FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Staff
Article Id 353878
Description This article describes how to deploy macOS FortiDLP Agents via Jamf.
Scope FortiDLP.
Solution

Deploying the FortiDLP Agent using Jamf can be broken down into three main stages:

  1. Installing the required MDM profiles for System extensions and optional profiles for Browser extensions and other agent configuration settings.
  2. Installing the FortiDLP software PKG.
  3. Enrolling the agent after installation.

 

This article is written for macOS Big Sur (11) or later only. Users who need to deploy to macOS Catalina should contact Support.

 

Where MDM profiles already exist for managing system or browser extensions, the FortiDLP payloads can be added to those existing profiles instead of deploying the profiles from the accessory bundle. For the browser extension, all required browser extension payloads must be delivered by a single MDM profile. An outline of the required payloads is included at the bottom of this article under Manual configuration.

 

Installing MDM Profile(s).

 

Allow System Extensions, Grant Full Disk Access, and Configure the Content Filter:

  1. Download and extract the latest version of the macOS accessory bundle from the FortiDLP Agent Downloads page.
  2. Log in to Jamf Pro and select Computers -> Configuration Profiles.
  3. Select the Upload button.
  4. Select Choose File.
  5. Select the systemExtensions.mobileconfig configuration file from the extracted macOS accessory bundle and select Open.
  6. Select Upload.
  7. Select the Options tab -> General and enter the name FortiDLP Agent System Extensions. A category is optional.
  8. Select the Scope tab, assign the desired Target Computers, then select Save.

 

Allowing Notifications and Managed Login Items:

For the FortiDLP Agent to display notifications, for example during a network isolation or a USB file transfer, Notification permissions must be allowed. The Managed Login Items rules added in the same profile stop users from switching the agent's background items off under System Settings -> General -> Login Items on macOS 13 and later.

 

  1. Log in to Jamf Pro and select Computers -> Configuration Profiles.
  2. Select the + New button.
  3. Enter a Name for the Configuration Profile: FortiDLP - Notifications.
  4. Select the Options tab -> Notifications -> Add.
  5. In the New Notifications Settings section, enter the following information:
    • App Name: FortiDLP Agent Helper.
    • Bundle ID: uk.ava.reveal.Reveal-Agent-Helper.
    • Critical Alerts: Enable and include.
    • Notifications: Enable and include.
      • Banner alert type: Temporary and include.
      • Notifications on Lock screen: Display and include.
      • Notifications in Notification Center: Display and include.
      • Badge app icon: Display and include.
      • Play sound for notifications: Enable.
  6. Navigate to Managed Login Items and add four rules:
    • Team Identifier = JE7N8449S9
    • Label Prefix = com.jazznetworks
    • Label Prefix = NetworkExtension.uk.ava.reveal
    • Label Prefix = JE7N8449S9.uk.ava.reveal
  7. Select the Scope tab, assign the desired Target Computers, then select Save.

 

Install the FortiDLP Browser Extension:

To enable web monitoring on a device running macOS 11 or later, deploy the FortiDLP Browser Extension.

It is recommended that these steps are performed and the signed profile deployed before the Agent package is installed. Jamf Pro parses unsigned profiles on upload and rewrites them on delivery, which can drop payload keys it does not natively support; a signed profile is delivered to the managed device as uploaded, so this profile must be signed for all of its payloads to reach the device. The steps below sign the profile with a certificate issued from a CSR by the Jamf Pro built-in CA (not a public CA); any certificate and private key the organization controls can be substituted.

 

  1. Create a Certificate Signing Request (CSR) and a private key file:

openssl req -out ~/Desktop/CSR.csr -new -newkey rsa:2048 -nodes -keyout ~/Desktop/privateKey.key

The -nodes option writes the private key to disk unencrypted. Keep privateKey.key in an access-controlled location and delete it once signing is complete; anyone holding it can produce profiles that carry this signature.

  2. Respond to each prompt with the required information:

Country Name (2 letter code) []: Two-letter country code.
State or Province Name (full name) []: State name.
Locality Name (eg, city) []: City name.
Organization Name (eg, company) []: Company name.
Organizational Unit Name (eg, section) []: Department name.
Common Name (eg, fully qualified host name) []: Company name.
Email Address []: Any email address.
A challenge password []: (4 characters or more, optional).

The 'Common Name' field will appear in System Preferences (System Settings on macOS 13 and later) when this profile is installed.

  3. Copy the entire contents of the CSR (including the 'BEGIN' and 'END' lines) to the clipboard:

cat ~/Desktop/CSR.csr | pbcopy

  4. Log in to Jamf Pro and select Settings -> Global Management -> PKI Certificates.
  5. Select the Management Certificate Template tab -> Create Certificate From CSR button.
  6. Paste the contents of the clipboard into the CSR text area, change the Certificate Type dropdown to Web Server Certificate, and select the Create button.
  7. A new PEM certificate will be downloaded; its file name begins with the certificate subject (E=...). Rename this file to SigningCertificate.pem:

mv ~/Downloads/E=* ~/Downloads/SigningCertificate.pem

  8. Download and extract the latest version of the macOS accessory bundle.
  9. Run the following command to sign browserInstall.mobileconfig with the signing certificate and private key:

openssl smime -sign -signer ~/Downloads/SigningCertificate.pem -inkey ~/Desktop/privateKey.key -nodetach -outform der -in ~/Downloads/agent-accessory/browserInstall.mobileconfig -out ~/Desktop/browserInstall-Signed.mobileconfig

  10. Log in to Jamf Pro and select Computers -> Configuration Profiles.
  11. Select the Upload button.
  12. Select Choose File.
  13. Select the browserInstall-Signed.mobileconfig configuration file from the Desktop and select Open.
  14. Select Upload.
  15. Select the Scope tab, assign the desired Scope, then select Save.
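Before uploading a signed profile it is worth confirming that the signature verifies against the issuing CA and that every payload survived the signing step. The script below is an added example, not code from this article or from the FortiDLP accessory bundle: it runs the same openssl smime command as step 9 against a constructed stand-in for browserInstall.mobileconfig, verifies the result, checks that the payload count is unchanged, and confirms that a tampered copy is rejected. The self-signed certificate it generates is a stand-in for the one Jamf Pro issues from the CSR; in production, pass SigningCertificate.pem and the privateKey.key that produced the CSR, and verify against the Jamf Pro built-in CA certificate rather than the signer itself. All file names and the sample Chrome payload are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article or FortiDLP): sign a
# .mobileconfig as the article does, then verify it before upload.
# Needs the openssl CLI (1.1.1 or 3.x).
set -eu

# Throwaway self-signed certificate standing in for the Jamf-issued one.
make_test_signer() {            # $1 = output directory
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Corp Profile Signing/O=Example Corp" \
    -keyout "$1/privateKey.key" -out "$1/SigningCertificate.pem" 2>/dev/null
}

# Constructed stand-in for browserInstall.mobileconfig: one managed-Chrome
# payload with a placeholder extension ID.
write_sample_profile() {        # $1 = output path
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.browserInstall</string>
  <key>PayloadUUID</key><string>0F1E2D3C-0000-4000-8000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.google.Chrome</string>
      <key>PayloadIdentifier</key><string>example.browserInstall.chrome</string>
      <key>PayloadUUID</key><string>0F1E2D3C-0000-4000-8000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ExtensionInstallForcelist</key>
      <array><string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://clients2.google.com/service/update2/crx</string></array>
    </dict>
  </array>
</dict>
</plist>
EOF
}

# The article's command: CMS/PKCS#7 signature with the profile embedded
# (-nodetach) and DER output.
sign_profile() {                # $1 = unsigned profile, $2 = cert, $3 = key, $4 = output
  openssl smime -sign -signer "$2" -inkey "$3" -nodetach -outform der -in "$1" -out "$4"
}

# Check the signature against a trust anchor and extract the embedded plist.
# Non-zero on a bad signature, an untrusted signer, or a modified file.
verify_profile() {              # $1 = signed profile, $2 = CA file, $3 = extracted plist
  openssl smime -verify -inform der -in "$1" -CAfile "$2" -out "$3" 2>/dev/null
}

# Number of payload dictionaries in a profile (root dict plus each PayloadContent entry).
count_payloads() {              # $1 = plist
  grep -c '<key>PayloadType</key>' "$1"
}

# End-to-end check. Prints "ok" when the signed profile verifies, still carries
# every payload, and a tampered copy is rejected.
sign_and_check() {
  dir=$(mktemp -d)
  make_test_signer "$dir"
  write_sample_profile "$dir/browserInstall.mobileconfig"
  sign_profile "$dir/browserInstall.mobileconfig" "$dir/SigningCertificate.pem" \
    "$dir/privateKey.key" "$dir/browserInstall-Signed.mobileconfig"
  if ! verify_profile "$dir/browserInstall-Signed.mobileconfig" \
      "$dir/SigningCertificate.pem" "$dir/verified.plist"; then
    echo "signature-invalid"; rm -rf "$dir"; return 1
  fi
  before=$(count_payloads "$dir/browserInstall.mobileconfig")
  after=$(count_payloads "$dir/verified.plist")
  # Overwrite one byte inside the embedded plist: the digest must no longer match.
  cp "$dir/browserInstall-Signed.mobileconfig" "$dir/tampered.mobileconfig"
  dd if=/dev/zero of="$dir/tampered.mobileconfig" bs=1 count=1 seek=120 conv=notrunc 2>/dev/null
  if verify_profile "$dir/tampered.mobileconfig" "$dir/SigningCertificate.pem" "$dir/tampered.plist"; then
    echo "tamper-accepted"; rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  if [ "$before" -eq "$after" ]; then echo "ok"; else echo "payload-mismatch"; return 1; fi
}
```

Run sign_and_check once after step 9; a result other than ok means the file on the Desktop should not be uploaded. The same verify_profile call, pointed at the Jamf Pro built-in CA certificate, is also a quick way to confirm that a profile downloaded back from Jamf Pro has not been rewritten.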

 

Disable DNS over HTTPS (optional):

Follow the same process as the Browser Extension installation above, using dnsOverHttps.mobileconfig in place of browserInstall.mobileconfig.

 

Any policies that rely on DNS resolution (for example Suspicious DNS request) will not function if DNS over HTTPS is used, because the queries are carried inside encrypted HTTPS sessions that the agent's network filter cannot inspect.

 

Disable Private Browsing (optional):

Follow the same process as the Browser Extension installation above, using privateBrowsing.mobileconfig in place of browserInstall.mobileconfig.

 

Browser events cannot be collected by the FortiDLP Agent Browser Extension while users are in a private browsing mode, and the extension cannot be enabled for private browsing administratively without user interaction. Disabling private browsing entirely is therefore required for full visibility.

 

Deploy an auto-provisioned or externally managed (static) certificate for the FortiDLP Email Add-in:

The FortiDLP Email Add-in requires a trusted certificate to communicate with the FortiDLP Agent. It is possible to use one that is automatically provisioned by FortiDLP or one that is externally managed by the organization:

  • When using an auto-provisioned certificate, download or copy the contents of the root certificate from the FortiDLP console (referred to as Reveal in older documentation) and install it in the keychain. The Agent then automatically creates a local certificate signed by that root. The root certificate requires renewal after five years.

  • When using an externally managed certificate, upload the private key file and certificate file to FortiDLP and then install the root certificate in the keychain. The key and certificate must be PEM encoded, and the certificate must have a Subject Alternative Name (SAN) extension containing the IP address 127.0.0.1.

 

  1. Generate a certificate using either of the above methods. If using the FortiDLP console, navigate to Admin -> Microsoft.
  2. Select 'Download certificate'. This downloads a PEM certificate.
  3. Jamf does not accept PEM-encoded certificates for upload, so convert the file to one of .cer, .der, .p12, or .pfx. The following command converts the PEM file into a DER-encoded .cer file:

openssl x509 -inform PEM -in ~/Downloads/outlook_root_ca.pem -outform DER -out ~/Downloads/outlook_root_ca.cer

  4. Log in to Jamf Pro and select Computers -> Configuration Profiles.
  5. Select the + New button.
  6. Enter a Name for the Configuration Profile: FortiDLP Outlook Add-in Cert.
  7. Select the Certificate option and then Configure.
  8. Enter the Certificate Name Outlook Add-in Root CA and select Allow all app access.
  9. Choose Upload for the Select Certificate Option, then select Upload Certificate.
  10. Select Choose File.
  11. Navigate to the outlook_root_ca.cer certificate that was generated in step 3 and select Upload.
  12. Select the Scope tab, assign the desired Target Computers, then select Save.
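When an externally managed certificate is used, the requirements above (PEM encoding, a SAN containing 127.0.0.1, and a key that actually matches the certificate) are easy to get wrong and only show up later as an add-in that cannot reach the agent. The script below is an added example, not code from this article or from FortiDLP: it checks those requirements and then performs the same PEM-to-DER conversion as step 3. The make_test_cert helper only produces constructed self-signed test material (it needs the -addext option of OpenSSL 1.1.1 or later, which the LibreSSL build shipped with macOS lacks); file and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the Fortinet article or FortiDLP): validate an
# externally managed add-in certificate, then convert it to the DER .cer
# file Jamf accepts.
set -eu

# 0 if the file is a PEM certificate that openssl can parse, 1 otherwise.
is_pem_cert() {                 # $1 = file
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && openssl x509 -in "$1" -noout 2>/dev/null
}

# 0 if the certificate's subjectAltName lists IP Address:127.0.0.1.
# Uses -text rather than -ext so it also works with LibreSSL.
has_loopback_san() {            # $1 = PEM certificate
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'IP Address:127\.0\.0\.1'
}

# 0 if the private key belongs to the certificate (public keys compared).
key_matches_cert() {            # $1 = PEM cert, $2 = PEM key
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# PEM -> DER, the same conversion as in the article.
pem_to_der() {                  # $1 = PEM in, $2 = DER out
  openssl x509 -inform PEM -in "$1" -outform DER -out "$2"
}

# Full check; prints "ok" or the first failing requirement.
check_addin_cert() {            # $1 = cert.pem, $2 = key.pem, $3 = out.cer
  is_pem_cert "$1"            || { echo "not-pem-certificate"; return 1; }
  has_loopback_san "$1"       || { echo "missing-san-127.0.0.1"; return 1; }
  key_matches_cert "$1" "$2"  || { echo "key-mismatch"; return 1; }
  pem_to_der "$1" "$3"
  openssl x509 -inform DER -in "$3" -noout 2>/dev/null || { echo "der-unreadable"; return 1; }
  echo ok
}

# Constructed test material: a self-signed cert with the loopback SAN and one
# without. Stand-ins for an organization-issued certificate, not real CA output.
make_test_cert() {              # $1 = dir, $2 = "with" | "without"
  if [ "$2" = with ]; then san="-addext subjectAltName=IP:127.0.0.1"; else san=""; fi
  # $san is intentionally unquoted so it expands to two arguments (or none).
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -subj "/CN=FortiDLP Add-in $2" \
    $san -keyout "$1/key-$2.pem" -out "$1/cert-$2.pem" 2>/dev/null
}
```

Usage: check_addin_cert ~/Downloads/outlook_root_ca.pem ~/Downloads/outlook_root_ca.key ~/Downloads/outlook_root_ca.cer, and upload the .cer only when the result is ok. The key-match check matters because FortiDLP receives the key and certificate as two separate uploads.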

 

 

Installing the FortiDLP Agent & Enrolling using a single Profile.

Fortinet packages the FortiDLP Agent as a standard macOS .pkg file. However, for the agent to communicate with the FortiDLP platform, a short enrollment step must be performed after the software has been installed. Jamf can run a script after the package installs that completes this step automatically.

 

Note:

Disable Self-Service or User Interaction for the FortiDLP Agent deployment.

 

Software package (.pkg) deployment:

  1. Download the latest version of the FortiDLP Agent.
  2. Log in to Jamf Pro and select Computers -> Management Settings.
  3. Select Computer Management -> Packages.
  4. Select New.
  5. Select the General tab -> Choose File button.
  6. Select the FortiDLP Agent .pkg and select Open.
  7. Select Save.
  8. Once the upload is finished, select Edit -> General tab -> Display Name, enter a name for the package (FortiDLP Agent), then select Save.
  9. Select Computers -> Management Settings.
  10. Select Computer Management -> Scripts.
  11. Select New.
  12. Select the General tab -> Display Name and enter a name for the script, for example FortiDLP Agent Enrollment - <tenantname>.
  13. Select the Script tab and enter the following code, replacing <enrollment code> with an enrollment code obtained from the FortiDLP platform under Admin -> Agent Deployment:

#!/bin/bash
# Give the .pkg postinstall time to finish before enrolling.
sleep 60
# Jamf runs policy scripts as root, so sudo is not strictly required here.
sudo /Library/Application\ Support/Ava/Reveal/agent/agent enroll <enrollment code>

Note:

The sleep command in the snippet above allows time for the agent to finish installing and start before the enrollment is issued. Treat the enrollment code as a secret: anyone with it can enroll a machine into the tenant.

  14. Select Save.
  15. Select Computers -> Policies.
  16. Select New.
  17. Select the Options tab -> Display Name and type a name for the policy: FortiDLP Agent - Install and enroll.
  18. Set the Trigger to Recurring Check-in.
  19. Set the Execution Frequency to Once per computer.
  20. Select the Options tab -> Packages -> Configure.
  21. Select the FortiDLP Agent package from the list and select the Add button.
  22. Select the Options tab -> Scripts -> Configure.
  23. Select the Add button next to the FortiDLP Agent Enrollment script and leave its Priority set to After, so it runs once the package has been installed.
  24. Select the Scope tab, assign the desired Target Computers, then select Save.

 

Jamf should deploy the FortiDLP Agent on the next check-in (usually every 15 minutes). To force the check-in process, run the following commands from a terminal on the target machine:

 

sudo jamf recon && sudo jamf policy
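The fixed sleep in the enrollment script above is a guess at how long the package takes to install, and a hard-coded enrollment code ends up stored in the Jamf script body. The script below is an added example, not a script from this article or from FortiDLP: it polls for the agent binary instead of sleeping, reads the enrollment code from Jamf script parameter 4 (set under the policy's Scripts payload, so it is not stored in the script itself), never echoes the code into the policy log, and returns a non-zero exit status so a failed enrollment shows up as a failed policy in Jamf. The AGENT_BIN and ENROLL_TIMEOUT variables and the parameter-4 convention are assumptions; Jamf itself passes the mount point, computer name and username as $1 to $3, which is why main only runs when at least three arguments are present.

```shell
#!/bin/bash
# Added example (not from the Fortinet article or FortiDLP): a hardened
# replacement for the enrollment script. Deploy as a Jamf script and put the
# enrollment code in script parameter 4 of the policy.
set -u

AGENT_BIN="${AGENT_BIN:-/Library/Application Support/Ava/Reveal/agent/agent}"
ENROLL_TIMEOUT="${ENROLL_TIMEOUT:-300}"   # seconds to wait for the .pkg to finish

# Poll until the agent binary exists and is executable, or give up after $2 seconds.
# Returns 0 when ready, 1 on timeout.
wait_for_agent() {                      # $1 = path, $2 = timeout seconds
  waited=0
  while [ ! -x "$1" ]; do
    if [ "$waited" -ge "$2" ]; then
      return 1
    fi
    sleep 5
    waited=$((waited + 5))
  done
  return 0
}

# Run the enrollment. The code is passed as an argument and never printed.
# Returns 2 if no code was supplied, otherwise the agent's own exit status.
enroll_agent() {                        # $1 = path, $2 = enrollment code
  if [ -z "$2" ]; then
    echo "enrollment code missing (set Jamf script parameter 4)" >&2
    return 2
  fi
  "$1" enroll "$2" >/dev/null 2>&1
}

# Jamf passes custom parameters starting at $4.
main() {
  code="${4:-}"
  if ! wait_for_agent "$AGENT_BIN" "$ENROLL_TIMEOUT"; then
    echo "agent binary not found at $AGENT_BIN after ${ENROLL_TIMEOUT}s" >&2
    exit 1
  fi
  if enroll_agent "$AGENT_BIN" "$code"; then
    echo "FortiDLP agent enrolled"
  else
    echo "FortiDLP agent enrollment failed" >&2
    exit 1
  fi
}

# Jamf always supplies at least three positional parameters; only then run.
if [ "$#" -ge 3 ]; then
  main "$@"
fi
```

With this script the policy log records whether enrollment succeeded, and a machine whose package install was slow or failed is retried on the next check-in instead of silently ending up installed but unenrolled.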

 

Manual configuration.

Where MDM profiles already exist for managing system or browser extensions, customers may choose to add the FortiDLP payloads to those existing profiles. For the browser extension, all required browser extension payloads must be delivered by a single MDM profile.

 

System extension settings:

Approval for the FortiDLP Agent System Extensions, Content Filter, and Full Disk Access is included in the systemExtensions.mobileconfig configuration file shipped in the macOS accessory bundle. For administrators who prefer to create their own configuration profiles, the required payloads are listed below.

 

System Extensions:

  • Team Identifier: JE7N8449S9
  • Allowed System Extensions:
    • uk.ava.reveal.agent.eps
    • uk.ava.reveal.agent.net

 

Content Filter:

  • Filter Name: FortiDLP Agent Network Extension Config Profile
  • Identifier: uk.ava.reveal.Reveal-Agent
  • Socket Filter:
    • Socket Filter Bundle Identifier: uk.ava.reveal.agent.net
    • Socket Filter Designated Requirement:

 

anchor apple generic and identifier "uk.ava.reveal.agent.net" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JE7N8449S9)

 

Network Filter:

    • Network Filter Bundle Identifier: uk.ava.reveal.agent.net
    • Network Filter Designated Requirement:

 

identifier "uk.ava.reveal.agent.net"

 

Full Disk Access (Privacy Preferences Policy Control):

  • Identifier: uk.ava.reveal.agent.eps
  • Code Requirement:

 

anchor apple generic and identifier "uk.ava.reveal.agent.eps" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = JE7N8449S9)

 

  • App or Service: SystemPolicyAllFiles
  • Access: Allow

 

Browser extension and DNS/Private Browsing settings:

Payloads for the Reveal Browser Extension are available in the following article: Deploying macOS agents using Mobile Device Management (MDM) solutions.