Application Resilience policies for FortiClient Fabric Agent

You can activate an Application Resilience policy for FortiClient® Fabric Agent to collect information about the functional status of FortiClient Fabric Agent installed on your Windows devices and view the results in reports. You can also configure the policy to attempt to repair or reinstall the application.

Application Resilience policies for FortiClient Fabric Agent are supported on devices running:

  • a supported version of the Windows operating system

  • PowerShell version 5.1 or higher

    Due to PowerShell restrictions imposed by Microsoft, the Report and repair, and the Report, repair, and reinstall options aren't supported for this application on devices running Windows 11 SE.

  • one of the following versions of FortiClient Fabric Agent:

    • 6.x or higher

      Significant software changes in higher versions may cause health checks to become invalid.

In addition to checking the version, the following table describes the health checks performed:

If you select Report higher versions as Compliant, higher versions report Compliant without running health checks.

Component Test performed
Services Installed Running Signed by
  • Forticlient Endpoint Protected Process Service (FctSecSvr.exe)1
  • FortiClient Service Scheduler (scheduler.exe)
 P P n/a
Files Exists Signed by
FortiClient (FortiClient.exe) P

One of the signers entered in the policy configuration

By default, Signers contains "Fortinet Inc.", "Fortinet, Inc.", "Fortinet Technologies (Canada) Inc.", and "Fortinet Technologies (Canada) ULC".
Application name

The application uses the following name:

  • FortiClient

1 Only checked if selected in the policy configuration

You can configure an Application Resilience policy for FortiClient Fabric Agent to enable the Application Resilience (RAR) component A lightweight software component of the Secure Endpoint Agent that detects the status of third party applications installed on a device. The component may also attempt to repair the third party application if it is non-compliant. The RAR component is deployed on a device only when the device is associated with a customized policy group and that policy group's Application Resilience policy is activated. to attempt to repair FortiClient Fabric Agent if it's not functioning, or reinstall it if it's missing or can't be repaired.

Depending on the Absolute product licenses associated with your account, the Report and repair and Report, repair, and reinstall options may not be available.

The RAR component of the Secure Endpoint Agent can respond to the following issues:

Issue Resolution
Repair

One or more of the following services aren't running:

  • Forticlient Endpoint Protected Process Service (FctSecSvr.exe)1
  • FortiClient Service Scheduler (scheduler.exe)

The RAR component restarts each stopped service.

One or more of the following services aren't installed and the service's executable can be detected on the device:

  • Forticlient Endpoint Protected Process Service (FctSecSvr.exe)1
  • FortiClient Service Scheduler (scheduler.exe)

The RAR component reinstalls each missing service.
Reinstall

Downgrades are not supported. If the version installed on a device is higher than the expected version, no action is taken.

One or more of the following services aren't installed and the service's executable cannot be detected on the device:

  • Forticlient Endpoint Protected Process Service (FctSecSvr.exe)1
  • FortiClient Service Scheduler (scheduler.exe)

The RAR component downloads and installs the configured version of the application.

A device restart is required after the application is installed. The Secure Endpoint Agent doesn't force the device to restart, so a status of Not Compliant continues to show in the Application Resilience reports until the device user performs a restart. You can review the report's Status details to determine if a restart is required.
FortiClient Fabric Agent failed to be repaired, or the expected version isn't installed

1 Only checked if selected in the policy configuration

You can add a 32-bit installer, a 64-bit installer, or both. The installers:

  • must be MSI files

  • can have any file name

The RAR component looks for the following files names when checking pre-cached installers:

Component File name
Installers
  • FortiClient_Setup.msi
  • forticlient.mst1

1 (Optional) Include if required for your installation

Before you activate an Application Resilience policy you need to configure the policy. You need to configure the application version and indicate if the additional endpoint scan is required for your configuration in addition to the settings in Configuring Application Resilience policies.

To configure the application version and additional endpoint scans:

  1. Under FortiClient Fabric Agent version, enter the version of FortiClient Fabric Agent you expect to be running on your devices.

    • The target version must be a sequence of digits separated by a period.
    • You can use wildcard "*" characters after the major version, for example, 6.* or 6.0.* or 7.0.1.*.

    Make sure the version you are entering is consistent with version 6.x or higher.

  2. Under Additional endpoints that need to be checked, select Forticlient Endpoint Protected Process Service if it is required for your configuration.

If you selected the Report, repair, and reinstall option, you also need to configure these settings in addition to the settings in Configuring Application Resilience policies.

To configure the FortiClient Fabric Agent additional settings:

  1. [Optional] To only reinstall the application if it's missing, select the checkbox next to Do not reinstall or upgrade if the app is already installed. When this option is selected, the application is not reinstalled when either of the following conditions apply:

    • The application version is lower than the expected version.
    • The application can't be repaired.

  2. [Optional] If your installation requires an MST file, you need to upload the MST file, or provide its location.

    Do one of the following:

    For Report, repair, and reinstall with Upload installer selected.

    1. Under MST file (*.mst), select Upload.

    2. Do one of the following:

      • Click browse. Navigate to and select the MST file.
      • Navigate to and select the MST file and drag it to the work area.
    3. Wait for the file to upload.
    4. [Optional] Click Add description (optional) and enter a description, if desired.

    5. When you have finished uploading the file, click Save.

    For Report, repair and reinstall with Host my own installer file selected.

    1. Under URI for MST file, enter the location of the MST file. Use the following format:

      Copy 
      https://example.com/path/example.mst
    2. Click Go to URI to test that you entered the location correctly.

    3. Assign a SHA-256 hash to each application MST file by doing the following:

      1. Use a hash generator tool of your choice to generate a SHA-256 hash for the MST file. For example, you can use the CertUtil.exe command-line utility, which is included with most Windows operating systems.
      2. Enter the hash in the Hash for MST file field. Ensure that you haven't inadvertently inserted any whitespace characters in the field along with the hash.
  3. [Optional] Under Additional installation commands, enter the applicable installation command-line parameters to configure any settings not covered by the policy configuration. If you provided the MST file, TRANSFORMS=<file-name>.mst is automatically included in the preconfigured installation parameters, and does not need to be added in Additional installation commands.

For more information about the MST file and available command-line parameters, see FortiClient's documentation.