FortiNAC 7.4.0

Step 2: Configure FortiNAC MSIntune Service Connector

  1. Navigate to Network > Service Connectors and create a new Microsoft Intune connector.

  2. Use the field definitions in the following table to enter the MDM Service connection information.

    MDM Services Field Definitions

    Name: Name of the connection configuration for the connection between the MDM system and FortiNAC.

    Login API URL: Default https://login.microsoftonline.com. Can be modified if necessary (e.g., if a national cloud login endpoint is required).

    Graph API URL: Default https://graph.microsoft.com. Can be modified if necessary (e.g., if a national cloud Graph endpoint is required).

    Identifier: Add the Directory (tenant) ID of the app registration.

    Application ID: Add the Application (client) ID of the app registration.

    Access Key: Add the Client Secret Value (the secret value itself, not the secret ID; the value is only shown once when the secret is created). Client secrets carry an expiry date set on the app registration; record it and rotate the secret in FortiNAC before it lapses, otherwise token requests and MDM polls will start failing.

    Enable Delegated Permissions: Set to disabled. The connector authenticates as the application itself rather than on behalf of a user, so the app registration must be granted application permissions, not delegated ones.

  3. Use the field definitions in the following table to configure registration, compliance and polling behaviour.

    MDM Services Field Definitions (Registration and Polling)

    Enable On Demand Registration: If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.

    Revalidate Health Status on Connect: If enabled, each time a host connects to the network FortiNAC queries the MDM server to determine whether the host is compliant with MDM policies. This setting is disabled by default. When enabled, the MDM may not be able to keep up with the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status on Connect, enable automatic registration polling once a day, which also retrieves health status, but at a lower rate.

    Enable Compliance Retrieval Status: Set to enabled. Required when using the MSIntune NAC API. FortiNAC retrieves the compliance status of each device from the MSIntune NAC API, which requires application-level permission to read device compliance status from Intune.

    Remove Hosts Deleted from MDM Server: If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database that have been removed or disabled on the MDM server.

    Enable Network Details: Set to enabled when Compliance Retrieval Status is enabled. The FortiNAC MSIntune connector makes one extra API call per wired device returned by the Intune MDM API to resolve its Ethernet (physical) MAC address.

    Enable Automatic Registration Polling (MDM Polling): How often FortiNAC polls the MDM system to collect managed device information. Each time a poll executes, queries are sent to the MDM for:

    • The managed device list (one query per 100 entries)

    • One additional query per managed device

    If MDM notifications are configured, set the MDM Poll frequency to 1 Day.

    If Compliance Retrieval Status is enabled, set the MDM Poll frequency to 1 Day.

    If neither notifications nor Compliance Retrieval Status is configured, the poll can run more often.

    Note: When choosing an interval, consider the number of queries sent per MDM poll, the size of the MDM's database and the number of PODs integrated with the same MDM. If polling is too frequent, the MDM may not be able to keep up with the rate of queries from FortiNAC, causing performance issues.

  4. Use the field definitions in the following table to configure Advanced Settings.

    MDM Services Field Definitions – Advanced Settings

    Enable Server Certificate Verification: If enabled, the server certificate presented by the MS Graph API must be signed by a certificate authority FortiNAC trusts, or the connection is rejected. Leave this enabled: with it disabled, any host that can intercept the path to Microsoft can impersonate the login and Graph endpoints and capture the client secret sent in the token request.

    Enable Hostname Verification: If enabled, the hostname in the URL FortiNAC uses to connect to the MS Graph API must match the hostname in the server's certificate. Leave this enabled: without it, a certificate from a trusted CA issued for any other name is accepted.

    Connect Timeout (secs): The time in seconds allowed to establish the connection to Microsoft cloud services.

    Read Timeout (secs): The time in seconds to wait for data after the connection is established.

  5. Click OK to save.

  6. To verify FortiNAC can reach the MDM Server, right-click on the connector and select Test Connection.

  7. To manually poll the MDM Server, right-click on the connector and select Poll.

  8. To make any changes to the connector configuration, right-click and select Edit.

  9. (Versions 9.1.5, 9.2.2 and above) Enable Host by Serial Number lookup, which allows FortiNAC to find hosts by serial number when it cannot find them by MAC address. Refer to ID 0761623 in the Release Notes. In the FortiNAC CLI, log in as root and run:

    globaloptiontool -name persistentAgentSecMgmt.findHostBySerialNumber -set true
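Before trusting the Test Connection and Poll actions in steps 6 and 7, it helps to confirm from any host with Python 3 that the tenant ID, application ID and client secret entered in step 2 actually work and that the app registration has application (not delegated) permission to read managed devices. The script below is an added example and is not FortiNAC code; it reproduces the round trip the connector makes (an app-only client-credentials token request against the Login API URL, then a paged read of Intune managed devices from the Graph API URL, 100 entries per query) with TLS certificate and hostname verification enforced, and it computes the per-poll query count described under MDM Polling. The standard Microsoft v2.0 token endpoint and the Graph v1.0 managedDevices endpoint are assumed; the configuration values, device records and transport used when it runs stand-alone are constructed, not real tenant data.

```python
"""Preflight check for a FortiNAC MSIntune connector's app registration.

Added example, not FortiNAC code. The HTTP transport is injected so the
logic runs offline against constructed responses (fake_fetch below);
http_fetch() is the real transport for use against a live tenant.
"""
import json
import math
import ssl
import urllib.parse
import urllib.request

TOKEN_PATH = "/{tenant}/oauth2/v2.0/token"           # Microsoft identity platform v2.0
DEVICES_PATH = "/v1.0/deviceManagement/managedDevices"  # Graph v1.0, app permission required
PAGE_SIZE = 100  # the connector lists devices 100 entries per query


def tls_context(verify_cert=True, verify_hostname=True):
    """Mirror the connector's two Advanced Settings switches."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check on
    if not verify_cert:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE  # anyone on path can impersonate Microsoft
    elif not verify_hostname:
        ctx.check_hostname = False      # chain is checked, name on the cert is not
    return ctx


def token_request(login_url, tenant_id, client_id, client_secret):
    """URL and form body for the client-credentials grant: app-only access,
    matching 'Enable Delegated Permissions: disabled'."""
    url = login_url.rstrip("/") + TOKEN_PATH.format(tenant=tenant_id)
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    })
    return url, body


def http_fetch(ctx):
    """Real transport: fetch(url, body=None, token=None) -> parsed JSON."""
    def fetch(url, body=None, token=None):
        req = urllib.request.Request(url, data=body.encode() if body else None)
        if token:
            req.add_header("Authorization", "Bearer " + token)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return fetch


def list_managed_devices(graph_url, token, fetch):
    """Page through managedDevices the way a poll does: $top=100 per query,
    following @odata.nextLink until absent. Returns (devices, query_count)."""
    url = graph_url.rstrip("/") + DEVICES_PATH + "?$top=%d" % PAGE_SIZE
    devices, queries = [], 0
    while url:
        page = fetch(url, token=token)
        queries += 1
        devices.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return devices, queries


def estimate_poll_queries(n_devices, n_wired=0, network_details=False):
    """Queries per poll: one list query per 100 entries, one extra per device,
    plus one per wired device when Enable Network Details is on."""
    q = math.ceil(n_devices / PAGE_SIZE) + n_devices
    return q + n_wired if network_details else q


def preflight(cfg, fetch):
    """Token + device list round trip for one connector configuration."""
    url, body = token_request(cfg["login_url"], cfg["tenant_id"],
                              cfg["client_id"], cfg["client_secret"])
    tok = fetch(url, body=body)["access_token"]
    devices, queries = list_managed_devices(cfg["graph_url"], tok, fetch)
    noncompliant = [d["deviceName"] for d in devices
                    if d.get("complianceState") != "compliant"]
    return {"devices": len(devices), "list_queries": queries,
            "noncompliant": noncompliant,
            "queries_per_poll": estimate_poll_queries(len(devices))}


# Constructed offline transport: fakes the token endpoint and two device pages.
FAKE_PAGE2 = "https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$skiptoken=x"


def fake_fetch(url, body=None, token=None):
    if url.endswith("/oauth2/v2.0/token"):
        assert "grant_type=client_credentials" in body
        return {"access_token": "eyJ-constructed", "expires_in": 3599}
    assert token == "eyJ-constructed", "bearer token must be forwarded to Graph"
    if "$top=100" in url:
        return {"value": [{"deviceName": "LAPTOP-01", "complianceState": "compliant"},
                          {"deviceName": "LAPTOP-02", "complianceState": "noncompliant"}],
                "@odata.nextLink": FAKE_PAGE2}
    return {"value": [{"deviceName": "PHONE-03", "complianceState": "compliant"}]}


SAMPLE_CFG = {  # constructed values, not a real tenant
    "login_url": "https://login.microsoftonline.com",
    "graph_url": "https://graph.microsoft.com",
    "tenant_id": "00000000-0000-0000-0000-000000000000",
    "client_id": "11111111-1111-1111-1111-111111111111",
    "client_secret": "constructed-secret-value",
}

if __name__ == "__main__":
    print(preflight(SAMPLE_CFG, fake_fetch))
    # Live tenant: preflight(real_cfg, http_fetch(tls_context()))
```

Run against a live tenant with `http_fetch(tls_context())`; a 401 on the token request means the tenant ID, client ID or secret value is wrong or the secret has expired, and a 403 on the device list means the app registration lacks the application permission to read managed devices (or admin consent was never granted). The `queries_per_poll` figure is what the MDM Polling note asks you to weigh against the poll frequency and the number of PODs sharing the tenant.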

Proceed to Events.
