices/com.fortinet.forticlient.uninstall_helper

# Run FortiClient 7.0.3 installer
installer -verboseR -pkg "/private/tmp/FortiClient_7.0.3_Source_Files/FortiClient 7.0.3.mpkg" -target /

# Copy vpn.plist from tmp to FortiClient config folder
cp /private/tmp/FortiClient_7.0.3_Source_Files/vpn.plist "/Library/Application Support/Fortinet/FortiClient/conf/"

  • If fresh install, create another policy to push FortiClient 7.0.3.mpkg to endpoint, then install vpn.plist, and add a maintenance item to update inventory
  • Create a smart group "FortiClient Installed" with criteria "Application Title Is FortiClient.App"
  • To hide client-side pop-ups (FortiTray popup untested at this time) create a configuration profile with both PPPCs and System Extensions as below, and scope it to "FortiClient Installed": 
    • PPPC1.png
    • PPPC2.png
    • SystemExtension1.png
    • SystemExtension2.png
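
Added example, not part of any post in this thread: the posts above stage the package in a temp directory and then have a script run installer as root, so this sketch checks the staged files' ownership and permissions first and runs installer without -allowUntrusted. The paths mirror those quoted in the thread; the function names, EXPECTED_OWNER and RUN_INSTALL are assumptions made for illustration.

```bash
#!/bin/bash
# Added example (not from the thread): preflight for a postinstall script that
# installs a staged package as root. STAGE_DIR and PKG mirror paths quoted in the
# thread; the function names, EXPECTED_OWNER and RUN_INSTALL are assumptions.
STAGE_DIR="${STAGE_DIR:-/private/var/tmp/FortiClient}"
PKG="${PKG:-$STAGE_DIR/Install.mpkg}"
EXPECTED_OWNER="${EXPECTED_OWNER:-root}"

# Succeeds only if the staging directory is a real directory (not a symlink),
# every entry in it belongs to the expected owner, and no file or directory in
# it is writable by group or other.
staging_is_safe() {
    local dir="$1" owner="${2:-$EXPECTED_OWNER}" bad
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not a real directory: $dir" >&2
        return 1
    fi
    # Symlink mode bits are not meaningful, so only their ownership is checked.
    bad=$(find "$dir" \( ! -user "$owner" -o \
          \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print) || {
        echo "could not inspect $dir" >&2
        return 1
    }
    if [ -n "$bad" ]; then
        printf 'unexpected owner or writable entry:\n%s\n' "$bad" >&2
        return 1
    fi
}

install_staged_pkg() {
    staging_is_safe "$STAGE_DIR" || return 1
    [ -e "$PKG" ] || { echo "package missing: $PKG" >&2; return 1; }
    # -allowUntrusted is left out on purpose, so installer rejects a package
    # signed with an untrusted or expired certificate.
    installer -pkg "$PKG" -target / || return 1
    # Remove the staged payload so it does not linger in a temp directory.
    rm -rf -- "$STAGE_DIR"
}

# In a real postinstall script call install_staged_pkg unconditionally; the guard
# keeps this example free of side effects unless RUN_INSTALL=1 is set.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    install_staged_pkg
    exit $?
fi
```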

Where might a fella find the mpkg? When I get the installer from the internet, it is an online installer.