
FortiDLP Agent Deployment Guide

Bulk deploying the FortiDLP Email Add-in to Windows

The FortiDLP Email Add-in monitors outbound email activity for New Outlook for Windows and Outlook on the Web. It is accessible in XML format from the FortiDLP Console's Admin settings (Integrations > Microsoft > New Outlook add-in).

The FortiDLP Email Add-in requires a trusted certificate to communicate with the FortiDLP Agent. You can either use one that is automatically provisioned by FortiDLP or one that is externally managed by your organization:

  • When using an auto-provisioned certificate, Agents automatically create local self-signed certificates. Agents also automatically renew their certificates without manual intervention.
  • When using your own certificate, you will need to upload your private key file and certificate file to FortiDLP and then push the root certificate to devices using Microsoft GPO. Your key and certificate must be PEM encoded, and your certificate must have a Subject Alternative Name (SAN) extension with the IP address 127.0.0.1.

If you want to monitor Outlook on the Web when Firefox is used, you will also need to enable Enterprise Roots mode for your certificate to be trusted. You can do this centrally using GPO Administrative templates (ADMX/ADML files).

After you configure your certificate, you can bulk deploy the FortiDLP Email Add-in using Microsoft 365.

Follow these instructions to deploy the FortiDLP Email Add-in:

  1. How to configure a trusted certificate using FortiDLP
  2. How to install an externally managed (static) certificate using Microsoft GPO
  3. Optional: How to enable Enterprise Roots mode for Firefox using Microsoft GPO
  4. How to bulk deploy the FortiDLP Email Add-in using Microsoft 365

Below, you will also find information on manually updating and uninstalling the add-in.

Caution

The FortiDLP Email Add-in should only be deployed to users with devices which have the Agent installed and which also meet the requirements detailed in FortiDLP Agent optional requirements. Failure to meet these conditions will cause a pop-up message to display each time the user sends an email.

How to configure a trusted certificate using FortiDLP
  1. In the FortiDLP Console, on the left-hand sidebar, click .
  2. Under Integrations > Microsoft, select the New Outlook add-in tab.
  3. In the FortiDLP Email Add-in section, expand the 2. Configure a trusted certificate for the Agent's local web server and install it (if applicable) panel.
  4. Do one of the following:
    • To use an auto-provisioned certificate:
      1. In the Certificate mode menu, select Auto-provisioned.
      2. Click Apply.
        Caution

        Once an auto-provisioned certificate has been deployed to devices, clicking the Regenerate certificate button in the Microsoft tab will break this trust.

    • To use an externally managed certificate:
      1. In the Certificate mode menu, select Static key pair.
      2. Click Upload key and select your private key file.
      3. Click Upload certificate and select your certificate file.
      4. Click Apply.

How to install an externally managed (static) certificate using Microsoft GPO
  1. In Microsoft GPO, open Group Policy Management and create a GPO named Install Agent Root CA.
  2. Right-click the GPO you created and select Edit.
  3. Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies, right-click Trusted Root Certificate Authorities, and then select Import.
  4. Select your certificate file, and then click Next.
  5. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
  6. On the Completing the Certificate Import Wizard page, click Finish.

Optional: How to enable Enterprise Roots mode for Firefox using Microsoft GPO
  1. Download Mozilla's ADMX templates.
  2. Open the policy templates ZIP file you downloaded, go to the windows directory, and copy the firefox.admx file and any directories containing the ADML files for the languages you are using.
  3. On the domain controller, paste the files to the GPO Central Store.
  4. In Microsoft GPO, open Group Policy Management and either create a new GPO or edit an existing GPO.
  5. Expand Administrative Templates > Mozilla > Firefox and click Certificates.
  6. Edit the Import Enterprise Roots setting.
  7. Select the Enabled radio button.
  8. Click OK.

For more information, see the Firefox documentation here and here.
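As an added example, not part of this guide or of the FortiDLP product, the following PowerShell script checks a static certificate against the requirements stated above (PEM encoded, SAN extension containing IP address 127.0.0.1) before it is uploaded, and then confirms on a managed device that the GPO-delivered root CA and the Firefox Import Enterprise Roots policy have actually arrived. The certificate path is an assumption; run the device checks on a domain-joined machine after a gpupdate.

```powershell
# Added example (not part of the FortiDLP guide). Assumes the PEM certificate path below.
param(
    [string]$CertPath = 'C:\certs\fortidlp-agent-root.pem'   # assumed path, adjust as needed
)

# 1. Validate the certificate file before uploading it to FortiDLP:
#    it must be PEM encoded and carry a SAN extension with IP address 127.0.0.1.
function Test-AgentCertificate {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    if ($text -notmatch '-----BEGIN CERTIFICATE-----') {
        return [pscustomobject]@{ Pem = $false; SanLoopback = $false; Thumbprint = $null }
    }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($Path)
    # OID 2.5.29.17 is Subject Alternative Name; on Windows it formats as "IP Address=127.0.0.1"
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $hasLoopback = $false
    if ($san) { $hasLoopback = $san.Format($true) -match 'IP Address=127\.0\.0\.1' }
    [pscustomobject]@{
        Pem         = $true
        SanLoopback = $hasLoopback
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
    }
}

# 2. After the "Install Agent Root CA" GPO has applied, the root certificate must be
#    present in the machine's Trusted Root Certification Authorities store.
function Test-RootStoreDeployed {
    param([string]$Thumbprint)
    $found = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    return [bool]$found
}

# 3. The Mozilla ADMX "Import Enterprise Roots" policy writes this registry value;
#    Firefox only trusts the Windows root store when it is set to 1.
function Test-FirefoxEnterpriseRoots {
    $key = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Certificates'
    $val = Get-ItemProperty -Path $key -Name ImportEnterpriseRoots -ErrorAction SilentlyContinue
    return ($null -ne $val -and $val.ImportEnterpriseRoots -eq 1)
}

$result = Test-AgentCertificate -Path $CertPath
$result | Format-List
if (-not $result.Pem -or -not $result.SanLoopback) {
    Write-Warning 'Certificate does not meet the FortiDLP requirements; do not upload it.'
}
"Root CA present in LocalMachine\Root: $(Test-RootStoreDeployed -Thumbprint $result.Thumbprint)"
"Firefox ImportEnterpriseRoots policy enabled: $(Test-FirefoxEnterpriseRoots)"
```

If the SAN check fails, reissue the certificate with the loopback IP SAN rather than uploading it, since the add-in will otherwise fail to trust the Agent's local web server.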


How to bulk deploy the FortiDLP Email Add-in using Microsoft 365
  1. In the FortiDLP Console, on the left-hand sidebar, click .
  2. Under Integrations > Microsoft, select the New Outlook add-in tab.
  3. In the FortiDLP Email Add-in section, expand the 3. Deploy the FortiDLP Email Add-in panel.
  4. Do one of the following:
    • To deploy the add-in using the URL, click Copy manifest URL.
    • To deploy the add-in using the XML file, click Download manifest.
  5. Log in to the Microsoft 365 admin center.
  6. Go to Settings > Integrated apps.
  7. At the top of the Integrated apps page, click Add-ins.
  8. Click Deploy Add-In.
  9. In the Deploy a new add-in panel, do the following:
    1. Click Next.
    2. Click Upload custom apps.
    3. Do one of the following:
      • To deploy the add-in using the XML file:
        1. Keep the I have the manifest file (.xml) on this device radio button selected.
        2. Click Choose File.
        3. Select the XML file you downloaded.
        4. Click Upload.
      • To deploy the add-in using the URL:
        1. Select the I have a URL for the manifest file radio button.
        2. Paste the URL into the field below.
        3. Click Upload.
  10. In the Configure add-in panel, do the following:
    1. In the Assign Users section, select the users/groups you want the add-in to be installed for.
    2. In the Deployment Method section, do one of the following:
      • To deploy the add-in to all selected users and prevent them from removing it from their Outlook ribbon, keep Fixed selected.
      • To deploy the add-in to all selected users but allow them to remove it from their Outlook ribbon, select Optional.
      • To allow selected users to deploy the add-in on their own, select Available.
        Note

        When using the Available method, users will need to click the Get Add-ins button on the Home tab of their Outlook ribbon and install the add-in from the Admin-managed section.

    3. Click Deploy.

The FortiDLP Email Add-in will display in users' Outlook ribbons within 24 hours.

After you deploy the FortiDLP Email Add-in, you must enable email monitoring for all relevant nodes using Agent configuration groups. For details, refer to the FortiDLP Administration Guide.

Optionally, you can also configure email policies. For details, refer to the FortiDLP Policies Reference Guide.

How to update the FortiDLP Email Add-in

In rare cases, it may be necessary to manually update the FortiDLP Email Add-in. For details, see Updating the FortiDLP Email Add-in.

How to bulk uninstall the FortiDLP Email Add-in using Microsoft 365
  1. Log in to the Microsoft 365 admin center.
  2. Go to Settings > Integrated apps.
  3. In the Deployed apps page, click the FortiDLP Email Add-in.
  4. In the FortiDLP Email Add-in panel, click Remove app.
  5. In the confirmation dialog box, click Remove.
