Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSASE Administration Guide

    Configuring the configuration profile

    Configuring the configuration profile

    When deploying FortiClient (macOS) without Intune configuration profiles, the endpoint displays the following prompts to the user:

    • To grant network access to the following extensions:
      • Web Filter
      • VPN
      • Proxy
    • To grant full disk access to FortiClient processes
    • To grant FortiTray permission to load the following extensions. This occurs if the user has not previously installed FortiClient on the macOS device:

      • com.fortinet.forticlient.macos.webfilter

      • com.fortinet.forticlient.macos.vpn.nwextension

      • com.fortinet.forticlient.macos.proxy

    Silently deploying FortiClient (macOS) so that the user does not view these prompts requires an Intune custom configuration profile that allows all prompts. This single custom configuration profile grants the following:

    • Full disk access for FortiClient processes:
      • FortiClient
      • fmon2
      • fcaptmon
      • fctservctl2
    • Permission for loading system extensions
    • Network access for the following:
      • VPN
      • Web Filter
      • Proxy
    • Permission for adding zero trust network access (ZTNA) root CA certificate to the keychain

    You can silence certificate prompts in one of the following ways:

    • Add certificate content to the configuration profile between <data> and </data> as To grant the permissions: describes
    • Directly upload the certificate as a trusted certificate in the Intune configuration profiles after changing the extension type

    This document provides instructions for the first method. For the second method, see To directly upload the ZTNA certificate as trusted certificate:.

    To grant the permissions:
    1. Download the FortiClient_Configuration_Profile.Intune.mobileconfig sample configuration profile file:
      1. Go to Fortinet Service & Support > Support > Firmware Download.
      2. From the Select Product dropdown list, select FortiClientMac.
      3. On the Download tab, go to Mac > v7.00 > 7.2 > 7.2.9
      4. Download the FortiClient_Configuration_Profile.Intune.mobileconfig sample configuration profile file.
    2. Prepare the configuration profile with the FortiSASE root and ZTNA root CA certificates:

      1. To obtain the FortiSASE root certificate, in FortiSASE, go to Configuration > Security.

      2. Click Configure SSL.

      3. Beside the CA certificate value, click Download.

      4. To obtain the ZTNA root CA certificate, on a macOS endpoint where FortiClient is connected to FortiSASE, go to /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs.

      5. In a text editor, open the FortiSASE root certificate and ZTNA root CA certificate.
      6. Copy the certificates content to an accessible location.
      7. Open the FortiClient_Configuration_Profile.Intune.mobileconfig file in a text editor. The file contains two entries for PayloadCertificateFileName. You will leave the first entry, for FortiClient DNS Root.cer, as-is. You will overwrite the second entry, for EMS_ZTNA.cer, with the following content. Copy and paste the following content in to the profile, overwriting the EMS_ZTNA.cer entry. Replace <!-- Add your FortiSASE root certificate here --> and <!-- Add your FortiSASE ZTNA certificate here --> in the sample with the FortiSASE root certificate content and ZTNA root CA certificate, respectively, that you copied in step f:
        <dict>
	<key>PayloadCertificateFileName</key>
	<string>FortiSASE_Root.cer</string>
	<key>PayloadContent</key>
	<data>
	<!-- Add your FortiSASE root certificate here -->
	</data>
	<key>PayloadDescription</key>
	<string>Adds a CA root certificate</string>
	<key>PayloadDisplayName</key>
	<string>FortiSASE Root Certificate for SSL Decryption</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
	<key>PayloadType</key>
	<string>com.apple.security.root</string>
	<key>PayloadUUID</key>
	<string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
<dict>
	<key>PayloadCertificateFileName</key>
	<string>FortiSASE_ZTNA.cer</string>
	<key>PayloadContent</key>
	<data>
	<!-- Add your FortiSASE ZTNA certificate here -->
	</data>
	<key>PayloadDescription</key>
	<string>Adds a CA root certificate</string>
	<key>PayloadDisplayName</key>
	<string>FortiSASE ZTNA Certificate</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC6</string>
	<key>PayloadType</key>
	<string>com.apple.security.root</string>
	<key>PayloadUUID</key>
	<string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC6</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
    3. Sign in to the Microsoft Endpoint Manager Admin Center.
    4. Go to Devices > macOS > Configuration Profiles > Create Profile > Profile Type > Templates > Custom and click Create.
    5. Enter the profile name and description as desired, then click Next.
    6. Under Configuration settings, from the Deployment channel dropdown list, select Device channel.
    7. In the Configuration profile file field, import the FortiClient_Configuration_Profile.Intune.mobileconfig sample configuration profile file. The text field shows the sample XML configuration in the file. Click Next.

    8. Assign this profile to the macOS device group by selecting Add Groups under Included Groups. Click Next.
    9. Review the summary, then click Create. Intune creates the custom profile to grant access to the Web Filter and VPN extensions.
    Previous
    Next

    Configuring the configuration profile

    Configuring the configuration profile

    When deploying FortiClient (macOS) without Intune configuration profiles, the endpoint displays the following prompts to the user:

    • To grant network access to the following extensions:
      • Web Filter
      • VPN
      • Proxy
    • To grant full disk access to FortiClient processes
    • To grant FortiTray permission to load the following extensions. This occurs if the user has not previously installed FortiClient on the macOS device:

      • com.fortinet.forticlient.macos.webfilter

      • com.fortinet.forticlient.macos.vpn.nwextension

      • com.fortinet.forticlient.macos.proxy

    Silently deploying FortiClient (macOS) so that the user does not view these prompts requires an Intune custom configuration profile that allows all prompts. This single custom configuration profile grants the following:

    • Full disk access for FortiClient processes:
      • FortiClient
      • fmon2
      • fcaptmon
      • fctservctl2
    • Permission for loading system extensions
    • Network access for the following:
      • VPN
      • Web Filter
      • Proxy
    • Permission for adding zero trust network access (ZTNA) root CA certificate to the keychain

    You can silence certificate prompts in one of the following ways:

    • Add certificate content to the configuration profile between <data> and </data> as To grant the permissions: describes
    • Directly upload the certificate as a trusted certificate in the Intune configuration profiles after changing the extension type

    This document provides instructions for the first method. For the second method, see To directly upload the ZTNA certificate as trusted certificate:.

    To grant the permissions:
    1. Download the FortiClient_Configuration_Profile.Intune.mobileconfig sample configuration profile file:
      1. Go to Fortinet Service & Support > Support > Firmware Download.
      2. From the Select Product dropdown list, select FortiClientMac.
      3. On the Download tab, go to Mac > v7.00 > 7.2 > 7.2.9
      4. Download the FortiClient_Configuration_Profile.Intune.mobileconfig sample configuration profile file.
    2. Prepare the configuration profile with the FortiSASE root and ZTNA root CA certificates:

      1. To obtain the FortiSASE root certificate, in FortiSASE, go to Configuration > Security.

      2. Click Configure SSL.

      3. Beside the CA certificate value, click Download.

      4. To obtain the ZTNA root CA certificate, on a macOS endpoint where FortiClient is connected to FortiSASE, go to /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs.

      5. In a text editor, open the FortiSASE root certificate and ZTNA root CA certificate.
      6. Copy the certificates content to an accessible location.
      7. Open the FortiClient_Configuration_Profile.Intune.mobileconfig file in a text editor. The file contains two entries for PayloadCertificateFileName. You will leave the first entry, for FortiClient DNS Root.cer, as-is. You will overwrite the second entry, for EMS_ZTNA.cer, with the following content. Copy and paste the following content in to the profile, overwriting the EMS_ZTNA.cer entry. Replace <!-- Add your FortiSASE root certificate here --> and <!-- Add your FortiSASE ZTNA certificate here --> in the sample with the FortiSASE root certificate content and ZTNA root CA certificate, respectively, that you copied in step f:
        <dict>
	<key>PayloadCertificateFileName</key>
	<string>FortiSASE_Root.cer</string>
	<key>PayloadContent</key>
	<data>
	<!-- Add your FortiSASE root certificate here -->
	</data>
	<key>PayloadDescription</key>
	<string>Adds a CA root certificate</string>
	<key>PayloadDisplayName</key>
	<string>FortiSASE Root Certificate for SSL Decryption</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
	<key>PayloadType</key>
	<string>com.apple.security.root</string>
	<key>PayloadUUID</key>
	<string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
<dict>
	<key>PayloadCertificateFileName</key>
	<string>FortiSASE_ZTNA.cer</string>
	<key>PayloadContent</key>
	<data>
	<!-- Add your FortiSASE ZTNA certificate here -->
	</data>
	<key>PayloadDescription</key>
	<string>Adds a CA root certificate</string>
	<key>PayloadDisplayName</key>
	<string>FortiSASE ZTNA Certificate</string>
	<key>PayloadIdentifier</key>
	<string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC6</string>
	<key>PayloadType</key>
	<string>com.apple.security.root</string>
	<key>PayloadUUID</key>
	<string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC6</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
    3. Sign in to the Microsoft Endpoint Manager Admin Center.
    4. Go to Devices > macOS > Configuration Profiles > Create Profile > Profile Type > Templates > Custom and click Create.
    5. Enter the profile name and description as desired, then click Next.
    6. Under Configuration settings, from the Deployment channel dropdown list, select Device channel.
    7. In the Configuration profile file field, import the FortiClient_Configuration_Profile.Intune.mobileconfig sample configuration profile file. The text field shows the sample XML configuration in the file. Click Next.

    8. Assign this profile to the macOS device group by selecting Add Groups under Included Groups. Click Next.
    9. Review the summary, then click Create. Intune creates the custom profile to grant access to the Web Filter and VPN extensions.
    Previous
    Next