Fortinet white logo
Fortinet white logo

Administration Guide

7.6.0

MDM Servers

MDM Servers

MDM Services allows you to configure the connection or integration between FortiNAC and a Mobile Device Management (MDM) system. FortiNAC and the MDM system work together sharing data via an API to secure the network. FortiNAC leverages the data in the MDM database and registers hosts using that data as they connect to the network.

The MDM Service Connector can be configured either on the FortiNAC Manager or the individual managed FortiNAC servers. Choose the appropriate option based upon which FortiNAC servers require the MDM host record information.

Option 1

Requirement: All servers managed by FortiNAC Manager require MDM host record information.

Configuration: Configure the MDM Service Connector on the FortiNAC Manager. No other configuration is required.

Behavior: The Manager copies all MDM host record information to the servers after each MDM poll.

Benefit: Provides a single point of contact for the MDM server. Reduces the overall number of queries the MDM server has to process.

Option 2

Requirement: Only certain FortiNAC servers require MDM host record information.

Configuration: Configure the MDM Service Connector on the FortiNAC servers requiring the data.

Behavior: The MDM server is polled by each FortiNAC server configured with the MDM Service Connector.

Note

Proxy communication is not supported.

Supported vendors

  • Air Watch

  • Fortinet EMS

  • Google GSuite

  • JAMF

  • MaaS360

  • MicrosoftInTune

  • Mobile Iron

  • Citrix Endpoint Management

For more information about supported vendors, refer to the appropriate reference manual in the the Fortinet Documentation Library:

Settings

Field

Definition

MDM Vendor

Name of the vendor of the MDM system.

Name

Name of the connection configuration for the connection between an MDM system and FortiNAC.

Request URL

The URL for the API to which FortiNAC must connect to request data. This will be a unique URL based on your MDM system.

Identifier

A type of key used to identify FortiNAC to the MDM server. This field is not required for all MDM products.

In the case of AirWatch, this is the API Key generated during the AirWatch Configuration. An API key is a unique code that identifies the FortiNAC server to AirWatch and is part of the authentication process for AirWatch.

Application ID

Enter the application ID.

Platform ID

Enter the platform version number.

Application Version

Enter the application version number.

Access Key

Enter the application access key (API key).

Enable Delegated Permissions

If enabled, API permissions are delegated by a signed-in user. When disabled, API permissions are configured and granted in the MDM application registration portal (recommended configuration).

Note: Existing MS Intune connectors created prior to versions 9.1.6/9.2.3/9.4.0 will have this setting enabled.

User ID

User name of the account used by FortiNAC to log into the MDM system when requesting data.

Password

Password for the account used by FortiNAC to log into the MDM system when requesting data.

This field displays only when adding a new MDM connection configuration. It is not displayed in the table of MDM servers.

Poll Interval

Indicates how often FortiNAC should poll the MDM system for information.

Last Poll

Date and time of the last poll.

Last Successful Poll

Date and time of the last poll that successfully retrieved data.

Create Date

Date that this connection configuration was set up.

On Demand
Registration

If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.

Revalidate Health Status On Connect

If enabled, when the host connects to the network FortiNAC queries the MDM server to determine if the host is compliant with MDM policies. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency.

Remove Hosts

If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database if they have been removed or disabled on the MDM server.

Update Applications

If enabled, when FortiNAC polls the MDM server it retrieves and stores the Application Inventory for hosts that are in the FortiNAC database. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

Last Modified By

User name of the last user to modify the connection configuration.

Last Modified Date

Date and time of the last modification to this connection configuration.

Credential JSON

GSuite: (Introduced in FortiNAC version 9.4) Imports the Service Account Key JSON file downloaded from the Google Developers Console.

1) Select the "Modify Credential JSON" button.

2) Populate the Credential JSON field with the Service Account Key file downloaded from the Google Developers Console. This can be done in two ways:

Option 1 (Recommended): Click Browse and select the file. It's contents will appear in the Credential JSON window.

Option 2: Copy and paste the file contents.

Right click options

Delete

Deletes the MDM Service.

Modify

Opens the Modify MDM Service dialog.

Poll Now

Polls the MDM server immediately.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Test Connection

Tests the connection between the selected MDM server and FortiNAC. Error messages indicate which fields are missing or incorrect.

Buttons

Add

Opens the Add MDM Service dialog.

Modify

Opens the Modify MDM Service dialog.

Test Connection

Tests the connection between the selected MDM server and FortiNAC. Error messages indicate which fields are missing or incorrect.

Poll Now

Polls the MDM server immediately.

Add or modify MDM service

  1. Go to Network > Service Connectors
  2. Select Create New and select a vendor or Edit an existing MDM Server.
  3. Use the settings for the MDM Services to enter the MDM Service information.
  4. Click OK to save.
Note

The Revalidate Health Status On Connect and Update Applications settings are disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

Note

Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency.

Delete MDM service

  1. Go to Network > Service Connectors
  2. Select an MDM Service record from the table.
  3. Click Delete at the top of the view.
  4. Click Yes on the confirmation message.

MDM Servers

MDM Servers

MDM Services allows you to configure the connection or integration between FortiNAC and a Mobile Device Management (MDM) system. FortiNAC and the MDM system work together sharing data via an API to secure the network. FortiNAC leverages the data in the MDM database and registers hosts using that data as they connect to the network.

The MDM Service Connector can be configured either on the FortiNAC Manager or the individual managed FortiNAC servers. Choose the appropriate option based upon which FortiNAC servers require the MDM host record information.

Option 1

Requirement: All servers managed by FortiNAC Manager require MDM host record information.

Configuration: Configure the MDM Service Connector on the FortiNAC Manager. No other configuration is required.

Behavior: The Manager copies all MDM host record information to the servers after each MDM poll.

Benefit: Provides a single point of contact for the MDM server. Reduces the overall number of queries the MDM server has to process.

Option 2

Requirement: Only certain FortiNAC servers require MDM host record information.

Configuration: Configure the MDM Service Connector on the FortiNAC servers requiring the data.

Behavior: The MDM server is polled by each FortiNAC server configured with the MDM Service Connector.

Note

Proxy communication is not supported.

Supported vendors

  • Air Watch

  • Fortinet EMS

  • Google GSuite

  • JAMF

  • MaaS360

  • MicrosoftInTune

  • Mobile Iron

  • Citrix Endpoint Management

For more information about supported vendors, refer to the appropriate reference manual in the the Fortinet Documentation Library:

Settings

Field

Definition

MDM Vendor

Name of the vendor of the MDM system.

Name

Name of the connection configuration for the connection between an MDM system and FortiNAC.

Request URL

The URL for the API to which FortiNAC must connect to request data. This will be a unique URL based on your MDM system.

Identifier

A type of key used to identify FortiNAC to the MDM server. This field is not required for all MDM products.

In the case of AirWatch, this is the API Key generated during the AirWatch Configuration. An API key is a unique code that identifies the FortiNAC server to AirWatch and is part of the authentication process for AirWatch.

Application ID

Enter the application ID.

Platform ID

Enter the platform version number.

Application Version

Enter the application version number.

Access Key

Enter the application access key (API key).

Enable Delegated Permissions

If enabled, API permissions are delegated by a signed-in user. When disabled, API permissions are configured and granted in the MDM application registration portal (recommended configuration).

Note: Existing MS Intune connectors created prior to versions 9.1.6/9.2.3/9.4.0 will have this setting enabled.

User ID

User name of the account used by FortiNAC to log into the MDM system when requesting data.

Password

Password for the account used by FortiNAC to log into the MDM system when requesting data.

This field displays only when adding a new MDM connection configuration. It is not displayed in the table of MDM servers.

Poll Interval

Indicates how often FortiNAC should poll the MDM system for information.

Last Poll

Date and time of the last poll.

Last Successful Poll

Date and time of the last poll that successfully retrieved data.

Create Date

Date that this connection configuration was set up.

On Demand
Registration

If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.

Revalidate Health Status On Connect

If enabled, when the host connects to the network FortiNAC queries the MDM server to determine if the host is compliant with MDM policies. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency.

Remove Hosts

If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database if they have been removed or disabled on the MDM server.

Update Applications

If enabled, when FortiNAC polls the MDM server it retrieves and stores the Application Inventory for hosts that are in the FortiNAC database. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

Last Modified By

User name of the last user to modify the connection configuration.

Last Modified Date

Date and time of the last modification to this connection configuration.

Credential JSON

GSuite: (Introduced in FortiNAC version 9.4) Imports the Service Account Key JSON file downloaded from the Google Developers Console.

1) Select the "Modify Credential JSON" button.

2) Populate the Credential JSON field with the Service Account Key file downloaded from the Google Developers Console. This can be done in two ways:

Option 1 (Recommended): Click Browse and select the file. It's contents will appear in the Credential JSON window.

Option 2: Copy and paste the file contents.

Right click options

Delete

Deletes the MDM Service.

Modify

Opens the Modify MDM Service dialog.

Poll Now

Polls the MDM server immediately.

Show Audit Log

Opens the admin auditing log showing all changes made to the selected item.

For information about the admin auditing log, see Audit Logs.

Note

You must have permission to view the admin auditing log. See Add an administrator profile.

Test Connection

Tests the connection between the selected MDM server and FortiNAC. Error messages indicate which fields are missing or incorrect.

Buttons

Add

Opens the Add MDM Service dialog.

Modify

Opens the Modify MDM Service dialog.

Test Connection

Tests the connection between the selected MDM server and FortiNAC. Error messages indicate which fields are missing or incorrect.

Poll Now

Polls the MDM server immediately.

Add or modify MDM service

  1. Go to Network > Service Connectors
  2. Select Create New and select a vendor or Edit an existing MDM Server.
  3. Use the settings for the MDM Services to enter the MDM Service information.
  4. Click OK to save.
Note

The Revalidate Health Status On Connect and Update Applications settings are disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

Note

Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency.

Delete MDM service

  1. Go to Network > Service Connectors
  2. Select an MDM Service record from the table.
  3. Click Delete at the top of the view.
  4. Click Yes on the confirmation message.