Deploy FortiClient VPN as a Custom App

By Jonathan Connor

Use this guide to deploy FortiClient VPN as a custom app from your Kandji instance.

Prerequisites

  • Download the forticlient_settings.mobileconfig file from the Kandji support GitHub repository (GitHub Link). You can right-click the link and select Save link as ... to download the mobileconfig file directly.

    • This configuration profile enables Notifications, System Extensions, Privacy Preferences (PPPC) to allow Full Disk Access, and a Web Content filter for FortiClient.

  • Copy the forticlient_ae_script.zsh script from the Kandji support GitHub repository (GitHub Link)

  • Download the FortiClient installer from your FortiClient portal

Custom Configuration Profile

  1. Create a Custom Configuration Profile in Kandji by selecting Library > Add New > Custom Profile > Add & Configure

  2. Give the custom profile the following name: FortiClient Settings

  3. Assign the library item to a Blueprint

    NOTE: It's generally good practice to assign new library items to a testing Blueprint to ensure that everything works as expected
  4. Set Device Families to Mac

  5. Upload the forticlient_settings.mobileconfig file to Kandji as a custom configuration profile. This profile will automatically grant Privacy settings for Accessibility and Full Disk Access and enable Notifications

  6. Click Save

Custom App

  1. Create a new Custom App in Kandji by selecting Library > Add New > Custom App > Add & Configure

  2. Give the Custom App a name

  3. Assign your custom app to a test Blueprint

    NOTE: It's generally good practice to assign new library items to a testing Blueprint to ensure that everything works as expected
  4. Change the installation type to Audit and Enforce

  5. Paste the forticlient_ae_script.zsh script from earlier into the Audit & Enforce text box. No modification is needed

  6. Select ZIP File (unzip contents into specified directory) as the deployment type

  7. Enter /var/tmp as the Unzip Location

  8. Zip the FortiClient DMG file and upload it to Kandji

    1. To create the zip file on a Mac, right-click on the DMG file and select Compress “name of file”

       
  9. Click Add Postinstall Script and paste the post-install script from the bottom of this article

  10. In the Post-Install script, ensure that the DMG_FILE_NAME variable matches the name of the DMG file that you have

  11. Click Save

Postinstall script

#!/bin/zsh

#
# Postinstaller for FortiClient
#

###################################################################################################
####################################### VARIABLES #################################################
###################################################################################################

# DMG file name
# This name should match the file name that you are deploying
DMG_FILE_NAME="FortiClient_7.0.0_3377f964.dmg"

###################################################################################################
############################ MAIN - DO NOT MODIFY BELOW ###########################################
###################################################################################################

# pkg name - found inside of the DMG file
pkg_name="Install.mpkg"

# Unzip path
unzip_path="/var/tmp"

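# Mount path
mount_path="/Volumes/FortiClient"

echo "Mounting DMG ..."
# Stop here if the DMG cannot be mounted (wrong file name, damaged image)
if ! /usr/bin/hdiutil attach "$unzip_path/$DMG_FILE_NAME"; then
    echo "Failed to mount $unzip_path/$DMG_FILE_NAME"
    exit 1
fi

# look for the installer (use the first match only)
installer_path=$(/usr/bin/find "$mount_path" -name "$pkg_name" | /usr/bin/head -n 1)

# Fail instead of calling installer with an empty path
if [[ -z "$installer_path" ]]; then
    echo "$pkg_name not found under $mount_path"
    /usr/bin/hdiutil unmount "$mount_path"
    exit 1
fi

echo "$pkg_name found at $installer_path"
# install the package that was found and keep the installer's exit status
/usr/sbin/installer -pkg "$installer_path" -target /
install_status=$?

# Unmount DMG
echo "Unmounting DMG ..."
/usr/bin/hdiutil unmount "$mount_path"

# Clean-up a little
echo "Cleaning up ..."
/bin/rm -Rf "$unzip_path/$DMG_FILE_NAME"

# Report a failed install to Kandji instead of always returning success
exit $install_status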

Depending on the App product and version installed, the app path, privacy access, and kernel or system extension requirements may change. As with all Custom Apps, we urge you to test this thoroughly before deploying to a Mac that is in production.