Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    EMS QuickStart Guide

    Home FortiClient 7.4.5 EMS QuickStart Guide
    7.4.5
    7.4.5
    7.4.4
    7.4.3
    7.4.1
    7.4.0
    7.2.13
    7.2.12
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.9
    6.4.8
    6.4.7
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.0.8
    6.0.6
    6.0.5
    6.0.4
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Adding a FortiClient installer

    Adding a FortiClient installer

    After you add a FortiClient installer to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the installer outside of FortiClient EMS. You can then add the edited installer to FortiClient EMS.

    You can create an installer or installer config file, or upload a packaged installer to add a FortiClient deployment package.

    If the Sign software packages option is enabled in System Settings > EMS Settings, Windows deployment packages display as being from the publisher specified in the certificate file. See theFortiClient EMS Administration Guide.
    To create an installer or install config file:
    1. Go to Deployment & Installers > FortiClient Installer and click Add.

    2. On the General tab, configure the options depending on the type of FortiClient installer you are using:

      • To use an official FortiClient installer, keep the Create a manual installer option disabled under Advanced Options at the bottom and set the following options:

        Option

        Description

        Online Installer Name

        Enter the desired installer name.

        Add Note

        Click to add a note to the installer. In the Notes field, enter any details about the installer.

        Release

        Select the FortiClient release version to install.

        Patch

        Select the specific FortiClient patch version to install.

        Hotfix

        If a hotfix is available for the selected patch, the Hotfix dropdown list appears. See Adding a FortiClient hotfix installer.

        Auto update to the Latest Patch

        If a hot fix is not available for the selected patch, this field displays Auto update to the Latest Patch. Enable to repackage the installer to the latest patch release.

        If a hotfix is available for the selected patch, you can select several options. See Adding a FortiClient hotfix installer.

        Repackaged Installer Files

        Configure which installer files to include.

      • To manually create a FortiClient installer, enable the Create a manual installer option under Advanced Options at the bottom and set the following options:

        Option

        Description

        Release

        Select from the following options:

        • Upload packaged installer—Manually upload a repackaged installer provided by TAC.
        • Use custom installer—Select from a list of previously uploaded custom installers or upload a new custom installer as follows:
          1. Click Add.
          2. Specify the custom installer name.

          3. Browse to select 64-bit/32-bit Window and/or Linux/macOS custom installers in ZIP or MSI format.

            You can download FortiClient installers (in ZIP format) from Fortinet Customer Service & Support., which requires a support account with a valid support contract. To upload an .msi file, you must package the installer as an .msi file.

          4. For Windows and Linux, you can also select Include ARM and browse to select the ARM installer files.
          5. Click Upload.

        Manual Installer Name

        Enter the desired custom installer name.

    3. Click Next. On the Features tab, set the following options. For features that are not available for all operating systems, the dialog displays the icons for the operating systems that the feature is available:
      Note

      Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select.

      Option

      Description

      Zero Trust Telemetry

      Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.

      Secure Access Architecture Components

      Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

      If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.

      Vulnerability Scan

      Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.

      Advanced Persistent Threat (APT) Components

      Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

      Malware

      Enable any of the following features:

      • AntiVirus, Anti-Exploit, Removable Media Access
      • Anti-Ransomware
      • Cloud Based Malware Outbreak Detection

      Disable to exclude features from the FortiClient installer.

      Web and Video Filtering

      Enable any of the following features:

      • Web Filtering
      • Video Filtering

      Disable to exclude features from the FortiClient installer.

      Application Firewall

      Enable or disable Application Firewall in the FortiClient installer.

      Single Sign-On Mobility Agent

      Enable or disable single sign-on mobility agent in the FortiClient installer.

      Zero Trust Network Access

      Enable or disable zero trust network access (ZTNA) in the FortiClient installer. The ZTNA feature is always installed on a macOS endpoint, regardless of whether this option is enabled or disabled.

      Privileged Access Agent

      Enable or disable privileged access agent in the FortiClient installer.

      If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.

    4. Click Next. On the Advanced tab, set the following options:

      Option

      Description

      Enable desktop shortcut

      Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

      Enable start menu shortcut

      Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

      Include MSI installer files

      Enable to include MSI installer files for FortiClient (Windows).

      Enable Installer ID

      Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules.

      If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

      In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID.

      Enable Endpoint VPN Profile

      Select an endpoint VPN profile to include in the installer. EMS applies the VPN profile to the endpoint once it has installed FortiClient. This option is necessary if users require VPN connection to connect to EMS.

      Enable Endpoint System Profile

      Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.

      Invalid Certificate Action

      Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

      • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
      • Allow: allows FortiClient to connect to EMS with an invalid certificate.
      • Deny: block FortiClient from connecting to EMS with an invalid certificate.
    5. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manage FortiClient once it is installed on the endpoint.
    6. Do one of the following:
      • If you selected Create installer, Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment Installers > FortiClient Installer pane. The deployment package may include .exe (64-bit), .msi, .dmg, .rpm, and .deb files depending on the configuration. The end user can download these files to install FortiClient on their machine with the desired configuration.
      • If you selected Create installer config file, click Download. This downloads a config.json file to your device. You can upload this file to a cloud server to create a custom deployment package.
    To upload packaged installers:
    1. Go to Deployment & Installers > FortiClient Installer.
    2. Click Add.
    3. On the General tab, set the following options:

      Option

      Description

      Online Installer Name

      Enter the desired installer name.

      Add Note

      Click to add a note to the installer. In the Notes field, enter any details about the installer.

      Release

      Select Upload packaged installer.

      Repackaged installer

      Browse to and select the installer file.

    4. Click Next. On the Features tab, set the following options. For features that are not available for all operating systems, the dialog displays the icons for the operating systems that the feature is available:
      Note

      Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select.

      Option

      Description

      Zero Trust Telemetry

      Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.

      Secure Access Architecture Components

      Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

      If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.

      Vulnerability Scan

      Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.

      Advanced Persistent Threat (APT) Components

      Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

      Malware

      Enable any of the following features:

      • AntiVirus, Anti-Exploit, Removable Media Access
      • Anti-Ransomware
      • Cloud Based Malware Outbreak Detection

      Disable to exclude features from the FortiClient installer.

      Web and Video Filtering

      Enable any of the following features:

      • Web Filtering
      • Video Filtering

      Disable to exclude features from the FortiClient installer.

      Application Firewall

      Enable or disable Application Firewall in the FortiClient installer.

      Single Sign-On Mobility Agent

      Enable or disable single sign-on mobility agent in the FortiClient installer.

      Zero Trust Network Access

      Enable or disable zero trust network access (ZTNA) in the FortiClient installer. The ZTNA feature is always installed on a macOS endpoint, regardless of whether this option is enabled or disabled.

      Privileged Access Agent

      Enable or disable privileged access agent in the FortiClient installer.

      If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.

    5. Click Next. On the Advanced tab, set the following options:

      Option

      Description

      Enable desktop shortcut

      Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

      Enable start menu shortcut

      Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

      Installer Files

      Enable to include MSI installer files for FortiClient (Windows).

      Enable Installer ID

      Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules.

      If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

      In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID.

      Enable Endpoint VPN Profile

      Select an endpoint VPN profile to include in the installer. EMS applies the VPN profile to the endpoint once it has installed FortiClient. This option is necessary if users require VPN connection to connect to EMS.

      Enable Endpoint System Profile

      Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.

      Invalid Certificate Action

      Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

      • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
      • Allow: allows FortiClient to connect to EMS with an invalid certificate.
      • Deny: block FortiClient from connecting to EMS with an invalid certificate.

      Invitation

      Select an invitation to include in the deployment package. If you have not created an invitation, you can create one by clicking Create Invitation. See Invitations.

    6. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manage FortiClient once it is installed on the endpoint.
    7. Do one of the following:
      • If you selected Create installer, Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment Installers > FortiClient Installer pane. The deployment package may include .exe (64-bit), .msi, .dmg, .rpm, and .deb files depending on the configuration. The end user can download these files to install FortiClient on their machine with the desired configuration.
      • If you selected Create installer config file, click Download. This downloads a config.json file to your device. You can upload this file to a cloud server to create a custom deployment package.
    Previous
    Next

    Adding a FortiClient installer

    Adding a FortiClient installer

    After you add a FortiClient installer to FortiClient EMS, you cannot edit it. You can delete the deployment package from FortiClient EMS, and edit the installer outside of FortiClient EMS. You can then add the edited installer to FortiClient EMS.

    You can create an installer or installer config file, or upload a packaged installer to add a FortiClient deployment package.

    If the Sign software packages option is enabled in System Settings > EMS Settings, Windows deployment packages display as being from the publisher specified in the certificate file. See theFortiClient EMS Administration Guide.
    To create an installer or install config file:
    1. Go to Deployment & Installers > FortiClient Installer and click Add.

    2. On the General tab, configure the options depending on the type of FortiClient installer you are using:

      • To use an official FortiClient installer, keep the Create a manual installer option disabled under Advanced Options at the bottom and set the following options:

        Option

        Description

        Online Installer Name

        Enter the desired installer name.

        Add Note

        Click to add a note to the installer. In the Notes field, enter any details about the installer.

        Release

        Select the FortiClient release version to install.

        Patch

        Select the specific FortiClient patch version to install.

        Hotfix

        If a hotfix is available for the selected patch, the Hotfix dropdown list appears. See Adding a FortiClient hotfix installer.

        Auto update to the Latest Patch

        If a hot fix is not available for the selected patch, this field displays Auto update to the Latest Patch. Enable to repackage the installer to the latest patch release.

        If a hotfix is available for the selected patch, you can select several options. See Adding a FortiClient hotfix installer.

        Repackaged Installer Files

        Configure which installer files to include.

      • To manually create a FortiClient installer, enable the Create a manual installer option under Advanced Options at the bottom and set the following options:

        Option

        Description

        Release

        Select from the following options:

        • Upload packaged installer—Manually upload a repackaged installer provided by TAC.
        • Use custom installer—Select from a list of previously uploaded custom installers or upload a new custom installer as follows:
          1. Click Add.
          2. Specify the custom installer name.

          3. Browse to select 64-bit/32-bit Window and/or Linux/macOS custom installers in ZIP or MSI format.

            You can download FortiClient installers (in ZIP format) from Fortinet Customer Service & Support., which requires a support account with a valid support contract. To upload an .msi file, you must package the installer as an .msi file.

          4. For Windows and Linux, you can also select Include ARM and browse to select the ARM installer files.
          5. Click Upload.

        Manual Installer Name

        Enter the desired custom installer name.

    3. Click Next. On the Features tab, set the following options. For features that are not available for all operating systems, the dialog displays the icons for the operating systems that the feature is available:
      Note

      Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select.

      Option

      Description

      Zero Trust Telemetry

      Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.

      Secure Access Architecture Components

      Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

      If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.

      Vulnerability Scan

      Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.

      Advanced Persistent Threat (APT) Components

      Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

      Malware

      Enable any of the following features:

      • AntiVirus, Anti-Exploit, Removable Media Access
      • Anti-Ransomware
      • Cloud Based Malware Outbreak Detection

      Disable to exclude features from the FortiClient installer.

      Web and Video Filtering

      Enable any of the following features:

      • Web Filtering
      • Video Filtering

      Disable to exclude features from the FortiClient installer.

      Application Firewall

      Enable or disable Application Firewall in the FortiClient installer.

      Single Sign-On Mobility Agent

      Enable or disable single sign-on mobility agent in the FortiClient installer.

      Zero Trust Network Access

      Enable or disable zero trust network access (ZTNA) in the FortiClient installer. The ZTNA feature is always installed on a macOS endpoint, regardless of whether this option is enabled or disabled.

      Privileged Access Agent

      Enable or disable privileged access agent in the FortiClient installer.

      If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.

    4. Click Next. On the Advanced tab, set the following options:

      Option

      Description

      Enable desktop shortcut

      Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

      Enable start menu shortcut

      Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

      Include MSI installer files

      Enable to include MSI installer files for FortiClient (Windows).

      Enable Installer ID

      Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules.

      If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

      In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID.

      Enable Endpoint VPN Profile

      Select an endpoint VPN profile to include in the installer. EMS applies the VPN profile to the endpoint once it has installed FortiClient. This option is necessary if users require VPN connection to connect to EMS.

      Enable Endpoint System Profile

      Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.

      Invalid Certificate Action

      Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

      • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
      • Allow: allows FortiClient to connect to EMS with an invalid certificate.
      • Deny: block FortiClient from connecting to EMS with an invalid certificate.
    5. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manage FortiClient once it is installed on the endpoint.
    6. Do one of the following:
      • If you selected Create installer, Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment Installers > FortiClient Installer pane. The deployment package may include .exe (64-bit), .msi, .dmg, .rpm, and .deb files depending on the configuration. The end user can download these files to install FortiClient on their machine with the desired configuration.
      • If you selected Create installer config file, click Download. This downloads a config.json file to your device. You can upload this file to a cloud server to create a custom deployment package.
    To upload packaged installers:
    1. Go to Deployment & Installers > FortiClient Installer.
    2. Click Add.
    3. On the General tab, set the following options:

      Option

      Description

      Online Installer Name

      Enter the desired installer name.

      Add Note

      Click to add a note to the installer. In the Notes field, enter any details about the installer.

      Release

      Select Upload packaged installer.

      Repackaged installer

      Browse to and select the installer file.

    4. Click Next. On the Features tab, set the following options. For features that are not available for all operating systems, the dialog displays the icons for the operating systems that the feature is available:
      Note

      Available options may differ depending on the features you have enabled or disabled in Feature Select. See Feature Select.

      Option

      Description

      Zero Trust Telemetry

      Enabled by default and cannot be disabled. Installs FortiClient with Telemetry enabled.

      Secure Access Architecture Components

      Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

      If you enable this feature for a deployment package and include a preconfigured VPN tunnel in the included endpoint profile, users who use this deployment package to install FortiClient can connect to this preconfigured VPN tunnel for three days after their initial FortiClient installation. This is useful for remote users, as it allows them to connect to the corporate network to activate their FortiClient license. If the user does not activate their FortiClient license within the three days, all FortiClient features, including VPN, stop working on their device.

      Vulnerability Scan

      Enabled by default and cannot be disabled. Installs FortiClient with Vulnerability Scan enabled.

      Advanced Persistent Threat (APT) Components

      Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

      Malware

      Enable any of the following features:

      • AntiVirus, Anti-Exploit, Removable Media Access
      • Anti-Ransomware
      • Cloud Based Malware Outbreak Detection

      Disable to exclude features from the FortiClient installer.

      Web and Video Filtering

      Enable any of the following features:

      • Web Filtering
      • Video Filtering

      Disable to exclude features from the FortiClient installer.

      Application Firewall

      Enable or disable Application Firewall in the FortiClient installer.

      Single Sign-On Mobility Agent

      Enable or disable single sign-on mobility agent in the FortiClient installer.

      Zero Trust Network Access

      Enable or disable zero trust network access (ZTNA) in the FortiClient installer. The ZTNA feature is always installed on a macOS endpoint, regardless of whether this option is enabled or disabled.

      Privileged Access Agent

      Enable or disable privileged access agent in the FortiClient installer.

      If you enable a feature in the deployment package that is disabled in Feature Select, the feature is installed on the endpoint, but is disabled and does not appear in the FortiClient GUI. For example, when Web Filter is disabled in Feature Select, if you enable Web Filtering in a deployment package, the deployment package installs Web Filter on the endpoint. However, the Web Filter feature is disabled on the endpoint and does not appear in the FortiClient GUI.

    5. Click Next. On the Advanced tab, set the following options:

      Option

      Description

      Enable desktop shortcut

      Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

      Enable start menu shortcut

      Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

      Installer Files

      Enable to include MSI installer files for FortiClient (Windows).

      Enable Installer ID

      Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient EMS automatically groups endpoints according to installer ID group assignment rules.

      If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

      In an environment with a large number of endpoints, since you can configure each deployment package with only one installer ID, it may be inefficient to create a deployment package for each installer ID.

      Enable Endpoint VPN Profile

      Select an endpoint VPN profile to include in the installer. EMS applies the VPN profile to the endpoint once it has installed FortiClient. This option is necessary if users require VPN connection to connect to EMS.

      Enable Endpoint System Profile

      Select an endpoint system profile to include in the installer. EMS applies the system profile to the endpoint once it has installed FortiClient. This option is necessary if it is required to have certain security features enabled prior to contact with EMS.

      Invalid Certificate Action

      Select the action to take when FortiClient attempts to connect to EMS with an invalid certificate:

      • Warn: warn the user about the invalid server certificate. Ask the user whether to proceed with connecting to EMS, or terminate the connection attempt. FortiClient remembers the user's decision for this EMS, but displays the warning prompt if FortiClient attempts to connect to another EMS (using a different EMS FQDN/IP address and certificate) with an invalid certificate.
      • Allow: allows FortiClient to connect to EMS with an invalid certificate.
      • Deny: block FortiClient from connecting to EMS with an invalid certificate.

      Invitation

      Select an invitation to include in the deployment package. If you have not created an invitation, you can create one by clicking Create Invitation. See Invitations.

    6. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient EMS server, which manage FortiClient once it is installed on the endpoint.
    7. Do one of the following:
      • If you selected Create installer, Click Finish. The FortiClient deployment package is added to FortiClient EMS and displays on the Deployment Installers > FortiClient Installer pane. The deployment package may include .exe (64-bit), .msi, .dmg, .rpm, and .deb files depending on the configuration. The end user can download these files to install FortiClient on their machine with the desired configuration.
      • If you selected Create installer config file, click Download. This downloads a config.json file to your device. You can upload this file to a cloud server to create a custom deployment package.
    Previous
    Next