7.2.0

Certificate Based Authentication (v7.2.6 and greater)

Host Data Collection Performance Enhancements

FortiNAC Intune integration now supports the Microsoft NAC-API, which improves FortiNAC's efficiency when collecting data for Intune-managed hosts. Previously, FortiNAC retrieved the entire asset list from Intune whenever MDM polling was performed. With the Microsoft NAC-API, FortiNAC can collect data for a single host without retrieving the entire list.

Configuring Intune and FortiNAC to use the Microsoft NAC-API is the new recommended configuration, especially for larger environments. Appliances with previously configured Intune integrations continue to operate as expected after upgrading to later versions.

New On Demand Registration Workflow:

When a rogue client is detected on the network and added to the FortiNAC database, an MDM poll is triggered to collect the host data associated with the device.

  1. The host connects to the network.

  2. FortiNAC detects the host's MAC address.

  3. A rogue host record is created in the FortiNAC database.

  4. FortiNAC collects the MDM host data:

    1. The Intune NAC API is queried with the host's MAC address to resolve the Intune device ID.

    2. Using that device ID, the host data is collected by calling the Intune MDM (Microsoft Graph) API.

  5. The host record is updated in the FortiNAC database and automatically registered as managed by MDM.

Certificate-Based Authentication

Before FortiNAC can call the Intune API, the MSIntune service connector must first authenticate with the Microsoft identity service to obtain an access token. FortiNAC Intune integration now supports certificate-based authentication. In this mode the token request sent to the identity service carries the tenant ID, client ID, scope, grant type, and a client assertion (a JWT signed with the private key held on the FortiNAC appliance) instead of an application password. Because no shared secret is stored on the appliance or transmitted, this method is more secure than the other two authentication types available (Delegation Access and Application Access).

Appliances with InTune integrations previously configured will continue to operate as expected in higher versions of code.
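The exchange behind this mode, as an added example written for this page (not FortiNAC's own code; the tenant ID, client ID, self-signed certificate, Graph scope and ten-minute assertion lifetime are all assumptions made here): the Go program below generates a key pair and certificate, builds the RS256-signed client assertion with the x5t thumbprint header, assembles the client_credentials token request without any client_secret, and verifies the assertion the way the identity service does, rejecting one that is expired, tampered with, or signed with a certificate that was never registered.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Constructed identifiers; a real connector uses its own tenant ID and app registration client ID.
const (
	tenantID = "11111111-2222-3333-4444-555555555555"
	clientID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
)

func tokenEndpoint(t string) string { return "https://login.microsoftonline.com/" + t + "/oauth2/v2.0/token" }
func b64url(b []byte) string         { return base64.RawURLEncoding.EncodeToString(b) }

// newSelfSignedCert stands in for the connector's key pair: only the certificate is uploaded to the app registration.
func newSelfSignedCert() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "fortinac-intune-connector"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // a failure surfaces in Parse below
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// buildClientAssertion creates the signed JWT that replaces an application secret; x5t is the cert's SHA-1 thumbprint.
func buildClientAssertion(tenant, client string, key *rsa.PrivateKey, cert *x509.Certificate, now time.Time) (string, error) {
	thumb := sha1.Sum(cert.Raw)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64url(thumb[:])})
	jti := make([]byte, 16) // unique per assertion so a captured JWT cannot be replayed
	rand.Read(jti)
	claims, _ := json.Marshal(map[string]any{
		"aud": tokenEndpoint(tenant), "iss": client, "sub": client, "jti": b64url(jti),
		"nbf": now.Unix(), "iat": now.Unix(), "exp": now.Add(10 * time.Minute).Unix(),
	})
	input := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64url(sig), err
}

// tokenRequestForm is the body POSTed to the token endpoint; note that no client_secret is present.
func tokenRequestForm(client, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {client},
		"scope":                 {"https://graph.microsoft.com/.default"},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

// verifyClientAssertion mirrors the identity service's checks (signature, audience, issuer, expiry) offline.
func verifyClientAssertion(assertion, tenant, client string, cert *x509.Certificate, now time.Time) (map[string]any, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify with the registered certificate")
	}
	var claims map[string]any // the signature covered parts[1] exactly, so decoding it cannot fail here
	if raw, _ := base64.RawURLEncoding.DecodeString(parts[1]); json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("claims are not a JSON object")
	}
	exp, _ := claims["exp"].(float64)
	if claims["aud"] != tokenEndpoint(tenant) || claims["iss"] != client || now.Unix() >= int64(exp) {
		return nil, fmt.Errorf("audience, issuer or expiry check failed")
	}
	return claims, nil
}
func main() {
	key, cert, _ := newSelfSignedCert()
	jwt, _ := buildClientAssertion(tenantID, clientID, key, cert, time.Now())
	fmt.Println(tokenRequestForm(clientID, jwt).Encode())
}
```

Running it prints the form body a connector would POST. The only long-lived secret is the private key, which never leaves the appliance; a captured request yields a short-lived, single-use assertion rather than a reusable credential, which is the practical difference from sending an application password.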

Requirements

FortiNAC

  • Supported Version: 7.2.6 or greater

MSIntune

  • Microsoft NAC-API requirements

    • Microsoft Graph APIs for Intune: supported server version - Microsoft Intune January 22, 2024 (service release 2401) or greater

    • Intune NAC API: supported server version - Microsoft Compliance Retrieval Service/NAC 2.0 or greater

  • Certificate-based authentication requirement: a private key and an X.509 certificate for the corresponding public key. The private key stays on the FortiNAC appliance; the certificate is uploaded to the app registration FortiNAC uses in Microsoft Entra ID so the identity service can verify the signed client assertion.

Considerations

As of October 2021, Intune doesn't display Wi-Fi MAC addresses for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

Reference

https://techcommunity.microsoft.com/t5/intune-customer-success/android-12-day-zero-support-with-microsoft-endpoint-manager/ba-p/2621665

https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-inventory

FortiNAC requires the MAC address to look up these devices in Intune. Consequently, these devices cannot be registered in FortiNAC via the MDM.

Workaround: Use WPA2 with 802.1X authentication and register the device to the RADIUS user. Automated registration based on the user's 802.1X authentication can be enabled per SSID. For details, see Dot1x Auto Registration in the Settings table of the SSID Configuration section in the Administration Guide.
