(Tutorial) FortiClient 6.4.x Deploy with config

Repackaging the dmg from EMS to run the install.mpkg with the fct_data does the same. How are you handling the configuration profiles for PPPC/System Extension and possibly WebFilter?

I send a new plist to the computer after the client is installed. 1-2-3 all done. Or is it 1-2....

I gave this a go before seeing the thread but just wanted to confirm this method does work for deploying with a profile for any of those needing to get this done.

@andrew.nicholas Sorry for the late reply: I created the config profile using PPPC Utility. We do not currently use the web filter.

How did you repackage? Just in Composer like this?
Mine doesn't seem to work.

  This is what I created, however doesn't want to install.

Is it okay to roll out the same "/Library/Application Support/Fortinet/" folder to all machines though? I actually was testing this myself and Fortinet support said;

"Dear Customer,
The installation to copy folder to another machine is actually not supported officially. This may cause duplicate UID issue triggering duplicate entries on EMS.
Also, the FortiClient license is received once it connects to EMS when retrieving the endpoint profile configs."

Have you had any issues with duplicate entries etc? 

Hi Gabriel,

within our network team I haven't heard anything about having duplicate EMS entries....

Does your post install script call the installer? I just drop the non-flat package and other files from their DMG into a directory inside of tmp and just call it with a post install script similar to the below:

Hello,

   Do you have a step by step for your process. Ive run into some roadblocks with composer. I'm not clear on this. Seriously thank you..

Hello,

   Do you have a step by step for your process. Ive run into some roadblocks with composer. I'm not clear on this. Seriously thank you..

Ditto here as @aramirez_tch said looks like some of this might not be working the same in newer Jamf instances or V7.X.X of FortiClient.  Still going to give all this another go here in 12.2.X

the new way we currently go: the whole DMG file, which also holds the preferences, I package as a PKG, put it in private/var/tmp and then there is a command that starts the installation: in the payload files and processes the following command:

installer -allowUntrusted -pkg /private/var/tmp/FortiClient/Install.mpkg -target /Applications/

This has worked very well so far.

For users that aren't admins, some are seeing this is in our test deployment.  Is anyone familiar with this, and any way to configure it to not prompt users?

I agree with the question, I also have this with almost every FortiClient installation.

We will jump on a call with them and hopefully get this working, but they do not have a lot of experience with macOS, so we've been told our best effort on support.

My understanding is that Apple’s OS is designed with user engagement as part of the system security.  Maybe you’ll need a script to temporarily elevate account permissions so that the user can provide an account and password for the installation?  There are a couple of tools already scripted out there; I think Jamf even has a rights elevation script.

We have run into this with another process we’re running and that’s the only way around it.

My team and I have been testing the script to demote all of our users to standard as part of our path to FedRamp and some customer requirements. So I'll see if I can't script this to include elevating the user rights simultaneously and temporarily while installing this. But it is incredibly disappointing to hear about FortiClient and another item in the Con column for this software when it comes to using it with macOS for us. Sadly our team wasn't involved in the PoC on this. We recently got handed this to be done ASAP on 2,000+ macOS devices.

anything for this ?

For which part?

get rid of Full Disk Access & allow Forti Tray - all the messages when we do the install through jamf

Just a quick update and info share for our free implementation of FortiClient 7.0.3.  Thanks to Mickl for providing the bulk of this process! 

• Deploy FortiClient 7.0.3.mpkg (pulled from DMG) via Composer pkg to custom folder on endpoint
• Deploy custom vpn.plist via composer to /Library/Application Support/Fortinet/FortiClient/conf/ to endpoint
• If upgrade, run a site acceptable variation of the following script

• If fresh install, create another policy to push FortiClient 7.0.3.mpkg to endpoint, then install vpn.plist, and add a maintenance item to update inventory
• Create a smart group "FortiClient Installed" with criteria "Application Title Is FortiClient.App"
• To hide client-side pop-ups (FortiTray popup untested at this time) create a configuration profile with both PPPCs and System Extensions as below, and scope it to "FortiClient Installed": 
  • 
  •  
  •  
  • 

     

     

Thank you! You saved me much pain. 

Hi, mickl089

Could you elaborate a bit how you package this?

I followed your steps by steps instruction to deploy FortiClient, however the FortiClient deployed without VPN option.

Where did you create "private/var/tmp" directory? from a snapshot or just simply made some folders?

Any details will be helpful, thank you.

Create a new directory wherever you want it to reside using composer. Take the .dmg installer and convert it into a source and rebuild it as a package. 

In mickl089's example, 'private/var/tmp/FortiClient' and dump the contents of the .dmg in that directory.

Have your post-install script invoke the install. Just make sure you have it in the same directory. 

installer -allowUntrusted -pkg /private/var/tmp/FortiClient/Install.mpkg -target /Applications/