Jamf Nation Community

mickl089 · ‎03-11-2021

Hello,

I have seen that the FortiClient is causing difficulties for some users. However, I have just been able to create a relatively simple solution with which the config files can also be made to work by default.

My requirements:

macOS 11.2.3 (intel) / Jamf Pro / DEPNotify 1.1.6

complete installation on one system
upload the install.mpkg to Jamf Admin
start Jamf Composer and create a pkg with the following path incl. all subfolders (all custom settings are saved here): /Library/Application Support/Fortinet
new policy: select both pkg-files, I first selected the config-pkg and then the Install.mpkg.

That´s all. I had success with this. FortiClient is running perfect with custom settings. No restart needed.

andrew_nicholas · ‎03-11-2021

Repackaging the dmg from EMS to run the install.mpkg with the fct_data does the same. How are you handling the configuration profiles for PPPC/System Extension and possibly WebFilter?

Gabriel1 · ‎12-02-2021

How did you repackage? Just in Composer like this?
Mine doesn't seem to work.

Gabriel1 · ‎12-02-2021

This is what I created, however doesn't want to install.

andrew_nicholas · ‎12-03-2021

Does your post install script call the installer? I just drop the non-flat package and other files from their DMG into a directory inside of tmp and just call it with a post install script similar to the below:

installer -pkg /private/tmp/FortiClient/Install.mpkg -target /

B-35405 · ‎03-11-2021

I send a new plist to the computer after the client is installed. 1-2-3 all done. Or is it 1-2....

Levi_ · ‎04-21-2021

I gave this a go before seeing the thread but just wanted to confirm this method does work for deploying with a profile for any of those needing to get this done.

mickl089 · ‎04-21-2021

@andrew.nicholas Sorry for the late reply: I created the config profile using PPPC Utility. We do not currently use the web filter.

Gabriel1 · ‎12-02-2021

Is it okay to roll out the same "/Library/Application Support/Fortinet/" folder to all machines though? I actually was testing this myself and Fortinet support said;

"Dear Customer,
The installation to copy folder to another machine is actually not supported officially. This may cause duplicate UID issue triggering duplicate entries on EMS.
Also, the FortiClient license is received once it connects to EMS when retrieving the endpoint profile configs."

Have you had any issues with duplicate entries etc?

mickl089 · ‎12-03-2021

Hi Gabriel,

within our network team I haven't heard anything about having duplicate EMS entries....

aramirez_tch · ‎02-11-2022

Hello,

Do you have a step by step for your process. Ive run into some roadblocks with composer. I'm not clear on this. Seriously thank you..

aramirez_tch · ‎02-11-2022

Hello,

Do you have a step by step for your process. Ive run into some roadblocks with composer. I'm not clear on this. Seriously thank you..

daniel_ross · ‎03-07-2022

Ditto here as @aramirez_tch said looks like some of this might not be working the same in newer Jamf instances or V7.X.X of FortiClient. Still going to give all this another go here in 12.2.X

mickl089 · ‎03-08-2022

the new way we currently go: the whole DMG file, which also holds the preferences, I package as a PKG, put it in private/var/tmp and then there is a command that starts the installation: in the payload files and processes the following command:

installer -allowUntrusted -pkg /private/var/tmp/FortiClient/Install.mpkg -target /Applications/

This has worked very well so far.

HelpDeskDog · ‎08-12-2022

Thank you! You saved me much pain.

stany · ‎08-26-2022

Hi, mickl089

Could you elaborate a bit how you package this?

I followed your steps by steps instruction to deploy FortiClient, however the FortiClient deployed without VPN option.

Where did you create "private/var/tmp" directory? from a snapshot or just simply made some folders?

Any details will be helpful, thank you.

HelpDeskDog · ‎09-19-2022

Create a new directory wherever you want it to reside using composer. Take the .dmg installer and convert it into a source and rebuild it as a package.

In mickl089's example, 'private/var/tmp/FortiClient' and dump the contents of the .dmg in that directory.

Have your post-install script invoke the install. Just make sure you have it in the same directory.

installer -allowUntrusted -pkg /private/var/tmp/FortiClient/Install.mpkg -target /Applications/

daniel_ross · ‎03-08-2022

For users that aren't admins, some are seeing this is in our test deployment. Is anyone familiar with this, and any way to configure it to not prompt users?

mickl089 · ‎03-10-2022

I agree with the question, I also have this with almost every FortiClient installation.

daniel_ross · ‎03-16-2022

We will jump on a call with them and hopefully get this working, but they do not have a lot of experience with macOS, so we've been told our best effort on support.

Baravis · ‎03-17-2022

My understanding is that Apple’s OS is designed with user engagement as part of the system security. Maybe you’ll need a script to temporarily elevate account permissions so that the user can provide an account and password for the installation? There are a couple of tools already scripted out there; I think Jamf even has a rights elevation script.

We have run into this with another process we’re running and that’s the only way around it.

daniel_ross · ‎03-21-2022

My team and I have been testing the script to demote all of our users to standard as part of our path to FedRamp and some customer requirements. So I'll see if I can't script this to include elevating the user rights simultaneously and temporarily while installing this. But it is incredibly disappointing to hear about FortiClient and another item in the Con column for this software when it comes to using it with macOS for us. Sadly our team wasn't involved in the PoC on this. We recently got handed this to be done ASAP on 2,000+ macOS devices.

Jesuscries · ‎05-30-2022

anything for this ?

daniel_ross · ‎06-02-2022

For which part?

Jesuscries · ‎06-03-2022

get rid of Full Disk Access & allow Forti Tray - all the messages when we do the install through jamf

Baravis · ‎07-21-2022

Just a quick update and info share for our free implementation of FortiClient 7.0.3. Thanks to Mickl for providing the bulk of this process!

Deploy FortiClient 7.0.3.mpkg (pulled from DMG) via Composer pkg to custom folder on endpoint
Deploy custom vpn.plist via composer to /Library/Application Support/Fortinet/FortiClient/conf/ to endpoint
If upgrade, run a site acceptable variation of the following script

#!/bin/bash

#Stops all running FortiClient processes
killall FortiClientAgent
    killall FortiClient

#Initiates silent uninstall of current Forticlient
/Applications/FortiClientUninstaller.app/Contents/Library/LaunchServices/com.fortinet.forticlient.uninstall_helper

#Run FortiClient 7.0.3 Installer
installer -verboseR -pkg "/private/tmp/FortiClient_7.0.3_Source_Files/FortiClient 7.0.3.mpkg" -target /

#Copy vpn.plist from tmp to FortiClient config folder
cp /private/tmp/FortiClient_7.0.3_Source_Files/vpn.plist "/Library/Application Support/Fortinet/FortiClient/conf/"

If fresh install, create another policy to push FortiClient 7.0.3.mpkg to endpoint, then install vpn.plist, and add a maintenance item to update inventory
Create a smart group "FortiClient Installed" with criteria "Application Title Is FortiClient.App"
To hide client-side pop-ups (FortiTray popup untested at this time) create a configuration profile with both PPPCs and System Extensions as below, and scope it to "FortiClient Installed":

gdavies · ‎12-09-2022

Where might a fella find the mpkg? When I get the installer from the internet, it is an online installer.

Jamf Nation Community

(Tutorial) FortiClient 6.4.x Deploy with config