FortiDLP
FortiDLP is a cloud-native endpoint DLP and insider-risk solution aimed at monitoring and preventing data theft on the endpoint, across Windows, macOS and Linux.
Anthony_E
Staff
Article Id 354456
Description: This article describes how to deploy the FortiDLP Agent to devices via Intune (Line-of-business).
Scope: FortiDLP.
Solution

Overview:

The FortiDLP Agent can either be deployed as an Intune Application or as a Line-of-Business (LOB) app. This article walks through deploying and enrolling the FortiDLP Agent via the Line-of-business method on Windows or macOS.

Methods:

Windows:

  • In the App type dropdown menu, select Line-of-business app:

  • Press Select.

  • Download the FortiDLP Agent Installer from our Support Portal: FortiDLP Agent.
  • Press Select app package file and upload the installer that was downloaded in the previous step:

  • Navigate to where the FortiDLP Agent Installer was downloaded and press OK.

  • In the App Information tab, enter the following information:
    • Name: FortiDLP Agent.
    • Description: FortiDLP Agent.
    • Publisher: Fortinet.
    • App install context: Device.
    • Ignore app version: Yes.
    • Command-line arguments:
      Make sure an enrollment token has been created in the FortiDLP UI with enough remaining uses and a sufficiently long expiry time for all the enrollments required, then set the command-line argument as follows:

 

ENROLL_CODE="<YOUR_ENROLLMENT_CODE>" /qn /norestart

For example:

ENROLL_CODE="v1.MIG3MCUTI2VkZ2UuZ2FtbWEuZGV2LmphenpuZXR3b3Jrcy5jb206NDQzMCIEIKll3DztXmHDyLrtEqLchLPZ…" /qn /norestart

    • Category: 0 selected.
    • Show this as a feature app in the Company Portal: No.

  • Select Next.
  • In the Required section in the Assignments tab, select Add group.

  • Search for the group to install the FortiDLP Agent onto.
  • Select Next.

  • In the Review + Create section, select Create.

The next time the devices in the assigned group(s) check in with Intune, it should attempt to install and enroll the agent.

macOS:

Creating the application for macOS is very similar to the process for Windows; however, the installation differs and can be viewed as three parts:

  • macOS requires specific permissions to be granted to the FortiDLP Agent.
  • Installation of the FortiDLP Agent.
  • Enrollment of the agent.

 

Creating configuration policies:

macOS requires permissions to be granted for the FortiDLP Agent to operate normally. These can be granted manually on a per-user basis or pre-approved via MDM (Intune). Pre-built configuration profiles are provided in the macOS agent-accessory bundle on the support portal (FortiDLP Agent). Deploy the following:

 

  • systemExtensions.mobileconfig
  • loginItemsandNotifications.mobileconfig
  • browserInstall.mobileconfig

These grant the system and network extensions the permissions they require, allow the browser extension to be installed, and suppress the notification and login-item prompts from the FortiDLP Agent.

 

Deployments vary, and pushing multiple browser-extension profiles through an MDM can cause conflicts. If force-installed browser extensions are already being pushed through an existing profile, add the FortiDLP extensions to that profile so there is a single consolidated source of extensions.

 

To add a configuration profile:

  • Navigate to the Devices -> macOS overview page and select Configuration Profiles.
  • Select the Create dropdown and select New Policy.
  • In the side panel that opens, set the Profile type to Templates and select the Custom template.
  • Give the Configuration Profile a name and description, then select Next.
  • On the Configuration Settings tab, give the profile a name (this is visible to the end user).
  • Select a deployment channel for the deployment.
  • In the Configuration profile file section, select the .mobileconfig file to add.

 


  • Then select Next.
  • Review the assignments for the groups to deploy this to, then select Next.
  • After reviewing the profile summary, select Create.

 

These profiles should then be assigned to the devices that will receive the FortiDLP Agent, so that the installation does not prompt the user for these permissions.

 

Installing the FortiDLP Agent:

  • Add a new application in Intune and select Line-of-business.
  • Download the FortiDLP Agent Installer from our Support Portal: FortiDLP Agent.
  • In the App Information tab, enter the following information:
    • Name: FortiDLP Agent.
    • Description: FortiDLP Agent.
    • Publisher: Fortinet.
    • Ignore app version: Yes.
    • Install as managed: No.
    • Included apps: several app bundle IDs are prepopulated; reduce the list to the following so that the agent's installation status is detected correctly:

 

      • com.jazznetworks.agent.JazzBrowserNative
      • com.jazznetworks.agent.LockHelper
      • uk.ava.reveal.Reveal-Agent
    • Category: 0 selected.
    • Show this as a feature app in the Company Portal: No.

Note that there are additional fields to help document the deployment. Populate these as necessary.

 

  • In the assignments tab, select the groups to deploy the agent to.

 

Enrolling the FortiDLP Agent:

To enroll the agent, push a shell script to the devices so that the agents can enroll in the FortiDLP Cloud. To do this:

  • Navigate to the macOS overview page and select Shell Scripts.
  • Select Add.
  • Provide a name and description:
    • Name: Enroll FortiDLP Agent.
    • Description: Script to perform FortiDLP Enrollment.
  • Insert the following script (substituting the enrollment code):

 

#!/bin/bash
# Give the Line-of-Business installer time to finish before enrolling.
sleep 60
# Enroll the agent with the enrollment code generated in the FortiDLP UI.
sudo /Library/Application\ Support/Ava/Reveal/agent/agent enroll <enrollment code>

 

  • With the following configurations:
    • Run the script as a signed-in user: No.
    • Hide script notifications on devices: Not configured.
    • Script frequency: Not configured.
    • Max number of times to retry if script fails: 3 times.
  • In the Assignments section, select the Groups to assign this script to.
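A more robust version of the enrollment script above, added here as an example and not Fortinet's own script: rather than a fixed 60-second sleep, it polls until the agent binary at the path above exists before running agent enroll, refuses to run with an unsubstituted placeholder, and never echoes the code into the script output. The ENROLL_CODE variable, the 600-second timeout and 15-second poll interval, and the assumption that agent enroll exits non-zero on failure are mine, not from the article.

```shell
#!/bin/bash
# Added example (not Fortinet's script): a more robust enrollment wrapper for
# the Intune macOS shell script. Instead of a fixed "sleep 60" it polls until
# the agent binary installed by the Line-of-Business app exists, then enrolls.
# Assumed (not from the article): the ENROLL_CODE variable, the 600 s timeout
# and 15 s poll interval, and that "agent enroll" exits non-zero on failure.

AGENT_BIN="/Library/Application Support/Ava/Reveal/agent/agent"  # path from the article
ENROLL_CODE="<enrollment code>"  # substitute the code generated in the FortiDLP UI

# wait_for_agent <path> <timeout_seconds> <poll_interval_seconds>
# Returns 0 as soon as <path> is an executable file, 1 if the timeout expires.
wait_for_agent() {
    path="$1"; timeout="$2"; interval="$3"; waited=0
    while [ "$waited" -lt "$timeout" ]; do
        [ -x "$path" ] && return 0
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 1
}

# enroll_agent <path> <code>
# Refuses to run with an empty or unsubstituted placeholder code. The code is
# passed only as an argument and never echoed, so it does not end up in the
# Intune script output or in the unified log.
enroll_agent() {
    path="$1"; code="$2"
    if [ -z "$code" ] || [ "$code" = "<enrollment code>" ]; then
        echo "enroll: no enrollment code configured" >&2
        return 2
    fi
    "$path" enroll "$code"
}

main() {
    if ! wait_for_agent "$AGENT_BIN" 600 15; then
        # Non-zero exit lets Intune's retry setting (3 times above) re-run the script.
        echo "enroll: agent binary not found after 600 s" >&2
        exit 1
    fi
    enroll_agent "$AGENT_BIN" "$ENROLL_CODE"
}

# Only enroll when running as root on macOS (how Intune runs device scripts);
# elsewhere the functions are defined but nothing runs, so they can be tested.
if [ "$(uname -s)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    main "$@"
fi
```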