
Application Permissions (v9.4.6 and greater)

Host Data Collection Performance Enhancements

FortiNAC InTune integration now supports the use of the Microsoft NAC-API. This change improves FortiNAC’s efficiency when collecting data for MSInTune managed hosts. Previously, FortiNAC retrieved the entire asset list from InTune whenever MDM polling was performed. FortiNAC can now use the Microsoft NAC-API to collect data for a single host without having to retrieve the entire list.

Configuring InTune and FortiNAC to use the Microsoft NAC-API is the new recommended configuration, especially for larger environments. Appliances with InTune integrations configured before this change will continue to operate as expected in later versions of code.

New On Demand Registration Workflow:

When a rogue client is detected on the network and added to the FortiNAC database, an MDM poll is triggered to collect the host data associated with the device.

  1. The host connects to the network.

  2. FortiNAC detects the host's MAC address.

  3. A rogue host record is created in the FortiNAC database.

  4. FortiNAC collects the MDM host data:

    1. The MSInTune NAC API is polled to resolve the MSInTune DeviceID using the host MAC address.

    2. Using the MSInTune DeviceID, the MDM host data is collected by calling the MSInTune MDM API.

  5. The host record is updated in the FortiNAC database and automatically registered as managed by MDM.

Requirements

FortiNAC

  • Supported Version: 9.4.6 or greater

MSIntune

  • MSGraph APIs for MSIntune: Supported Server Version - Microsoft Intune January 22, 2024 (Service release 2401) or greater

  • MSIntune NAC API: Supported Server Version - Microsoft Compliance Retrieval Service/NAC 2.0 or greater

Considerations

Step 1: Configure Microsoft Azure Application

  1. Navigate to Azure Portal App Registration

    1. https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/RegisteredApps

  2. Create a new Application or select existing Application

  3. Select API Permissions

  4. Add permission for the MSIntune MDM API

    1. Click on Add a Permission

  5. Select Microsoft Graph

  6. Select Application Permissions

  7. Search and Select DeviceManagementManagedDevices, and add the permission for DeviceManagementManagedDevices.Read.All

  8. Add permissions for the MSIntune NAC Service Discovery API

    1. Click on Add a Permission

  9. Select APIs My Organization uses

  10. In the search field, type Windows Azure Active Directory

  11. Select Application Permissions

  12. In the search field, type Applications and add the permission for Application.Read.All

  13. Add permission for the MSIntune NAC API

    1. Click on Add a Permission

    2. Select Intune

  14. Select Application Permissions

  15. In the search field, type get_device_compliance and add the permission for get_device_compliance

  16. Click on Admin consent for all the permissions

  17. Verify that all the API permissions have admin consent.
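The three application permissions granted in Step 1 are what an app-only (client credentials) token for each resource carries in its `roles` claim, so the quickest way to confirm that admin consent actually took effect is to request such a token and read that claim. The script below is an added example, not Fortinet or Microsoft code: it decodes a token's payload without verifying the signature (only the issued roles are of interest), reports which of the required permissions are missing, and can fetch a real token from the Login API URL used by the connector. The `fetch_app_token` request shape follows the Microsoft identity platform v2.0 client-credentials flow; the resource scopes for the Windows Azure Active Directory and Intune APIs are placeholders you must replace with your tenant's values, and the sample token used at the bottom is constructed test data.

```python
"""Check that an app-only token carries the application permissions FortiNAC needs.

Added example (not Fortinet code). After Step 1, an app-only token for a resource
lists the granted application permissions in its `roles` claim; a role that was
never admin-consented is simply absent from the token.
"""
import base64
import json
import urllib.parse
import urllib.request

# Required application permissions from Step 1, keyed by the OAuth scope of the
# resource that issues them. Graph's .default scope is real; the other two are
# placeholders (assumption) for the Windows Azure AD and Intune resource identifiers.
REQUIRED_ROLES = {
    "https://graph.microsoft.com/.default": ["DeviceManagementManagedDevices.Read.All"],
    "<windows-azure-ad-resource>/.default": ["Application.Read.All"],
    "<intune-resource>/.default": ["get_device_compliance"],
}


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode a JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here;
    this is an inspection aid, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def missing_roles(claims: dict, required: list) -> list:
    """List the required application permissions absent from the token's roles claim."""
    granted = set(claims.get("roles", []))
    return [role for role in required if role not in granted]


def fetch_app_token(login_url: str, tenant_id: str, client_id: str,
                    client_secret: str, scope: str) -> str:
    """Client-credentials token request against the connector's Login API URL
    (default https://login.microsoftonline.com). Needs network access."""
    url = f"{login_url.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["access_token"]


def audit_permissions(tokens_by_scope: dict) -> dict:
    """For each scope in REQUIRED_ROLES, return the roles still missing from
    the corresponding token (empty list means consent is complete)."""
    return {
        scope: missing_roles(decode_jwt_claims(tokens_by_scope[scope]), roles)
        for scope, roles in REQUIRED_ROLES.items()
        if scope in tokens_by_scope
    }


def make_sample_token(roles: list) -> str:
    """Build an unsigned sample JWT. Constructed test data, not a real Entra ID token."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc(header)}.{enc(payload)}."


if __name__ == "__main__":
    # Offline demonstration with constructed tokens; replace with fetch_app_token()
    # calls using the tenant ID, application (client) ID and client secret from Step 2.
    sample = {
        "https://graph.microsoft.com/.default": make_sample_token(
            ["DeviceManagementManagedDevices.Read.All"]),
        "<intune-resource>/.default": make_sample_token([]),  # consent not yet granted
    }
    for scope, missing in audit_permissions(sample).items():
        print(scope, "OK" if not missing else f"missing: {missing}")
```

Run the audit once per resource: a token for the Graph scope only ever carries Graph roles, so `Application.Read.All` and `get_device_compliance` have to be checked on tokens requested for their own resources. If a role is missing even though it shows as granted in the portal, the usual cause is that the admin consent click in step 16 was not completed for that permission.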

Step 2: Configure FortiNAC MSIntune Service Connector

  1. Navigate to Network > Service Connectors and create new Microsoft InTune connector.

  2. Use the field definitions for the MDM Services in the following table to enter the MDM Service information.

    MDM Services Field Definitions

    Name
        Name of the connection configuration for the connection between an MDM system and FortiNAC.

    Login API URL
        Default: https://login.microsoftonline.com
        Can be modified if necessary (e.g. if an international domain is required).

    Graph API URL
        Default: https://graph.microsoft.com
        Can be modified if necessary (e.g. if an international domain is required).

    Identifier
        Add the Directory (tenant) ID.

    Application ID
        Add the Application (client) ID.

    Access Key
        Add the Client Secret Value.

    Enable Delegated Permissions
        Set to disabled.

  3. Use the field definitions in the following table to configure the registration, compliance and polling options.

    MDM Services Field Definitions

    Enable On Demand Registration
        If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.

    Revalidate Health Status on Connect
        If enabled, when the host connects to the network FortiNAC queries the MDM server to determine whether the host is compliant with MDM policies. This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status on Connect, you can enable automatic registration polling to occur once a day, which also retrieves Health Status, but less frequently.

    Enable Compliance Retrieval Status
        Set to enabled. Required when using the MSInTune NAC API.
        FortiNAC will retrieve the compliance status for a device from the MSInTune NAC API. This requires application-level permissions to read device compliance status from MSInTune.

    Remove Hosts Deleted from MDM Server
        If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database if they have been removed or disabled on the MDM server.

    Enable Network Details
        Set to enabled when Compliance Retrieval Status is enabled.
        The FortiNAC MSIntune connector will make an extra API call to resolve the ethernet/physical MAC address for each wired device that is returned by the MSIntune MDM API.

    Enable Automatic Registration Polling (MDM Polling)
        Indicates how often FortiNAC should poll the MDM system to collect managed device information. Each time a poll executes, queries are sent to the MDM for:

        • The managed device list (one query per 100 entries)

        • One additional query per managed device

        If MDM notifications are configured, set the MDM Poll frequency to 1 Day.

        If Compliance Retrieval Status is enabled, set the MDM Poll frequency to 1 Day.

        If neither notifications nor Compliance Retrieval Status are configured, the frequency can be set higher.

        Note: When choosing an interval, consider the number of queries sent per MDM poll, the size of the MDM’s database and the number of PODs integrated with the same MDM. If the frequency is set too high, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

  4. Use the field definitions in the following table to configure Advanced Settings.

    MDM Services Field Definitions - Advanced Settings

    Enable Server Certificate Verification
        If enabled, FortiNAC verifies that the server certificate presented by the MSGraph API is signed by a trusted certificate authority.

    Enable Hostname Verification
        If enabled, the hostname in the URL FortiNAC uses to connect to the MSGraph API must match the hostname in the server’s certificate.

    Connect Timeout (secs)
        The time in seconds allowed to establish the connection to Microsoft Cloud Services.

    Read Timeout (secs)
        The time in seconds to wait for data after the connection has been established.

  5. Click OK to save.

  6. To verify FortiNAC can reach the MDM Server, right-click on the connector and select Test Connection.

    [Screenshot: right-click menu on the Microsoft InTune connector showing Test Connection]

  7. To manually poll the MDM Server, right-click on the connector and select Poll.

  8. To make any changes to the connector configuration, right-click and select Edit.

  9. (Versions 9.1.5, 9.2.2 and above): Enable Host by Serial Number lookup. This allows FortiNAC to find hosts by serial number if it is unable to find them by MAC address. Refer to ID 0761623 in the Release Notes. In the FortiNAC CLI, log in as root and run:

    globaloptiontool -name persistentAgentSecMgmt.findHostBySerialNumber -set true

Proceed to Events.