Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Carl_Wallmark
Valued Contributor

FC 5.6 Shutdown

Has anyone managed to shut down FortiClient 5.6 manually when managed by EMS and you set a password lock?

Even after I click "Disconnect" and enter the password I cannot unlock FortiClient and shut it down. It works well in 5.4 but not in 5.6.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

Carl_Wallmark
Valued Contributor

I have created a ticket 2239521 if anyone from Fortinet wants to take a look.

Carl_Wallmark

According to support, this is by design.

It's impossible to shut down FortiClient manually when you have configured a "Settings Password" in the EMS profile.

FortiMess

This is insane.

 

Disabling AV completely for a short period of time as a troubleshooting technique to rule out AV as a factor/cause of an end user issue is a L1 task. Disabling AV to uninstall/update AV is also a L1 task (yep, we do this manually since FortiClient's update process is so unbelievably - yet believably, because it's Fortinet - convoluted).

 

Now we have a setting called "Password Lock Configuration" that does not actually unlock the configuration when you enter the password. Now we have L1 techs who apparently will need access to our AV console, and subsequently (since EMS cannot have multiple local users) either the AV console server or our management domain.

 

Yesterday a Fortinet rep told me on the phone that they are the leading and de facto information security company. He couldn't see it, but I rolled my eyes. EMS cannot even import a trusted cert, no MITM protection for our AV console?

 

Industry pioneers? Definitely.

Enterprise-ready functionality? Not so fast.

 

Edit: As of v1.2, EMS supports importing a CA-signed cert so you are no longer forced to use the self-signed one that it ships with.

Carl_Wallmark

Want to hear some more scary ****?

The GUI in FortiClient is a small webserver, so the functions are plain JavaScript.

As a normal user (no admin), take a copy of the forticlient.exe file, put it on your desktop.

Edit the file with Notepad++

Because FortiClient contains JavaScript, the functions are in plain text.

Find the password function. It will be something like this: "if password == password2 then bla bla"

Change the "==" to "!="

Save the file

Run it from the desktop, click on disconnect, enter any password you like, BOOM!! accepted and disconnected......

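A defender-side check for the scenario in the post above, added here as an example and not part of the original post or of any Fortinet tooling: it flags process starts where the client binary runs from outside its install directory or with an unexpected hash. The Sysmon-style field layout, the placeholder `TRUSTED_DIR` and the hash values are assumptions constructed for the example.

```python
import ntpath

# Assumptions (not from the thread): events are Sysmon Event ID 1 style
# process-creation records parsed into dicts, and TRUSTED_DIR is a
# placeholder for the client's real install directory on your endpoints.
TRUSTED_DIR = r"C:\PLACEHOLDER\ClientInstallDir"
CLIENT_NAME = "forticlient.exe"
KNOWN_GOOD_SHA256 = {"A" * 64}  # constructed stand-in for the vendor binary's hash


def sha256_of(hashes_field):
    """Extract the SHA256 value from a 'MD5=...,SHA256=...' Hashes string."""
    for part in hashes_field.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().upper()
    return None


def review_event(event):
    """Return the reasons a process start looks like a relocated or edited client."""
    image = event.get("Image", "")
    # OriginalFileName comes from the PE version resource, so it still names
    # the client when the copied file itself has been renamed.
    names = {ntpath.basename(image).lower(), event.get("OriginalFileName", "").lower()}
    if CLIENT_NAME not in names:
        return []
    reasons = []
    folder = ntpath.normcase(ntpath.normpath(ntpath.dirname(image)))
    if folder != ntpath.normcase(ntpath.normpath(TRUSTED_DIR)):
        reasons.append("outside install directory")
    if sha256_of(event.get("Hashes", "")) not in KNOWN_GOOD_SHA256:
        reasons.append("hash not in known-good set")
    return reasons


def findings(events):
    """List (user, image, reasons) for every suspicious client launch."""
    return [(e["User"], e["Image"], r) for e in events if (r := review_event(e))]


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"User": "CORP\\alice", "Image": TRUSTED_DIR + r"\FortiClient.exe",
     "OriginalFileName": "FortiClient.exe", "Hashes": "SHA256=" + "A" * 64},
    {"User": "CORP\\bob", "Image": r"C:\Users\bob\Desktop\forticlient.exe",
     "OriginalFileName": "FortiClient.exe", "Hashes": "SHA256=" + "B" * 64},
    {"User": "CORP\\bob", "Image": r"C:\Users\bob\Desktop\tool.exe",
     "OriginalFileName": "FortiClient.exe", "Hashes": "MD5=" + "C" * 32 + ",SHA256=" + "B" * 64},
]
```

Calling `findings(SAMPLE_EVENTS)` returns the two launches from the Desktop, including the renamed copy, and leaves the installed binary alone.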
rejohnson
New Contributor

This works for me with EMS 1.2.1 and FCT 5.6.0. Create a profile without password lock, apply to a separate group, move computer to that group. Disconnect. Can now shut down FortiClient.

Carl_Wallmark

Yep, that you can do.

But what do you do when you have someone outside the office, traveling or something, that cannot reach your EMS server?

OK, you can of course run FortiClient tools and import a new profile etc. without a password, but it's way more complicated than it should be.

rejohnson

Evil people make everything more complicated! I understand that Fortinet has to keep the bad guys from stopping FortiClient but they've probably got this password thing backwards. If you have a p/w then you should be able to shut down FortiClient. No password, then you can't without EMS taking you out of management.

Do you have VPN or publicly publish the EMS server on the Internet? Definitely need one or both of those if you have remote clients. If EMS isn't available for other reasons then you're pretty much hosed, anyway. But I agree that some method of local authentication is still needed because sometimes you just have to be able to shut that sucker down!

FortiMess

That is crazy. I wasn't able to reproduce this hack to bypass the password lock, but I do find it interesting that the door is wide open for anyone to have at the java functions, especially without admin permissions.

 

And yes, you can create a copy of every policy you have in place, create an EMS "group" or an AD OU, and apply the copy of the policy to your container of choice and finally remove the password lock. However you still have to give L1 staff access to EMS, an infrastructure security solution. And given the lack of granularity of permissions you can assign EMS users, that is why I felt the word "insane" was warranted.

 

The ridiculous thing is that it used to work, so we know that it can work, they simply changed the behavior to appease a subset of their customers instead of making the behavior configurable so that their solution meets the needs of a wider customer base.
