
EMS Administration Guide

Group assignment rule types


You can use group assignment rules to automatically place endpoints into custom groups based on their installer ID, IP address, OS, or AD group.

Installer ID group assignment rules

Creating a FortiClient 6.0+ deployment package includes an option to specify an installer ID. For example, suppose you want all endpoints located in your company's headquarters to be placed in the same endpoint group. You can configure a FortiClient 6.0.1 deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When FortiClient on those endpoints connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an installer ID group assignment rule that requires endpoints with the installer ID "HQ" to be placed into the HQ group. The installer ID and group name do not need to match. See Adding a group assignment rule.
  2. Create a FortiClient 6.0+ deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See Adding a FortiClient deployment package or Adding a custom FortiClient installer.
  3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
  4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ group.

If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

IP address group assignment rules

You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address range into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP address range to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are placed in the specified group.

OS group assignment rules

You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the specified group.

AD group assignment rules

You can create a group assignment rule to automatically place all endpoints in an AD group into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an AD group assignment rule that requires endpoints in a certain AD group to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints in the specified AD group are placed in the specified group.

    If at a later time the endpoint is moved to a different AD group on the AD domain server, EMS does not automatically move the endpoint from its current group. To move the endpoint to another endpoint group in EMS, you must configure an AD group assignment rule for the AD group that the endpoint has been moved to. After you run the new rule, EMS moves the endpoint into the new endpoint group on EMS.
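
The following Python example is added here and is not Fortinet code or an EMS API: it checks a constructed endpoint inventory against rules of the four types described above and reports endpoints whose current EMS group differs from the group a rule would select (for instance after an AD group move), or that match rules pointing to different groups. The rule and inventory field names are assumptions, and because this page does not state how EMS resolves overlapping rules, the script only flags such endpoints for review.

```python
import ipaddress

# Constructed rules mirroring the four rule types on this page (not EMS's own schema).
RULES = [
    {"type": "installer_id", "match": "HQ", "group": "HQ"},
    {"type": "ip", "match": "10.20.0.0/16", "group": "Branch"},
    {"type": "ip", "match": "192.168.5.10-192.168.5.50", "group": "Lab"},
    {"type": "os", "match": "Windows 10", "group": "Win10"},
    {"type": "ad_group", "match": "Finance", "group": "Finance-EP"},
]

# Constructed inventory rows; field names are assumptions for this example.
ENDPOINTS = [
    {"host": "pc-01", "installer_id": "HQ", "ip": "10.1.1.5",
     "os": "Windows 11", "ad_group": "IT", "ems_group": "HQ"},
    {"host": "pc-02", "installer_id": "", "ip": "192.168.5.20",
     "os": "Ubuntu 22.04", "ad_group": "Eng", "ems_group": "Lab"},
    # AD group is now Finance, but the EMS group is still the old one.
    {"host": "pc-03", "installer_id": "", "ip": "172.16.0.9",
     "os": "macOS 14", "ad_group": "Finance", "ems_group": "Sales-EP"},
    # Matches installer ID, subnet and OS rules that name different groups.
    {"host": "pc-04", "installer_id": "HQ", "ip": "10.20.3.4",
     "os": "Windows 10", "ad_group": "IT", "ems_group": "HQ"},
]

def ip_matches(ip, spec):
    """True if ip falls inside a CIDR subnet or an inclusive 'low-high' range."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr in ipaddress.ip_network(spec, strict=False)

def expected_groups(ep, rules=RULES):
    """Set of groups that any rule would select for this endpoint."""
    groups = set()
    for rule in rules:
        if rule["type"] == "ip":
            hit = ip_matches(ep["ip"], rule["match"])
        else:
            hit = ep.get(rule["type"]) == rule["match"]
        if hit:
            groups.add(rule["group"])
    return groups

def audit(endpoints=ENDPOINTS, rules=RULES):
    """Return (host, finding, candidate_groups) for endpoints needing review."""
    findings = []
    for ep in endpoints:
        want = expected_groups(ep, rules)
        if len(want) > 1:
            findings.append((ep["host"], "ambiguous", sorted(want)))
        elif want and ep["ems_group"] not in want:
            findings.append((ep["host"], "drift", sorted(want)))
    return findings
```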
