When you add a FortiClient installer to FortiClient EMS, you can specify which FortiClient features to include in the installer for the endpoint. You can include a feature in the installer, then disable the feature in the profile. Because the feature is included in the installer, you can update the profile later to enable the feature on the endpoint.
For example, suppose you create an installer that has SSL VPN and IPsec VPN enabled. You then assign the installer to a profile where VPN is disabled. The endpoints that the profile is deployed to will have VPN disabled. If you later enable VPN on the profile, the endpoints will then have VPN enabled, since it was included in the installer.
When you create a FortiClient installer in FortiClient EMS, an installer for the Windows operating system and an installer for the macOS operating system are added to FortiClient EMS.
After you add a FortiClient installer to FortiClient EMS, you cannot edit it. You can delete the installer from FortiClient EMS, and edit the installer outside of FortiClient EMS. You can then add the edited installer to FortiClient EMS.
- Go to Profile Components > Manage Installers.
- Click Add.
- On the General tab, set the following options.
  - Enter the FortiClient installer's name.
  - (Optional) Enter any notes about the FortiClient installer.
  - Select the FortiClient version to install.
  - Select the specific FortiClient patch version to install.
  - Keep updated to the latest patch: Select to enable FortiClient to automatically update to the latest patch release when FortiClient is installed on an endpoint. This field is only available for the latest FortiClient version FortiClient EMS can access from FortiGuard. This option is not available if an older FortiClient version is selected.
- Click Next. On the Features tab, set the following options.
  - Security Fabric Agent (Mandatory Feature): Enabled by default and cannot be disabled. Installs FortiClient with Telemetry and Vulnerability Scanning enabled.
  - Secure Access Architecture Components: Install FortiClient with SSL VPN and IPsec VPN enabled. Disable to omit SSL VPN and IPsec VPN support from the FortiClient installer.
  - Advanced Persistent Threat (APT) Components: Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient installer. Includes FortiSandbox detection and quarantine features.
  - Additional Security Features: Select one, two, or all of the following features:
    - Web Filtering
    - Application Firewall
    - Single Sign-On mobility agent

    Disable to exclude the features from the FortiClient installer.
- Click Next. On the Advanced tab, set the following options.
  - Enable automatic registration: Configure FortiClient to automatically connect Telemetry to EMS or FortiGate after FortiClient is installed on the endpoint. Disable to turn off this feature and require endpoint users to manually connect Telemetry to EMS or FortiGate.
  - Enable desktop shortcut: Configure the FortiClient installer to create a desktop shortcut on the endpoint.
  - Enable start menu shortcut: Configure the FortiClient installer to create a Start menu shortcut on the endpoint.
  - Enable Installer ID: Configure an installer ID to assign to endpoints. Under Installer ID, select an existing installer ID or enter a new installer ID. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules. See Group assignment rules. This option is not available when the FortiClient installer selected or uploaded in step 3 is a version prior to 6.0.0.
- Click Next. The Telemetry tab displays the hostname and IP address of EMS, which manages FortiClient once it is installed on the endpoint. Also set the following option.
  - Connect Telemetry to Security Fabric (FortiGate): Enable this option, and select the name of the gateway list to use. The gateway list defines the IP address for the FortiGate. If you have not created a gateway list, this option is not available. See Creating gateway lists.
- Click Save. The FortiClient installer is added to FortiClient EMS and displays on the Manage Installers pane.
If the Sign software packages option is enabled in System Settings > Server, Windows installers display as being from the publisher specified in the certificate file. See