Managing endpoints with FortiClient Cloud
With FortiClient Cloud, you can manage up to 500 endpoints with a simplified cloud infrastructure created and managed by Fortinet. Using FortiClient Cloud provides you with the opportunity to focus on your endpoint management needs rather than infrastructure configuration and maintenance.
You can execute EMS functions from the cloud-based EMS. You must complete the following steps to create a cloud-based EMS instance under your FortiCloud user account:
- Register a FortiCloud premium subscription to your FortiCloud account.
- Register a FortiClient license contract for management by FortiClient Cloud to your FortiCloud account.
This section provides the following information about FortiClient Cloud:
- Requirements
- Differences between FortiClient Cloud and on-premise EMS
- Deploying FortiClient Cloud
- Adding a new invitation for a deployment package
- Adding a secondary admin account
- Adding a FortiClient deployment package
- Installing FortiClient on an endpoint and registering to FortiClient Cloud
Requirements
The following items are required before you can initialize your FortiClient Cloud instance:
Requirement | Description |
---|---|
FortiCloud account with premium subscription | Create a FortiCloud account if you do not have one and register a FortiCloud premium subscription to this account. Launching FortiClient Cloud requires a primary FortiCloud account with a premium subscription. A primary FortiCloud account with a premium subscription can invite other users to launch FortiClient Cloud. Each FortiCloud account that will access FortiClient Cloud must be registered with its own FortiCloud premium subscription. You must register the FortiCloud premium subscription before registering any endpoint licensing; otherwise, you cannot deploy FortiClient Cloud. |
Licensing | A license for each endpoint that will be managed using FortiClient Cloud. Purchase one of the following FortiClient license types from Fortinet: When registering the license contract, you must specify that the endpoints will be managed using FortiClient Cloud, as described in Deploying FortiClient Cloud. Registering a Fabric Agent license for FortiClient Cloud management does not support all features supported for on-premise EMS. See Differences between FortiClient Cloud and on-premise EMS for the list of supported features. |
Internet access | You must have Internet access to create a FortiClient Cloud instance. |
Browser | Device with a browser to access FortiClient Cloud. |

FortiClient Cloud only supports FortiClient 6.2.1 and later versions.
Differences between FortiClient Cloud and on-premise EMS
FortiClient Cloud does not currently support the following features. To use these features, use an on-premise EMS instead of FortiClient Cloud:
- Active Directory (AD) integration
- Chromebook management
In addition to the removal of GUI elements that relate to AD integration and Chromebook management, the following table lists the screens and features that have been modified from what is available in on-premise EMS:
GUI pane | Modification |
---|---|
Dashboard | System Information widget shows FortiCare account organization name and EMS node ID. |
Manage Installers > Deployment Packages | |
Compliance Verification | Fabric Device Monitor is not available. |
Administration | |
System Settings | |
Deploying FortiClient Cloud
This section explains how to deploy FortiClient Cloud. This section assumes that you have already purchased the desired subscription licenses for your deployment from a Fortinet partner or reseller and received your license activation codes.
You can create only one EMS instance in the Cloud per FortiCloud account with premium subscription.
To deploy FortiClient Cloud:
You must register the FortiCloud premium subscription as described in step 1 before you can register FortiClient endpoint licenses as described in step 2. If you attempt to register the endpoint license before the FortiCloud premium subscription, you will not be able to deploy FortiClient Cloud from this FortiCloud account.
- Register the FortiCloud premium subscription contract (FC-15-CLDPS-219-02-DD) to your FortiCloud account:
  - On the Customer Service & Support site, go to Asset > Register/Activate.
  - In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product.
  - Enter your details in the other fields and complete the registration. This is a yearly subscription.
- Register the FortiClient endpoint licenses for management by FortiClient Cloud:
  - On the Customer Service & Support site, go to Asset > Register/Activate.
  - In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product.
  - On the Specify Fortinet Registration Information screen, select the Used for Cloud Purpose checkbox.
  - Enter your details in the other fields and complete the registration.
  You may need to wait a few minutes for the cloud instance to initialize before you can proceed to step 2 or 3.
- Access FortiClient Cloud in one of the following ways:
  - Access FortiClient Cloud from FortiCare.
  - Access FortiClient Cloud from the FortiClient Cloud portal:
    - In a browser, go to the FortiClient Cloud portal.
    - Log in with your FortiCloud credentials.
  - Access FortiClient Cloud from the link included in the welcome email.
Adding a new invitation for a deployment package
Users can connect to FortiClient Cloud without an IP address or FQDN by using an invitation. FortiClient Cloud offers two invitation types: individual, which can be used once, and bulk, which can be used multiple times. The Use Count column on the Invitations page displays how many times an invitation has been used to register an endpoint. The Expiry Date column displays the date until which the invitation can be used to connect to FortiClient Cloud.
To add a new invitation for a deployment package:
- Go to Invitations.
- Select an existing invitation code for the desired deployment package.
- Click Add.
- To send the code to a single recipient, select Individual. Otherwise, select Bulk.
- If desired, select Send email notifications.
- In the Email recipients field, enter the email addresses of the desired end users.
- If desired, enable Send SMS notifications.
- In the Expiry date field, set the expiry date. Click Save. You will see a new invitation code for the deployment package.
Adding a secondary admin account
The FortiClient Cloud primary administrator (the user who created the FortiClient Cloud instance) can add secondary administrators from their FortiCare account. You cannot create a user directly in the FortiClient Cloud GUI. FortiClient Cloud pulls users from the primary administrator's FortiCare account.
To create a secondary admin account:
- Log in to Fortinet Service & Support with your FortiCloud account.
- Click the account icon in the top-right corner.
- Select Manage User.
- Click the Add User icon.
- Enter the user information as required. If the new user does not have a FortiCare account, they must create one. Click Save. A user added on this page becomes visible on the FortiClient Cloud GUI in Administrators and can log in to FortiClient Cloud with their FortiCloud account. These users have limited permissions.
Adding a FortiClient deployment package
To add a deployment package:
- Go to Manage Installers > Deployment Packages.
- Click Add.
- On the Version tab, set the following options:
Installer Type
Use an official FortiClient installer or a custom FortiClient installer. See the FortiClient EMS Administration Guide for details on uploading a custom installer.
Release
Select the FortiClient release version to install.
Patch
Select the specific FortiClient patch version to install.
Keep updated to the latest patch
Select to enable FortiClient to automatically update to the latest patch release when FortiClient is installed on an endpoint.
Custom installer
Select the desired custom FortiClient installer.
- Click Next. On the General tab, set the following options:
Name
Enter the FortiClient deployment package's name.
Expiry Date
Enter this deployment package's expiry date. After this date, users cannot use this deployment package to install FortiClient.
Notes
(Optional) Enter any notes about the FortiClient deployment package.
- Click Next. On the Features tab, set the following options:
Security Fabric Agent
Enabled by default and cannot be disabled. Installs FortiClient with Telemetry and Vulnerability Scan enabled.
Secure Access Architecture Components
Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.
Advanced Persistent Threat (APT) Components
Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.
Additional Security Features
Enable any of the following features:
- AntiVirus
- Web Filtering
- Application Firewall
- Single Sign-On (SSO) mobility agent
Disable to exclude features from the FortiClient deployment package.
- Click Next. On the Advanced tab, set the following options:
Enable automatic registration
Configure FortiClient to automatically connect Telemetry to FortiClient Cloud after FortiClient installs on the endpoint. Disable to turn off this feature and require endpoint users to manually connect Telemetry to FortiClient Cloud.
Enable desktop shortcut
Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.
Enable start menu shortcut
Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.
Enable Installer ID
Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient automatically groups endpoints according to installer ID group assignment rules.
Enable Endpoint Profile
Select an endpoint profile to include in the installer. EMS applies the profile to the endpoint once it has installed FortiClient. This option is necessary when certain security features must be enabled before the endpoint contacts EMS, or when users require a VPN connection to connect to EMS.
- Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient Cloud server, which will manage FortiClient once it is installed on the endpoint. Also configure the following option:
Enable telemetry connection to Security Fabric (FortiGate)
Enable this option, and select the name of the gateway list to use. The gateway list defines the IP address for the FortiGate.
If you have not created a gateway list, this option is not available. See the FortiClient EMS Administration Guide for details on configuring a gateway list.
- Click Finish. The FortiClient deployment package is added to FortiClient Cloud and displays on the Manage Installers > Deployment Packages pane. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration.
Installing FortiClient on an endpoint and registering to FortiClient Cloud
To install FortiClient on an endpoint:
When installing FortiClient on an endpoint from a deployment package created in FortiClient Cloud, the administrator carries out some actions, while the endpoint user carries out others.
- (Administrator) In EMS, go to Manage Installers > Deployment Packages. Note the invitation code for the desired deployment package.
- (Administrator) Go to Invitations.
- (Administrator) Select the invitation code that was noted in step 2. Click Edit.
- (Administrator) To send the code to a single recipient, select Individual. Otherwise, select Bulk.
- (Administrator) In the Email recipients field, enter the email addresses of the desired end users.
- (Administrator) If desired, enable Send SMS notifications.
- (Administrator) If desired, in the Expiry date field, set the expiry date. Click Save.
- (End user) Click the FortiClient download link in the invitation email or text message that you received. Extract and run the installer file.
- (End user) Your FortiClient should automatically register to FortiClient Cloud after installation. If your FortiClient did not automatically register to FortiClient Cloud, use the instructions below to register to FortiClient Cloud.
To register to FortiClient Cloud:
You can use the following instructions to register to FortiClient Cloud in one of the following scenarios:
- If you want to register a FortiClient Linux, iOS, or Android endpoint to FortiClient Cloud. Since you cannot create a deployment package for these operating systems in EMS, this is the only way to register these endpoints to FortiClient Cloud.
- If you did not follow the instructions above to install FortiClient on your endpoint, such as if you downloaded a publicly available FortiClient deployment package.
- If you followed the installation instructions above, but your FortiClient did not automatically register to FortiClient Cloud after installation.
- Enter the invitation code in the Join FortiClient Cloud field on the Fabric Telemetry tab in FortiClient. Your EMS administrator should have provided the code to you.
- Click Connect. FortiClient is now managed by FortiClient Cloud.