Zero Trust tagging rule types
The following table describes Zero Trust tagging rule types and the OSes that they are available for. For all rule types, you can configure multiple conditions using the + button.
Rule type |
OS |
Description |
---|---|---|
AD Group |
|
From the AD Group dropdown list, select the desired AD group. EMS considers the endpoint as satisfying the rule if the logged in user belongs to the selected AD group. The rule considers the logged-in user's group membership, not the computer's attributes. You can also use the NOT option to indicate that the rule requires that the logged in user does not belong to certain AD groups. You cannot use the NOT option to indicate that the rule requires that the logged in user does not belong to any AD group. EMS does not support a rule to dynamically group all endpoints that do not belong to a domain. To use this option, you must configure your domain under Endpoints. See Adding endpoints using an AD domain server. Only FortiClient 6.2.2+ endpoints support this rule type. |
AntiVirus Software |
|
From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center. The third-party software notifies the Windows Security Center of the status of its signatures. FortiClient queries the Windows Security Center to determine what third party AV software is installed and if the software reports signatures as up-to-date. The endpoint must satisfy all configured conditions to satisfy this rule. Only FortiClient 6.2.2+ endpoints support this rule type. |
Certificate |
|
In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint. FortiClient checks certificates in the current user personal store and local computer personal store. It does not check in trusted root or other stores. The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C. |
EMS Management |
|
EMS considers the endpoint as satisfying the rule if the endpoint has FortiClient installed and Telemetry connected to EMS. |
File |
|
In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint. The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C. |
Logged in Domain |
|
In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains. |
OS Version |
|
From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed. |
On-Fabric Status |
|
By default, the rule requires that the endpoint is on-Fabric. You can also use the NOT option to indicate that the rule requires that the endpoint is off-Fabric. |
Registry Key |
|
In the Registry Key field, enter the registry path or value name. End the path with \ to indicate a registry path, or without \ to indicate a registry value name. You can also use the NOT option to indicate that the rule requires that a certain registry path or value name is not present on the endpoint. This rule does not support using the value data. For example, the following shows a system where Firefox is installed. In this example, the registry path is
The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C. |
Running Process |
|
In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint. The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running. |
Sandbox Detection |
|
From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days. Only FortiClient 6.2.2+ endpoints support this rule type. |
Vulnerable Devices |
|
From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher. |
Security |
|
Select the checkbox to require that File Vault is enabled on the endpoint. You can also use the NOT option to indicate that the rule requires that File Vault is disabled on the endpoint. |
Windows Security |
|
From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have Windows Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall enabled. You can also use the NOT option for the rule to require that the endpoint have Windows Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows firewall disabled. The endpoint must satisfy all configured conditions to satisfy this rule. Only FortiClient 6.2.2+ endpoints support this rule type. |
User Identity |
|
Under User Identity, select the following:
EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions. You can also use the NOT option for the rule to require that the endpoint user has not manually entered user details or logged in to a social network account to allow FortiClient to obtain user details. Only FortiClient 6.2.2+ endpoints support this rule type. FortiClient iOS does not support social network login with LinkedIn or Salesforce. FortiClient Android does not support social network login with Salesforce. |