FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
kwernecke
Staff
Article Id 239448
Description

 

This article describes troubleshooting tips for FortiEDR macOS Collectors.

 

Scope

 

FortiEDR macOS Collectors v4.1.x and v6.0.x.

 

Solution

 

Troubleshooting macOS Collector.

 

Uninstall from Manager:

 

  1. The macOS Collector can be uninstalled from the Manager. See the steps in the screenshot below.

[Screenshot: kwernecke_0-1670888086007.png, uninstalling the Collector from the Manager]

 

Uninstall with script:

  1. sudo /Applications/FortiEDR.app/fortiedr_collector.sh stop {registration password}
  2. sudo /Applications/FortiEDR.app/fortiedr_uninstaller.sh
  3. Manually remove the FortiEDR files from the Full Disk Access list, as they will not be removed automatically. This is by design of Apple macOS.
  4. Reboot.

 

Version 6.0+:

 

sudo /Applications/FortiEDR.app/Contents/Library/LaunchServices/fortiedr_uninstaller.sh
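The uninstall sequence differs between the 4.1 and 6.0+ layouts. The helper below is an added example, not Fortinet's script and not part of this article: it detects which layout is installed by checking for the uninstaller path, then prints (dry run, the default) or runs the commands listed above. The PREFIX argument, the run/dry-run mode, the FORTIEDR_MODE variable and the function names are this example's own; the paths, commands and the Full Disk Access reminder come from the article.

```shell
#!/bin/sh
# Added example, not Fortinet's script: choose the uninstall sequence from the
# article that matches the Collector layout found on disk.
# Usage: fortiedr_uninstall PREFIX [REGISTRATION_PASSWORD] [run|dry-run]
#   PREFIX is normally "" (the live system); a scratch directory lets the
#   detection logic be exercised on a machine without a Collector.

# Report which layout is installed under PREFIX: "4.1", "6.0+" or "none".
fortiedr_layout() {
    prefix=${1:-}
    app="$prefix/Applications/FortiEDR.app"
    if [ -f "$app/Contents/Library/LaunchServices/fortiedr_uninstaller.sh" ]; then
        echo "6.0+"
    elif [ -f "$app/fortiedr_uninstaller.sh" ]; then
        echo "4.1"
    else
        echo "none"
    fi
}

# Execute a step in run mode; in dry-run mode print it instead.
fortiedr_step() {
    if [ "$FORTIEDR_MODE" = run ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

fortiedr_uninstall() {
    prefix=${1:-}
    password=${2:-}
    FORTIEDR_MODE=${3:-dry-run}
    app="$prefix/Applications/FortiEDR.app"
    # Never echo the real registration password in a dry run.
    [ "$FORTIEDR_MODE" = run ] || password='{registration password}'
    case "$(fortiedr_layout "$prefix")" in
        4.1)
            # 4.1: stop the collector (needs the registration password), then uninstall.
            fortiedr_step sudo "$app/fortiedr_collector.sh" stop "$password"
            fortiedr_step sudo "$app/fortiedr_uninstaller.sh"
            ;;
        6.0+)
            fortiedr_step sudo "$app/Contents/Library/LaunchServices/fortiedr_uninstaller.sh"
            ;;
        *)
            echo "no FortiEDR Collector found under $app" >&2
            return 1
            ;;
    esac
    # Apple does not let the uninstaller clear the Full Disk Access entries.
    echo "next: remove the FortiEDR entries from Full Disk Access by hand, then reboot" >&2
}

# Dry run against the live system: prints the commands that would be executed.
fortiedr_uninstall "" "" dry-run || :
```

Run it with `fortiedr_uninstall "" "$password" run` once the printed commands look right; the stop step for 4.1 is deliberately issued before the uninstaller, matching the order in the article.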

 

Stopping and starting the collector in the terminal:

 

  1. Version 4.1: /Applications/FortiEDR.app/fortiedr_collector.sh stop and /Applications/FortiEDR.app/fortiedr_collector.sh start
  2. Version 6.0+: /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --stop

 

macOS Status:

 

In version 4.1, the same shell script is used for collector start/stop/status:

 

/Applications/FortiEDR.app/fortiedr_collector.sh status

 

The output will be along the lines of:

  1. Service: Up/Down
  2. Fortinet NetworkExtension: Up/Up (not enabled)/Down
  3. Fortinet EndPoint Extension: Up/Up (not enabled)/Down
  4. Fortinet Status: Enabled/Disabled

'(not enabled)' appears when the extension has not yet been approved in macOS.

 

Version 6.0+:

 

/Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --status
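Reading the status output by eye is fine on one host; across a fleet it helps to turn it into an exit code. The function below is an added example, not Fortinet's code: it reads the status text on stdin, flags the states described above (Down, Disabled, '(not enabled)') plus the Degraded state mentioned in the note at the end of this article, and succeeds only when every line is healthy. The function name, the ACTION/PROBLEM/OK labels and the sample status text are this example's own constructions.

```shell
#!/bin/sh
# Added example, not Fortinet's code: read the Collector status text on stdin
# and flag lines that need attention. Exit status 0 means every line is healthy.
#   4.1:  /Applications/FortiEDR.app/fortiedr_collector.sh status | fortiedr_check_status
#   6.0+: .../FortiEDRCollector --status | fortiedr_check_status
# The "key: value" line format and the Up/Down/Enabled/Disabled/(not enabled)/
# Degraded values come from the article; everything else here is assumed.

fortiedr_check_status() {
    problems=0
    while IFS= read -r line; do
        case "$line" in *:*) ;; *) continue ;; esac   # skip lines without "key: value"
        key=${line%%:*}
        value=${line#*:}
        value=${value# }                              # drop the space after the colon
        case "$value" in
            *"(not enabled)"*)
                echo "ACTION  $key: loaded but not approved yet - approve the extension in macOS"
                problems=$((problems + 1)) ;;
            *Degraded*)
                echo "PROBLEM $key: Degraded - reboot; on macOS Tahoe 26 also check the Collector is v6.1.0.1455 or later"
                problems=$((problems + 1)) ;;
            Down*|Disabled*)
                echo "PROBLEM $key: $value"
                problems=$((problems + 1)) ;;
            *)
                echo "OK      $key: $value" ;;
        esac
    done
    [ "$problems" -eq 0 ]
}

# Constructed sample in the article's output format (not captured from a real host).
SAMPLE_STATUS='Service: Up
Fortinet NetworkExtension: Up (not enabled)
Fortinet EndPoint Extension: Up
Fortinet Status: Enabled'

if printf '%s\n' "$SAMPLE_STATUS" | fortiedr_check_status; then
    echo "collector healthy"
else
    echo "collector needs attention"
fi
```

The '(not enabled)' case is reported separately from Down because the fix is different: the extension is loaded and only waits for approval, so no reinstall is needed.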

 

Help commands:

  1. Version 4.1: /Applications/FortiEDR.app/fortiedr_collector.sh --help (use the help command to see additional commands)
  2. Version 6.0+: /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --help

 

Bootstrap path:

 

/Library/Application Support/FortiEDR/Config/Collector/CollectorBootstrap.jsn

 

Show system extensions:

 

systemextensionsctl list

 

Remove system extensions (Another way to remove stale extensions manually):

 

  1. Boot into Recovery Mode.
  2. Open Utilities/Terminal.
  3. Run 'csrutil disable'.
  4. Reboot.
  5. In the terminal, run:

sudo systemextensionsctl uninstall A97R6J3L29 com.ensilo.ftnt

sudo systemextensionsctl uninstall A97R6J3L29 com.ensilo.ftnt.sysext

  6. Boot into Recovery Mode.
  7. Open Utilities/Terminal.
  8. Run 'csrutil enable'.
  9. Reboot.

 

Additional troubleshooting steps:

  1. Uninstall and reinstall fresh, as listed earlier in this article.
  2. Use the other commands to confirm it is removed.
  3. It is necessary to manually remove the FortiEDR files from Full Disk Access (FDA) by highlighting the files and selecting the '-' sign.
  4. Reboot.
  5. Confirm the FortiEDR files are gone from FDA after the reboot.
  6. Run this command:

 

systemextensionsctl list

 

  7. Confirm FortiEDR extensions are not in the list.
  8. If it is clean, run a fresh new install:
  • Approve the extensions.
  • Grant the FortiEDR files Full Disk Access.
  • Look in the console to see what the status shows. If it is degraded, reboot.
  • Check that the FortiEDR files are selected again in FDA; there should be 2 or 3 in the list (reboot to be sure).
  • Run this command in Terminal and check the output:

 

systemextensionsctl list
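Both 'Show system extensions' above and the confirmation steps here boil down to checking the `systemextensionsctl list` output for the FortiEDR extensions (team ID A97R6J3L29, bundle IDs com.ensilo.ftnt and com.ensilo.ftnt.sysext, as named in this article). The functions below are an added example, not Fortinet's or Apple's code: one filters the list output down to the FortiEDR entries and their bracketed state, one succeeds only when none remain (after an uninstall), and one succeeds only when every FortiEDR entry reports 'activated enabled' (after a reinstall). The function names are this example's own, and the sample listing is constructed with an approximated column layout; the logic relies only on the bundle ID and the bracketed state at the end of each line.

```shell
#!/bin/sh
# Added example, not Fortinet's or Apple's code: filter `systemextensionsctl list`
# output for the FortiEDR extensions named in the article (team ID A97R6J3L29,
# bundle IDs com.ensilo.ftnt and com.ensilo.ftnt.sysext).
#   after uninstall:  systemextensionsctl list | fortiedr_sysext_absent
#   after reinstall:  systemextensionsctl list | fortiedr_sysext_healthy
# Column layout of the sample is approximated; only the bundle ID and the
# bracketed state at the end of each entry line are used.

# Print "bundleID state" for every FortiEDR entry; succeed only if one was found.
fortiedr_sysext_state() {
    found=0
    while IFS= read -r line; do
        case "$line" in *A97R6J3L29*|*com.ensilo.ftnt*) ;; *) continue ;; esac
        bundle=$(printf '%s\n' "$line" | sed -n 's/.*\(com\.ensilo\.ftnt[^[:space:]]*\).*/\1/p')
        state=$(printf '%s\n' "$line" | sed -n 's/.*\[\(.*\)\].*/\1/p')
        printf '%s %s\n' "${bundle:-unknown-bundle}" "${state:-unknown}"
        found=$((found + 1))
    done
    [ "$found" -gt 0 ]
}

# Succeed when no FortiEDR extension is listed (what a clean uninstall should show).
fortiedr_sysext_absent() {
    ! fortiedr_sysext_state >/dev/null
}

# Succeed when at least one FortiEDR extension is listed and all are activated and enabled.
fortiedr_sysext_healthy() {
    fortiedr_sysext_state | {
        any=0
        bad=0
        while read -r bundle state; do
            any=1
            [ "$state" = "activated enabled" ] || { echo "$bundle: $state" >&2; bad=1; }
        done
        [ "$any" -eq 1 ] && [ "$bad" -eq 0 ]
    }
}

# Constructed sample listing (not captured from a real host): one extension
# approved and running, one still waiting for the user to approve it.
SAMPLE_LIST='2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled active teamID bundleID (version) name [state]
* * A97R6J3L29 com.ensilo.ftnt.sysext (6.0.0/1) FortiEDR Endpoint Extension [activated enabled]
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    A97R6J3L29 com.ensilo.ftnt (6.0.0/1) FortiEDR Network Extension [activated waiting for user]'

if printf '%s\n' "$SAMPLE_LIST" | fortiedr_sysext_healthy; then
    echo "all FortiEDR extensions activated and enabled"
else
    echo "FortiEDR extensions missing or not yet approved"
fi
```

`fortiedr_sysext_absent` is the check to run after the Recovery Mode removal steps above; anything it still lists was not uninstalled and is the entry to pass to `systemextensionsctl uninstall`.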

 

Gather logs:

  1. Version 4.1: /Applications/FortiEDR.app/FortiEDRCollector --support
  2. Version 6.0+: /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --support

 

If there is still a problem, check whether an app crashed by viewing the crash reports:

  1. Crash reports are stored under ~/Library/Logs/DiagnosticReports/.
  2. To get there, first open Finder.
  3. Hold the Option key and select 'Go' in the menu bar:
  • Select 'Library'.
  • Select the Logs folder.
  • Select the DiagnosticReports folder.
  • Open the file that says 'Crash'.
  • Look for a file whose timestamp is approximately the time of installation. Gather the .crash file.

 

Note:

For the latest macOS Tahoe 26 version, the recommended version is v6.1.0.1455 (requires Core v6.1.0.1270 or higher). If any lower version is installed in Tahoe 26, it will show a Degraded state when running the status command.

 
