FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
kwernecke (Staff)
Article Id 239448
Description

 

This article describes how to uninstall and reinstall the FortiEDR Collector on macOS.

Scope

 

Solution

 

Troubleshooting macOS Collector.

 

Uninstall from Manager:

 

1) The macOS Collector can be uninstalled from the FortiEDR Manager; see the steps in the screenshot below.

 

[Screenshot: uninstalling the macOS Collector from the Manager]

 

Uninstall with script:

 

1) sudo /Applications/FortiEDR.app/fortiedr_collector.sh stop {registration password}

2) sudo /Applications/FortiEDR.app/fortiedr_uninstaller.sh

3) Manually remove the FortiEDR entries from the Full Disk Access list, as they are not removed automatically. This is by design of Apple macOS.

4) Reboot.

 

Stopping and starting the collector in terminal:

 

1) /Applications/FortiEDR.app/fortiedr_collector.sh stop

2) /Applications/FortiEDR.app/fortiedr_collector.sh start

 

macOS STATUS:

 

The fortiedr_collector.sh shell script is used to start, stop and check the status of the collector.

1) /Applications/FortiEDR.app/fortiedr_collector.sh status

 

The output will be along the lines of:

1) Service: Up/Down

2) Fortinet NetworkExtension: Up/Up (not enabled)/Down

3) Fortinet EndPoint Extension: Up/Up (not enabled)/Down

4) Fortinet Status: Enabled/Disabled

'(not enabled)' appears when the extension has not yet been approved.

 

HELP COMMANDS:

1) /Applications/FortiEDR.app/fortiedr_collector.sh --help (run the help command to see the additional commands).

 

SHOW SYSTEM EXTENSIONS:

1) systemextensionsctl list

 

REMOVE SYSTEM EXTENSIONS:

(Another way to remove stale extensions manually.) Note that 'csrutil disable' turns off System Integrity Protection for the whole system, so re-enable it (steps 6 to 9) as soon as the extensions have been removed.

1) Boot into Recovery Mode.

2) Open Utilities/Terminal.

3) Run 'csrutil disable'.

4) Reboot.

5) In Terminal, run:

- sudo systemextensionsctl uninstall A97R6J3L29 com.ensilo.ftnt

- sudo systemextensionsctl uninstall A97R6J3L29 com.ensilo.ftnt.sysext

6) Boot into Recovery Mode.

7) Open Utilities/Terminal.

8) Run 'csrutil enable'.

9) Reboot.

 

Additional Troubleshooting steps:

1) Uninstall and reinstall fresh, as described earlier in this article.

2) Use the other commands to confirm it is removed.

3) Manually remove the FortiEDR entries from Full Disk Access (FDA) by highlighting them and selecting the '-' sign.

4) Reboot.

5) Confirm that the FortiEDR entries are still gone from FDA after the reboot.

6) Run this command: systemextensionsctl list

7) Confirm that the FortiEDR extensions are not in the list.

8) If it is clean, run a fresh new install:

- Approve the extensions.

- Give FDA to the FortiEDR files.

- Check the collector status in the console. Degraded? Reboot.

- Check that the FortiEDR files are selected again in FDA; there should be 2 or 3 entries in the list (reboot to be sure).

- Run this command in Terminal: systemextensionsctl list (What is the output?).

- Run this command in Terminal: /Applications/FortiEDR.app/fortiedr_collector.sh status (What is the output?).

- (Screenshots help for documenting every step of the way.)
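As an added example (not part of the Fortinet article), the POSIX shell functions below parse the 'fortiedr_collector.sh status' output described in the macOS STATUS section and the 'systemextensionsctl list' output from the steps above, flagging components that are Down, not yet approved or Disabled, and counting FortiEDR extensions (team ID A97R6J3L29) still registered after an uninstall. The sample outputs are constructed, and the column layout of the systemextensionsctl line is an assumption.

```shell
#!/bin/sh
# Added example, not from the Fortinet article: parse the output of
# "fortiedr_collector.sh status" and "systemextensionsctl list" so a
# technician can see at a glance whether the collector is healthy and
# whether FortiEDR system extensions are still registered after an uninstall.

# Print every component that is Down, not yet approved ("(not enabled)")
# or Disabled, and return 1 if any was found; return 0 when all are healthy.
# $1 is the text of "fortiedr_collector.sh status" (format as in the article).
check_collector_status() {
    rc=0
    while IFS= read -r line; do
        case "$line" in
            *"(not enabled)"*)            echo "NOT APPROVED: $line"; rc=1 ;;
            *": Down"*)                   echo "DOWN: $line";         rc=1 ;;
            "Fortinet Status: Disabled"*) echo "DISABLED: $line";     rc=1 ;;
        esac
    done <<EOF
$1
EOF
    return $rc
}

# Count lines of "systemextensionsctl list" output that carry the FortiEDR
# team ID (A97R6J3L29, the ID used in the article's uninstall commands).
# Anything above 0 after an uninstall means a stale extension remains.
# $1 is the text of "systemextensionsctl list".
count_fortiedr_extensions() {
    printf '%s\n' "$1" | grep -c 'A97R6J3L29' || true
}

# Constructed sample outputs (not captured from a real host). The column
# layout of the systemextensionsctl line is an assumption for illustration.
SAMPLE_STATUS_UNAPPROVED='Service: Up
Fortinet NetworkExtension: Up (not enabled)
Fortinet EndPoint Extension: Up (not enabled)
Fortinet Status: Enabled'

SAMPLE_SYSEXT_LIST='--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * A97R6J3L29 com.ensilo.ftnt (VERSION) FortiEDR [activated enabled]'

if check_collector_status "$SAMPLE_STATUS_UNAPPROVED"; then
    echo "collector healthy"
else
    echo "collector needs attention: approve the extensions, then re-check"
fi
echo "FortiEDR extensions registered: $(count_fortiedr_extensions "$SAMPLE_SYSEXT_LIST")"
```

On a real host, feed the functions live output, for example check_collector_status "$(/Applications/FortiEDR.app/fortiedr_collector.sh status)".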

 

GATHER LOGS:

1) On macOS, run: /Applications/FortiEDR.app/FortiEDRCollector --support

2) The resulting support package is found in /Library/Caches/TemporaryItems/.

 

If there is still a problem, check whether an app crashed. CRASH REPORTS:

1) Check for an app crash in ~/Library/Logs/DiagnosticReports/.

2) Steps to access it:

3) Go to Finder.

4) Press and hold the Option key, then select 'Go' (while still pressing the Option key):

- Select 'Library'.

- Select the Logs folder.

- Select the DiagnosticReports folder.

- Open the file that says 'Crash'.

- Look for a crash file whose timestamp is approximately the time of the install, and gather that crash file.

 

Related documents:

https://community.fortinet.com/t5/FortiEDR/FortiEDR-Collector-installation-on-a-Mac-Big-Sur-Operatin...

Technical Tip: Automated installation collector deployment on a Mac Big Sur Operating System Device Using Jamf PRO:
https://community.fortinet.com/t5/FortiEDR/Technical-Tip-Automated-installation-collector-deployment...


Linux collector troubleshooting tip: https://community.fortinet.com/t5/FortiEDR/Troubleshooting-Tip-nbsp-Linux-Installation-collector/ta-...
