You can use FortiClient with EMS and FortiGate or with EMS only. You apply FortiClient licensing to EMS.
When you connect FortiClient only to EMS, EMS manages FortiClient. However, FortiClient cannot participate in the Fortinet Security Fabric.
When using FortiClient with EMS and FortiGate, FortiClient integrates with the Security Fabric to provide endpoint awareness, compliance, and enforcement by sharing endpoint telemetry regardless of device location, such as corporate headquarters or a café. At its core, FortiClient automates prevention of known and unknown threats through its built-in host-based security stack and integration with FortiSandbox. FortiClient also provides secure remote access to corporate assets via VPN with native two-factor authentication coupled with single sign on (SSO).
FortiClient works cooperatively with the Security Fabric. This is done by extending it down to the endpoints to secure them via security profiles, by sharing endpoint telemetry to increase awareness of where systems, users, and data reside within an organization, and by enabling the implementation of proper segmentation to protect these endpoints.
At regular intervals, FortiClient sends Zero Trust telemetry data to EMS. This visibility coupled with built-in controls from EMS allows the security administrator to construct a policy to deny access to endpoints with known vulnerabilities or to quarantine compromised endpoints with a single click.