Fortinet black logo

EMS Administration Guide

Global and per-site configuration

Global and per-site configuration

When you enable multitenancy, you can configure some settings only from the global level and other settings only from the site level. You cannot view site-level settings from the global site. For setting descriptions, see the relevant section in this document.

Global configuration

The following lists settings you must configure from the global site:

  • System Settings > EMS Settings:
    • Shared Settings:
      • Hostname
      • Listen on IP
      • Use FQDN
      • Remote HTTPS access
      • SSL certificate
      • Use SSL certificate for Endpoint Control
      • Show FortiGate Server List
    • EMS Settings:
      • Listen on port
      • Enable TLS 1.0/1.1
      • FortiClient download URL
      • Enable login banner. This login banner only shows when you sign in to the global site.
    • EMS for Chromebooks Settings:
      • Listen on port
      • SSL certificate
      • Service account
    • EMS FSSO Settings
  • Administrators with multisite access. See Adding a multitenancy administrator.
  • Database backup and restoration
  • (On-premise EMS-only) License management: You must license EMS from the global site. You can then assign the licenses to other sites. For example, consider that you have three other sites: Sites A, B, and C. If you then activate 500 Fabric Agent licenses on the global site, you could assign 200 Fabric Agent licenses to Site A, 150 to Site B, and 150 Site C. See Editing a site.
  • EMS Alerts
  • SMTP Server

On the global site Dashboard, you can only view the System and License Information widgets. The other widgets, which display endpoint information, are available at the site level.

Site level configuration

The following lists settings you must configure separately for each site:

  • System Settings > EMS Settings:
    • Shared Settings > Reset Stalled Deployment Interval
    • EMS Settings:
      • Sign software packages
      • Enable Managed by EMS
      • Enable login banner. This login banner only shows when you sign in to the current specified site.
    • EMS for Chromebooks Settings:
      • User inactivity timeout
      • Profile update interval
    • Endpoints Settings
  • System Settings > FortiGuard Services
  • System Settings > Custom Messages
  • System Settings > Feature Select
  • Dashboard widgets and charts. The License Information widget for each site displays the information for the licenses that are assigned to that site. When using an on-premise EMS, you cannot update any licensing information from the site-level Dashboard.
  • (FortiClient Cloud-only) License management: You must license EMS at the site level. You cannot later assign these licenses to other sites.
  • Site-level administrator permissions
  • Endpoint management
  • Endpoint policies
  • Endpoint profiles
  • Deployment packages. When an endpoint installs FortiClient using a deployment package configured from a particular site, it registers to that site automatically.
  • Endpoint profile components
  • Zero Trust tagging rules
  • Software Inventory
  • Email endpoint alerts

Global and per-site configuration

Global and per-site configuration

When you enable multitenancy, you can configure some settings only from the global level and other settings only from the site level. You cannot view site-level settings from the global site. For setting descriptions, see the relevant section in this document.

Global configuration

The following lists settings you must configure from the global site:

  • System Settings > EMS Settings:
    • Shared Settings:
      • Hostname
      • Listen on IP
      • Use FQDN
      • Remote HTTPS access
      • SSL certificate
      • Use SSL certificate for Endpoint Control
      • Show FortiGate Server List
    • EMS Settings:
      • Listen on port
      • Enable TLS 1.0/1.1
      • FortiClient download URL
      • Enable login banner. This login banner only shows when you sign in to the global site.
    • EMS for Chromebooks Settings:
      • Listen on port
      • SSL certificate
      • Service account
    • EMS FSSO Settings
  • Administrators with multisite access. See Adding a multitenancy administrator.
  • Database backup and restoration
  • (On-premise EMS-only) License management: You must license EMS from the global site. You can then assign the licenses to other sites. For example, consider that you have three other sites: Sites A, B, and C. If you then activate 500 Fabric Agent licenses on the global site, you could assign 200 Fabric Agent licenses to Site A, 150 to Site B, and 150 Site C. See Editing a site.
  • EMS Alerts
  • SMTP Server

On the global site Dashboard, you can only view the System and License Information widgets. The other widgets, which display endpoint information, are available at the site level.

Site level configuration

The following lists settings you must configure separately for each site:

  • System Settings > EMS Settings:
    • Shared Settings > Reset Stalled Deployment Interval
    • EMS Settings:
      • Sign software packages
      • Enable Managed by EMS
      • Enable login banner. This login banner only shows when you sign in to the current specified site.
    • EMS for Chromebooks Settings:
      • User inactivity timeout
      • Profile update interval
    • Endpoints Settings
  • System Settings > FortiGuard Services
  • System Settings > Custom Messages
  • System Settings > Feature Select
  • Dashboard widgets and charts. The License Information widget for each site displays the information for the licenses that are assigned to that site. When using an on-premise EMS, you cannot update any licensing information from the site-level Dashboard.
  • (FortiClient Cloud-only) License management: You must license EMS at the site level. You cannot later assign these licenses to other sites.
  • Site-level administrator permissions
  • Endpoint management
  • Endpoint policies
  • Endpoint profiles
  • Deployment packages. When an endpoint installs FortiClient using a deployment package configured from a particular site, it registers to that site automatically.
  • Endpoint profile components
  • Zero Trust tagging rules
  • Software Inventory
  • Email endpoint alerts