Fortinet black logo

Special notices

Special notices

Endpoint security improvement

EMS 6.4.7 adds an improvement to endpoint security that impacts compatibility between FortiClient and EMS, and the recommended upgrade path. The FortiClient 6.4.7 installer is not available on FortiGuard Distribution Servers (FDS). To install the FortiClient 6.4.7 installer, you must download it from Customer Service & Support. See Endpoint security improvement.

If the EMS server certificate is invalid, and FortiClient is upgraded to 6.4.7, by default, FortiClient displays a warning message on the GUI when trying to connect to the EMS. The end user should click allow to complete the connection. FortiClient does not connect to the EMS if the end user selects deny. If the end user selects deny, FortiClient retries connecting to the EMS after a system reboot. The same warning message displays while trying to connect to the EMS. The end user should click allow to complete the connection.

Enabling full disk access on macOS 11 Big Sur and 10.15 Catalina

You can install FortiClient (macOS) 6.4.7 on macOS 11 Big Sur and 10.15 Catalina. With these releases, FortiClient works properly only when you grant permissions to access the full disk in the Security & Privacy pane for the following services:

  • fcaptmon
  • fctservctl
  • fmon
  • fmon2
  • FortiClient
  • FortiClientAgent

The FortiClient (macOS) free VPN-only client does not include the fcaptmon, fmon, and fmon2 services. If you are using the VPN-only client, you only need to grant permissions for fctservctl and FortiClient.

You may have to manually add fmon2 to the list, as it may not be in the list of applications to allow full disk access to. Click the + icon to add an application. Browse to /Library/Application Support/Fortinet/FortiClient/bin/ and select fmon2.

The following lists the services and their folder locations:

  • fmon, Fctservctl, Fcaptmon: /Library/Application\ Support/Fortinet/FortiClient/bin/

  • FortiClient (macOS) application: /Applications/FortiClient.app

  • FortiClient agent (FortiTray): /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiClientAgent.app

Activating system extensions

After you perform an initial install of FortiClient (macOS), the device prompts you to allow some settings and disk access for FortiClient (macOS) processes. You must have administrator credentials for the macOS machine to configure this change.

You must enable the FortiClientNetwork extension for Web Filter and Application Firewall to work properly. The FortiClient (macOS) team ID is AH4XFXJ7DK.

To enable the FortiClientNetwork extension:
  1. Go to System Preferences > Security & Privacy.
  2. Click the Allow button beside System software from application "FortiClientNetwork" was blocked from loading.

  3. Verify the status of the extension by running the systemextensionsctl list command in the macOS terminal. The following provides example of output when the extension is enabled:

Enabling notifications

After initial installation, macOS prompts the user to enable FortiClient (macOS) notifications.

To enable notifications:
  1. Go to System Preferences > Notifications > FortiClientAgent.
  2. Toggle Allow Notifications on.

DHCP over IPsec VPN not supported

FortiClient (macOS) does not support DHCP over IPsec VPN.

macOS Mojave (version 10.14) reboot prompt

When using macOS Mojave (version 10.14), you must reboot the macOS device after installing FortiClient (macOS). FortiClient (macOS) displays the following prompt after installation:

IKEv2 not supported

FortiClient (macOS) does not support IPsec VPN IKEv2.

FortiClientAgent only starts after login

FortiClientAgent can only start after the user logs in to macOS. FortiClient only starts its other services after FortiClientAgent is running.

Special notices

Endpoint security improvement

EMS 6.4.7 adds an improvement to endpoint security that impacts compatibility between FortiClient and EMS, and the recommended upgrade path. The FortiClient 6.4.7 installer is not available on FortiGuard Distribution Servers (FDS). To install the FortiClient 6.4.7 installer, you must download it from Customer Service & Support. See Endpoint security improvement.

If the EMS server certificate is invalid, and FortiClient is upgraded to 6.4.7, by default, FortiClient displays a warning message on the GUI when trying to connect to the EMS. The end user should click allow to complete the connection. FortiClient does not connect to the EMS if the end user selects deny. If the end user selects deny, FortiClient retries connecting to the EMS after a system reboot. The same warning message displays while trying to connect to the EMS. The end user should click allow to complete the connection.

Enabling full disk access on macOS 11 Big Sur and 10.15 Catalina

You can install FortiClient (macOS) 6.4.7 on macOS 11 Big Sur and 10.15 Catalina. With these releases, FortiClient works properly only when you grant permissions to access the full disk in the Security & Privacy pane for the following services:

  • fcaptmon
  • fctservctl
  • fmon
  • fmon2
  • FortiClient
  • FortiClientAgent

The FortiClient (macOS) free VPN-only client does not include the fcaptmon, fmon, and fmon2 services. If you are using the VPN-only client, you only need to grant permissions for fctservctl and FortiClient.

You may have to manually add fmon2 to the list, as it may not be in the list of applications to allow full disk access to. Click the + icon to add an application. Browse to /Library/Application Support/Fortinet/FortiClient/bin/ and select fmon2.

The following lists the services and their folder locations:

  • fmon, Fctservctl, Fcaptmon: /Library/Application\ Support/Fortinet/FortiClient/bin/

  • FortiClient (macOS) application: /Applications/FortiClient.app

  • FortiClient agent (FortiTray): /Applications/FortiClient.app/Contents/Resources/runtime.helper/FortiClientAgent.app

Activating system extensions

After you perform an initial install of FortiClient (macOS), the device prompts you to allow some settings and disk access for FortiClient (macOS) processes. You must have administrator credentials for the macOS machine to configure this change.

You must enable the FortiClientNetwork extension for Web Filter and Application Firewall to work properly. The FortiClient (macOS) team ID is AH4XFXJ7DK.

To enable the FortiClientNetwork extension:
  1. Go to System Preferences > Security & Privacy.
  2. Click the Allow button beside System software from application "FortiClientNetwork" was blocked from loading.

  3. Verify the status of the extension by running the systemextensionsctl list command in the macOS terminal. The following provides example of output when the extension is enabled:

Enabling notifications

After initial installation, macOS prompts the user to enable FortiClient (macOS) notifications.

To enable notifications:
  1. Go to System Preferences > Notifications > FortiClientAgent.
  2. Toggle Allow Notifications on.

DHCP over IPsec VPN not supported

FortiClient (macOS) does not support DHCP over IPsec VPN.

macOS Mojave (version 10.14) reboot prompt

When using macOS Mojave (version 10.14), you must reboot the macOS device after installing FortiClient (macOS). FortiClient (macOS) displays the following prompt after installation:

IKEv2 not supported

FortiClient (macOS) does not support IPsec VPN IKEv2.

FortiClientAgent only starts after login

FortiClientAgent can only start after the user logs in to macOS. FortiClient only starts its other services after FortiClientAgent is running.