Forticlient Ios 7.0 Admin Guide

Administration Guide
FortiClient (iOS) 7.0

FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com
FORTINET VIDEO GUIDE

https://video.fortinet.com
FORTINET BLOG
https://blog.fortinet.com
CUSTOMER SERVICE & SUPPORT

https://support.fortinet.com
FORTINET TRAINING & CERTIFICATION PROGRAM

https://www.fortinet.com/training-certification
NSE INSTITUTE
https://training.fortinet.com
FORTIGUARD CENTER
https://www.fortiguard.com
END USER LICENSE AGREEMENT

https://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdoc@fortinet.com
January 28, 2022

FortiClient (iOS) 7.0 Administration Guide
04-700-726781-20220128
TABLE OF CONTENTS
Introduction 4
Features 4
SSL DNS server for split tunnel 4
Supported platforms 5
Initial configuration 6
Running FortiClient (iOS) 6
Creating a Mobileconfig profile 7
Web Filtering 8
Zero Trust Telemetry 10
User profile 12
SSL VPN 14
Enterprise mobility management 17
Configuring AirWatch integration 17
Configuring Jamf integration 25
Configuring Microsoft Intune integration 30
Logs 34
Standalone VPN client 36
Change log 37
FortiClient (iOS) 7.0 Administration Guide 3

Fortinet Inc.
Introduction
FortiClient is an all-in-one comprehensive endpoint security solution that extends the power of Fortinet’s Advanced
Threat Protection to end user devices. As the endpoint is the ultimate destination for malware that is seeking credentials,
network access, and sensitive information, ensuring that your endpoint security combines strong prevention with
detection and mitigation is critical.
You must license FortiClient (iOS) for use. See the FortiClient Licensing Guide for descriptions of the available license
bundles. You can license FortiClient (iOS) by applying the license to EMS, then connecting Zero Trust Telemetry from
FortiClient (iOS) to EMS. See Zero Trust Telemetry on page 10.
This guide describes how to install and set up FortiClient (iOS) for the first time.
Features
Feature Description
SSL VPN (tunnel mode) SSL VPN in tunnel mode supports the following:
l IPv4
Example: https://24.1.20.17
l IPv6
Example: https://[1002:470:71f1:63::2]
l Full tunnel and split tunnel (IP address and subnet-based), including
negative split tunnel
l SSL realm, custom DNS server, DNS suffix
l Username and password authentication
l PKI user with a personal certificate, FortiToken, and client certificate
l Always up
FortiClient (iOS) does not support SSL VPN resiliency.
Web Filter FortiClient (iOS) supports all browser traffic.
Zero Trust Telemetry Connect to FortiGate and EMS for central management.
mobileconfig Use the mobileconfig file to preconfigure a Zero Trust Telemetry preferred host.
Once FortiClient starts, it uses this preferred host to connect.
FortiAnalyzer support Send logs to FortiAnalyzer when configured from FortiClient EMS. See the
FortiClient EMS Administration Guide.
SSL DNS server for split tunnel
To use the SSL DNS server for split tunnel, you must configure the DNS suffix on the FortiGate side. Following is an
example of configuring SSL DNS server for split tunnel using FortiOS:
config vpn ssl settings

Fortinet Inc.
Introduction
set dns-suffix
"domain1.com;domain2.com;domain3.com;domain4.com;domain5.com;domain6.com;domain7.com;domain8
.com"
set dns-server1 10.10.10.10
end
config vpn ssl web portal
edit "full-access"
set split-tunneling enable
next
end
If you configure the split tunnel, only DNS requests that match DNS suffixes use the DNS
servers configured in the VPN. Due to iOS limitations, the DNS suffixes are not used for
search as in Windows. Using short (not fully qualified domain name (FQDN)) names may not
be possible.
Supported platforms
iOS versions 9, 10, 11, 12, 13, and 14 support FortiClient (iOS). FortiClient (iOS) also includes support for iPad OS.

Fortinet Inc.
Initial configuration
Running FortiClient (iOS)
After downloading the FortiClient installer and running the application for the first time, you must acknowledge some
popups before continuing to add a VPN configuration. Acknowledge the notifications shown.
To disable a VPN connection:
1. Select the VPN connection.

2. Swipe left to disable the VPN connection.
To edit or delete a VPN connection:
1. Select a VPN connection.

2. Tap Edit or Delete.
3. Tap Done twice.
To connect to a VPN tunnel using SAML authentication:
If your EMS administrator has enabled it, you can establish an SSL VPN tunnel connection using SAML authentication.
See SAML support for SSL VPN.

Fortinet Inc.
1. In FortiClient (iOS), go to the VPN tab.

2. Select the desired VPN tunnel.
3. Tap SAML Login.
4. FortiClient displays an identity provider authorization page. Enter your login credentials. Tap Login. Once
authenticated, FortiClient establishes the SSL VPN tunnel.
Creating a Mobileconfig profile
To enable web filtering, the iOS device must be supervised and you must install a Mobileconfig profile with a content filter
on the device. Installing a mobileconfig profile requires the following:
l Apple Configurator 2 (or equivalent mobile device management (MDM) application) installed.
l iOS devices are supervised.
You can find instructions on how to supervise your iOS devices on the Apple Configurator 2 Help (or your MDM
application) website.
To create a mobileconfig profile for FortiClient web filtering:
1. Launch Apple Configurator 2.

2. Go to File > New Profile.
3. Enter a Name for the profile.
4. Select Content Filter from the left panel.
5. Click Configure.
6. Select Plugin (Third Party App) from the Filter Type dropdown list.

Fortinet Inc.
7. Configure the following:
Filter Name FortiClient
Identifier com.fortinet.forticlient.fabricagent
Service Address fgd1.fortigate.com
Organization Fortinet, Inc.
User Name You can use this field to specify the EMS (IP address or FQDN), port, and
connection key (optional). For example, the following string allows FortiClient
(iOS) to connect to the EMS at ems.example.com at port 8013, with key
“ConnectionKey”:
ems.example.com:8013 ConnectionKey
Filter WebKit Traffic Select the Filter WebKit Traffic checkbox.
8. Click Save.
Due to restrictions that Apple set, you must launch FortiClient (iOS) once before the
configuration takes effect. You can use EMS Zero Trust tagging rules to ensure users launch
FortiClient (iOS) before browsing the Internet. See the FortiClient EMS Administration Guide.
Web Filtering
By default, FortiClient iOS disables Web Filtering.To enable Web Filtering, the iOS device
must be supervised and you must install a Mobileconfig profile with a content filter on the
device. See Creating a Mobileconfig profile.
To configure the Web Filtering settings:
1. Tap Settings.
2. Tap Web Security Settings.
3. Enter the passcode in the FortiClient Authentication popup.

4. Enable the Web Filter by swiping right.

Fortinet Inc.
5. Configure the Website Blocking by Categories to suit requirements.

Fortinet Inc.
When FortiClient (iOS) blocks a website, a restricted website error page appears.
Zero Trust Telemetry
To connect Telemetry to an on-premise EMS or FortiClient Cloud:
1. Go to Zero Trust Telemetry.

2. Do one of the following:
a. To automatically detect and connect to an on-premise EMS:
i. Enable Zero Trust Telemetry Connection by swiping right. When FortiClient detects a Telemetry server, a
confirmation popup appears.

Fortinet Inc.
ii. Tap Send Zero Trust Telemetry Data to connect to the server.
b. To connect to an on-premise EMS by entering the server IP address:
i. Tap Connect to.
ii. In the Select Connection dialog, tap EMS.
iii. Enter the EMS server IP address. FortiClient (iOS) connects to the specified EMS server.
c. To connect to an on-premise EMS or FortiClient Cloud using an invitation code:
i. Tap Connect to.
ii. In the Select Connection dialog, tap EMS or FortiClient Cloud.
iii. In the Invitation Code field, enter the invitation code.
iv. Tap Done.
When FortiClient (iOS) achieves connection to EMS or FortiClient Cloud, it becomes managed and
receives a license.
d. To connect to an on-premise EMS or FortiClient Cloud using a QR code:

i. Tap Connect to.
ii. In the Select Connection dialog, tap Scan QR Code.
iii. Scan the QR code with the device camera. You must allow FortiClient (iOS) permissions to access the
device camera. FortiClient (iOS) automatically connects to the EMS server based on the scanned
QR code.
To specify a Zero Trust Telemetry server:
1. Tap Specify Preferred Host.

2. Enter Host and Port.
3. If the EMS administrator has enabled multitenancy, in the Site field, enter the site name.
4. Tap Done.
You can use the mobileconfig file to preconfigure a Telemetry preferred host. Once FortiClient
starts, it uses this preferred host to register. See Creating a Mobileconfig profile on page 7.

Fortinet Inc.
User profile
You can direct FortiClient to retrieve information about you from one of the following cloud applications, if you have an
account:
l LinkedIn
l Google
l Facebook
You can also manually add or edit a name, phone number, and email address in FortiClient. FortiClient (iOS) sends this
user data to FortiClient EMS, where it displays on the Endpoints content pane.
To retrieve user details from a cloud application:
1. Tap Settings at the bottom of the screen.

2. Tap User Profile.
3. Tap the desired cloud application.
4. If you are not logged into the cloud application already on this device, you must log in. Grant FortiClient (iOS)
permission to use your information.

Fortinet Inc.
To add user details manually:
1. Tap Settings at the bottom of the screen.

2. Tap User Profile.
3. Tap User Input.
4. Tap to edit the photo, name, email, and phone number as desired.
5. Tap Save.

Fortinet Inc.
SSL VPN
There are three ways to add a VPN connection:

l Manually configure the VPN tunnel settings in the FortiClient (iOS) app. See To manually configure a VPN
connection: on page 14.
l Provision a VPN tunnel in EMS and assign the profile to the mobile device. See To provision a VPN tunnel in
EMS and assign the profile to the mobile device: on page 15.
l Scan a QR code to load VPN tunnel settings. See To scan a QR code to load VPN tunnel settings: on page 15.
To manually configure a VPN connection:
1. In the Add VPN Configurations popup, tap Allow.
2. Tap the VPN icon at the bottom of the screen to switch to the VPN page.
3. Tap Connections > Edit > Add Configuration, then configure the following. Enter your passcode to confirm adding
the VPN.
4. Tap Done twice.
The Name, Host, and Port fields are required. The User, Hide invalid certificate warning,
and User Certificate fields are optional.

Fortinet Inc.
To provision a VPN tunnel in EMS and assign the profile to the mobile device:
In the following instructions, the FortiClient end user takes some steps, while the FortiClient EMS administrator takes
others.
1. (FortiClient (iOS) end user) Connect FortiClient to EMS. See Zero Trust Telemetry on page 10.
2. (EMS administrator) Configure an endpoint profile in EMS to apply to the iOS device.
3. (EMS administrator) Configure the desired SSL VPN settings in the profile that they created in step 2. See SSL
VPN.
To scan a QR code to load VPN tunnel settings:
1. In the Add VPN Configurations popup, tap Allow.

2. Tap VPN at the bottom of the screen to switch to the VPN page.
3. Select Scan QR Code to add VPN.
4. Once FortiClient (iOS) has scanned the code, the VPN menu lists the new tunnel.
To install a certificate received via email:
1. Open the email, then download the received certificate. The certificate must have the .fctp12 extension for
FortiClient (iOS) to import it. If the certificate does not have the .fctp12 extension, rename it so that it does.
2. After downloading the certificate, select Copy to FortiClient. FortiClient (iOS) imports the certificate.
3. In FortiClient (iOS), go to the VPN tab.

4. Edit a VPN tunnel and enable Use Certificate.
5. Tap File Name.

Fortinet Inc.
6. Select the certificate imported earlier.

7. On the Add/Edit VPN page, enter a passphrase to initiate the VPN connection.

Fortinet Inc.
Enterprise mobility management
FortiClient (iOS) supports integration with enterprise mobility management software. Integration with enterprise mobility
management software allows FortiClient (iOS) endpoints to connect to EMS.
Configuring AirWatch integration
AirWatch integration allows FortiClient (iOS) endpoints to connect to EMS. This documentation is based on Workspace
ONE UEM 20.8.0.6.
To configure integration between AirWatch and FortiClient (iOS):
1. In AirWatch, go to Assignment Groups. Create a new assignment group.

Fortinet Inc.
2. Go to Accounts, and add a new user.
3. Add a new device for the user:

a. From the Device Ownership Type dropdown list, select Corporate - Dedicated.
b. From the Platform dropdown list, select Apple iOS.
c. For Message Type, select EMAIL.

Fortinet Inc.
d. Save. This sends an AirWatch device activation email to the user.

4. The user installs Intelligent Hub on the device and scans the QR code in the activation email to enroll the device.

Fortinet Inc.
5. In AirWatch, go to Apps & Books, and add FortiClient (iOS) from the public app store.
6. When adding an assignment, enter the desired name and select the desired assignment groups. Configure the
deployment as desired.

Fortinet Inc.
In Application Configuration, you can optionally add key-value pairs as shown. This enables FortiClient (iOS) to
read the MAC address and UDID from the iOS device. FortiClient sends this information to EMS.
The following shows the configuration for a FortiClient (iOS) device that will connect Telemetry to FortiClient Cloud:

Fortinet Inc.
Supported keys include the following:
Key Description
mac_address iOS device MAC address.
udid iOS device UDID.
ems_server EMS server IP address.
ems_port EMS port number.
group_tag This value is used as a group tag for configuration in EMS. See FortiClient
EMS Administration Guide.
cloud_invite_code This value is used for connecting FortiClient (iOS) to FortiClient Cloud. Enter
the invite code received from FortiClient Cloud.
ems_key Telemetry connection key. The EMS administrator may require FortiClient
(iOS) to provide this key during connection.

Fortinet Inc.
7. You can add more assignments and use different group_tag values.

Fortinet Inc.
8. Go to Devices, and add a profile:

a. Go to the Content Filter section. In the User name field, enter the EMS URL.
b. Go to Single App Mode, and configure as shown to enable single app mode. This makes FortiClient (iOS) run.
c. Assign the profile to the device.

9. When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud, depending
on the configuration. Once FortiClient connects to EMS, disable single app mode for the device. Keep the EMS URL
in the Content Filter section.

Fortinet Inc.
The following shows the on-premise EMS GUI after FortiClient (iOS) connects Telemetry.
Configuring Jamf integration
To configure integration between Jamf and FortiClient (iOS):
1. In Jamf, go to All Settings. Configure the settings in SMTP Server and Push Certificates.

Fortinet Inc.
2. Go to Global Management, and enable User-Initiated Enrollment.
3. Go to Mobile Device Apps and add FortiClient from the App Store or by uploading it.
4. Configure how the app is installed.
5. Add App Configuration for FortiClient (iOS). This enables FortiClient (iOS) to read the MAC address and UDID from
the iOS device. FortiClient sends this information to EMS. Supported keys include the following:
Key Description

Fortinet Inc.
Key Description
group_tag This value is used as a group tag for configuration in EMS. The example uses
the string "field_engineer" as a group tag, which is used when FortiClient (iOS)
initially connects to EMS. See Group assignment rules in the FortiClient
EMS Administration Guide.
cloud_invite_code This value is used for connecting FortiClient (iOS) to FortiClient Cloud. Enter
the invite code received from FortiClient Cloud.
6. Configure a configuration profile:

a. Go to Configuration Profiles and add a configuration profile.

Fortinet Inc.
b. Under Options, select Content Filter. Add a content filter to point to the desired EMS.
c. Enable Single App Mode for FortiClient. Single app mode launches the FortiClient app and connects it to EMS.
If FortiClient does not launch in single app mode, it does not connect to EMS.

Fortinet Inc.
7. Enroll the device:

a. Go to Devices > Enrollment Invitations, then send an enrollment invitation to the device.
b. Enroll the device.

Fortinet Inc.
8. When the device is enrolled, FortiClient (iOS) automatically connects to on-premise EMS or FortiClient Cloud,
depending on the configuration. Once FortiClient (iOS) is connected to EMS, disable single app mode for the
device. Keep the EMS URL in the Content Filter section.
The following shows the on-premise EMS GUI after FortiClient (iOS) connects Telemetry.
Configuring Microsoft Intune integration
Intune integration allows FortiClient (iOS) endpoints to connect to EMS. FortiClient (iOS) 6.2.2 and later versions support
integration with Intune.

Fortinet Inc.
To configure integration between Microsoft Intune and FortiClient (iOS):
1. In Microsoft Intune, go to Users > All users and select New user. Configure the user as desired. Click Create.
2. Select the user that you created, then go to license.

3. Under Select licenses, select Enterprise Mobility + Security E3. Under Enterprise Mobility + Security E3, enable
Microsoft Intune. Enrolling devices requires the license. Click Save.
4. Go to Groups. Select New Group, then configure the group as desired. Click Create.
5. Go to the group that you created, then go to Members. Click Add members to add desired members to the group,
including the user that you created in step 1.

Fortinet Inc.
6. Enroll the device to the user:

a. Download the Intune Company Portal app from the App Store.
b. Enter the user credentials that you configured in step 1 to download and install the profile.
7. In Intune, go to Apps > All apps. Click Add, then search for and select FortiClient (iOS) from the public App Store.
On the Assignments tab, click Add group, then select the group that you created in step 4.
8. Create an app configuration policy:

a. Go to Apps > App configuration policies, then click Create app configuration policy.
b. On the Basics tab, from the Platform dropdown list, select iOS/iPadOS. Click Next.
c. On the Settings tab, configure the following:
i. From the Configuration settings format dropdown list, select Use configuration designer.
ii. Under Configuration key, enter keys to allow FortiClient (iOS) to register to and send information to EMS.
Intune supports the following keys:
Key Description

Fortinet Inc.
Key Description
group_tag This value is used as a group tag for configuration in EMS. See
FortiClient EMS Administration Guide.
cloud_invite_code FortiClient (iOS) uses this value to connect to FortiClient Cloud. Enter
the invite code that you received from FortiClient Cloud.
user_name FortiClient (iOS) username.
ems_server EMS IP address or hostname.
ems_port Port number for FortiClient (iOS) to connect Telemetry to EMS. By

default, this is 8013.
ems_key Telemetry connection key. The EMS administrator may require

FortiClient (iOS) to provide this key during connection.
9. When FortiClient (iOS) starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud,
depending on the configuration.

Fortinet Inc.
Logs
You can email FortiClient (iOS) logs to Fortinet.
To email logs to Fortinet:
1. Tap About.
2. Tap Diagnostic.
3. Swipe right to enable Logging.

Fortinet Inc.
Logs
4. Tap Email Logs.

Fortinet Inc.
Standalone VPN client
You can download a VPN-only FortiClient (iOS) app. This app is free, supports basic SSL VPN, and does not require
registration with EMS. This version does not include central management, technical support, or some advanced features
such as always up, autoconnect, and so on.
Full-featured FortiClient (iOS) requires registration to EMS. Each endpoint registered with EMS requires a license seat
on EMS.
When you launch the free VPN-only FortiClient (iOS) for the first time, it requests permissions to use the camera and
access storage. Grant permissions as required. Only the VPN feature is available. Configuring settings for a new VPN
connection on the free VPN-only FortiClient (iOS) resembles doing the same on the full-featured FortiClient (iOS). See
SSL VPN on page 14 for details.

Fortinet Inc.
Change log
Date Change Description
2021-06-18 Initial release.
2022-01-28 Added SSL VPN on page 14.

Fortinet Inc.
www.fortinet.com
Copyright© 2022 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein
may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were
attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance
results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract,
signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only
the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal
conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change,
modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Forticlient Ios 7.0 Admin Guide

Uploaded by

Copyright:

Available Formats

Forticlient Ios 7.0 Admin Guide

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Forticlient Ios 7.0 Admin Guide

Uploaded by

Copyright:

Available Formats

Administration Guide

FortiClient (iOS) 7.0

FORTINET VIDEO GUIDE

CUSTOMER SERVICE & SUPPORT

FORTINET TRAINING & CERTIFICATION PROGRAM

END USER LICENSE AGREEMENT

January 28, 2022

FortiClient (iOS) 7.0 Administration Guide 3

l Username and password authentication

l PKI user with a personal certificate, FortiToken, and client certificate

FortiClient (iOS) does not support SSL VPN resiliency.

Web Filter FortiClient (iOS) supports all browser traffic.

SSL DNS server for split tunnel

FortiClient (iOS) 7.0 Administration Guide 4

FortiClient (iOS) 7.0 Administration Guide 5

Running FortiClient (iOS)

To disable a VPN connection:

1. Select the VPN connection.

To edit or delete a VPN connection:

1. Select a VPN connection.

To connect to a VPN tunnel using SAML authentication:

FortiClient (iOS) 7.0 Administration Guide 6

1. In FortiClient (iOS), go to the VPN tab.

Creating a Mobileconfig profile

To create a mobileconfig profile for FortiClient web filtering:

1. Launch Apple Configurator 2.

FortiClient (iOS) 7.0 Administration Guide 7

7. Configure the following:

Filter Name FortiClient

Service Address fgd1.fortigate.com

Organization Fortinet, Inc.

Filter WebKit Traffic Select the Filter WebKit Traffic checkbox.

To configure the Web Filtering settings:

3. Enter the passcode in the FortiClient Authentication popup.

FortiClient (iOS) 7.0 Administration Guide 8

5. Configure the Website Blocking by Categories to suit requirements.

FortiClient (iOS) 7.0 Administration Guide 9

Zero Trust Telemetry

To connect Telemetry to an on-premise EMS or FortiClient Cloud:

1. Go to Zero Trust Telemetry.

FortiClient (iOS) 7.0 Administration Guide 10

d. To connect to an on-premise EMS or FortiClient Cloud using a QR code:

To specify a Zero Trust Telemetry server:

1. Tap Specify Preferred Host.

FortiClient (iOS) 7.0 Administration Guide 11

To retrieve user details from a cloud application:

1. Tap Settings at the bottom of the screen.

3. Tap the desired cloud application.

FortiClient (iOS) 7.0 Administration Guide 12

To add user details manually:

1. Tap Settings at the bottom of the screen.

3. Tap User Input.

FortiClient (iOS) 7.0 Administration Guide 13

There are three ways to add a VPN connection:

To manually configure a VPN connection:

1. In the Add VPN Configurations popup, tap Allow.

4. Tap Done twice.

FortiClient (iOS) 7.0 Administration Guide 14

To provision a VPN tunnel in EMS and assign the profile to the mobile device: