Airwatch/Workspace ONE

Requirements

Supported FortiNAC Engine Version: 8.x and greater

Version 9.4.4 and greater: OAuth authentication support

Considerations

  • Versions 9.2.5, 9.4.0 and greater: Airwatch/Workspace One role assignment takes precedence over existing user/host roles in FortiNAC. To configure FortiNAC for user/host roles to take precedence over Airwatch/Workspace One assigned roles, see Airwatch/Workspace One Role Assignment in Appendix.

Create Authentication Account

Configure the account FortiNAC will use based upon the desired authentication method:

Basic Authentication:

Requires a system administrator user. The username and password are sent (Base64-encoded in the HTTP Authorization header) with every API request.

Caveat: If the password of that account is changed, every API request fails until the new password is entered in FortiNAC.

OAuth Authentication (Available as of version 9.4.4): FortiNAC's service connector contacts the Workspace ONE UEM Token Service using a specified Client ID and Secret. If the client credentials are valid, the token service will return an access token which can then be used by the service connector to make API requests. The service connector automatically refreshes the access token if the token expires.

Basic Authentication: Create System Administrator User

  1. Login to Airwatch/Workspace One and navigate to Menu > Configuration > System Configuration > System > Advanced > API > REST API. Enable API Access should be checked. The API Key generated is used later in the FortiNAC MDM Services configuration.

  2. On the REST API screen, click Authentication and make sure Basic is selected.

  3. Determine the URL to which FortiNAC must connect to access the REST API. This URL is used in the FortiNAC MDM Services configuration. If unknown, contact Airwatch/Workspace One for assistance.

  4. Configure a System Administrator user in Airwatch/Workspace One to be used by FortiNAC for authentication when requesting data.

    Note: Airwatch/Workspace One requires a role for each Administrator user. When selecting a role for the Administrator user, make sure that role has permission for REST API.

OAuth Authentication: Create OAuth Client

  1. First, create a new Admin Role for the OAuth Client, in Accounts > Roles > Add Role.

    For the new role, select “API” and click on the “Read” box for the “Devices” REST category.

  2. Create an OAuth Client.

    Go to Group Settings > Configurations and type “OAuth” in the search field.

    Select “OAuth Client Management” and click on the “OAuth Client Management” link.

    Click on the “Add” button to create a new OAuth Client.

  3. Fill in the properties for the new client using the Organization ID and Role that was previously created for the OAuth Client.

  4. Click Save. A new window should popup to show the Client ID and Client Secret.

  5. Copy the Client ID and save it in a secure location. Copy the Client Secret and save it in a secure location.

    Important: This is the only time the Client Secret can be copied. DO NOT click “Close” until both the Client ID and the Client Secret have been saved in a secure location.

  6. Create a new API Key for the OAuth Client; the API Key is also the Identifier for the service connector. The API Key can be created from the Workspace ONE UEM Console, in Groups & Settings > Settings > Advanced > API > REST API.

  7. Create/Add a new service and select "Admin" for the account type. Copy the API Key and save it in a secure location.

    Important: The account type MUST be "Admin" for the REST API to work. In addition, make sure that the API Key contains no asterisks.

  8. Use the Client ID, Client Secret and Identifier/API Key that were created in the previous steps when creating/editing the Airwatch MDM service connector.
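The following added example (not FortiNAC's or VMware's code) shows the difference between the two authentication methods described above: with Basic authentication the admin credentials ride in every request, whereas with OAuth a Client ID and Secret are exchanged once at the Token Service for a short-lived access token that is cached and fetched again shortly before it expires. The token-service URL is a placeholder (the real one depends on the tenant's region), the credential values are placeholders, and the aw-tenant-code header is the one the Workspace ONE UEM REST API uses for the API Key; that header name is not stated on this page. The HTTP transport is injected so the example can be exercised offline against a fake token service.

```python
"""Illustrative Workspace ONE UEM API client: Basic vs OAuth authentication."""
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed placeholder; the real token service URL depends on the tenant's region.
TOKEN_URL = "https://REGION.uemauth.vmwservices.com/connect/token"
REFRESH_SKEW = 60  # seconds before expiry at which a fresh token is requested

# transport(url, headers, body) -> (status, response_bytes)
Transport = Callable[[str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(url: str, headers: Dict[str, str], body: Optional[bytes]) -> Tuple[int, bytes]:
    """Real HTTPS transport; certificate verification is left at urllib's default (on)."""
    req = urllib.request.Request(url, data=body, headers=headers,
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, resp.read()


def basic_auth_headers(username: str, password: str, api_key: str) -> Dict[str, str]:
    """Basic authentication: the admin password is sent with every request,
    so rotating it breaks every call until the client is updated."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}",
            "aw-tenant-code": api_key,   # REST API Key / Identifier
            "Accept": "application/json"}


class OAuthClient:
    """OAuth client-credentials grant with token caching and automatic refresh."""

    def __init__(self, client_id: str, client_secret: str, api_key: str,
                 token_url: str = TOKEN_URL, transport: Transport = urllib_transport,
                 clock: Callable[[], float] = time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._api_key = api_key
        self._token_url = token_url
        self._transport = transport
        self._clock = clock
        self._token: Optional[str] = None
        self._expires_at = 0.0
        self.token_requests = 0  # number of round trips to the token service

    def _fetch_token(self) -> None:
        """Exchange Client ID/Secret for an access token (RFC 6749 client credentials)."""
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        }).encode()
        status, payload = self._transport(
            self._token_url, {"Content-Type": "application/x-www-form-urlencoded"}, body)
        self.token_requests += 1
        if status != 200:
            # Invalid/revoked client credentials: surface it instead of retrying blindly.
            raise PermissionError(f"token service returned HTTP {status}")
        data = json.loads(payload)
        self._token = data["access_token"]
        self._expires_at = self._clock() + float(data.get("expires_in", 3600))

    def access_token(self) -> str:
        """Return the cached token; fetch a new one when missing or about to expire."""
        if self._token is None or self._clock() >= self._expires_at - REFRESH_SKEW:
            self._fetch_token()
        return self._token

    def headers(self) -> Dict[str, str]:
        """Headers for an API call: bearer token plus the API Key, no long-lived secret."""
        return {"Authorization": f"Bearer {self.access_token()}",
                "aw-tenant-code": self._api_key,
                "Accept": "application/json"}


if __name__ == "__main__":
    # Offline demonstration with a fake token service; substitute urllib_transport for real use.
    def fake_token_service(url, headers, body):
        return 200, b'{"access_token": "demo-token", "expires_in": 120}'

    client = OAuthClient("CLIENT_ID", "CLIENT_SECRET", "API_KEY", transport=fake_token_service)
    print(client.headers())
    print(basic_auth_headers("admin", "s3cret", "API_KEY"))
```

Because `access_token()` refreshes on demand, a token that expires between polls is replaced on the next call without any operator action, which is the behaviour the service connector description above relies on; with Basic authentication the same situation (a changed password) needs a manual update in FortiNAC.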

Set Up and Test Notifications (Recommended)

Airwatch/Workspace One can be configured to send notifications to FortiNAC when devices are deleted or updated in the Airwatch/Workspace One database. If notifications are not configured in Airwatch/Workspace One, this information will be obtained during the next poll of the MDM. See MDM Services for details on MDM Polling.

  1. Navigate to Menu > Configuration > System Configuration > System > Advanced > API > Event Notification.

  2. Click Edit Event Notification to bring up the dialog box.

  3. Enter the following settings into the Event Notification dialog box:

    • Target Name: nsserver

    • Target URL: https://{nsserver}:8443/api/notifications (where {nsserver} is the eth0 IP address or hostname of the FortiNAC server)

    • Note: In High Availability (HA) configurations, Airwatch/Workspace One must be configured to push data to the hostnames or eth0 IP addresses of both the Primary and Secondary Control Servers.

    • User Name: nsadminuser

    • Password: nsadminuserpassword

    • Format: Select XML

    • Events: Select all Events

  4. Click Save.

  5. Browse to https://{nsserver}:8443/api/notifications and download the SSL certificate. See Appendix topic Methods to Export FortiNAC SSL Certificate.

  6. Import the SSL certificate into Airwatch/Workspace One.

  7. Click Test Connection. If notifications have been set up correctly, the message Test is successful is returned. Proceed to Configure FortiNAC.
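The procedure above configures Workspace ONE to POST to https://{nsserver}:8443/api/notifications with the User Name and Password as HTTP Basic credentials. The following added example (illustrative only, not FortiNAC's implementation) shows what a receiver at that target must do with those credentials: decode the Authorization header, compare both fields in constant time so a wrong guess does not leak how much of the password matched, and answer 401 with a WWW-Authenticate challenge when they do not match. The credential values are the placeholders from step 3; in practice they come from a secret store. The local server at the end listens in plain HTTP for testing only, since the real endpoint is HTTPS and presents the certificate exported in step 5.

```python
"""Illustrative receiver-side Basic authentication check for the notification target."""
import base64
import binascii
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Optional, Tuple

NOTIFICATION_PATH = "/api/notifications"
# Placeholder values from the procedure; load the real ones from a secret store.
EXPECTED_USER = "nsadminuser"
EXPECTED_PASSWORD = "nsadminuserpassword"


def basic_header(username: str, password: str) -> str:
    """The Authorization header value Workspace ONE sends for the configured credentials."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None if absent or malformed."""
    if not header:
        return None
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authorize(headers: Mapping[str, str], path: str) -> int:
    """HTTP status the receiver should answer with: 200 accepted, 401 bad/missing
    credentials, 404 wrong path."""
    if path != NOTIFICATION_PATH:
        return 404
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None:
        return 401
    user, password = creds
    # Evaluate both comparisons unconditionally and in constant time, so the
    # response timing does not reveal whether the user or the password was wrong.
    user_ok = hmac.compare_digest(user.encode(), EXPECTED_USER.encode())
    pass_ok = hmac.compare_digest(password.encode(), EXPECTED_PASSWORD.encode())
    return 200 if (user_ok and pass_ok) else 401


class NotificationHandler(BaseHTTPRequestHandler):
    """Accepts an event notification only when the Basic credentials match."""

    def do_POST(self) -> None:
        status = authorize(self.headers, self.path)
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)  # drain the request body in every case
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="notifications"')
        self.end_headers()
        if status == 200:
            # The XML event body would be handed to the MDM processing logic here.
            self.log_message("accepted %d bytes of %s", len(body),
                             self.headers.get("Content-Type", "unknown"))


if __name__ == "__main__":
    # Plain HTTP for local testing only; the real target is HTTPS on port 8443.
    HTTPServer(("127.0.0.1", 8443), NotificationHandler).serve_forever()
```

Testing against this receiver with the Test Connection button behaves like the real endpoint in one respect that matters: a credential mismatch returns 401 rather than a connection error, so a failed test that reports an HTTP 401 points at the User Name/Password fields, while a TLS failure points at the certificate import in step 6.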
