Deploying FortiClient software to endpoints
Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints.
You can deploy FortiClient to endpoints using Active Directory (AD) servers and workgroups. There are differences between using AD servers and workgroups.
When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS is installed on endpoints and endpoints are connected to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.
When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient is installed on endpoints and endpoints are connected to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.
The image below shows a deployment of FortiClient using FortiClient EMS with an AD server:
- Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
- The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.
The image below shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:
- You cannot use workgroups with FortiClient EMS to initially install FortiClient on endpoints. You must install FortiClient directly on endpoints. You can configure deployment packages that endpoint users can download to install FortiClient on endpoints. See Viewing deployment packages.
- The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.
- Add endpoints with an AD server or Windows workgroups. See Adding endpoints.
Endpoints added using an AD service display in Endpoints > Domains, and endpoints added using Windows workgroups display in Endpoints > Workgroups. You can install FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct on the profile's Deployment tab in FortiClient EMS. You can only use workgroups to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS. You cannot use workgroups for initial installations of FortiClient. When using workgroups, the credentials on the Deployment tab in FortiClient EMS are not taken into account.
- Create FortiClient deployment packages in FortiClient EMS, and specify which FortiClient features each deployment package installs on endpoints. See Adding a FortiClient deployment package.
- Create a profile to select the FortiClient deployment package and include configuration information for FortiClient software on endpoints. See Creating a profile to deploy FortiClient.
- Prepare domains and workgroups for deployment. See Preparing the AD server for deployment.
- Create an endpoint policy that is configured with desired profile. Configure the endpoint policy to apply to domains and workgroups to deploy FortiClient on endpoints. See Adding an endpoint policy.
See Deploying FortiClient on endpoints.
After you apply the endpoint policy to endpoint groups, EMS pushes profile changes to endpoints with the next Telemetry communication. FortiClient is installed on endpoints, and FortiClient connects Telemetry to FortiClient EMS.
- Monitor the installation process using the Endpoints pane. See Viewing the Endpoints pane.