Configuring Workspace ONE integration to allow FortiClient (iOS) to connect to EMS

Workspace ONE integration allows FortiClient endpoints to connect to EMS. This documentation is based on Workspace ONE 23.

To configure integration between Workspace ONE and FortiClient:

In Workspace ONE, go to Accounts, and add a new user.
Add a new device for the user:
1. From the Device Ownership Type dropdown list, select Corporate - Dedicated.
2. From the Platform dropdown list, select Apple iOS.
3. For Message Type, select EMAIL.
4. Save. This sends an Workspace ONE device activation email to the user.
Go to Assignment Groups. Create a new assignment group and add specific members to the group based on required criteria or devices and users.
Go to Resources, and add FortiClient from the public app store.

When adding an assignment, enter the desired name and select the desired assignment groups. Configure the deployment as desired. In Application Configuration, you can optionally add key-value pairs as shown. This enables FortiClient to read the MAC address and UDID from the iOS device. FortiClient sends this information to EMS.

Supported keys include the following:

Key	Description
mac_address	iOS device MAC address.
udid	iOS device UDID.
ems_server	EMS server IP address.
ems_port	EMS port number.
group_tag	This value is used as a group tag for configuration in EMS. EMS uses this value as an installer ID to assign the endpoint to a group. See Group assignment rule types.
cloud_invite_code	This value is used for connecting FortiClient to FortiClient Cloud. Enter the invite code received from FortiClient Cloud. For FortiClient iOS, this key is mainly meant to support 7.2.2 and earlier versions, as the new `invitation_code` key is available for FortiClient (iOS) 7.2.3 and later versions. However, you can continue to use `cloud_invite_code` for FortiClient (iOS) 7.2.3 and later versions if you do not configure `invitation_code`. This key does not support configuring invitation codes from on-premise EMS.
ems_key	Telemetry connection key. The EMS administrator may require FortiClient to provide this key during connection.
invitation_code	Enter the FortiClient Cloud or on-premise EMS invitation code. FortiClient 7.2.3 and later versions support this key.

You can add more assignments and use different group_tag values.
Go to Resources and add a new profile:
1. Go to the Content Filter section. In the User name field, enter the EMS URL.
2. Go to Single App Mode, and configure as shown to enable single app mode. This makes FortiClient run.
The user installs Intelligent Hub on the device and scans the QR code in the activation email to enroll the device.
When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud, depending on the configuration. Once FortiClient connects to EMS, disable single app mode for the device. Keep the EMS URL in the Content Filter section.
The following shows the on-premise EMS GUI after FortiClient connects Telemetry.

Configuring Workspace ONE integration to allow FortiClient (iOS) to connect to EMS

Workspace ONE integration allows FortiClient endpoints to connect to EMS. This documentation is based on Workspace ONE 23.

To configure integration between Workspace ONE and FortiClient:

In Workspace ONE, go to Accounts, and add a new user.

Add a new device for the user:

From the Device Ownership Type dropdown list, select Corporate - Dedicated.
From the Platform dropdown list, select Apple iOS.
For Message Type, select EMAIL.
Save. This sends an Workspace ONE device activation email to the user.

Go to Assignment Groups. Create a new assignment group and add specific members to the group based on required criteria or devices and users.

Go to Resources, and add FortiClient from the public app store.

Supported keys include the following:

Key	Description
mac_address	iOS device MAC address.
udid	iOS device UDID.
ems_server	EMS server IP address.
ems_port	EMS port number.
group_tag	This value is used as a group tag for configuration in EMS. EMS uses this value as an installer ID to assign the endpoint to a group. See Group assignment rule types.
cloud_invite_code	This value is used for connecting FortiClient to FortiClient Cloud. Enter the invite code received from FortiClient Cloud. For FortiClient iOS, this key is mainly meant to support 7.2.2 and earlier versions, as the new `invitation_code` key is available for FortiClient (iOS) 7.2.3 and later versions. However, you can continue to use `cloud_invite_code` for FortiClient (iOS) 7.2.3 and later versions if you do not configure `invitation_code`. This key does not support configuring invitation codes from on-premise EMS.
ems_key	Telemetry connection key. The EMS administrator may require FortiClient to provide this key during connection.
invitation_code	Enter the FortiClient Cloud or on-premise EMS invitation code. FortiClient 7.2.3 and later versions support this key.

You can add more assignments and use different group_tag values.

Go to Resources and add a new profile:

Go to the Content Filter section. In the User name field, enter the EMS URL.
Go to Single App Mode, and configure as shown to enable single app mode. This makes FortiClient run.

The user installs Intelligent Hub on the device and scans the QR code in the activation email to enroll the device.

When FortiClient starts on the device, it automatically connects to on-premise EMS or FortiClient Cloud, depending on the configuration. Once FortiClient connects to EMS, disable single app mode for the device. Keep the EMS URL in the Content Filter section.

The following shows the on-premise EMS GUI after FortiClient connects Telemetry.

Workspace ONE Deployment Guide

Configuring Workspace ONE integration to allow FortiClient (iOS) to connect to EMS

Configuring Workspace ONE integration to allow FortiClient (iOS) to connect to EMS

To configure integration between Workspace ONE and FortiClient:

Configuring Workspace ONE integration to allow FortiClient (iOS) to connect to EMS

To configure integration between Workspace ONE and FortiClient: