Fortinet black logo

EMS Administration Guide

Deploying FortiClient software to endpoints

Deploying FortiClient software to endpoints

Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints.

You can deploy FortiClient to endpoints using AD servers and workgroups. There are differences between using AD servers and workgroups.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS is installed on endpoints and endpoints are connected to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient is installed on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.

The image below shows a deployment of FortiClient using FortiClient EMS with an AD server:

  1. Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

The image below shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:

  1. Workgroups cannot be used with FortiClient EMS to initially install FortiClient on endpoints. FortiClient must be installed directly on endpoints. Endpoint users can access Manage Installers in FortiClient EMS to download and install FortiClient on endpoints. See Viewing installers.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

  1. Add endpoint with an AD server or Windows workgroups. See Adding endpoints.

    Endpoints added using an AD service are displayed on the Endpoints > Domains pane, and endpoints added using Windows workgroups are displayed on the Endpoints > Workgroups pane. You can install, upgrade, and uninstall FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct on the profile's Deployment tab in FortiClient EMS. Note workgroups can only be used to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS; workgroups cannot be used for initial installations of FortiClient. When using workgroups, the credentials on the Deployment tab in FortiClient EMS are not taken into account.

  2. Add FortiClient installers to FortiClient EMS, and specify which FortiClient features each installer will install on endpoints. See Adding FortiClient installers.
  3. Create a profile to select the FortiClient installer and include configuration information for FortiClient software on endpoints. See Creating profiles to deploy FortiClient.
  4. Prepare domains and workgroups for deployment. See Preparing the AD server for deployment.
  5. Assign profiles to domains and workgroups to deploy FortiClient on endpoints. See Assigning profiles.

    See Deploying FortiClient on endpoints.

    After the profile is assigned to endpoints, its changes are pushed to endpoints. FortiClient is installed on endpoints, and FortiClient connects Telemetry to FortiClient EMS.

  6. Monitor the installation process using the Endpoints content pane. See Viewing the Endpoints content pane.

Deploying FortiClient software to endpoints

Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints.

You can deploy FortiClient to endpoints using AD servers and workgroups. There are differences between using AD servers and workgroups.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS is installed on endpoints and endpoints are connected to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient is installed on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.

The image below shows a deployment of FortiClient using FortiClient EMS with an AD server:

  1. Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

The image below shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:

  1. Workgroups cannot be used with FortiClient EMS to initially install FortiClient on endpoints. FortiClient must be installed directly on endpoints. Endpoint users can access Manage Installers in FortiClient EMS to download and install FortiClient on endpoints. See Viewing installers.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

  1. Add endpoint with an AD server or Windows workgroups. See Adding endpoints.

    Endpoints added using an AD service are displayed on the Endpoints > Domains pane, and endpoints added using Windows workgroups are displayed on the Endpoints > Workgroups pane. You can install, upgrade, and uninstall FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct on the profile's Deployment tab in FortiClient EMS. Note workgroups can only be used to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS; workgroups cannot be used for initial installations of FortiClient. When using workgroups, the credentials on the Deployment tab in FortiClient EMS are not taken into account.

  2. Add FortiClient installers to FortiClient EMS, and specify which FortiClient features each installer will install on endpoints. See Adding FortiClient installers.
  3. Create a profile to select the FortiClient installer and include configuration information for FortiClient software on endpoints. See Creating profiles to deploy FortiClient.
  4. Prepare domains and workgroups for deployment. See Preparing the AD server for deployment.
  5. Assign profiles to domains and workgroups to deploy FortiClient on endpoints. See Assigning profiles.

    See Deploying FortiClient on endpoints.

    After the profile is assigned to endpoints, its changes are pushed to endpoints. FortiClient is installed on endpoints, and FortiClient connects Telemetry to FortiClient EMS.

  6. Monitor the installation process using the Endpoints content pane. See Viewing the Endpoints content pane.