Fortinet black logo

EMS Administration Guide

Deploying FortiClient software to endpoints

Deploying FortiClient software to endpoints

Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints.

You can deploy FortiClient to endpoints using Active Directory (AD) servers and workgroups. There are differences between using AD servers and workgroups.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS installs on endpoints and endpoints connect to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient installs on endpoints and endpoints connect to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.

The following shows a deployment of FortiClient using FortiClient EMS with an AD server:

  1. Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

The following shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:

  1. You cannot use workgroups with FortiClient EMS to initially install FortiClient on endpoints. You must install FortiClient directly on endpoints. You can configure deployment packages that endpoint users can download to install FortiClient on endpoints. See Viewing deployment packages.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

To deploy FortiClient software to endpoints:
  1. Add endpoints with an AD server or Windows workgroups. See Adding endpoints.

    Endpoints added using an AD service display in Endpoints > Domains, and endpoints added using Windows workgroups display in Endpoints > Workgroups. You can install FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct for the applied deployment configuration in Deployment in FortiClient EMS. You can only use workgroups to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS. You cannot use workgroups for initial installations of FortiClient. When using workgroups, the deployment configuration credentials in Deployment in FortiClient EMS are not taken into account.

  2. Create a FortiClient deployment package in FortiClient EMS. See Adding a FortiClient deployment package.
  3. Create a profile that includes the desired configuration information for FortiClient software on endpoints. See Creating a profile to configure FortiClient.
  4. Prepare domains and workgroups for deployment. See Preparing the AD server for deployment.
  5. Create a deployment configuration with the desired deployment package. Configure the deployment configuration for the desired workgroup, domain, endpoint group, or organizational group. See Creating a deployment configuration.

    Depending on the selected profile's configuration, FortiClient installs on the endpoints to which the profile is applied.

    After FortiClient installation, the endpoint connects FortiClient Telemetry to FortiClient EMS to receive the profile configuration and complete endpoint management setup.

  6. Monitor the installation process using the Endpoints pane. See Viewing the Endpoints pane.

Deploying FortiClient software to endpoints

Following is an overview of how to add endpoints to FortiClient EMS and configure FortiClient EMS to deploy FortiClient to endpoints.

You can deploy FortiClient to endpoints using Active Directory (AD) servers and workgroups. There are differences between using AD servers and workgroups.

When using an AD server, you can deploy an initial installation of FortiClient (Windows) to endpoints, but you cannot deploy an initial installation of FortiClient (macOS). After FortiClient for Windows or macOS installs on endpoints and endpoints connect to FortiClient EMS, you can deploy upgrades, uninstallations, and replacements of both FortiClient for Windows and macOS using AD servers.

When using workgroups, you cannot deploy an initial installation of FortiClient to endpoints. However, after FortiClient installs on endpoints and endpoints connect to FortiClient EMS, you can use workgroups to uninstall and update FortiClient on endpoints.

The following shows a deployment of FortiClient using FortiClient EMS with an AD server:

  1. Deploy FortiClient from FortiClient EMS using an AD server to the desired endpoints.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

The following shows a deployment of FortiClient (Windows) using FortiClient EMS with Windows workgroups:

  1. You cannot use workgroups with FortiClient EMS to initially install FortiClient on endpoints. You must install FortiClient directly on endpoints. You can configure deployment packages that endpoint users can download to install FortiClient on endpoints. See Viewing deployment packages.
  2. The endpoints now have FortiClient installed and FortiClient Telemetry is connected to FortiClient EMS.

To deploy FortiClient software to endpoints:
  1. Add endpoints with an AD server or Windows workgroups. See Adding endpoints.

    Endpoints added using an AD service display in Endpoints > Domains, and endpoints added using Windows workgroups display in Endpoints > Workgroups. You can install FortiClient on endpoints using an AD server without connecting FortiClient to FortiClient EMS as long as the username and password are correct for the applied deployment configuration in Deployment in FortiClient EMS. You can only use workgroups to upgrade or uninstall FortiClient if it is already installed on the endpoints and connected to FortiClient EMS. You cannot use workgroups for initial installations of FortiClient. When using workgroups, the deployment configuration credentials in Deployment in FortiClient EMS are not taken into account.

  2. Create a FortiClient deployment package in FortiClient EMS. See Adding a FortiClient deployment package.
  3. Create a profile that includes the desired configuration information for FortiClient software on endpoints. See Creating a profile to configure FortiClient.
  4. Prepare domains and workgroups for deployment. See Preparing the AD server for deployment.
  5. Create a deployment configuration with the desired deployment package. Configure the deployment configuration for the desired workgroup, domain, endpoint group, or organizational group. See Creating a deployment configuration.

    Depending on the selected profile's configuration, FortiClient installs on the endpoints to which the profile is applied.

    After FortiClient installation, the endpoint connects FortiClient Telemetry to FortiClient EMS to receive the profile configuration and complete endpoint management setup.

  6. Monitor the installation process using the Endpoints pane. See Viewing the Endpoints pane.