7.2.0

Configuration profiles

When deploying FortiClient (macOS) without Jamf Pro configuration profiles, the endpoint displays the following prompts to the user:

  • To grant Full Disk Access to the following FortiClient processes:
    • FortiClient
    • fmon2
    • fcaptmon
    • fctservctl2
  • To allow FortiTray to load the following system extensions and to grant them network access:
    • com.fortinet.forticlient.macos.webfilter
    • com.fortinet.forticlient.macos.vpn.nwextension
    • com.fortinet.forticlient.macos.proxy
  • To import the zero trust network access (ZTNA) CA and DNS root CA certificates into the System keychain and mark them as trusted

Efficient and silent deployment of FortiClient (macOS) requires a Jamf Pro custom configuration profile that pre-approves everything these prompts ask for, so that the user never sees them.

To configure profiles on Jamf Pro:
  1. Log in to Jamf Pro. Go to Computers > Configuration Profiles.
  2. Download the FortiClient_<version.build>_macosx.Jamf.mobileconfig sample configuration profile file:
    1. Go to Fortinet Services & Support > Firmware Images.
    2. From the Select Product dropdown list, select FortiClientMac.
    3. On the Download tab, go to FortiClientMac > Mac > v7.00 > 7.2. Select the latest FortiClient version.
    4. Download the FortiClient_Configuration_Profile.JAMF.mobileconfig sample configuration profile file.
  3. Prepare the configuration profile with the EMS ZTNA root CA certificate. You can silence the ZTNA certificate prompt in one of two ways: add the certificate content to the configuration profile between <data> and </data> (substeps below), or upload the certificate directly as a trusted certificate in the Jamf configuration profile after changing the extension type (step 7). To embed the certificate in the file, do the following; to upload it directly instead, skip the substeps and proceed to step 4:
    1. On a macOS endpoint where FortiClient is registered to EMS, go to /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs.
    2. Copy the certificate content to an accessible location.
    3. Open the configuration profile file in a text editor, remove <!-- Add your ZTNA root certificate here -->, and paste the certificate content that you copied between <data> and </data>. Paste only the base64 lines between the BEGIN CERTIFICATE and END CERTIFICATE markers, without the markers themselves: a plist <data> element holds base64-encoded DER, which is exactly what the body of a PEM file already is. The following shows the CA certificate payload as shipped in the sample profile, before the placeholder is replaced:

      <dict>
        <key>PayloadCertificateFileName</key>
        <string>EMS_ZTNA_CA.cer</string>
        <key>PayloadContent</key>
        <data>
        <!-- Add your ZTNA root certificate here -->
        </data>
        <key>PayloadDescription</key>
        <string>Adds a CA root certificate</string>
        <key>PayloadDisplayName</key>
        <string>EMS ZTNA CA CERTIFICATE</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
        <key>PayloadType</key>
        <string>com.apple.security.root</string>
        <key>PayloadUUID</key>
        <string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    4. Save the modified mobileconfig profile.
  4. Click Upload, choose File, and upload the mobile configuration file: the file you modified in step 3, or the unmodified sample file from the Fortinet support page if you will upload the certificate in step 7.
  5. After uploading the XML mobile configuration file, you must complete some required fields, such as the team identifier under System Extensions. Jamf Pro does not take these values from the file, so edit them in the GUI under System Extensions. Click Allow users to approve system extensions.
    Note

    The System Extensions settings are not imported from the mobile configuration file into Jamf Pro. Set them manually as follows:

    • Set System Extension Types to Allowed System Extensions
    • Set Team Identifier to AH4XFXJ7DK
    • Add the following system extensions to the Allowed System Extensions list and save:
      • com.fortinet.forticlient.macos.webfilter
      • com.fortinet.forticlient.macos.vpn.nwextension
      • com.fortinet.forticlient.macos.proxy

  6. Go to Content Filter. Configure the required fields: Filter Name, Identifier, Filter Order (inspector), Socket Filter Bundle Identifier, and Socket Filter Designated Requirement.

  7. If you did not add the certificate content to the configuration profile in step 3, directly upload the certificate as a trusted certificate in the Jamf configuration profile after changing the extension types:

    1. In Finder, right-click the certificate file, choose Get Info, and under Name & Extension change the file extension from .pem to .cer. Close the Info window.
    2. Go to Options > Certificate.

    3. Upload the ZTNA root CA certificate.

    4. Enable Allow export from keychain.

    5. Click Save.

    Note

    You can follow either method to silence the certificate prompts during FortiClient deployment. Configuring the certificate with both methods does not affect the FortiClient deployment; only one ZTNA root CA certificate ends up in the keychain.

  8. On the Scope tab, select the target computers where you want to assign this configured profile.
  9. To verify that the endpoint received the profile, go to System Preferences > Profiles (System Settings > Privacy & Security > Profiles on macOS 13 and later). Ensure that all required extensions are allowed.
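The following shell script is an added example for this page and is not part of Fortinet's or Jamf's tooling. It covers the two steps of the procedure above that are easy to get wrong by hand: producing the text that goes between <data> and </data> in step 3 from the PEM file in ztna_certs (running the whole .pem file through base64 double-encodes it and the profile then installs an unparsable certificate), and checking in step 9 that each of the three extensions is actually running as [activated enabled] under team AH4XFXJ7DK rather than still waiting for a user click. The systemextensionsctl output embedded in the script is constructed, not captured from a real endpoint; the CN argument to verify_endpoint is a placeholder for whatever subject name your EMS ZTNA root CA carries.

```shell
#!/bin/sh
# Added example (not Fortinet's or Jamf's own tooling).
#  pem_to_plist_data: PEM file -> text for the <data> element of the
#                     com.apple.security.root payload (step 3).
#  check_extensions:  parse `systemextensionsctl list` and confirm every
#                     FortiClient extension is "[activated enabled]" under
#                     the Fortinet team ID (step 9).

TEAM_ID=AH4XFXJ7DK
EXTENSIONS="com.fortinet.forticlient.macos.webfilter
com.fortinet.forticlient.macos.vpn.nwextension
com.fortinet.forticlient.macos.proxy"

# Usage: pem_to_plist_data /path/to/ztna_root.pem
# A PEM body is already base64(DER), which is what plist <data> expects, so
# the payload is the PEM body with the BEGIN/END lines stripped. Refuses
# bundles: the payload holds exactly one certificate.
pem_to_plist_data() {
    pem="$1"
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one certificate in $pem, found $n" >&2; return 1; }
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$pem" \
        | grep -v -e '-----' | tr -d ' \r'
}

# Usage: systemextensionsctl list | check_extensions
# Returns 0 only if every expected bundle ID appears on a line carrying the
# expected team ID and the "[activated enabled]" state. Anything else
# (missing, other team, "[activated waiting for user]") is reported and fails.
check_extensions() {
    listing=$(cat)
    rc=0
    for ext in $EXTENSIONS; do
        if printf '%s\n' "$listing" | grep -F -e "$ext" | grep -F -e "$TEAM_ID" \
                | grep -Fq -e '[activated enabled]'; then
            echo "ok       $ext"
        else
            echo "MISSING  $ext (not activated/enabled under team $TEAM_ID)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of `systemextensionsctl list` output (not captured from a
# real endpoint; the real command separates columns with tabs). Two extensions
# are healthy, the proxy filter is still waiting for a user to click Allow,
# which is exactly what a profile missing the Allowed System Extensions
# payload looks like.
SAMPLE_LISTING='3 extension(s)
--- com.apple.system_extension.network_extension
enabled  active  teamID      bundleID (version)  name  [state]
*        *       AH4XFXJ7DK  com.fortinet.forticlient.macos.webfilter (7.2.0/7.2.0)  webfilter  [activated enabled]
*        *       AH4XFXJ7DK  com.fortinet.forticlient.macos.vpn.nwextension (7.2.0/7.2.0)  nwextension  [activated enabled]
                 AH4XFXJ7DK  com.fortinet.forticlient.macos.proxy (7.2.0/7.2.0)  proxy  [activated waiting for user]'

# Live check on the enrolled Mac itself (macOS only; not run by this script).
# Example: verify_endpoint "FortiClient EMS ZTNA Root CA"
# The CN is a placeholder: read the real subject from the file in ztna_certs.
verify_endpoint() {
    ca_cn="$1"
    systemextensionsctl list | check_extensions || return 1
    # The profile must land the CA in the System keychain, not a user keychain.
    if security find-certificate -c "$ca_cn" /Library/Keychains/System.keychain >/dev/null 2>&1; then
        echo "ok       CA '$ca_cn' present in System keychain"
    else
        echo "MISSING  CA '$ca_cn' not in System keychain"
        return 1
    fi
}
```

Run check_extensions on the sample to see the failure shape (`printf '%s\n' "$SAMPLE_LISTING" | check_extensions`); on a Mac that has received the profile, `systemextensionsctl list | check_extensions` should print three "ok" lines and exit 0. Paste the output of pem_to_plist_data verbatim into the <data> element; line breaks inside <data> are permitted.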