Hi!
I have around 60 Macs managed by Intune (yes, it’s not the best MDM) that use FortiClient VPN. I want to set up VPN profiles so users don’t have to configure them. I have a script that works locally but was wondering if it’s possible to do the same thing via configuration profile?
I tested this script locally, it works.
Is it possible to create a configuration profile in Intune that edits the vpn.plist file to what I want?
I’m currently not installing FortiClient. On Windows I used the .msi but on Mac, I haven’t tried to install the VPN yet. Maybe it’s best to create a script that installs FortiClient and then configures VPN profile?
Thanks in advance.
Here’s the script if you’re wondering.
#!/bin/bash
# Location of FortiClient's VPN configuration
file_path="/Library/Application Support/Fortinet/FortiClient/conf"
file_name="vpn.plist"

# Define the value: the complete contents to write into vpn.plist
value='Type here what you need inside the .plist file.'

# Exit if FortiClient is not installed
if [ ! -d "/Library/Application Support/Fortinet/FortiClient" ]
then
    echo "FortiClient folder not found. FortiClient is not installed."
    exit 0
fi

# Look for the vpn.plist file
if [ -f "$file_path/$file_name" ]
then
    echo "Found vpn.plist file, changing the configuration."
    # The redirection replaces the whole file with $value
    if ! echo "$value" > "$file_path/$file_name" 2>/dev/null
    then
        echo "Failed to change vpn.plist file."
        exit 1
    else
        echo "Made changes to the file."
        exit 0
    fi
else
    # Create the file if it's not found. This file doesn't exist when FortiClient hasn't been opened before.
    echo "vpn.plist file not found, creating the file."
    # The conf directory may not exist yet either, so create it first.
    # The path contains spaces, so it must be quoted or it is split into several arguments.
    if ! mkdir -p "$file_path" 2>/dev/null || ! touch "$file_path/$file_name" 2>/dev/null
    then
        echo "Failed to create vpn.plist file."
        exit 1
    fi
    if ! echo "$value" > "$file_path/$file_name" 2>/dev/null
    then
        echo "Failed to change vpn.plist file."
        exit 1
    else
        echo "Made changes to the file."
        exit 0
    fi
fi
Instead of a configuration profile, why not deploy the script directly via Intune?
As far as deploying the app goes, I would probably script that too. We have several macOS apps stored in an Azure blob storage and push scripts to download and install them, so that once a user signs into Company Portal their apps begin installing automatically.
AFAIK, it’s not possible with configuration profiles. Profiles can’t write to the path expected by FortiClient, and I’ve found no documentation to support a setup like the one you want.
We’ve simply created a package to deploy the vpn.plist file to the expected path of client computers.
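How such a package can be built with Apple's pkgbuild, as an added example and not the package from the reply above: the payload tree is staged under a temporary root with vpn.plist at FortiClient's config path, then packed into a component package that installs relative to /. The package identifier, version and source plist are hypothetical placeholders.

```shell
#!/bin/bash
# Added example, not the reply's own package: build a .pkg whose only payload
# is vpn.plist at FortiClient's config path. PKG_ID, PKG_VERSION and the
# source plist passed on the command line are hypothetical placeholders.
set -euo pipefail

PKG_ID="com.example.forticlient-vpn-config"   # hypothetical
PKG_VERSION="1.0.0"
TARGET_REL="Library/Application Support/Fortinet/FortiClient/conf"

# Stage the payload exactly as it should land on disk, rooted at "$root".
# The 0644 mode is recorded into the package; ownership is set by pkgbuild.
stage_payload() {
    local root="$1" plist_src="$2"
    mkdir -p "$root/$TARGET_REL"
    cp "$plist_src" "$root/$TARGET_REL/vpn.plist"
    chmod 0644 "$root/$TARGET_REL/vpn.plist"
}

# Build a component package. With --ownership recommended the installed files
# are owned by root:wheel rather than by whoever ran the build.
build_pkg() {
    local root="$1" out="$2"
    pkgbuild --root "$root" \
             --identifier "$PKG_ID" \
             --version "$PKG_VERSION" \
             --install-location / \
             --ownership recommended \
             "$out"
}

main() {
    local src="$1" out="$2" root
    root="$(mktemp -d)"
    trap 'rm -rf "$root"' EXIT
    stage_payload "$root" "$src"
    build_pkg "$root" "$out"
    # Inspect before deploying: this lists exactly what the package will write.
    pkgutil --payload-files "$out"
}

# Usage on a Mac: ./build-vpn-pkg.sh path/to/vpn.plist forticlient-vpn-config.pkg
# Elsewhere (or without arguments) only the functions are defined.
if [ "$(uname -s)" = "Darwin" ] && [ "$#" -eq 2 ]; then
    main "$@"
fi
```

Because the package writes to /Library, the installer runs the payload as root, which is what makes this work where a configuration profile cannot reach that path. Bump PKG_VERSION whenever the plist changes so the MDM treats it as a new install, and sign the package with a Developer ID Installer certificate (`pkgbuild --sign`) if your deployment path requires signed packages.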
If your forti thing supports IPSec, just use that and a normal configuration profile.
Hi!
Nope, I created it myself; it didn’t take much time. I tested it locally. I added echo messages, I can see those in Intune, not much to troubleshoot.
Why not use EMS to configure the VPN? When FortiClient connects to EMS, your VPN should be configured to apply itself that way for you.
Depending on your VPN setup, you can push out the native VPN profile for Macs, bypassing the need for the app.
If you’re using the app, make sure you’ve allowed the Fortinet kernel/system extension.
This is exactly what I’ve done with Jamf as we switched our authentication method. I looked high and low for any way to manage it as a configuration profile, but the package of that file ended up being a 5-minute job, start to finish.
Forti-thing? That’s what we call a “technical term” lol
sorry, it made me laugh. xD
I don’t have EMS. I used to have it but I ended the contract half a year ago, we kept using the free version of VPN.
Having said this, there are several things that need to be manually added to “Full Disk Access” in macOS for FortiClient to function correctly. This includes the virtual network adapter that it installs.
This link requires a login, of some sort, so it’s not helpful.
Well, technically it’s also just because I don’t know which of the many fortinet products they are using :-p and I stopped deploying it a long time ago.
Interesting. Looking over your script, I would always recommend adding exports to a log file of sorts so that you can see the progress and troubleshoot. Your script looks VERY “ChatGPT-ish” in nature. Did you by chance ask it to create this for you?
I know your license in EMS is expired, but if you are a paying customer, I would reach out to your rep and get the documentation on what needs to be added to “Full Disk Access” for it to function. Do you know the name of your rep?
I suspect that Kandji moved that article.
Having said all that, yes. You can edit the vpn.plist file with a bash script, but you will need to make sure that Intune has root access to that file, or this will not work.
The “Define the value” part of your script is what tipped me off that this was written by ChatGPT or other AI-assisted tools. It’s not direct, and multiple values need to be modified inside that plist file. I know that you would not add sensitive information on Reddit, but the wording is off, and because of this the rest of the script is not entirely correct based on the defined values. If this was written by a human, you would search for multiple values in order and change their information.
If the script was working correctly, it would need to look for specific values, change them, or modify them.
It’s always good practice to add log exports in your scripting to help troubleshoot what line fails or if something gets stuck. You can do this with the following:
echo "—[ $(date) ]—" >> /some_random_folder/install_log.log
By adding ">> /some_random_folder/install_log.log" at the end of a command, the system will output in real time to that log file and you can monitor the progress.
Also, I’m not shaming or attempting to insult you with the ChatGPT comment. I use AI tools to help with my scripting all the time, but mostly just to test the script and ask the tool for comments on making it better. Usually, when you ask an AI tool to create a script from scratch, it tends to make something that looks very similar to what you posted.
Hope this helps