7.2.0

Creating a configuration profile for FortiClient

To deploy FortiClient silently without any prompts, you must create a Workspace ONE custom configuration profile and push it to endpoints. The profile allows FortiClient's system extensions to load without user approval and grants the permissions that FortiClient needs to work properly. This single custom configuration profile silently grants the following permissions:

  • Full disk access for FortiClient processes:
    • FortiClient
    • fmon2
    • fcaptmon
    • fctservctl2
  • Permission for loading system extensions
  • Network access for the following extensions:
    • VPN
    • Web content filter
    • Proxy

The profile also preinstalls the EMS zero trust network access (ZTNA) root CA certificate and the FortiClient DNS root CA certificate on endpoints.

For a macOS configuration profile, you must create a profile and add each payload manually in the GUI.

To create a profile with imported configuration:
  1. In the Workspace ONE administration portal, go to Resources > Profiles & Baselines > Profiles. Click Add.
  2. Select macOS.
  3. Select Device Profile.
  4. To silence the keychain modification prompt, you must import the ZTNA root CA certificate before registration. You can accomplish this by modifying the CA certificate payload in the mobileconfig file with the CA certificate or by adding the ZTNA CA certificate to the profile in the Workspace ONE GUI. Do one of the following:
    1. To add the CA certificate payload in the mobileconfig file, do the following:
      1. On a macOS endpoint where FortiClient is registered to EMS, go to /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs.
      2. Open the root CA certificate using a text editor. In this example, the certificate file is FCTEMS2408644169_ca.pem.
      3. Copy the certificate content to an accessible location.
      4. Download the FortiClient_Configuration_Profile.WorkspaceOne.mobileconfig sample configuration profile file:
        1. Go to Fortinet Service & Support > Firmware Images.
        2. From the Select Product dropdown list, select FortiClientMac.
        3. On the Download tab, go to FortiClientMac > Mac > v7.00 > 7.2. Select the desired FortiClient version.
        4. Download the FortiClient_Configuration_Profile.WorkspaceOne.mobileconfig sample configuration profile file.
      5. In a text editor, open the FortiClient_Configuration_Profile.WorkspaceOne.mobileconfig sample configuration profile file and add the EMS ZTNA root CA certificate that you copied in step 3 between <data> and </data>. Paste only the base64 body of the PEM file, not the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines: a plist <data> element holds the base64-encoded DER certificate, and the armor lines are not valid base64. The following shows an example of the CA certificate payload:

        <!-- CA Certificate Payload Start -->
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>EMS_ZTNA_CA.cer</string>
            <key>PayloadContent</key>
            <data>
            MIID8DCCAtigAwIBAgIUS1YmanY/PygFSw0rVcmESCQgMJ8wDQYJ
            KoZIhvcNAQELBQAwgY8xGTAXBgNVBAMMEEZDVEVNUzMxMzc5NTEx
            MjAxETAPBgNVBAoMCEZvcnRpbmV0MRMwEQYDVQQIDApDYWxpZm9y
            bmlhMRIwEAYDVQQHDAlTdW5ueXZhbGUxCzAJBgNVBAYTAkNBMSkw
            JwYDVQQLDCAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
            MDAeFw0yMjA5MjYyMDE3NDhaFw00NzA5MjAyMDE3NDhaMIGPMRkw
            FwYDVQQDDBBGQ1RFTVMzMTM3OTUxMTIwMREwDwYDVQQKDAhGb3J0
            aW5ldDETMBEGA1UECAwKQ2FsaWZvcm5pYTESMBAGA1UEBwwJU3Vu
            bnl2YWxlMQswCQYDVQQGEwJDQTEpMCcGA1UECwwgMDAwMDAwMDAw
            MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwggEiMA0GCSqGSIb3DQEB
            AQUAA4IBDwAwggEKAoIBAQDIgBem4Q/ehxdP6UrfsV15FtLYBO0X
            ylL6RCBrLcyeSRGt7yUHDOzxz42e2iBs23dcWqx0Z/dQX60A5CgN
            MAhAB4E3tu+zZb1b8Hak1tn1uJO3FQEZCcvyJp9MM56QJTqwnBSu
            0OtuA+T+Y8HZByIZRuQqgqrcbI5wSI6P5HLPEwfRebWT6x3RXgBj
            76S8qPKx9ouExH1uEX30pyWDJBCHG5p2uA1e87WxwTvoL36VppYB
            V17CBkhDRhInwQeDvZu3B4jmSTmLfZTGUUA2U1v5gQoYW9/wGVma
            YjjRI+XpTTPXYKudoAEAGcXkOuSMJ5ntXlmLL9gUH0A87zYko5Th
            AgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
            AgEGMB0GA1UdDgQWBBT/26ZJseF69XKKFwH7qIQ1wzTU+jANBgkq
            hkiG9w0BAQsFAAOCAQEAh8ZoXWbOVMrBvtvB9KaUBDGCOIp3T6GY
            m1/q1VurGG+VV+d2gLfuAYBsO1ouMfvOxBC5/md4ySNm3CsBUt2o
            g5QWMb+Lc0KvmGfbuG8mVL7lS01OcK2A9XSJZDMBy69Ks1JTVyZv
            PK/7tUL57f18o1XQHK1fAGZKeCrKfDFaPuKi38Pvo19ReOQvMCSI
            mwdXKlX8LqQVuQ4d0p+rHwdvF1/10/Grw0TWFHxrRuODvbhDUgr0
            RYjcqVC0V8FKHM96JqJYnrnxALo0lw5YhNasIbndOOhgVNcjH798
            Hw2fcpXBqYt2ZyJXdYambz3EIH32fmPRTi8w8IiyOBiIYQ+01g==
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>EMS_ZTNA_CA</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <!-- CA Certificate Payload End -->

      6. Save the modified mobileconfig profile.
      7. If there are multiple EMS servers, repeat the process to add an additional CA certificate payload for each EMS. Change the PayloadUUID and PayloadIdentifier values for each payload: every payload needs its own unique pair, and the PayloadIdentifier carries the same UUID as the PayloadUUID.
    2. To add the ZTNA CA certificate to the profile in the Workspace ONE GUI, do the following:
      1. Get a copy of the CA certificate that you obtained in step 4.a.i, and change the certificate file extension from .pem to .cer.
      2. In Credentials template, click ADD.
      3. In Certificate, select CHOOSE FILE.
      4. Select the certificate, then click ATTACH CERTIFICATE. The GUI displays the uploaded certificate's information.
      5. Under Custom Settings, click ADD.
      6. If there are multiple EMS servers, click Add beside Custom Settings to repeat the process to create a credential template for each EMS.
  5. Configure the payloads:
    1. Copy and paste the first payload (System Extensions), shown below, into the text field under Custom Settings:

      <!-- SystemExtension Payload Start -->
      <dict>
          <key>AllowUserOverrides</key>
          <false/>
          <key>AllowedSystemExtensions</key>
          <dict>
              <key>AH4XFXJ7DK</key>
              <array>
                  <string>com.fortinet.forticlient.macos.webfilter</string>
                  <string>com.fortinet.forticlient.macos.vpn.nwextension</string>
                  <string>com.fortinet.forticlient.macos.proxy</string>
              </array>
          </dict>
          <key>PayloadDisplayName</key>
          <string>SystemExtensions</string>
          <key>PayloadDescription</key>
          <string>SystemExtensionsSettings</string>
          <key>PayloadOrganization</key>
          <string>Fortinet</string>
          <key>PayloadType</key>
          <string>com.apple.system-extension-policy</string>
          <key>PayloadUUID</key>
          <string>548a3547-d593-4862-a118-b66accd72fd5</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>PayloadIdentifier</key>
          <string>8c687ec7-e0bf-4d09-9819-824100288616.SystemExtensions</string>
      </dict>
      <!-- SystemExtension Payload End -->

    2. Click ADD to create a new Custom Settings tab. Copy and paste the second payload (Privacy Preferences), shown below, into the text field under Custom Settings 2:

      <!-- Privacy Preferences (Full Disk Access) Payload Start -->
      <dict>
          <key>PayloadDisplayName</key>
          <string>Privacy Preferences</string>
          <key>PayloadOrganization</key>
          <string>Fortinet</string>
          <key>PayloadDescription</key>
          <string>Configures Privacy Preferences Policy Control settings for FortiClient</string>
          <key>PayloadIdentifier</key>
          <string>5EF9C4F3-292A-4D7F-8B0B-30D3C48EAE9C</string>
          <key>PayloadUUID</key>
          <string>5EF9C4F3-292A-4D7F-8B0B-30D3C48EAE9C</string>
          <key>PayloadEnabled</key>
          <true/>
          <key>PayloadType</key>
          <string>com.apple.TCC.configuration-profile-policy</string>
          <key>PayloadVersion</key>
          <integer>1</integer>
          <key>Services</key>
          <dict>
              <key>SystemPolicyAllFiles</key>
              <array>
                  <dict>
                      <key>Identifier</key>
                      <string>com.fortinet.forticlient.macos.antivirus</string>
                      <key>CodeRequirement</key>
                      <string>anchor apple generic and identifier "com.fortinet.forticlient.macos.antivirus" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK)</string>
                      <key>IdentifierType</key>
                      <string>bundleID</string>
                      <key>StaticCode</key>
                      <integer>0</integer>
                      <key>Allowed</key>
                      <integer>1</integer>
                  </dict>
                  <dict>
                      <key>Identifier</key>
                      <string>com.fortinet.FortiClient</string>
                      <key>CodeRequirement</key>
                      <string>identifier "com.fortinet.FortiClient" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK</string>
                      <key>IdentifierType</key>
                      <string>bundleID</string>
                      <key>StaticCode</key>
                      <integer>0</integer>
                      <key>Allowed</key>
                      <integer>1</integer>
                  </dict>
                  <dict>
                      <key>Allowed</key>
                      <true/>
                      <key>CodeRequirement</key>
                      <string>identifier fcaptmon and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK</string>
                      <key>Comment</key>
                      <string></string>
                      <key>Identifier</key>
                      <string>/Library/Application Support/Fortinet/FortiClient/bin/fcaptmon</string>
                      <key>IdentifierType</key>
                      <string>path</string>
                  </dict>
                  <dict>
                      <key>Allowed</key>
                      <true/>
                      <key>CodeRequirement</key>
                      <string>identifier fctservctl2 and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK</string>
                      <key>Comment</key>
                      <string></string>
                      <key>Identifier</key>
                      <string>/Library/Application Support/Fortinet/FortiClient/bin/fctservctl2</string>
                      <key>IdentifierType</key>
                      <string>path</string>
                  </dict>
              </array>
          </dict>
      </dict>
      <!-- Privacy Preferences (Full Disk Access) Payload End -->

    3. Repeat step b to add each of the following payloads in its own Custom Settings tab:
      1. Web content filter
      2. VPN
      3. Proxy
      4. CA certificate
      5. DNS root CA certificate
        Note

        There should be seven Custom Settings in total, one for each of the seven payloads that this document provides (System Extensions, Privacy Preferences, Web Content Filter, VPN, Proxy, CA certificate, and DNS root CA certificate). Do not copy and paste all the payloads under one Custom Settings tab.

        The following provides the remainder of the payloads:

        Note

        Remember to add your CA certificate under the CA certificate payload.

        <!-- Web Content Filter Payload Start -->
        <dict>
            <key>PayloadDisplayName</key>
            <string>Web Content Filter Payload</string>
            <key>PayloadOrganization</key>
            <string>Fortinet</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>283F4BF0-788A-4435-9B62-3E00896358D7</string>
            <key>PayloadUUID</key>
            <string>283F4BF0-788A-4435-9B62-3E00896358D7</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.fortinet.forticlient.macos</string>
            <key>UserDefinedName</key>
            <string>Fortinet Content Filter</string>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.fortinet.forticlient.macos.webfilter</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier "com.fortinet.forticlient.macos.webfilter" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK</string>
            <key>FilterGrade</key>
            <string>inspector</string>
            <key>FilterPackets</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
        </dict>
        <!-- Web Content Filter Payload End -->

        <!-- VPN Payload Start -->
        <dict>
            <key>PayloadDisplayName</key>
            <string>VPN Payload</string>
            <key>PayloadOrganization</key>
            <string>Fortinet</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>F4DF7F27-3D0A-421E-94E7-66D44EB74323</string>
            <key>PayloadUUID</key>
            <string>F4DF7F27-3D0A-421E-94E7-66D44EB74323</string>
            <key>PayloadType</key>
            <string>com.apple.vpn.managed</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>UserDefinedName</key>
            <string>FortiClient VPN Tunnel</string>
            <key>VPNType</key>
            <string>VPN</string>
            <key>VPNSubType</key>
            <string>com.fortinet.forticlient.macos.vpn</string>
            <key>VPN</key>
            <dict>
                <key>AuthenticationMethod</key>
                <string>Password</string>
                <key>IncludeAllNetworks</key>
                <integer>0</integer>
                <key>ProviderBundleIdentifier</key>
                <string>com.fortinet.forticlient.macos.vpn.nwextension</string>
                <key>ProviderDesignatedRequirement</key>
                <string>identifier "com.fortinet.forticlient.macos.vpn.nwextension" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK</string>
                <key>ProviderType</key>
                <string>packet-tunnel</string>
                <key>RemoteAddress</key>
                <string>(LocalVPN)</string>
            </dict>
        </dict>
        <!-- VPN Payload End -->

        <!-- Proxy Payload Start -->
        <dict>
            <key>PayloadDisplayName</key>
            <string>Proxy Payload</string>
            <key>PayloadOrganization</key>
            <string>Fortinet</string>
            <key>PayloadDescription</key>
            <string/>
            <key>PayloadEnabled</key>
            <true/>
            <key>PayloadIdentifier</key>
            <string>783F4BF0-188A-4735-8B62-7E01896358E6</string>
            <key>PayloadUUID</key>
            <string>783F4BF0-188A-4735-8B62-7E01896358E6</string>
            <key>PayloadType</key>
            <string>com.apple.proxy.http.global</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>PluginBundleID</key>
            <string>com.fortinet.forticlient.macos</string>
            <key>UserDefinedName</key>
            <string>Fortinet Proxy</string>
            <key>FilterDataProviderBundleIdentifier</key>
            <string>com.fortinet.forticlient.macos.proxy</string>
            <key>FilterDataProviderDesignatedRequirement</key>
            <string>identifier "com.fortinet.forticlient.macos.proxy" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = AH4XFXJ7DK</string>
            <key>FilterGrade</key>
            <string>inspector</string>
            <key>FilterPackets</key>
            <false/>
            <key>FilterSockets</key>
            <true/>
            <key>FilterType</key>
            <string>Plugin</string>
        </dict>
        <!-- Proxy Payload End -->

        <!-- CA Certificate Payload Start -->
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>EMS_ZTNA_CA.cer</string>
            <key>PayloadContent</key>
            <data>
            <!-- add your ZTNA root CA certificate here -->
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>EMS_ZTNA_CA</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <!-- CA Certificate Payload End -->

        <!-- DNS Root CA Certificate Payload Start -->
        <dict>
            <key>PayloadCertificateFileName</key>
            <string>FortiClient DNS Root.cer</string>
            <key>PayloadContent</key>
            <data>
            MIIEkDCCAvigAwIBAgIRAMoedyMP4hQcoCzRH7n8ozMwDQYJKoZI
            hvcNAQELBQAwYDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRIw
            EAYDVQQHEwlTdW5ueXZhbGUxETAPBgNVBAoTCEZvcnRpbmV0MR0w
            GwYDVQQDExRGb3J0aUNsaWVudCBETlMgUm9vdDAeFw0yMjA0Mjkx
            ODQyNTVaFw0zMjA0MjkxODQyNTVaMGAxCzAJBgNVBAYTAlVTMQsw
            CQYDVQQIEwJDQTESMBAGA1UEBxMJU3Vubnl2YWxlMREwDwYDVQQK
            EwhGb3J0aW5ldDEdMBsGA1UEAxMURm9ydGlDbGllbnQgRE5TIFJv
            b3QwggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDuhDIL
            geV9h22CKDVeSNEALTr1gwCI43e0o1PrBOb+E0YvwCWM5keEGDnA
            XrvMLub4XpWEnlC5O2b8Ql+AUX+P1ZxcgujSqV0gNVcBVsyE7EhE
            lIhjN31lC8swQEUkLX7xgK9WWfFX+UjZkCO/152K6f0RO+8hRMf3
            HOgaxdqCbIjeK1pDrTnpVt14pfI1Bgi5cI0+3oltoiOYmx527Qld
            z6G9hnbuAYFNPBB+pUjaDG47SwKj5BFYhFf/eAsj8L2VKeYx0J9f
            Xi7FH+ohRLp3oXAWyaFhtpCR6LnsAogkkoSGI1eVCd7Zg449gwmy
            Ww/yYPrZLWdPZn4t65Kz4ZzCiLLN1DnKag8kVZnbx9fvvBOqbNnv
            SJkz1CQrvGbi8LqTkqEafwKX0AMaKQ+cVXBMtVCWkQtrLY8aMzSM
            6K8+BG35eSVX+fiqdZ0pvsNpDhnsHV/+xC8UlddiqT0RAR+1CcXL
            ALE4+HVz02oZsOOy2ZbanzIynsj6hiUbt6aRMgsCAwEAAaNFMEMw
            DgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYD
            VR0OBBYEFL+NpCLYF3opOSweBljeI81hD/jSMA0GCSqGSIb3DQEB
            CwUAA4IBgQDjR/S5xE1ke4ZBkhi37K3ZcxO2orscU0+HDCPZAjMo
            WWjvaMqZAEGLYGdRL99pyupHLIMUjCQ9paPB7CjPhTx9IPXCES2P
            v6knxsR3hI5/Fg6ZH7Renb1OhyoqzPbuoRFJb6Ey03S/ftOsJmYG
            34ub2VpuDVngtIGPbozI3D6JCqMQnsUoaWJ0xD6cDQa6iIHScfEJ
            cRjUfK27hC7+Bj0WjnvRrAofBO1UOfwwzhTPFzqDBdzUsP5C4/o+
            RD2f/tp8cPOqssAvsgZknML08kE9bXWEKh/ocKVMcKCkbnFzE/nW
            ObhCGN+mjeypbmHX9KO97PfMWl9I26KZNL4kNCph/6hTYvqyGP+S
            Js/UZiwt4JLMuujjDqnPkpzz/8YLnjc5+NoR7qwAFMRM0oGJtWVu
            0u42COYFqutcj4ULmgmZaLt/fBT6IGZfOtRsylT9wwnoasF2gHV6
            992RhnZaLsc6ouewxwDkM9x0MYXNPcYvlyry3+KM4zVoAWkXPxAo
            tYE=
            </data>
            <key>PayloadDescription</key>
            <string>Adds a CA root certificate</string>
            <key>PayloadDisplayName</key>
            <string>FortiClient DNS Root</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.security.root.8266F0E2-CB10-47F0-AE1D-B2BBF2C77A66</string>
            <key>PayloadType</key>
            <string>com.apple.security.root</string>
            <key>PayloadUUID</key>
            <string>8266F0E2-CB10-47F0-AE1D-B2BBF2C77A66</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
        </dict>
        <!-- DNS Root CA Certificate Payload End -->

  6. Name the profile as desired, then select Custom Settings.
  7. Click NEXT and assign the profile to your user group using the Smart Group dropdown list. When you select a group, the Admin page shows the number of total assigned devices. In this example, there is one device assigned to the profile.
  8. Click SAVE & PUBLISH. Workspace ONE pushes the profile to assigned endpoints shortly. You can find the profile on the endpoint under System Preferences > Profiles (on macOS 13 and later, System Settings > Privacy & Security > Profiles). Workspace ONE is now configured to silently deploy and install FortiClient on macOS endpoints.
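The two hand-edited parts of this procedure are where deployments usually break: the EMS ZTNA root CA pasted into <data> in step 4.a (PEM armor lines are not base64) and the extra CA certificate payloads added for additional EMS servers in step 7 (each needs its own PayloadUUID/PayloadIdentifier pair). The following Python script is an added example, not Fortinet's or Workspace ONE's code: it turns a PEM file into a com.apple.security.root payload with a fresh paired UUID and identifier, builds one such payload per EMS server, lints a list of payloads for duplicate UUIDs, unpaired identifiers, empty certificate data and Full Disk Access entries whose CodeRequirement does not pin the Fortinet team ID AH4XFXJ7DK, and emits either the bare <dict> fragment for a Custom Settings tab or a complete device-scoped mobileconfig. SAMPLE_PEM is a constructed placeholder rather than a real certificate, ems2.example.com is a hypothetical second EMS server, and the com.example PayloadIdentifier of the envelope is a hypothetical value you would replace with your own; only the Python standard library is used.

```python
"""Build and lint FortiClient payloads for a Workspace ONE macOS profile.

Added example (not Fortinet or Workspace ONE code). Assumes the EMS root CA
files under /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs
are PEM text; SAMPLE_PEM below is a constructed stand-in, not a real certificate.
Only the Python standard library is used.
"""
import base64
import plistlib
import re
import uuid

FORTINET_TEAM_ID = "AH4XFXJ7DK"  # team ID pinned by every CodeRequirement on this page

# Constructed placeholder so the example runs offline. Substitute the contents of the
# real FCTEMS<serial>_ca.pem file when building a profile.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBAgIBAw==
-----END CERTIFICATE-----
"""

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """DER bytes of the first certificate in PEM text.

    A plist <data> element carries base64 of raw DER. The BEGIN/END armor lines are not
    base64, so they must be stripped before the body is placed in the payload.
    """
    match = _PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def root_ca_payload(der: bytes, display_name: str, file_name: str) -> dict:
    """One com.apple.security.root payload with a fresh, paired UUID/identifier."""
    payload_uuid = str(uuid.uuid4()).upper()
    return {
        "PayloadType": "com.apple.security.root",
        "PayloadVersion": 1,
        "PayloadUUID": payload_uuid,
        "PayloadIdentifier": "com.apple.security.root." + payload_uuid,  # page convention
        "PayloadDisplayName": display_name,
        "PayloadDescription": "Adds a CA root certificate",
        "PayloadCertificateFileName": file_name,
        "PayloadContent": der,  # plistlib emits bytes as a base64 <data> element
    }


def ca_payloads_for_ems(pem_by_server: dict) -> list:
    """One root-CA payload per EMS server, each with its own UUID (step 7 of the page)."""
    return [root_ca_payload(pem_to_der(pem), f"EMS_ZTNA_CA_{name}", f"{name}_ca.cer")
            for name, pem in pem_by_server.items()]


def lint_payloads(payloads: list) -> list:
    """Problems that copying payloads by hand tends to introduce."""
    problems, seen = [], set()
    for p in payloads:
        u = p.get("PayloadUUID", "")
        if u in seen:
            problems.append(f"duplicate PayloadUUID {u}")
        seen.add(u)
        if p.get("PayloadType") == "com.apple.security.root":
            if p.get("PayloadIdentifier") != "com.apple.security.root." + u:
                problems.append(f"{u}: PayloadIdentifier not paired with PayloadUUID")
            if not p.get("PayloadContent"):
                problems.append(f"{u}: empty PayloadContent (CA certificate missing)")
        if p.get("PayloadType") == "com.apple.TCC.configuration-profile-policy":
            for entry in p.get("Services", {}).get("SystemPolicyAllFiles", []):
                if f"certificate leaf[subject.OU] = {FORTINET_TEAM_ID}" not in entry.get("CodeRequirement", ""):
                    problems.append(f"FDA entry {entry.get('Identifier')}: requirement does not pin team {FORTINET_TEAM_ID}")
    return problems


def payload_fragment(payload: dict) -> str:
    """The bare <dict>...</dict> to paste into one Workspace ONE Custom Settings tab."""
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML).decode()
    return xml[xml.index("<dict>"): xml.rindex("</dict>") + len("</dict>")]


def wrap_profile(payloads: list, display_name: str) -> bytes:
    """Device-scoped .mobileconfig envelope for the 'edit the sample file' path."""
    top_uuid = str(uuid.uuid4()).upper()
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadUUID": top_uuid,
        "PayloadIdentifier": f"com.example.forticlient.{top_uuid}",  # hypothetical identifier
        "PayloadDisplayName": display_name,
        "PayloadContent": payloads,
    }, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    # ems2.example.com is a hypothetical second EMS server.
    payloads = ca_payloads_for_ems({"FCTEMS2408644169": SAMPLE_PEM, "ems2.example.com": SAMPLE_PEM})
    print(lint_payloads(payloads) or "no problems found")
    print(payload_fragment(payloads[0]))
    print(wrap_profile(payloads, "FortiClient EMS root CAs").decode())
```

Run the lint over every payload you paste into Custom Settings, not only the CA payloads: a duplicated PayloadUUID left over from copying the sample CA payload twice is the most common reason a second EMS certificate silently fails to install, and a Full Disk Access entry whose requirement drops the team ID pin would grant the permission to any binary with the same identifier.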
