Configuration

When deploying FortiClient (macOS) without Intune configuration profiles, the endpoint displays the following prompts to the user:

• To grant network access to the following:
  • Web Filter extension
  • VPN extension
  • Proxy extension
• To grant full disk access to FortiClient processes
• To grant FortiTray permission to load the following extensions. This occurs if the user has not previously installed FortiClient on the macOS device:

  • com.fortinet.forticlient.macos.webfilter

  • com.fortinet.forticlient.macos.vpn.nwextension

  • com.fortinet.forticlient.macos.proxy

Silently deploying FortiClient (macOS) so that the user does not view these prompts requires an Intune custom configuration profile that allows all prompts. This single custom configuration profile completes the following tasks:

• Grant full disk access for FortiClient processes:
  • FortiClient
  • fmon2
  • fcaptmon
  • fctservctl2
• Grant permission for loading system extensions
• Grant network access for the following:
  • VPN
  • Web Filter
  • Proxy
• Grant permission for adding EMS zero trust network access (ZTNA) root CA certificate to the keychain

To grant the permissions:

1. Download the FortiClient_<version.build>_macosx.Intune.mobileconfig sample configuration profile file:
   1. Go to Fortinet Service & Support > Firmware Images.
   2. From the Select Product dropdown list, select FortiClientMac.
   3. On the Download tab, go to FortiClientMac > Mac > v7.00 > 7.0 > 7.0.3 or > 7.0.5.
   4. Download the FortiClient_<version.build>_macosx.Intune.mobileconfig sample configuration profile file.
2. Prepare the configuration profile with the EMS ZTNA root CA certificate:
   1. On a macOS endpoint where FortiClient is registered to EMS, go to /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs.

      

   2. In a text editor, open the root CA certificate. In this example, the certificate is FCTEMS2408644169_ca.pem.
   3. Copy the certificate content to an accessible location.
   4. Open the configuration profile file in a text editor. Add the certificate content that you copied between <data> and </data> and save the file. The following is an example for the CA certificate payload. Remove <!-- Add your ZTNA root certificate here --> comment and enter your certificate content in between <data> </data>:

      <dict>
      	<key>PayloadCertificateFileName</key>
      	<string>EMS_ZTNA_CA.cer</string>
      	<key>PayloadContent</key>
      	<data>
      	<!-- Add your ZTNA root certificate here -->
      	</data>
      	<key>PayloadDescription</key>
      	<string>Adds a CA root certificate</string>
      	<key>PayloadDisplayName</key>
      	<string>EMS ZTNA CA CERTIFICATE</string>
      	<key>PayloadIdentifier</key>
      	<string>com.apple.security.root.1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
      	<key>PayloadType</key>
      	<string>com.apple.security.root</string>
      	<key>PayloadUUID</key>
      	<string>1255DA5E-C9F1-4FBF-9967-4000DDF1DFC5</string>
      	<key>PayloadVersion</key>
      	<integer>1</integer>
      </dict> 
      

3. Sign in to the Microsoft Endpoint Manager Admin Center.
4. Go to Devices > macOS > Configuration Profiles > Create Profile > Profile Type > Templates > Custom and click Create.
5. Enter the profile name and description as desired, then click Next.
6. Under Configuration settings, from the Deployment channel dropdown list, select Device channel.
7. In the Configuration profile file field, import the FortiClient_<version.build>_macosx.Intune.mobileconfig sample configuration profile file. The text field shows the sample XML configuration in the file. Click Next.

   

8. Assign this profile to the macOS device group by selecting Add Groups under Included Groups. Click Next.
9. Review the summary, then click Create. Intune creates the custom profile to grant access to the Web Filter and VPN extensions.

To directly upload the ZTNA certificate as trusted certificate:

You can silence the ZTNA certificate prompt in one of the following ways:

• Add certificate content to the configuration profile between <data> and </data> as To grant the permissions: describes.
• Directly upload the certificate as a trusted certificate in the Intune configuration profiles after changing the extension type. The following steps describe this method:

1. On a test macOS endpoint where FortiClient is registered to the EMS, go to /Library/Application Support/Fortinet/FortiClient/data/ca_certs/ztna_certs.
2. Copy the certificate to an accessible location.
3. Right-click the certificate, then go to Get Info > Name & Extension. Change the certificate extension from .pem to .cer and close it.
4. Sign in to the Microsoft Endpoint Manager Admin Center.
5. Go to Devices > macOS > Configuration Profiles > Create Profile > Profile Type > Templates > Trusted Certificate and click Create.
6. Enter the profile name and description as desired, then click Next.
7. Under Certificate file field, import the ZTNA root CA certificate file. Ensure that certificate extension is .cer. Click Next.
8. Assign this profile to the macOS device group by selecting Add Groups under Included Groups. Click Next.
9. Review the summary, then click Create. Intune creates the trusted certificate profile.

You can follow any of the described methods to silence the certificate prompts during FortiClient deployment. Configuring the certificate using both methods does not affect FortiClient deployment, and only one ZTNA root CA certificate is present in the keychain.