
Application permissions (v9.4.5 and lower)

Requirements

FortiNAC

  • Supported Engine Version: 8.5.0 and greater

  • Recommended Engine Version: 8.8.6, 9.1 and greater (Refer to ID 698066 in Release Notes)

Considerations

  • Certificate-based authentication is currently not supported.

  • Automatic registration with Intune endpoints with only Ethernet adapters

    • Requires version 9.2.5, 9.4.0, F7.2.0 or greater

    • For all other FortiNAC versions

      • Workarounds:

        • Register using other methods (Captive Portal, etc).

        • Export clients from Intune and import into FortiNAC.

        • Versions 9.1.2, 9.2.0 and greater: Requires the FortiNAC agent to be installed on the client in order to register. As of 9.1.2 and 9.2.0, FortiNAC can use the InTune client serial number to perform a lookup in InTune if necessary. The agent provides the serial number information.

      • Reference KB article 197812.

  • As of October 2021, Intune doesn't display Wi-Fi MAC addresses for newly enrolled personally-owned work profile devices and devices managed with device administrator running Android 9 and above.

    Reference

    https://techcommunity.microsoft.com/t5/intune-customer-success/android-12-day-zero-support-with-microsoft-endpoint-manager/ba-p/2621665

    https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-inventory

    FortiNAC requires the MAC address information to look up these devices in InTune. Consequently, these devices will be unable to register to FortiNAC via the MDM.

    Workaround: Use WPA2 and register the device to the Radius User. Automated registration based upon the user’s 802.1x authentication can be enabled on a SSID basis. For details, see Dot1x Auto Registration in the Settings table of the SSID Configuration section in the Administration Guide.

Step 1: Create a New Application Registration for Azure Active Directory

  1. From the Azure Active Directory > App registrations view, click on + New registration. Enter a unique name for the application (something like “FortiNAC Integration”).

  2. Select the application within the Azure AD applications portal and give the Application Permissions.

    a. Select the API permissions view and click the Add a permission button.

    b. Select the Microsoft Graph APIs.

    c. Select Application permissions.

    d. Click the Search box field and search for ManagedDevices. From the search results, select DeviceManagementManagedDevices.Read.All to give FortiNAC access to read all MSIntune devices.

    e. Click on the Grant admin consent… to give FortiNAC admin consent to read MSIntune devices in the background.

    f. From Certificates & Secrets select + New client secret and create a secret. Copy and store the secret value (not the secret ID). This will be used in FortiNAC configuration.

Step 2: Configure Service Connector in FortiNAC

Configure an MDM Service to establish a connection with the Microsoft InTune Graph API.

  1. Navigate to Network > Service Connectors and create a new Microsoft InTune connector.

  2. Use the field definitions for the MDM Services in the following table to enter the MDM Service information.

    MDM Services Field Definitions

    Field

    Definition

    Name

    Name of the connection configuration for the connection between an MDM system and FortiNAC.

    Login API URL

    Default: https://login.microsoftonline.com

    Can be modified if necessary (e.g. if an international domain is required).

    Graph API URL

    Default: https://graph.microsoft.com

    Can be modified if necessary (e.g. if an international domain is required).

    Identifier

    Add the Directory (tenant) ID.

    Application ID

    Add the Application (client) ID.

    Access Key

    Add the Client Secret Value.

    Enable Delegated Permissions

    Set to disabled.

    Enable On Demand Registration

    If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.

    Remove Hosts Deleted from MDM Server

    If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database if they have been removed or disabled on the MDM server.

    Enable Network Details

    Required in order to register endpoints with only Ethernet adapters.

    If enabled, when FortiNAC polls the MDM server it will also retrieve the Network Details for each device managed by Microsoft Intune.

    When it’s disabled (the default), only wireless adapters are returned.

    Enable Application Updating

    **Leave disabled. Currently not applicable with InTune**

    Enable Automatic Registration Polling

    (MDM Polling)

    Indicates how often FortiNAC should poll the MDM system to collect managed device information. Each time a poll executes, queries are sent to the MDM for:

    • The managed device list (one query per 100 entries)

    • One additional query per each managed device

      If MDM notifications are configured, set the MDM Poll frequency to 1 Day.

      If notifications are not configured, the frequency can be set higher.

      Note: When choosing an interval, consider the number of queries sent per MDM poll, the size of the MDM’s database and the number of PODs integrated with the same MDM. If the frequency is set too high, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

  3. Click OK to save.

  4. To verify FortiNAC can reach the MDM Server, right-click on the connector and select Test Connection.

  5. To manually poll the MDM Server, right-click on the connector and select Poll.

  6. To make any changes to the connector configuration, right-click and select Edit.

  7. (Versions 9.1.5, 9.2.2 and above): Enable Host by Serial Number lookup. This allows FortiNAC to find hosts by serial number when it cannot find them by MAC address. Refer to ID 0761623 in Release Notes. In the FortiNAC CLI, log in as root and run

    globaloptiontool -name persistentAgentSecMgmt.findHostBySerialNumber -set true
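Before entering the Directory (tenant) ID, Application (client) ID and client secret value into the connector, it is worth confirming from a workstation that the registration works and carries only the read-only permission from Step 1. The following script is an added example, not FortiNAC's own code: it performs the same client-credentials request against the Login API URL and Graph API URL defaults, inspects the token's roles claim for least privilege (exactly DeviceManagementManagedDevices.Read.All, nothing more), and requests the first page of 100 managed devices, which is the query size the polling note above describes. The environment variable names and the sample token are assumptions made here for illustration.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Defaults from the connector table; Identifier / Application ID / Access Key map to the parameters below.
LOGIN_API_URL = "https://login.microsoftonline.com"
GRAPH_API_URL = "https://graph.microsoft.com"
REQUIRED_ROLE = "DeviceManagementManagedDevices.Read.All"

def token_request(tenant_id, app_id, secret, login_url=LOGIN_API_URL, graph_url=GRAPH_API_URL):
    """Build the client-credentials request equivalent to the connector's login (returns URL and form body)."""
    url = f"{login_url}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": secret,            # the secret *value*, not the secret ID
        "scope": f"{graph_url}/.default",   # application permissions granted via admin consent
    }).encode()
    return url, body

def roles_from_token(access_token):
    """Read the 'roles' claim of an access token (payload decode only; we inspect our own token, no signature check)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)    # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("roles", [])

def audit_roles(roles):
    """Least-privilege check: the single read-only permission must be present, and nothing beyond it."""
    granted = set(roles)
    return {"missing": sorted({REQUIRED_ROLE} - granted), "excess": sorted(granted - {REQUIRED_ROLE})}

def make_sample_token(roles):
    """Constructed, unsigned token for offline testing (not a token issued by Azure AD)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'aud': GRAPH_API_URL, 'roles': roles})}.sig"

def fetch_managed_devices(tenant_id, app_id, secret):
    """Live check: obtain a token, audit its roles, then request one page of 100 managed devices."""
    url, body = token_request(tenant_id, app_id, secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as r:
        token = json.load(r)["access_token"]
    audit = audit_roles(roles_from_token(token))
    req = urllib.request.Request(f"{GRAPH_API_URL}/v1.0/deviceManagement/managedDevices?$top=100",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as r:
        devices = json.load(r).get("value", [])
    # Wi-Fi/Ethernet MACs and serial number are the values FortiNAC matches hosts on.
    return audit, [(d.get("deviceName"), d.get("wiFiMacAddress"), d.get("ethernetMacAddress"), d.get("serialNumber")) for d in devices]

if __name__ == "__main__":
    # Assumed variable names; supply the values copied from the Azure portal in Step 1.
    print(fetch_managed_devices(os.environ["TENANT_ID"], os.environ["APP_ID"], os.environ["CLIENT_SECRET"]))
```

Devices listed with an empty Wi-Fi MAC and no Ethernet MAC are the ones the Considerations section says cannot be registered through the MDM lookup.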

Proceed to Events.
