Fortinet white logo
Fortinet white logo

EMS Administration Guide

Group assignment rule types

Group assignment rule types

You can use group assignment rules to automatically place endpoints into custom groups based on certain traits.

Installer ID group assignment rules

Creating a FortiClient deployment package includes an option to specify an installer ID. For example, you may want to place all endpoints located in your company's headquarters in the same endpoint group. You can configure a FortiClient deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an installer ID group assignment rule that requires EMS to place endpoints with the installer ID "HQ" into the HQ group. The installer ID and group name do not need to match. See Adding a group assignment rule.
  2. Create a FortiClient deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See Adding a FortiClient deployment package.
  3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
  4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ group.

If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

IP address group assignment rules

You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address range into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP address range to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are placed in the specified group.

OS group assignment rules

You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the specified group.

Invitation group assignment rules

You can create a group assignment rule to automatically place all endpoints that connected to EMS using a specific invitation code into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an invitation group assignment rule that requires endpoints that connected to EMS using a specific invitation code to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints with the specified invitation code are placed in the specified group.

Group assignment rule types

Group assignment rule types

You can use group assignment rules to automatically place endpoints into custom groups based on certain traits.

Installer ID group assignment rules

Creating a FortiClient deployment package includes an option to specify an installer ID. For example, you may want to place all endpoints located in your company's headquarters in the same endpoint group. You can configure a FortiClient deployment package with an "HQ" installer ID, then deploy this deployment package to the desired endpoints. When the endpoints' FortiClient connects to FortiClient EMS, FortiClient EMS places them in the desired group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an installer ID group assignment rule that requires EMS to place endpoints with the installer ID "HQ" into the HQ group. The installer ID and group name do not need to match. See Adding a group assignment rule.
  2. Create a FortiClient deployment package. Specify the "HQ" installer ID when creating or uploading the installer. See Adding a FortiClient deployment package.
  3. Deploy the deployment package to the desired endpoints or send the download link to the desired users.
  4. The endpoints install FortiClient. When FortiClient connects to FortiClient EMS, EMS places the endpoint in the HQ group.

If you manually move the endpoint to another group after EMS places it into the group defined by the installer ID group assignment rule, EMS returns the endpoint to the group defined by the installer ID group assignment rule.

IP address group assignment rules

You can create a group assignment rule to automatically place all endpoints within a specified subnet or IP address range into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an IP address group assignment rule that requires endpoints within a certain subnet or IP address range to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints within the specified subnet or IP address range are placed in the specified group.

OS group assignment rules

You can create a group assignment rule to automatically place all endpoints that have a specific OS installed into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an OS group assignment rule that requires endpoints with a certain OS installed to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints with the specified OS installed are placed in the specified group.

Invitation group assignment rules

You can create a group assignment rule to automatically place all endpoints that connected to EMS using a specific invitation code into the same custom group. In this situation, the process is as follows:

  1. In FortiClient EMS, create an invitation group assignment rule that requires endpoints that connected to EMS using a specific invitation code to be placed into the desired group. See Adding a group assignment rule.
  2. With the next FortiClient Telemetry communication, endpoints with the specified invitation code are placed in the specified group.