The pop-up where we enter credentials does not come up. It does not appear to be online. There's a red bolt

A red bolt means the there is no communication between the agent and FNAC. It can be one of the following reasons:

• Certificate is not installed or not trusted (the most common case)
• Agent is down
• Client firewall or network firewall may block the communication

I have installed the domain certificate. Is there any other certificate I need to install ? Do I need to install the certificate in Fortinac ? In which directory do I need to install the certificate ? I can access Nac from the host where the agent is located.

The agent certificate should be applied to target "Persistent Agent" and should also include the trust chain. Same CA used to sign this PA certificate should be present in the end host.

For more information you can check also the agent logs in the end host as shown here.

Do we need to add this certificate to the login or do we need to add it to the keychain?

Actually I don't have experience with MacOS' PA. But if I follow the doc I see that you need to check the following output:

sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon.policy

Value of LoginDialogDisabled should be 0 (zero), otherwise set it to 0 and restart the agent service.

Just for info, on Windows clients that are part of the domain we don't need to enable this feature, since the user info is obtained automatically by PA and sent to FNAC. But on Mac I actually don't now if it is required, so I think you should check if there is a good reason for which you may need it.

what is the Persistent Agent version? User tracking by PA on MACOS supported with PA version 10.7.0.

https://docs.fortinet.com/document/fortinac-f/7.2.0/macos-agent-release-notes/773481/new-features