Adding FortiClient installers
When you add a FortiClient installer to FortiClient EMS, you can specify what FortiClient features to include in the installer for the endpoint. You can include a feature in the installer, then disable the feature in the profile. Because the feature is included in the installer, you can update the profile later to enable the feature on the endpoint.
When you add a FortiClient installer to FortiClient EMS, an installer for the Windows operating system and an installer for the macOS operating system are added to FortiClient EMS.
After you add a FortiClient installer to FortiClient EMS, you cannot edit it. You can delete the installer from FortiClient EMS, and edit the installer outside of FortiClient EMS. You can then add the edited installer to FortiClient EMS.
To add FortiClient installers:
- Go to Profile Components > Manage Installers.
- Click Add.
- On the General tab, set the following options:
Type the FortiClient installer's name.
(Optional) Type any notes about the FortiClient installer.
Select the FortiClient version to install. Click Upload to add a custom FortiClient installer.
Select the specific FortiClient patch version to install.
Keep updated to the latest patch
Select to enable FortiClient to automatically update to the latest patch release when FortiClient is installed on an endpoint. This field is only available for the latest FortiClient version FortiClient EMS can access from FortiGuard. This option is not available if an older FortiClient version is selected.
- Click Next. On the Features tab, set the following options:
Security Fabric Agent (Mandatory Feature)
Enabled by default and cannot be disabled. Installs FortiClient with Telemetry and Vulnerability Scanning enabled.
Secure Access Architecture Components
Enable to install FortiClient with SSL VPN and IPsec VPN enabled. Disable to omit SSL VPN and IPsec VPN support from the FortiClient installer.
Advanced Persistent Threat (APT) Components
Enable to install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient installer. Includes FortiSandbox detection and quarantine features.
Additional Security Features
Enable to select one, two, or all of the following features:
- Web Filtering
- Application Firewall
- Single Sign-On mobility agent
Disable to exclude the features from the FortiClient installer.
- Click Next. On the Advanced tab, set the following options:
Enable automatic registration
Enable to configure FortiClient to automatically connect Telemetry to EMS or FortiGate after FortiClient is installed on the endpoint. Disable to turn off this feature and require endpoint users to manually connect Telemetry to EMS or FortiGate.
Enable desktop shortcut
Enable to configure the FortiClient installer to create a desktop shortcut on the endpoint.
Enable start menu shortcut
Enable to configure the FortiClient installer to create a Start menu shortcut on the endpoint.
Enable endpoint tag
Enable to configure an endpoint tag to assign to endpoints. Under Endpoint Tag, select an existing tag or enter a new tag. FortiClient EMS automatically groups tagged endpoints according to group assignment rules. See Group assignment rules.
This option is not available when the FortiClient installer selected or uploaded in step 3 is a version prior to 6.0.0.
- Click Next. On the Telemetry tab, set the following options:
Click EMS to configure the FortiClient installer to connect Telemetry to EMS.
Click FortiGate, and select the name of the gateway list to use. The gateway list defines the IP address for FortiGate and includes the IP address for EMS.
You must define a FortiClient Telemetry gateway list to select FortiGate. If you have not created a list, the No Gateway IPs have been defined dialog box is displayed, and you can click OK to create a list.
- Click Save. The FortiClient installer is added to FortiClient EMS and displays on the Manage Installers pane.
If the Sign software packages option is enabled in System Settings > Server, Windows installers display as being from the publisher specified in the certificate file. See