Add or modify a configuration
- Select Policy > Policy Configuration.
- In the menu on the left click the + sign next to Endpoint Compliance.
- From the menu on the left, select Configuration.
- On the Endpoint Compliance Configurations window, click the Add button or select an existing configuration and click Modify.
- On the General tab, click in the Name field and enter a name for this configuration.
- Select a Scan from the drop-down menu. You can use the icons next to the Scan field to add a new scan or modify the scan shown in the drop-down menu. Note that if you modify this scan, it is modified for all features that make use of it. See Add or modify a scan.
- If you would like to add a list of installed applications to the host record, enable the Collect Application Inventory check box. This only applies to hosts that are assigned an agent. An application inventory cannot be generated for hosts unless an agent is in use.
-
If you would like to grant varying levels of access based on the host's role, select Advanced Scan Controls. This displays additional options that allow you to select and map a security action to scan success, failure, and warning. See Chaining configuration scans .
You must have ATR access enabled to use the Advanced Scan Controls feature.
- The Note field is optional.
- Click the Agent tab to select it.
- Select an agent for each operating system. You may choose not to use an agent for a particular operating system, however, scans can only be applied via an agent.
- No agent exists for some operating systems. In those cases select either None-Deny Access or None-Bypass. Refer to the table below for information on each field.
- Click OK to save the configuration.
Settings
Field |
Definition |
---|---|
General tab |
|
Name |
User specified name for this configuration. |
Scan |
Select the scan to be associated with this configuration. Hosts that match the Endpoint Compliance Policy containing this configuration will be scanned with the selected Scan. |
Collect Application Inventory |
If enabled, the agent assigned to the host will collect information about installed applications and add that information to the host record. An application inventory cannot be generated for a hosts unless an agent is in use. |
Advanced Scan Controls |
If enabled, allows you to select a security action mapped to an Endpoint Compliance activity that will be taken based on scan results. See Chaining configuration scans . |
Note |
User specified note field. This field may contain notes regarding the conversion of policies from a previous version of FortiNAC. |
Agent tab |
|
Windows macOS Linux |
Allows you to select a separate agent or treatment for each operating system. For example, a host with a Windows operating system may be scanned by the Persistent Agent while a host with a Mac operating system may be scanned with the Dissolvable Agent. See Determining host operating system. The names of all the agent versions and types available on the appliance are included in the list. The .exe is recommended for user-interactive installation. The .msi is recommended for use for a managed install by a non-user-interactive means. Agent options include:
|
Android |
See Mobile Agent. |
Settings For Operating Systems Without Agents |
This section provides a list of additional operating systems and allows you to select treatment for each one. For example, iPod devices could be set to None-Bypass indicating that no agent is necessary and allowing that device to connect to the network. Options for additional platforms include:
Use the Set all to None-Bypass or Set all to None-Deny Access buttons to modify settings for all additional platforms at once. The last platform labeled Other is used as a catch-all for devices with new or unsupported operating systems. Any platform not listed in the Policy, is treated as specified by the setting associated with Other. |