Step 2: Configure FortiNAC MSIntune Service Connector
- Navigate to Network > Service Connectors and create a new Microsoft Intune connector.
- Use the field definitions for the MDM Services in the following table to enter the MDM Service information.
MDM Services Field Definitions

Name
  Name of the connection configuration for the connection between an MDM system and FortiNAC.
Login API URL
  Default: https://login.microsoftonline.com
  Can be modified if necessary (e.g. if a national cloud endpoint is required, such as https://login.microsoftonline.us for Azure Government). Use the Login and Graph URLs of the same cloud.
Graph API URL
  Default: https://graph.microsoft.com
  Can be modified if necessary (e.g. if a national cloud endpoint is required, such as https://graph.microsoft.us for Azure Government).
Identifier
  Add the Directory (tenant) ID from the app registration.
Application ID
  Add the Application (client) ID from the app registration.
Access Key
  Add the Client Secret Value. The value is shown only once, when the secret is created; do not paste the Secret ID. The connector stops authenticating when the secret expires, so record the expiry date and rotate the secret before then.
Enable Delegated Permissions
  Set to disabled. The connector authenticates as the application itself (client credentials) using the application permissions granted to the app registration, not on behalf of a signed-in user.
- Use the field definitions in the following table to enter the remaining MDM Service settings.

MDM Services Field Definitions (continued)

Enable On Demand Registration
  If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.
Revalidate Health Status on Connect
  If enabled, each time a host connects to the network FortiNAC queries the MDM server to determine whether the host is compliant with MDM policies. This setting is disabled by default. When enabled, every connection generates a query, and the MDM may not be able to keep up with the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status on Connect, enable automatic registration polling once a day; the poll also retrieves health status, but at a much lower query rate.
Enable Compliance Retrieval Status
  Set to enable. Required when using the Microsoft Intune NAC API.
  FortiNAC retrieves the compliance status for each device from the Intune NAC API. This requires application-level permission to read device compliance status from Intune.
Remove Hosts Deleted from MDM Server
  If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database that have been removed from, or disabled on, the MDM server.
Enable Network Details
  Set to enable when Compliance Retrieval Status is enabled.
  The FortiNAC MSIntune connector makes an extra API call to resolve the Ethernet (physical) MAC address for each wired device returned by the Intune MDM API.
Enable Automatic Registration Polling (MDM Polling)
  Indicates how often FortiNAC polls the MDM system to collect managed device information. Each time a poll executes, queries are sent to the MDM for:
  - the managed device list (one query per 100 entries)
  - one additional query for each managed device
  If MDM notifications are configured, set the MDM Poll frequency to 1 Day.
  If Compliance Retrieval Status is enabled, set the MDM Poll frequency to 1 Day.
  If neither notifications nor Compliance Retrieval Status is configured, the poll can be scheduled more frequently.
  Note: When choosing an interval, consider the number of queries sent per MDM poll, the size of the MDM's database and the number of PODs integrated with the same MDM. A tenant with N managed devices costs roughly N/100 + N queries per poll, per POD. If the frequency is set too high, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.
- Use the field definitions in the following table to configure Advanced Settings.

MDM Services Field Definitions – Advanced Settings

Enable Server Certificate Verification
  If enabled, FortiNAC checks that the server certificate presented by the Microsoft Graph API is signed by a trusted certificate authority. Leave this enabled: the connector sends the client secret and bearer tokens over this connection, and without chain verification anything that can intercept the traffic can present its own certificate and capture them.
Enable Hostname Verification
  If enabled, the hostname in the URL FortiNAC uses to connect to the Microsoft Graph API must match the hostname in the server's certificate. Leave this enabled as well; a valid certificate for some other name does not prove the peer is Microsoft, and hostname verification is only meaningful when server certificate verification is also enabled.
Connect Timeout (secs)
  The time in seconds allowed to establish the connection to Microsoft cloud services.
Read Timeout (secs)
  The time in seconds to wait for data after the connection has been established.
- Click OK to save.
- To verify FortiNAC can reach the MDM server, right-click on the connector and select Test Connection.
- To manually poll the MDM server, right-click on the connector and select Poll.
- To make any changes to the connector configuration, right-click and select Edit.
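To check the tenant ID, application ID and client secret from a workstation before running Test Connection, and to see what one MDM poll costs the tenant, the following Python is an added example (not FortiNAC code and not from Fortinet). It builds the client-credentials token request that the disabled-delegated-permissions setting implies, maps the two Advanced Settings onto a TLS context, pages through managedDevices the way the connector does and counts the queries. The token and Graph endpoints are the real ones; fake_graph, SAMPLE_DEVICES and all function names are constructed for this example, and the assumption that the per-device query is GET managedDevices/{id} is mine, since this page only says one extra query is sent per device.

```python
"""Added example, not FortiNAC code: reproduce from a workstation the calls the MSIntune
connector makes, to check the app registration before Test Connection and to estimate
the query load of one MDM poll."""
import json, math, ssl, urllib.parse, urllib.request
from collections import Counter

DEFAULT_LOGIN_URL = "https://login.microsoftonline.com"  # Login API URL field
DEFAULT_GRAPH_URL = "https://graph.microsoft.com"        # Graph API URL field
PAGE_SIZE = 100  # the connector lists managed devices 100 per query

def token_request(tenant_id, client_id, client_secret,
                  login_url=DEFAULT_LOGIN_URL, graph_url=DEFAULT_GRAPH_URL):
    """Client-credentials request: the app authenticates as itself with its application
    permissions (no signed-in user), which is why Enable Delegated Permissions stays off."""
    url = f"{login_url}/{tenant_id}/oauth2/v2.0/token"   # tenant_id = Identifier field
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,            # Application (client) ID field
        "client_secret": client_secret,    # Access Key field: the secret VALUE, not its ID
        "scope": f"{graph_url}/.default",  # all application permissions granted to the app
    }).encode()
    return url, body

def make_ssl_context(verify_cert=True, verify_hostname=True):
    """Map the two Advanced Settings onto a TLS context. Hostname verification only makes
    sense on top of chain verification, so disabling the certificate check disables it too."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False   # must be cleared before verify_mode is relaxed
        ctx.verify_mode = ssl.CERT_NONE
    elif not verify_hostname:
        ctx.check_hostname = False
    return ctx

def tls_settings(ctx):
    """(certificate verified?, hostname verified?) for a context from make_ssl_context."""
    return ctx.verify_mode != ssl.CERT_NONE, ctx.check_hostname

def graph_fetch(ctx, timeout=30):
    """fetch(url, token) that performs a real Graph GET under the given TLS policy."""
    def fetch(url, token):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return json.load(resp)
    return fetch

def poll_managed_devices(fetch, token, graph_url=DEFAULT_GRAPH_URL, page_size=PAGE_SIZE):
    """Walk managedDevices as the connector does: one request per page of page_size
    entries (following @odata.nextLink), then one request per device. Assumption: the
    per-device query is GET managedDevices/{id}; the connector docs only say there is one."""
    url = f"{graph_url}/v1.0/deviceManagement/managedDevices?$top={page_size}"
    ids, requests = [], 0
    while url:
        page = fetch(url, token)
        requests += 1
        ids.extend(d["id"] for d in page.get("value", []))
        url = page.get("@odata.nextLink")
    devices = [fetch(f"{graph_url}/v1.0/deviceManagement/managedDevices/{i}", token) for i in ids]
    return devices, requests + len(devices)

def expected_requests(device_count, polls_per_day=1, pods=1, page_size=PAGE_SIZE):
    """Queries per day: (ceil(N/page) list pages + N per-device queries) per poll, times
    polls per day, times FortiNAC PODs integrated with the same tenant."""
    return (math.ceil(device_count / page_size) + device_count) * polls_per_day * pods

def compliance_summary(devices):
    """Count Graph complianceState values, which the connector maps to host health status."""
    return dict(Counter(d.get("complianceState", "unknown") for d in devices))

# --- constructed stand-in for Graph so the example runs offline without a tenant ---
SAMPLE_DEVICES = [  # constructed sample data, not from a real tenant
    {"id": f"dev-{i}", "deviceName": f"LAPTOP-{i:02d}", "serialNumber": f"SN{i:04d}",
     "complianceState": ["compliant", "noncompliant", "unknown"][i % 3]}
    for i in range(5)
]

def fake_graph(devices):
    base = f"{DEFAULT_GRAPH_URL}/v1.0/deviceManagement/managedDevices"
    by_id = {d["id"]: d for d in devices}
    def fetch(url, token):
        if token != "fake-token":
            raise PermissionError("401 Unauthorized")
        parsed = urllib.parse.urlparse(url)
        if parsed.path.endswith("/managedDevices"):   # paged list; $skiptoken is an offset here
            q = urllib.parse.parse_qs(parsed.query)
            top, skip = int(q["$top"][0]), int(q.get("$skiptoken", ["0"])[0])
            page = {"value": [{"id": d["id"]} for d in devices[skip:skip + top]]}
            if skip + top < len(devices):
                page["@odata.nextLink"] = f"{base}?$top={top}&$skiptoken={skip + top}"
            return page
        return dict(by_id[parsed.path.rsplit("/", 1)[1]])   # per-device query
    return fetch

def run_offline_demo(page_size=2):
    """Poll the constructed tenant with a tiny page size so paging is exercised."""
    devices, n = poll_managed_devices(fake_graph(SAMPLE_DEVICES), "fake-token", page_size=page_size)
    return compliance_summary(devices), n

if __name__ == "__main__":
    print(run_offline_demo())                                 # ({'compliant': 2, 'noncompliant': 2, 'unknown': 1}, 8)
    print(expected_requests(5000, polls_per_day=24, pods=2))  # 242400 queries per day
```

Against a real tenant, POST the body from token_request to its URL (urllib.request.Request(url, data=body, method="POST") with the context from make_ssl_context()), take access_token from the JSON reply, and pass it with graph_fetch(ctx) to poll_managed_devices. An error on the token call means the tenant ID, application ID or secret value is wrong or the secret has expired; a 403 on managedDevices means the application permission for managed devices was not granted or admin-consented, which Test Connection alone may not reveal. The expected_requests figure is what the "1 Day" guidance above is protecting the tenant from: 5,000 devices polled hourly from two PODs is about 242,400 Graph queries a day.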
- (Versions 9.1.5, 9.2.2 and above): Enable host lookup by serial number. This allows FortiNAC to find a host by serial number when it cannot find it by MAC address. Refer to ID 0761623 in the Release Notes. In the FortiNAC CLI, log in as root and run:

    globaloptiontool -name persistentAgentSecMgmt.findHostBySerialNumber -set true
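A worked illustration of that fallback, added here as Python example code rather than FortiNAC's own implementation: the host records, the device records and the MAC formats are constructed, and since this page says only that serial number is used when the MAC lookup fails, the matching order (every MAC Intune reports first, then serial) and the case-insensitive serial comparison are my assumptions.

```python
"""Added example, not FortiNAC code: match an Intune managed device to a FortiNAC host
record by MAC address, falling back to serial number when no MAC matches, which is the
behaviour persistentAgentSecMgmt.findHostBySerialNumber enables."""
import re

def normalize_mac(mac):
    """Intune reports MACs as bare hex (A4B1C2D3E4F5); switches, agents and FortiNAC use
    colon, dash or dot separated forms. Return lowercase colon form, or None if not a MAC."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac or "")
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def find_host(hosts, device, find_by_serial=False):
    """hosts: FortiNAC-style records {"name", "macs": [...], "serial"} (constructed shape).
    Try every MAC the MDM reports (Wi-Fi and Ethernet) first; only if none matches and
    the option is on, compare serial numbers case-insensitively (assumed behaviour)."""
    mdm_macs = {m for m in map(normalize_mac, (device.get("wiFiMacAddress"),
                                                device.get("ethernetMacAddress"))) if m}
    for host in hosts:
        if mdm_macs & {normalize_mac(m) for m in host.get("macs", [])}:
            return host
    serial = (device.get("serialNumber") or "").strip().upper()
    if find_by_serial and serial:
        for host in hosts:
            if (host.get("serial") or "").strip().upper() == serial:
                return host
    return None

# constructed sample data, not from a real deployment
HOSTS = [
    {"name": "LAPTOP-01", "macs": ["a4-b1-c2-d3-e4-f5"], "serial": "SN0001"},
    {"name": "LAPTOP-02", "macs": ["00:11:22:33:44:55"], "serial": "sn0002"},
]
# Wi-Fi MAC matches LAPTOP-01 once both sides are normalised
DEVICE_MAC_MATCH = {"wiFiMacAddress": "A4B1C2D3E4F5", "serialNumber": "SN9999"}
# neither reported MAC is known to FortiNAC (e.g. the host was learned on a docking-station
# NIC), so only the serial number can tie it to LAPTOP-02
DEVICE_SERIAL_ONLY = {"wiFiMacAddress": "DEADBEEF0001", "ethernetMacAddress": None,
                      "serialNumber": "SN0002"}

def demo():
    return (find_host(HOSTS, DEVICE_MAC_MATCH)["name"],
            find_host(HOSTS, DEVICE_SERIAL_ONLY),                        # None: MAC-only lookup fails
            find_host(HOSTS, DEVICE_SERIAL_ONLY, find_by_serial=True)["name"])
```

demo() returns ("LAPTOP-01", None, "LAPTOP-02"): the second element is the pre-9.1.5/9.2.2 behaviour, where a device whose MACs are not on file simply stays unmatched, and the third is what the global option turns on. Note that the serial match is only as trustworthy as the serial number in the FortiNAC host record; a host whose serial was self-reported through the portal rather than collected by the agent can be matched to the wrong Intune device.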
Proceed to Events.