Fortinet white logo
Fortinet white logo

EMS Administration Guide

Group assignment rule types

Group assignment rule types

You can use group assignment rules to automatically place endpoints into custom groups based on their installer ID, IP address, OS, or AD group.

Installer ID group assignment rules

Creating a FortiClient 6.0+ deployment package includes an option to specify an installer ID. For example, consider you want all endpoints located in your company's headquarters to be placed in the same endpoint group. You can configure a FortiClient 6.0.1 deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an installer ID group assignment rule that requires endpoints with the installer ID "HQ" to be placed into the HQ group. The installer ID and group name do not need to match. See Adding group assignment rules.
  2. Create a FortiClient 6.0+ deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See Adding FortiClient deployment packages or Adding a custom FortiClient installer.
  3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
  4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ group.

IP address group assignment rules

You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address range into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP address range to be placed into the desired group. See Adding group assignment rules.
  2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are placed in the specified group.

OS group assignment rules

You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be placed into the desired group. See Adding group assignment rules.
  2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the specified group.

AD group assignment rules

You can create a group assignment rule to automatically place all endpoints in an AD group into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints in a certain AD group to be placed into the desired group. See Adding group assignment rules.
  2. With the next FortiClient Telemetry communication, endpoints in the specified AD group are placed in the specified group.

Group assignment rule types

Group assignment rule types

You can use group assignment rules to automatically place endpoints into custom groups based on their installer ID, IP address, OS, or AD group.

Installer ID group assignment rules

Creating a FortiClient 6.0+ deployment package includes an option to specify an installer ID. For example, consider you want all endpoints located in your company's headquarters to be placed in the same endpoint group. You can configure a FortiClient 6.0.1 deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an installer ID group assignment rule that requires endpoints with the installer ID "HQ" to be placed into the HQ group. The installer ID and group name do not need to match. See Adding group assignment rules.
  2. Create a FortiClient 6.0+ deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See Adding FortiClient deployment packages or Adding a custom FortiClient installer.
  3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
  4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ group.

IP address group assignment rules

You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address range into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP address range to be placed into the desired group. See Adding group assignment rules.
  2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are placed in the specified group.

OS group assignment rules

You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be placed into the desired group. See Adding group assignment rules.
  2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the specified group.

AD group assignment rules

You can create a group assignment rule to automatically place all endpoints in an AD group into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints in a certain AD group to be placed into the desired group. See Adding group assignment rules.
  2. With the next FortiClient Telemetry communication, endpoints in the specified AD group are placed in the specified group.