Fortinet white logo
Fortinet white logo

MacOS Machines (Silent Onboard)

MacOS Machines (Silent Onboard)

Note: Due to the length of the following commands, unless separated by a space, consider syntax to be all on one line.

The macOS machine automatically registers upon connecting to the network once the installed Persistent Agent communicates with FortiNAC. This method is transparent to the end user.

How it Works:

  1. Device connects to the network.

  2. Persistent Agent initiates communication with FortiNAC.

  3. FortiNAC registers the device (does not associate device with user).

Note the Following:

  • This method can be used in conjunction with the Windows Domain Single-Sign-On method.

  • Logged on users are not tracked for Mac and Linux.

Requirements:

  • Agent Deployment Method: Software Management Program

  • Root access to the Mac machine

Review Software Modifiable Settings for the Persistent Agent for other settings that may need to be modified.

Configuration

  1. Navigate to Security Configuration > Agent Settings > Credential Configuration

  2. Select “Enable Registration” and “Register as Device.”

  3. Configure any other necessary FortiNAC configurations. See FortiNAC Settings.

  4. Create the Persistent Agent Settings policy file to be pushed to macOS machines. This file will override the default settings.

    1. Install Persistent agent on a test machine. For instructions, see section Installation for macOS of the Administration Guide in the Fortinet Document Library.

    2. In the test machine CLI using Terminal, create the policy file com.bradfordnetworks.bndaemon.policy

      sudo cp /Library/Preferences/com.bradfordnetworks.bndaemon.plist /Library/Preferences/com.bradfordnetworks.bndaemon.policy.plist

    3. Note: Root access is required. If already logged in as root, the use of “sudo” in the syntax is not required.

    4. Modify the new policy plist file with the appropriate Persistent Agent Settings. The following table provides recommended settings. Review Software Modifiable Settings for the Persistent Agent for additional options.

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy <value> -<Data Type> <Data>

      Recommended Persistent Agent Settings

      Option

      Value

      Data Type

      Data

      Function

      Home Server

      homeServer

      String

      FortiNAC Server or Application Server fully-qualified hostname

      Name of FortiNAC appliance with which the agent must communicate.

      Allowed Servers

      allowedServers

      String

      Comma-separated list of fully-qualified hostnames with which the agent can communicate.

      “a.example.com, b.example.com”

      (Important: no spaces between commas and names)

      Needed if agent could potentially roam to multiple FortiNAC appliances (NCM environment or High Availability).

      Restrict Roaming

      restrictRoaming

      Integer

      1

      Agent will only communicate with server names provided by homeServer and allowedServers settings.

      Login Dialog

      LoginDialogDisabled

      Integer

      1

      Credential popup will not display to the user.

      System Tray Icon

      ShowIcon

      Integer

      0

      System tray icon will not display.

      Balloon Notifications

      ClientStateEnabled

      Integer

      0

      State change notifications will not display.

      Example

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy allowedServers -string server1.company.com,server2.company.com

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy restrictRoaming -integer 1

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy LoginDialogDisabled -integer 1

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy ShowIcon -integer 0

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy ClientStateEnabled -integer 0

      To view contents of the file:

      sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon.policy

  5. Push com.bradfordnetworks.bndaemon.policy to the /Library/Preferences/ directory on existing macOS machines using a software management program.

  6. Push the agent package to macOS machines using the software management program.

Validate

  1. Connect host to network.

  2. Search for Windows machine in Users & Hosts > Hosts.

  3. Verify the following:

  • Host record displays as registered.

  • UserID is displayed under “Logged On User” column.

  • The appropriate Endpoint Compliance Policy matches (right click on host and select Policy Details)

  • The applicable scan runs (right click on host and select Host Health)

  • The scan result accurately reflects the machine posture (e.g. does the scan pass when it should have failed?)

If any of the above do not work as expected, see KB article Troubleshooting the Persistent Agent.

After the network has been enforced:

  1. Leave “Register as Device” enabled.

  2. Create a scan policy that checks for a specific value defining the asset.

  3. Do one of the following:

    1. Enable Forced Remediation. If the host fails the scan, the host will register. However, it will be marked “At Risk” and placed in an Isolation VLAN.

    2. Forced Remediation alternative: send an email notification for the Security Risk Host event. Note: if Forced Remediation is not used, non-domain machines with the Persistent Agent that auto register may gain access to the production network.

MacOS Machines (Silent Onboard)

MacOS Machines (Silent Onboard)

Note: Due to the length of the following commands, unless separated by a space, consider syntax to be all on one line.

The macOS machine automatically registers upon connecting to the network once the installed Persistent Agent communicates with FortiNAC. This method is transparent to the end user.

How it Works:

  1. Device connects to the network.

  2. Persistent Agent initiates communication with FortiNAC.

  3. FortiNAC registers the device (does not associate device with user).

Note the Following:

  • This method can be used in conjunction with the Windows Domain Single-Sign-On method.

  • Logged on users are not tracked for Mac and Linux.

Requirements:

  • Agent Deployment Method: Software Management Program

  • Root access to the Mac machine

Review Software Modifiable Settings for the Persistent Agent for other settings that may need to be modified.

Configuration

  1. Navigate to Security Configuration > Agent Settings > Credential Configuration

  2. Select “Enable Registration” and “Register as Device.”

  3. Configure any other necessary FortiNAC configurations. See FortiNAC Settings.

  4. Create the Persistent Agent Settings policy file to be pushed to macOS machines. This file will override the default settings.

    1. Install Persistent agent on a test machine. For instructions, see section Installation for macOS of the Administration Guide in the Fortinet Document Library.

    2. In the test machine CLI using Terminal, create the policy file com.bradfordnetworks.bndaemon.policy

      sudo cp /Library/Preferences/com.bradfordnetworks.bndaemon.plist /Library/Preferences/com.bradfordnetworks.bndaemon.policy.plist

    3. Note: Root access is required. If already logged in as root, the use of “sudo” in the syntax is not required.

    4. Modify the new policy plist file with the appropriate Persistent Agent Settings. The following table provides recommended settings. Review Software Modifiable Settings for the Persistent Agent for additional options.

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy <value> -<Data Type> <Data>

      Recommended Persistent Agent Settings

      Option

      Value

      Data Type

      Data

      Function

      Home Server

      homeServer

      String

      FortiNAC Server or Application Server fully-qualified hostname

      Name of FortiNAC appliance with which the agent must communicate.

      Allowed Servers

      allowedServers

      String

      Comma-separated list of fully-qualified hostnames with which the agent can communicate.

      “a.example.com, b.example.com”

      (Important: no spaces between commas and names)

      Needed if agent could potentially roam to multiple FortiNAC appliances (NCM environment or High Availability).

      Restrict Roaming

      restrictRoaming

      Integer

      1

      Agent will only communicate with server names provided by homeServer and allowedServers settings.

      Login Dialog

      LoginDialogDisabled

      Integer

      1

      Credential popup will not display to the user.

      System Tray Icon

      ShowIcon

      Integer

      0

      System tray icon will not display.

      Balloon Notifications

      ClientStateEnabled

      Integer

      0

      State change notifications will not display.

      Example

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy allowedServers -string server1.company.com,server2.company.com

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy restrictRoaming -integer 1

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy LoginDialogDisabled -integer 1

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy ShowIcon -integer 0

      sudo defaults write /Library/Preferences/com.bradfordnetworks.bndaemon.policy ClientStateEnabled -integer 0

      To view contents of the file:

      sudo defaults read /Library/Preferences/com.bradfordnetworks.bndaemon.policy

  5. Push com.bradfordnetworks.bndaemon.policy to the /Library/Preferences/ directory on existing macOS machines using a software management program.

  6. Push the agent package to macOS machines using the software management program.

Validate

  1. Connect host to network.

  2. Search for Windows machine in Users & Hosts > Hosts.

  3. Verify the following:

  • Host record displays as registered.

  • UserID is displayed under “Logged On User” column.

  • The appropriate Endpoint Compliance Policy matches (right click on host and select Policy Details)

  • The applicable scan runs (right click on host and select Host Health)

  • The scan result accurately reflects the machine posture (e.g. does the scan pass when it should have failed?)

If any of the above do not work as expected, see KB article Troubleshooting the Persistent Agent.

After the network has been enforced:

  1. Leave “Register as Device” enabled.

  2. Create a scan policy that checks for a specific value defining the asset.

  3. Do one of the following:

    1. Enable Forced Remediation. If the host fails the scan, the host will register. However, it will be marked “At Risk” and placed in an Isolation VLAN.

    2. Forced Remediation alternative: send an email notification for the Security Risk Host event. Note: if Forced Remediation is not used, non-domain machines with the Persistent Agent that auto register may gain access to the production network.