Fortinet black logo

EMS Administration Guide

Adding a FortiClient deployment package

Adding a FortiClient deployment package

After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the deployment package outside of FortiClient EMS. You can then add the edited deployment package to FortiClient EMS.

To add a deployment package:
  1. Go to Deployment & Installers > FortiClient Installer.
  2. Click Add.
  3. On the Version tab, set the following options:

    Installer Type

    Use an official or custom FortiClient installer.

    When using a custom FortiClient installer, you can select from a list of previously uploaded installers, or upload a new custom installer. You can also remove previously created installers.

    To upload a new custom FortiClient installer, enter the desired name, then upload Windows (64-bit and 32-bit) and/or macOS custom installers. You can download FortiClient installers to use with FortiClient EMS from Fortinet Customer Service & Support. This requires a support account with a valid support contract. You can also download installers from FortiClient.com. Download the Windows or macOS installation file. The installation files on the Fortinet Customer Service & Support and FortiClient.com websites are unavailable in .msi or .zip format. You must package the installer as an .msi or .zip file to upload it.

    Release

    Select the FortiClient release version to install.

    Patch

    Select the specific FortiClient patch version to install.

    Keep updated to the latest patch

    Enable EMS to repackage EMS-created FortiClient deployment package to the latest patch release.

  4. Click Next. On the General tab, set the following options:

    Name

    Enter the FortiClient deployment package name.

    Notes

    (Optional) Enter notes about the FortiClient deployment package.

  5. Click Next. On the Features tab, set the following options:
    Note

    Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select.

    Zero Trust Telemetry

    Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.

    Secure Access Architecture Components

    Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

    If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.

    See Remote Access for details on configuring a VPN tunnel.

    Vulnerability Scan

    Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.

    Advanced Persistent Threat (APT) Components

    Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

    Additional Security Features

    Enable any of the following features:

    • Malware
      • AntiVirus, Anti-Exploit, Removable Media Access
      • Anti-Ransomware
      • Cloud Based Malware Outbreak Detection
    • Web Filtering
    • Application Firewall
    • Single Sign-On mobility agent
    • Zero Trust Network Access. Note that for FortiClient (macOS) 7.0.1 and later versions, the zero trust network access feature is always installed, regardless of whether this option is enabled or disabled.

    Disable to exclude features from the FortiClient deployment package.

    If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.

  6. Click Next. On the Advanced tab, set the following options:

    Enable desktop shortcut

    Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

    Enable start menu shortcut

    Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

    Enable Installer ID

    Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules. See Group assignment rules.

    If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

    In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID. See Deploying different installer IDs to endpoints using the same deployment package.

    Enable Endpoint VPN Profile

    Select an endpoint VPN profile to include in the installer. EMS applies the VPN profile to the endpoint once it has installed FortiClient. This option is necessary if users require VPN connection to connect to EMS.

    Enable Endpoint System Profile

    Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.

    Invalid Certificate Action

    Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

    • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
    • Allow: allows FortiClient to connect to EMS with an invalid certificate.
    • Deny: block FortiClient from connecting to EMS with an invalid certificate.
  7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manages FortiClient once it is installed on the endpoint.
  8. Click Finish. EMS adds the FortiClient deployment package to Deployment Installers > FortiClient Installer. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration. The following shows an example of a deployment package that includes .exe, .msi, and .dmg files. The end user can download these files to install FortiClient on their machine with the desired configuration.

If the Sign software packages option is enabled in System Settings > EMS Settings, Windows deployment packages display as being from the publisher specified in the certificate file. See Configuring EMS settings.

Related Videos

sidebar video

Getting Started with EMS 7.0: Part 2

  • 1,779 views
  • 2 years ago

Adding a FortiClient deployment package

After you add a FortiClient deployment package to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the deployment package outside of FortiClient EMS. You can then add the edited deployment package to FortiClient EMS.

To add a deployment package:
  1. Go to Deployment & Installers > FortiClient Installer.
  2. Click Add.
  3. On the Version tab, set the following options:

    Installer Type

    Use an official or custom FortiClient installer.

    When using a custom FortiClient installer, you can select from a list of previously uploaded installers, or upload a new custom installer. You can also remove previously created installers.

    To upload a new custom FortiClient installer, enter the desired name, then upload Windows (64-bit and 32-bit) and/or macOS custom installers. You can download FortiClient installers to use with FortiClient EMS from Fortinet Customer Service & Support. This requires a support account with a valid support contract. You can also download installers from FortiClient.com. Download the Windows or macOS installation file. The installation files on the Fortinet Customer Service & Support and FortiClient.com websites are unavailable in .msi or .zip format. You must package the installer as an .msi or .zip file to upload it.

    Release

    Select the FortiClient release version to install.

    Patch

    Select the specific FortiClient patch version to install.

    Keep updated to the latest patch

    Enable EMS to repackage EMS-created FortiClient deployment package to the latest patch release.

  4. Click Next. On the General tab, set the following options:

    Name

    Enter the FortiClient deployment package name.

    Notes

    (Optional) Enter notes about the FortiClient deployment package.

  5. Click Next. On the Features tab, set the following options:
    Note

    Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select.

    Zero Trust Telemetry

    Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.

    Secure Access Architecture Components

    Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

    If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.

    See Remote Access for details on configuring a VPN tunnel.

    Vulnerability Scan

    Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.

    Advanced Persistent Threat (APT) Components

    Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

    Additional Security Features

    Enable any of the following features:

    • Malware
      • AntiVirus, Anti-Exploit, Removable Media Access
      • Anti-Ransomware
      • Cloud Based Malware Outbreak Detection
    • Web Filtering
    • Application Firewall
    • Single Sign-On mobility agent
    • Zero Trust Network Access. Note that for FortiClient (macOS) 7.0.1 and later versions, the zero trust network access feature is always installed, regardless of whether this option is enabled or disabled.

    Disable to exclude features from the FortiClient deployment package.

    If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.

  6. Click Next. On the Advanced tab, set the following options:

    Enable desktop shortcut

    Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

    Enable start menu shortcut

    Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

    Enable Installer ID

    Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules. See Group assignment rules.

    If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

    In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID. See Deploying different installer IDs to endpoints using the same deployment package.

    Enable Endpoint VPN Profile

    Select an endpoint VPN profile to include in the installer. EMS applies the VPN profile to the endpoint once it has installed FortiClient. This option is necessary if users require VPN connection to connect to EMS.

    Enable Endpoint System Profile

    Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.

    Invalid Certificate Action

    Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

    • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
    • Allow: allows FortiClient to connect to EMS with an invalid certificate.
    • Deny: block FortiClient from connecting to EMS with an invalid certificate.
  7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manages FortiClient once it is installed on the endpoint.
  8. Click Finish. EMS adds the FortiClient deployment package to Deployment Installers > FortiClient Installer. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration. The following shows an example of a deployment package that includes .exe, .msi, and .dmg files. The end user can download these files to install FortiClient on their machine with the desired configuration.

If the Sign software packages option is enabled in System Settings > EMS Settings, Windows deployment packages display as being from the publisher specified in the certificate file. See Configuring EMS settings.