Description
This article describes troubleshooting tips for FortiEDR macOS Collectors.
Scope
FortiEDR macOS Collectors 4.1.x and 6.0.x.
Solution
Troubleshooting macOS Collector.
Uninstall from Manager:
- MacOS can be uninstalled via the manager. See the steps in the screenshot below.
Uninstall with script:
- sudo /Applications/FortiEDR.app/fortiedr_collector.sh stop {registration password}
- sudo /Applications/FortiEDR.app/fortiedr_uninstaller.sh
- Manually remove FortiEDR files in the list of Full Disk Access as they will not be removed automatically. This is by Design of Apple macOS.
- Reboot.
Version 6.0+.
- sudo /Applications/FortiEDR.app/Contents/Library/LaunchServices/fortiedr_uninstaller.sh
Stopping and starting the collector in terminal:
- Version 4.1: /Applications/FortiEDR.app/fortiedr_collector.sh stop and /Applications/FortiEDR.app/fortiedr_collector.sh start
- Version 6.0+: /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --stop
macOS Status:
This is the shell script that is used for collector start/stop/status:
- /Applications/FortiEDR.app/fortiedr_collector.sh status.
The output will be along the lines of:
- Service: Up/Down.
- Fortinet NetworkExtension: Up/Up (not enabled)/Down
- Fortinet EndPoint Extension: Up/Up (not enabled)/Down
- Fortinet Status: Enabled/Disabled
The '(not enabled)' should appear when the extension was not approved yet.
Version 6.0+
- /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --status
Help commands:
- Version 4.1: /Applications/FortiEDR.app/fortiedr_collector.sh --help (To see additional commands use the help command).
- Version 6.0+: /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --help
Show system extensions:
systemextensionsctl list
Remove system extensions:
(Another way to remove stale extensions manually.)
- Boot into Recovery Mode.
- Open Utilities/Terminal.
- Run 'csrutil disable'.
- Reboot
- In the terminal, run:
sudo systemextensionsctl uninstall A97R6J3L29 com.ensilo.ftnt.
sudo systemextensionsctl uninstall A97R6J3L29 com.ensilo.ftnt.sysext.
- Boot into Recovery Mode.
- Open Utilities/Terminal.
- Run 'csrutil enable'.
- Reboot.
Additional Troubleshooting steps:
- Uninstalling and reinstalling fresh as listed earlier in this article.
- Use the other commands to confirm it is removed.
- It is necessary to manually remove FortiEDR files from FDA by highlighting the files and selecting the '- 'sign.
- Reboot.
- Confirm FortiEDR files are removed after reboot from FDA
- Run this command:
systemextensionsctl list
- Confirm FortiEDR extensions are not in the list.
- If it is clean, run a fresh new install:
- Approve Extensions.
- Give FDA to FortiEDR files.
- Look in console to see what the status shows. If it is degraded, reboot.
- Check FortiEDR files are selected again in FDA - there should be 3 in the list or 2 (reboot to be sure).
- Run this command in Terminal and check the output:
systemextensionsctl list
Gather logs:
- Version 4.1: /Applications/FortiEDR.app/FortiEDRCollector --support.
- Version 6.0: /Applications/FortiEDR.app/Contents/MacOS/FortiEDRCollector.app/Contents/MacOS/FortiEDRCollector --support
If there is still a problem, check to see if there was an app that crashed by viewing crash reports:
- Check to see if an app crashed under ~/Library/Logs/DiagnosticReports/.
- To do so, first open Finder.
- Press the Option key and then select 'Go' (while pressing the Option key):
- Select 'Library'.
- Select the Logs folder.
- Select the DiagnosticReports folder.
- Open the file that says 'Crash'.
- Check for a file with approximately the same time of install. Gather the. crash file.
Related documents:
