Deploying FortiClient using a shell script

With Intune, you can silently deploy FortiClient to macOS devices that have any user accounts (administrator and non-administrator user accounts) without requiring user interaction. Following this method to deploy FortiClient to macOS devices is recommended, as it is simple and effective. For this procedure, all macOS devices should meet the following prerequisites:

Running macOS High Sierra (version 10.13) or a later version
Managed by Intune
Shell scripts begin with #! and are in a valid location, such as #!/bin/sh or #!/usr/bin/env zsh.
Command line interpreters for the applicable shells are installed.

After verifying that all macOS devices meet the prerequisites, do the following.

To deploy FortiClient using a shell script:

Modify the script file:
1. On a test macOS device, download the given FortiClient deployment shell script .sh file.
2. Open a terminal, go to the downloaded script file, and open it.
3. Do one of the following:
  1. If using on-premise EMS, modify the weburl value to your FortiClient download link from EMS. For example, you would change the value from weburl= <"FortiClient download URL from EMS"> to weburl="https://your_EMS_FQDN:10443/installers/Default/FCT_MAC_7.0.6_GA/FortiClient_7.0.6.dmg", if the download link is https://your_EMS_FQDN:10443/installers/Default/FCT_MAC_7.0.6_GA/FortiClient_7.0.6.dmg.
  2. If using FortiClient Cloud, you must first obtain the installer URL from the invitation email that FortiClient Cloud sends to end users. Configure an invitation email as Adding a new invitation for a deployment package describes, configuring only yourself as a recipient. After receiving the invitation email, copy the installer link in the email. Replace the "FCT7.zip" at the end of the URL to "FortiClient_7.0.x.dmg", then enter this value in weburl. For example, if the invitation email includes example.ems.forticlient.forticloud.com/installers/default/FCT7/FCT7.zip as the installer URL and the installer is for FortiClient 7.0.6, you would enter weburl="example.ems.forticlient.forticloud.com/installers/default/FCT7/FortiClient_7.0.6.dmg".
4. Modify the FortiClient_Installerversion value in the script file based on your FortiClient installer version. For example, change the value from FortiClient_Installerversion=<Your FortiClient Installer version> to FortiClient_Installerversion=”7060208” if the FortiClient version is 7.0.6.0208. Enter the version number without periods.
5. Modify the values av, af, sb, sra, sso, vs, wf, ztna values to 1 or 0 based on the enabled features in the FortiClient installer. For example, change the value from av=<Feature enabled or disabled> to av="1” to enable malware protection. Otherwise, set av="0” to disable malware protection on the FortiClient installer. By default, all values for av, af, sb, sra, sso, vs, wf, ztna are set to “1” based on the default installer with all features enabled.
6. The shell script mainly performs the following tasks:
  - Check if FortiClient is already installed on the system.
  - Skip the installation process if there is FortiClient installed with same version and features.
  - Continue the installation process if one of the following is true:
    - There is no FortiClient installed or free VPN version installed.
    - FortiClient is installed with a different version and/or different features.
  - Uninstall older versions of FortiClient if there is any.
  - Download the FortiClient deployment package from the EMS server. Therefore, the managed macOS device should be able to access the download link.
  - Install FortiClient on the macOS device.
  If desired, modify the script file based on your requirements.
7. Save the file. The script is now ready to upload to Intune.
Log in to the Microsoft Endpoint Manager Admin Center.
Go to Devices > macOS > Shell scripts > Add.
In Basics, enter the following:
1. In the Name field, enter the shell script name.
2. In the Description field, enter a description for the shell script. This setting is optional but recommended.
Click Next. In script settings, enter the following:
1. In Upload script, browse to the shell script. The script file must be less than 200 KB in size.
2. For Run script as signed-in user, select Yes to run the script with the user credentials on the device. Select No to run the script as the root user. No is the default option.
3. If desired, enable Hide script notifications on devices. By default, the device shows a script notification for each script that it runs. On a macOS device, the end user sees a notification from Intune that IT is configuring their computer.
4. For Script frequency, select how often to run the script. To run the script only once, select Not configured, the default value.
5. For Max number of times to retry if script fails, select how many times to run the script if it returns a non-zero exit code. A zero exit code means success. To not retry when the script fails, select Not configured, the default value.
Go to Assignments > Select groups to include, and assign the script to the macOS devices group.
Review the summary, then click Add to save the script.
Intune runs the script on all devices and users in the assigned group. Go to Intune MDM > All services > Devices > macOS > Shell Scripts > Overview to verify the deployment statistics.

In some cases, Intune may take some time to run the script on the devices. In that case, you can select the device and click Sync. If you want to sync on all macOS devices, click Bulk Device Actions, select the desired OS, then click Sync.This synchronizes the latest configuration changes to the endpoint. After running the script, Intune takes some time to update the device and user statuses.

Note the following:

Manually uninstalling FortiClient using the FortiClient uninstaller tool removes the VPN virtual adapter and stored zero trust network access (ZTNA) certificates on the endpoint. As a result, reinstalling FortiClient displays the FortiTray VPN and system keychain modification prompts. In this case, push and distribute the MDM configuration profile again before reinstalling FortiClient to fully silence the prompts.
When connecting to VPN with client certificates, the system prompts the user for keychain access credentials to access and read the stored certificate. The user can decide to allow or deny access. Selecting Always Allow silences future prompts when FortiTray accesses the certificate.
When FortiClient acts as a ZTNA client, the system is expected to display prompts to ask for user credentials to access the ZTNA client certificate stored in the login keychain.
Revoking the endpoint client certificate from EMS removes the ZTNA client certificate and the MDM preloaded CA certificate from keychain access. Therefore, when removing the revoked CA Certificate, the system prompts for administrator credentials to modify the system keychain.

Deploying FortiClient using a shell script

Running macOS High Sierra (version 10.13) or a later version

Managed by Intune

Shell scripts begin with #! and are in a valid location, such as #!/bin/sh or #!/usr/bin/env zsh.

Command line interpreters for the applicable shells are installed.

After verifying that all macOS devices meet the prerequisites, do the following.

To deploy FortiClient using a shell script:

Modify the script file:

On a test macOS device, download the given FortiClient deployment shell script .sh file.
Open a terminal, go to the downloaded script file, and open it.
Do one of the following:
1. If using on-premise EMS, modify the weburl value to your FortiClient download link from EMS. For example, you would change the value from weburl= <"FortiClient download URL from EMS"> to weburl="https://your_EMS_FQDN:10443/installers/Default/FCT_MAC_7.0.6_GA/FortiClient_7.0.6.dmg", if the download link is https://your_EMS_FQDN:10443/installers/Default/FCT_MAC_7.0.6_GA/FortiClient_7.0.6.dmg.
2. If using FortiClient Cloud, you must first obtain the installer URL from the invitation email that FortiClient Cloud sends to end users. Configure an invitation email as Adding a new invitation for a deployment package describes, configuring only yourself as a recipient. After receiving the invitation email, copy the installer link in the email. Replace the "FCT7.zip" at the end of the URL to "FortiClient_7.0.x.dmg", then enter this value in weburl. For example, if the invitation email includes example.ems.forticlient.forticloud.com/installers/default/FCT7/FCT7.zip as the installer URL and the installer is for FortiClient 7.0.6, you would enter weburl="example.ems.forticlient.forticloud.com/installers/default/FCT7/FortiClient_7.0.6.dmg".
Modify the FortiClient_Installerversion value in the script file based on your FortiClient installer version. For example, change the value from FortiClient_Installerversion=<Your FortiClient Installer version> to FortiClient_Installerversion=”7060208” if the FortiClient version is 7.0.6.0208. Enter the version number without periods.
Modify the values av, af, sb, sra, sso, vs, wf, ztna values to 1 or 0 based on the enabled features in the FortiClient installer. For example, change the value from av=<Feature enabled or disabled> to av="1” to enable malware protection. Otherwise, set av="0” to disable malware protection on the FortiClient installer. By default, all values for av, af, sb, sra, sso, vs, wf, ztna are set to “1” based on the default installer with all features enabled.
The shell script mainly performs the following tasks:
- Check if FortiClient is already installed on the system.
- Skip the installation process if there is FortiClient installed with same version and features.
- Continue the installation process if one of the following is true:
  - There is no FortiClient installed or free VPN version installed.
  - FortiClient is installed with a different version and/or different features.
- Uninstall older versions of FortiClient if there is any.
- Download the FortiClient deployment package from the EMS server. Therefore, the managed macOS device should be able to access the download link.
- Install FortiClient on the macOS device.
If desired, modify the script file based on your requirements.
Save the file. The script is now ready to upload to Intune.

Go to Devices > macOS > Shell scripts > Add.

In Basics, enter the following:

In the Name field, enter the shell script name.
In the Description field, enter a description for the shell script. This setting is optional but recommended.

Click Next. In script settings, enter the following:

In Upload script, browse to the shell script. The script file must be less than 200 KB in size.
For Run script as signed-in user, select Yes to run the script with the user credentials on the device. Select No to run the script as the root user. No is the default option.
If desired, enable Hide script notifications on devices. By default, the device shows a script notification for each script that it runs. On a macOS device, the end user sees a notification from Intune that IT is configuring their computer.
For Script frequency, select how often to run the script. To run the script only once, select Not configured, the default value.
For Max number of times to retry if script fails, select how many times to run the script if it returns a non-zero exit code. A zero exit code means success. To not retry when the script fails, select Not configured, the default value.

Go to Assignments > Select groups to include, and assign the script to the macOS devices group.

Review the summary, then click Add to save the script.

Intune runs the script on all devices and users in the assigned group. Go to Intune MDM > All services > Devices > macOS > Shell Scripts > Overview to verify the deployment statistics.

Note the following:

Manually uninstalling FortiClient using the FortiClient uninstaller tool removes the VPN virtual adapter and stored zero trust network access (ZTNA) certificates on the endpoint. As a result, reinstalling FortiClient displays the FortiTray VPN and system keychain modification prompts. In this case, push and distribute the MDM configuration profile again before reinstalling FortiClient to fully silence the prompts.

When connecting to VPN with client certificates, the system prompts the user for keychain access credentials to access and read the stored certificate. The user can decide to allow or deny access. Selecting Always Allow silences future prompts when FortiTray accesses the certificate.

When FortiClient acts as a ZTNA client, the system is expected to display prompts to ask for user credentials to access the ZTNA client certificate stored in the login keychain.

Revoking the endpoint client certificate from EMS removes the ZTNA client certificate and the MDM preloaded CA certificate from keychain access. Therefore, when removing the revoked CA Certificate, the system prompts for administrator credentials to modify the system keychain.

Intune Deployment Guide

Deploying FortiClient using a shell script

Deploying FortiClient using a shell script

To deploy FortiClient using a shell script:

Deploying FortiClient using a shell script

To deploy FortiClient using a shell script: