Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

EMS Administration Guide

Adding FortiClient deployment packages

When you create a FortiClient deployment package in FortiClient EMS, you can specify what FortiClient features to include in the deployment package for the endpoint. You can include a feature in the deployment package, then disable the feature in the profile. Because the feature is included in the deployment package, you can update the profile later to enable the feature on the endpoint.

For example, consider that you create a deployment package that has SSL VPN and IPsec VPN enabled. You then assign the deployment package to a profile where VPN is disabled. The endpoints that the profile is deployed to will have VPN disabled. At a later time, if you enable VPN on the profile, the endpoints will then have VPN enabled, since it was included in the deployment package.

After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the deployment package outside of FortiClient EMS. You can then add the edited deployment package to FortiClient EMS.

  1. Go to Manage Installers > Deployment Packages.
  2. Click Add.
  3. On the Version tab, set the following options:

    Installer Type

    Configure the deployment package to use an official FortiClient installer or a custom FortiClient installer. See FortiClient installers.

    Release

    Select the FortiClient release version to install.

    Patch

    Select the specific FortiClient patch version to install.

    Keep updated to the latest patch

    Select to enable FortiClient to automatically update to the latest patch release when FortiClient is installed on an endpoint.

  4. Click Next. On the General tab, set the following options:

    Name

    Enter the FortiClient installer's name.

    Notes

    (Optional) Enter any notes about the FortiClient installer.

  5. Click Next. On the Features tab, set the following options:

    Security Fabric Agent

    Enabled by default and cannot be disabled. Installs FortiClient with Telemetry and Vulnerability Scan enabled.

    Secure Access Architecture Components

    Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

    Advanced Persistent Threat (APT) Components

    Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient installer. Includes FortiSandbox detection and quarantine features.

    Additional Security Features

    Enable any of the following features:

    • AntiVirus
    • Web Filtering
    • Application Firewall
    • Single Sign-On mobility agent
    • Cloud Based Malware Outbreak Detection. This feature is available for FortiClient 6.2.0 and later versions.

    Disable to exclude the features from the FortiClient deployment package.

  6. Click Next. On the Advanced tab, set the following options:

    Enable automatic registration

    Configure FortiClient to automatically connect Telemetry to FortiClient EMS after FortiClient is installed on the endpoint. Disable to turn off this feature and require endpoint users to manually connect Telemetry to FortiClient EMS.

    Enable desktop shortcut

    Configure the FortiClient installer to create a desktop shortcut on the endpoint.

    Enable start menu shortcut

    Configure the FortiClient installer to create a Start menu shortcut on the endpoint.

    Enable Installer ID

    Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules. See Group assignment rules.

    Enable Endpoint Profile

    Select an endpoint profile to include in the installer. EMS applies the profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS, or if users require VPN connection to connect to EMS.

  7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which will manage FortiClient once it is installed on the endpoint. Also configure the following option:

    Enable telemetry connection to Security Fabric (FortiGate)

    Enable this option, and select the name of the gateway list to use. The gateway list defines the IP address for the FortiGate.

    If you have not created a gateway list, this option is not available. See Creating Telemetry gateway lists.

  8. Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Manage Installers > Deployment Packages pane. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration. The following shows an example of a deployment package that includes .exe, .msi, and .dmg files. The end user can download these files to install FortiClient on their machine with the desired configuration.

If the Sign software packages option is enabled in System Settings > Server, Windows deployment packages display as being from the publisher specified in the certificate file. See Configuring Server settings.

Adding FortiClient deployment packages

When you create a FortiClient deployment package in FortiClient EMS, you can specify what FortiClient features to include in the deployment package for the endpoint. You can include a feature in the deployment package, then disable the feature in the profile. Because the feature is included in the deployment package, you can update the profile later to enable the feature on the endpoint.

For example, consider that you create a deployment package that has SSL VPN and IPsec VPN enabled. You then assign the deployment package to a profile where VPN is disabled. The endpoints that the profile is deployed to will have VPN disabled. At a later time, if you enable VPN on the profile, the endpoints will then have VPN enabled, since it was included in the deployment package.

After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the deployment package outside of FortiClient EMS. You can then add the edited deployment package to FortiClient EMS.

  1. Go to Manage Installers > Deployment Packages.
  2. Click Add.
  3. On the Version tab, set the following options:

    Installer Type

    Configure the deployment package to use an official FortiClient installer or a custom FortiClient installer. See FortiClient installers.

    Release

    Select the FortiClient release version to install.

    Patch

    Select the specific FortiClient patch version to install.

    Keep updated to the latest patch

    Select to enable FortiClient to automatically update to the latest patch release when FortiClient is installed on an endpoint.

  4. Click Next. On the General tab, set the following options:

    Name

    Enter the FortiClient installer's name.

    Notes

    (Optional) Enter any notes about the FortiClient installer.

  5. Click Next. On the Features tab, set the following options:

    Security Fabric Agent

    Enabled by default and cannot be disabled. Installs FortiClient with Telemetry and Vulnerability Scan enabled.

    Secure Access Architecture Components

    Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

    Advanced Persistent Threat (APT) Components

    Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient installer. Includes FortiSandbox detection and quarantine features.

    Additional Security Features

    Enable any of the following features:

    • AntiVirus
    • Web Filtering
    • Application Firewall
    • Single Sign-On mobility agent
    • Cloud Based Malware Outbreak Detection. This feature is available for FortiClient 6.2.0 and later versions.

    Disable to exclude the features from the FortiClient deployment package.

  6. Click Next. On the Advanced tab, set the following options:

    Enable automatic registration

    Configure FortiClient to automatically connect Telemetry to FortiClient EMS after FortiClient is installed on the endpoint. Disable to turn off this feature and require endpoint users to manually connect Telemetry to FortiClient EMS.

    Enable desktop shortcut

    Configure the FortiClient installer to create a desktop shortcut on the endpoint.

    Enable start menu shortcut

    Configure the FortiClient installer to create a Start menu shortcut on the endpoint.

    Enable Installer ID

    Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules. See Group assignment rules.

    Enable Endpoint Profile

    Select an endpoint profile to include in the installer. EMS applies the profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS, or if users require VPN connection to connect to EMS.

  7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which will manage FortiClient once it is installed on the endpoint. Also configure the following option:

    Enable telemetry connection to Security Fabric (FortiGate)

    Enable this option, and select the name of the gateway list to use. The gateway list defines the IP address for the FortiGate.

    If you have not created a gateway list, this option is not available. See Creating Telemetry gateway lists.

  8. Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Manage Installers > Deployment Packages pane. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration. The following shows an example of a deployment package that includes .exe, .msi, and .dmg files. The end user can download these files to install FortiClient on their machine with the desired configuration.

If the Sign software packages option is enabled in System Settings > Server, Windows deployment packages display as being from the publisher specified in the certificate file. See Configuring Server settings.