7.4.0

Validate

Execute the following use cases to verify the MDM integration is performing as expected.

Mobile Devices with Supported Operating Systems (MDM Agent installed)

  1. Connect a rogue mobile device to the network (ensure device is registered in MDM and has MDM agent installed).

  2. In FortiNAC Administration UI, navigate to Users & Hosts > Hosts and search for the device’s MAC address – the device’s host record should appear and its adapter record should reflect the device being assigned to the FNAC Service Network.

  3. FortiNAC queries the MDM server for information about that host and registers using the MDM server information. The On Demand Registration setting determines when FortiNAC queries the MDM server.

    • On Demand Registration is enabled: FortiNAC queries the MDM server immediately.

    • On Demand Registration is not enabled: FortiNAC waits for the next MDM polling interval.

    How the host is registered in FortiNAC

    • Associated username in the MDM matches username in FortiNAC:

      • Host is registered to that user.

      • Mobile devices registered from Airwatch/Workspace One will be assigned one of the following roles:

        • Employee Owned

        • Corporate - Shared

        • Corporate - Dedicated

        • NAC - Default (if not defined in Airwatch/Workspace One)

          These roles can be used as a filter in User/Host Profiles. Roles that are defined by Airwatch/Workspace One are not added to the list of possible roles in FortiNAC and will not be available in any drop-down lists used for role assignment.

    • Associated username in the MDM does not match any usernames in FortiNAC:

      • Host is registered as a device.

      • Host role is set to NAC - Default.

  4. FortiNAC should then re-provision the mobile device's network access to the appropriate VLAN or policy dependent upon the Network Access Policy defined. If unexpected results occur, see Troubleshooting.
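The username-match rules in step 3, as an added Python model for checking the host records seen during validation (this is example code, not FortiNAC's own; the record shapes, the sample data and the case-insensitive username comparison are assumptions):

```python
from dataclasses import dataclass
from typing import Optional

# Ownership roles Airwatch/Workspace One can report (per the list above).
AIRWATCH_ROLES = {"Employee Owned", "Corporate - Shared", "Corporate - Dedicated"}
NAC_DEFAULT = "NAC - Default"

@dataclass(frozen=True)
class MdmRecord:          # constructed shape of one MDM inventory entry (assumption)
    mac: str
    username: Optional[str]   # owner reported by the MDM, if any
    ownership: Optional[str]  # Airwatch/Workspace One role, if defined

@dataclass(frozen=True)
class ExpectedHost:       # what the FortiNAC host record should show after step 3
    mac: str
    registered_to: Optional[str]  # FortiNAC username, or None for "registered as a device"
    role: str

def norm_mac(mac: str) -> str:
    """Canonical lower-case form so UI search strings and MDM data compare equal."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def expected_registration(rec: MdmRecord, fortinac_users) -> ExpectedHost:
    """Apply the username-match rules from step 3 to one MDM record."""
    # Assumption: usernames are compared case-insensitively.
    users = {u.lower(): u for u in fortinac_users}
    owner = users.get((rec.username or "").lower())
    if owner is None:
        # No matching FortiNAC user: registered as a device, role NAC - Default.
        return ExpectedHost(norm_mac(rec.mac), None, NAC_DEFAULT)
    # Matching user: keep the MDM-defined role, else fall back to NAC - Default.
    role = rec.ownership if rec.ownership in AIRWATCH_ROLES else NAC_DEFAULT
    return ExpectedHost(norm_mac(rec.mac), owner, role)

def mismatches(observed: ExpectedHost, expected: ExpectedHost) -> list:
    """Field-by-field differences between the host record seen in the UI and the model."""
    return [f for f in ("mac", "registered_to", "role")
            if getattr(observed, f) != getattr(expected, f)]

# Constructed sample data for a validation run.
FORTINAC_USERS = ["JDoe", "asmith"]
SAMPLES = [
    MdmRecord("AA-BB-CC-DD-EE-01", "jdoe", "Corporate - Shared"),   # user match, MDM role
    MdmRecord("aabb.ccdd.ee02", "ASmith", None),                     # user match, no MDM role
    MdmRecord("aa:bb:cc:dd:ee:03", "contractor", "Employee Owned"),  # no FortiNAC user
]
```

Call `mismatches(observed, expected_registration(rec, FORTINAC_USERS))` with the values read from the Hosts view; an empty list means the record matches the documented outcome.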

Mobile Devices with Supported Operating Systems (No MDM Agent)

  1. Connect a mobile device that is running one of the Operating Systems supported by the MDM. Ensure the MDM agent is not installed.

  2. In FortiNAC Administration UI, navigate to Users & Hosts > Hosts and search for the device’s MAC address – the device’s host record should appear and its adapter record should reflect the device being assigned to the isolation network.

  3. Open a browser on the mobile device; the browser should be redirected to the Captive Portal page that directs the user to install the MDM agent.

  4. Download and install the agent; the host record should update and display either as a host registered to a user (if the user record already exists in FortiNAC) or as a device.

  5. FortiNAC should then re-provision the mobile device's network access to the appropriate VLAN or policy dependent upon the Network Access Policy defined.

If unexpected results occur, see Troubleshooting.

Mobile Devices with Unsupported Operating Systems

  1. Connect a mobile device that is not running one of the Operating Systems supported by the MDM.

  2. In FortiNAC Administration UI, navigate to Users & Hosts > Hosts and search for the device’s MAC address – the device’s host record should appear as a Rogue and its adapter record should reflect the device being assigned to the isolation network.

  3. If no Device Profiling Rule is configured to register the device, open a browser on the mobile device; the browser should be redirected to the Registration Captive Portal page (not the MDM Registration page).

  4. Register via normal means.

  5. FortiNAC should then re-provision the mobile device's network access to the appropriate VLAN or policy dependent upon the Network Access Policy defined.

If unexpected results occur, see Troubleshooting.

Remove Hosts Deleted from MDM Server

  1. Disable or delete Host in the MDM*.

  2. In a separate window, navigate to Network > Service Connectors.

  3. Right-click on the MDM server connector and click Poll Now (or wait for the next polling cycle if Automatic Polling is enabled). The host should disappear from the Host View.

*GSuite: Currently hosts are not removed automatically in FortiNAC.

If unexpected results occur, see Troubleshooting.
