MDM Servers
MDM Services allows you to configure the connection or integration between FortiNAC and a Mobile Device Management (MDM) system. FortiNAC and the MDM system work together sharing data via an API to secure the network. FortiNAC leverages the data in the MDM database and registers hosts using that data as they connect to the network.
The MDM Service Connector can be configured either on the FortiNAC Manager or the individual managed FortiNAC servers. Choose the appropriate option based upon which FortiNAC servers require the MDM host record information.
Option 1
Requirement: All servers managed by FortiNAC Manager require MDM host record information.
Configuration: Configure the MDM Service Connector on the FortiNAC Manager. No other configuration is required.
Behavior: The Manager copies all MDM host record information to the servers after each MDM poll.
Benefit: Provides a single point of contact for the MDM server. Reduces the overall number of queries the MDM server has to process.
Option 2
Requirement: Only certain FortiNAC servers require MDM host record information.
Configuration: Configure the MDM Service Connector on the FortiNAC servers requiring the data.
Behavior: The MDM server is polled by each FortiNAC server configured with the MDM Service Connector.
Proxy communication is not supported. |
Supported vendors
-
Air Watch
-
Fortinet EMS
-
Google GSuite
-
JAMF
-
MaaS360
-
MicrosoftInTune
-
Mobile Iron
-
Citrix Endpoint Management
For more information about supported vendors, refer to the appropriate reference manual in the the Fortinet Documentation Library:
- Fortinet EMS: FortiClient EMS Device Integration
- All others: Third Party MDM Device Integration
Settings
Field |
Definition |
||
MDM Vendor |
Name of the vendor of the MDM system. |
||
Name |
Name of the connection configuration for the connection between an MDM system and FortiNAC. |
||
Request URL |
The URL for the API to which FortiNAC must connect to request data. This will be a unique URL based on your MDM system. |
||
Identifier |
A type of key used to identify FortiNAC to the MDM server. This field is not required for all MDM products. In the case of AirWatch, this is the API Key generated during the AirWatch Configuration. An API key is a unique code that identifies the FortiNAC server to AirWatch and is part of the authentication process for AirWatch. |
||
Application ID |
Enter the application ID. |
||
Platform ID |
Enter the platform version number. |
||
Application Version |
Enter the application version number. |
||
Access Key |
Enter the application access key (API key). |
||
Enable Delegated Permissions |
If enabled, API permissions are delegated by a signed-in user. When disabled, API permissions are configured and granted in the MDM application registration portal (recommended configuration). Note: Existing MS Intune connectors created prior to versions 9.1.6/9.2.3/9.4.0 will have this setting enabled. |
||
User ID |
User name of the account used by FortiNAC to log into the MDM system when requesting data. |
||
Password |
Password for the account used by FortiNAC to log into the MDM system when requesting data. This field displays only when adding a new MDM connection configuration. It is not displayed in the table of MDM servers. |
||
Poll Interval |
Indicates how often FortiNAC should poll the MDM system for information. |
||
Last Poll |
Date and time of the last poll. |
||
Last Successful Poll |
Date and time of the last poll that successfully retrieved data. |
||
Create Date |
Date that this connection configuration was set up. |
||
On Demand |
If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server. |
||
Revalidate Health Status On Connect |
If enabled, when the host connects to the network FortiNAC queries the MDM server to determine if the host is compliant with MDM policies. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency. |
||
Remove Hosts |
If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database if they have been removed or disabled on the MDM server. |
||
Update Applications |
If enabled, when FortiNAC polls the MDM server it retrieves and stores the Application Inventory for hosts that are in the FortiNAC database. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. |
||
Last Modified By |
User name of the last user to modify the connection configuration. |
||
Last Modified Date |
Date and time of the last modification to this connection configuration. |
||
Credential JSON |
GSuite: (Introduced in FortiNAC version 9.4) Imports the Service Account Key JSON file downloaded from the Google Developers Console. 1) Select the "Modify Credential JSON" button. 2) Populate the Credential JSON field with the Service Account Key file downloaded from the Google Developers Console. This can be done in two ways: Option 1 (Recommended): Click Browse and select the file. It's contents will appear in the Credential JSON window. Option 2: Copy and paste the file contents. |
||
Right click options |
|||
Delete |
Deletes the MDM Service. |
||
Modify |
Opens the Modify MDM Service dialog. |
||
Poll Now |
Polls the MDM server immediately. |
||
Show Audit Log |
Opens the admin auditing log showing all changes made to the selected item. For information about the admin auditing log, see Audit Logs.
|
||
Test Connection |
Tests the connection between the selected MDM server and FortiNAC. Error messages indicate which fields are missing or incorrect. |
||
Buttons |
|||
Add |
Opens the Add MDM Service dialog. |
||
Modify |
Opens the Modify MDM Service dialog. |
||
Test Connection |
Tests the connection between the selected MDM server and FortiNAC. Error messages indicate which fields are missing or incorrect. |
||
Poll Now |
Polls the MDM server immediately. |
Add or modify MDM service
- Go to Network > Service Connectors
- Select Create New and select a vendor or Edit an existing MDM Server.
- Use the settings for the MDM Services to enter the MDM Service information.
- Click OK to save.
The Revalidate Health Status On Connect and Update Applications settings are disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. |
Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency. |
Delete MDM service
- Go to Network > Service Connectors
- Select an MDM Service record from the table.
- Click Delete at the top of the view.
- Click Yes on the confirmation message.