Get ride of Fortinet startup agent on macOS (and of other agents)

How to prevent agents from starting themselves on boot, pollute your icon bar and your system

Introduction

Your macOS system is often plenty of agents that starts on boot:

  • Flash Player Install Manager
  • Java Updater
  • Microsoft AU Daemon
  • Etc. 
On my system, I have a total of 29 agents and most of them displays an icon in the Menu Bar.

Technically, they are called Launch Deamons and Lauch Agents. Launch Agents are user-specific while Launch Deamons are system-specific. In the remaining of this documents, I call both "agents".

In these times of suspicion (do I own my system or it is owned by the applications I have installed on it?) and of privacy concerns, it is good to know which agents are started and how to disable them.

In particular, I had to install Fortinet client (FortiClient) in order to access to some servers remotely. FortiClient is not bad at all (in fact, I found their Vulnerability scanner very useful), but it is an heavy client, doing too much things (and exactly what, I do not know). For some time, I was looking for a solution to remove the automatic startup of FortiClient but was not able to find anything useful (i.e by using Google). 

So I decided to investigate more how these agents are working and this is my solution. It is for FortiClient, but it works also with other agents.

Determine which agents are started

There are several ways to do that. You can do this manually by looking into these folders:

  • /Library/LaunchDaemons/
  • /Library/LaunchAgents/
  • ~/Library/LaunchAgent/

They contain plist files that describe which processes to launch and how. It is of course possible to follow this way, but it is a little cumbersome.

Another, more automated way, is to use KnockKnock. It is small utility similar to AutoRuns on Windows. It gives a list of what is launched when your system is started and has even VirtualTotal integration. Just install it, click on Scan and then look at the results under Launch Items. In the case of FortiClient, there are two entries:

  • CredentialStore
  • FCTLauncher

To determine that they are related to Fortinet, look at the name of the plist files:

  • /Library/LaunchAgents/com.fortinet.forticlient.fct_launcher.plist
  • /Library/LaunchAgents/com.fortinet.forticlient.credential_store.plist

Disable agents auto start

To disable that starting of these agents, just delete or rename the plist files:

sudo mv /Library/LaunchAgents/com.fortinet.forticlient.fct_launcher.plist /Library/LaunchAgents/com.fortinet.forticlient.fct_launcher.plist0

sudo mv /Library/LaunchAgents/com.fortinet.forticlient.credential_store.plist /Library/LaunchAgents/com.fortinet.forticlient.credential_store.plist0

Reboot your system and verify that everything is working as expected. You can still use the FortiClient by starting it the usual way (like any application). It will automatically starts the necessary agents.

Other agents

The same principles can be applied to other applications and agents. In KnockKnock, you have also plenty other informations like Browser Extensions, Cron Jobs, etc.

However, BE CAREFU when disabling agents. You may disable a required component with unpredictable consequences. In general, I am only disabling auto update agents and agents of applications I are no more using (such as software related to old printers)


Use at your own risk