FortiDLP
FortiDLP is a cloud-native endpoint DLP and Insider Risk Solution which is aimed at monitoring and Preventing Data Theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Staff
Article Id 353779
Description This article describes how to deploy FortiDLP Agents using SCCM.
Scope FortiDLP.
Solution

Methods.

 

Enrollment Code:

  1. Create an enrollment code with the required number of uses and a suitable expiry time in the FortiDLP Agent Deployment admin page.
  2. Create a standard MSI application in SCCM from the agent_x[86|64]_release_signed.msi package.
  3. Modify the detection method (only if using FortiDLP Auto-Update) - see below.
  4. Modify the msiexec installation parameters to include the ENROLL_CODE property:

 

msiexec /i agent_x64_release_signed.msi ENROLL_CODE=<enrollmentcode> /qn

 

Enrollment Bundle as part of the package:

  1. Create an enrollment bundle with the required number of uses and a suitable expiry time in the FortiDLP Agent Deployment admin page.
  2. Place the enrollment.bundle file in the same folder as the agent MSI before building the application, so that SCCM distributes it to the client as part of the package content.
  3. Create a standard MSI application in SCCM from the agent_x[86|64]_release_signed.msi package.
  4. Modify the detection method (only if using FortiDLP Auto-Update) - see below.
  5. Modify the msiexec installation parameters to include the BUNDLE_FILEPATH property:

 

msiexec /qn /i agent_x64_release_signed.msi BUNDLE_FILEPATH="<enrollment.bundle>"

 

Note:

The enrollment code contains no spaces, so the standard ENROLL_CODE=<enrollmentcode> property syntax is safe as-is, with no space on either side of the equals sign. If the path to the enrollment.bundle file contains spaces, the value must be enclosed in double quotes ("), as in the command above.

 

Enrollment Bundle on shared fileserver:

Since enrollment bundles now support multiple uses, with a modifiable expiration date and max_uses, hosting the bundle on a shared file server is no longer recommended. Deploy the bundle file as part of the original application; if it is close to expiry, extend the date on the FortiDLP Platform. No new package is needed, and the install no longer depends on a share being reachable by every client at install time.

 

Return codes:

After an install or update of the FortiDLP Agent, the two normally expected exit codes are 0 (ERROR_SUCCESS) and 3010 (ERROR_SUCCESS_REBOOT_REQUIRED, the standard Windows Installer code for a successful install that has requested a restart). It is generally safe to defer the reboot in both cases. Fortinet recommends editing the deployment type's Return Codes settings so that 3010 is treated as 'Success (no reboot)' rather than a soft or hard reboot, both for initial installs and when SCCM is used to update the FortiDLP Agent.
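The following PowerShell wrapper is an added example and is not Fortinet's code or part of this article's procedure. It ties together the bundle method from the steps above and the exit-code handling described under Return codes: it runs msiexec with a quoted BUNDLE_FILEPATH, treats 0 and 3010 as success so SCCM never schedules a restart, and echoes the tail of the enrollment log named in the Troubleshooting section. The script name Install-FortiDlpAgent.ps1, the assumption that the MSI and enrollment.bundle sit beside the script in the SCCM content folder, the architecture selection by OS bitness, and the msiexec log location are all this example's own choices, not something the article specifies.

```powershell
<#
  Added example, not Fortinet's code. Intended to be run by SCCM as the
  deployment type's install command (which runs as SYSTEM), with the agent
  MSI and enrollment.bundle placed next to this script in the content folder.
  Assumed here, not from the article: the script name, the bitness-based
  choice of MSI, and the msiexec log path under the Windows Temp folder.
#>
param(
    # Defaults to the OS bitness; pass -Arch x86 explicitly for 32-bit clients.
    [ValidateSet('x64', 'x86')]
    [string]$Arch = $(if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }),
    [string]$BundleFile = 'enrollment.bundle'
)

$Msi       = Join-Path $PSScriptRoot "agent_${Arch}_release_signed.msi"
$Bundle    = Join-Path $PSScriptRoot $BundleFile
$MsiLog    = Join-Path $env:windir 'Temp\fortidlp_agent_install.log'           # assumed location
$EnrollLog = Join-Path $env:ProgramData 'Jazz Networks\Agent\logs\enroll.log'  # path from the Troubleshooting section

foreach ($file in $Msi, $Bundle) {
    if (-not (Test-Path -LiteralPath $file)) {
        Write-Error "Required file not found: $file"
        exit 1
    }
}

# Content folder paths may contain spaces, so both the MSI path and the
# BUNDLE_FILEPATH value are quoted (an ENROLL_CODE value would not need it).
$msiArgs = @(
    '/qn', '/i', "`"$Msi`"",
    "BUNDLE_FILEPATH=`"$Bundle`"",
    '/l*v', "`"$MsiLog`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

switch ($proc.ExitCode) {
    0 {
        Write-Output 'FortiDLP Agent installed.'
    }
    3010 {
        # ERROR_SUCCESS_REBOOT_REQUIRED: the install succeeded and Windows
        # Installer asked for a restart. The article says this is safe to
        # defer, so report plain success to SCCM instead of passing 3010 on.
        Write-Output 'FortiDLP Agent installed; restart deferred.'
    }
    default {
        Write-Error "msiexec exited with $($proc.ExitCode); see $MsiLog"
        exit $proc.ExitCode
    }
}

# Surface the end of the enrollment log in the SCCM execution output so an
# enrollment failure is visible without logging on to the client.
if (Test-Path -LiteralPath $EnrollLog) {
    Write-Output "--- last lines of $EnrollLog ---"
    Get-Content -LiteralPath $EnrollLog -Tail 20
}
exit 0
```

With this wrapper the deployment type's installation program would be something like `powershell.exe -NoProfile -ExecutionPolicy Bypass -File Install-FortiDlpAgent.ps1`, and the Return Codes mapping for 3010 becomes moot because the script itself exits 0. If the plain MSI deployment type is kept instead, the Return Codes tab must be edited as described above. Sign the script if the environment's execution policy requires it rather than relying on the bypass switch.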

 

Application Detection Mechanism (Needed only for FortiDLP Auto-Update):

By default, SCCM detects an MSI deployment type by the presence of its ProductCode in the Windows Registry. Because the ProductCode changes with every FortiDLP Agent release, a detection rule tied to it passes only for that one packaged version.

This conflicts with the FortiDLP Auto-Update mechanism, where newer installer files are pushed to the agent directly from the FortiDLP platform. Once the agent has updated itself, the packaged version's ProductCode is no longer present, SCCM concludes the application is missing and reinstalls the older packaged version. In such cases, change the detection method so that any installed agent version satisfies the check. This can be done by detecting the UpgradeCode key in the registry, which remains the same for every version.

 

The detection method is modified from the Deployment Types settings under Detection Method:

  • Set the detection method in the deployment type to use the UpgradeCode registry entry.
  • To do this, view the properties of the application and select the Deployment Types tab.



 

  • Select the deployment type in use and select Edit.
  • From there, select Detection Method.



 

  • Select the current method and select Edit Clause.
  • The values that need to be set are:
    • Setting Type to 'Registry'.
    • Hive to 'HKEY_CLASSES_ROOT' (its Installer subtree is where Windows Installer records per-machine UpgradeCodes).
    • Key to the packed-GUID form of the FortiDLP Agent UpgradeCode, which is the same for every agent version:

 

Installer\UpgradeCodes\729C78E253AAC574EA50AA3E043B5629

 

  • Leave the rule as 'This registry setting must exist on the target system to indicate presence of this application'. No value or version comparison is needed, since the point is that any installed agent version passes the check.
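The following PowerShell script is an added example, not Fortinet's code and not part of the article's SCCM procedure. It performs on a client the same check the registry clause above performs (the UpgradeCode key exists) and, in addition, decodes the packed GUIDs that Windows Installer stores under HKCR\Installer so the installed ProductCode and version can be read back. Only the UpgradeCodes key name is taken from the article; the function names, the lookup of DisplayName and DisplayVersion under the Uninstall keys, and the output shape are this example's own.

```powershell
<#
  Added example, not Fortinet's code: verifies the UpgradeCode-based
  detection clause on a client and unpacks Windows Installer's packed GUIDs.
  Only the packed UpgradeCode below comes from the article.
#>
$PackedUpgradeCode = '729C78E253AAC574EA50AA3E043B5629'   # from the article
$UpgradeCodeKey    = "Registry::HKEY_CLASSES_ROOT\Installer\UpgradeCodes\$PackedUpgradeCode"

function Convert-PackedGuid {
    # Windows Installer packs a GUID by reversing the characters of the first
    # three groups and swapping each pair of characters in the last two groups.
    # The transform is its own inverse, so this both packs and unpacks.
    param([Parameter(Mandatory)][string]$Value)
    $hex = ($Value -replace '[{}\-]', '').ToUpper()
    if ($hex -notmatch '^[0-9A-F]{32}$') { throw "Not a 32-digit hex GUID: '$Value'" }
    $reverse   = { param($s) $c = $s.ToCharArray(); [array]::Reverse($c); -join $c }
    $swapPairs = { param($s) $s -replace '(.)(.)', '$2$1' }
    $parts = @(
        (& $reverse   ($hex.Substring(0, 8))),
        (& $reverse   ($hex.Substring(8, 4))),
        (& $reverse   ($hex.Substring(12, 4))),
        (& $swapPairs ($hex.Substring(16, 4))),
        (& $swapPairs ($hex.Substring(20, 12)))
    )
    '{' + ($parts -join '-') + '}'
}

function Test-FortiDlpInstalled {
    # Same test as the SCCM registry clause: the UpgradeCode key must exist.
    # Returns an object rather than writing to stdout so it can be reused.
    $upgradeCode = Convert-PackedGuid $PackedUpgradeCode
    if (-not (Test-Path -LiteralPath $UpgradeCodeKey)) {
        return [pscustomobject]@{ Installed = $false; UpgradeCode = $upgradeCode; Products = @() }
    }

    # Each value name under the key is the packed ProductCode of an installed
    # product sharing this UpgradeCode; normally just the current agent version.
    $key = Get-Item -LiteralPath $UpgradeCodeKey
    $packedProducts = $key.GetValueNames() | Where-Object { $_ -match '^[0-9A-Fa-f]{32}$' }
    $products = foreach ($packed in $packedProducts) {
        $productCode = Convert-PackedGuid $packed
        $info = $null
        # A 64-bit MSI registers under the native Uninstall key, a 32-bit one under WOW6432Node.
        foreach ($root in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                          'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
            $info = Get-ItemProperty -LiteralPath "$root\$productCode" -ErrorAction SilentlyContinue
            if ($info) { break }
        }
        [pscustomobject]@{
            ProductCode = $productCode
            DisplayName = $info.DisplayName
            Version     = $info.DisplayVersion
        }
    }

    [pscustomobject]@{
        Installed   = $true
        UpgradeCode = $upgradeCode   # decodes to {2E87C927-AA35-475C-AE05-AAE340B36592}
        Products    = @($products)
    }
}

$result = Test-FortiDlpInstalled
$result | Format-List Installed, UpgradeCode
$result.Products | Format-Table ProductCode, DisplayName, Version -AutoSize
```

Run it on a client that has the agent installed and on one that does not before changing the clause; the first should list the current ProductCode and version, the second should report Installed = False. If a script-based detection method is preferred over the registry clause, SCCM treats an application as detected when the script writes anything to STDOUT and exits 0, so `if ((Test-FortiDlpInstalled).Installed) { 'Installed' }` is the whole detection script.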

 

Troubleshooting:

Check the enrollment log at %PROGRAMDATA%\Jazz Networks\Agent\logs\enroll.log.

If it reports that the bundle file cannot be opened, verify that the path is correct and that the account running the install (the SYSTEM account under SCCM) can read it. 'The system cannot find the file specified' can also indicate a permissions problem: the SYSTEM account needs list (traverse) permission on the enclosing folder, not only read permission on the file itself.
