Fortinet Document Library

Version: 6.2.0

Endpoint provisioning

FortiClient EMS provides scalable and centralized management of multiple endpoints. One of the following endpoint management structures is recommended depending on the use case.

Note: Before deploying to the production server, test deployment with a test endpoint group and test profiles. If the test deployment is successful, then attempt deployment on the production server.

Use case: Active Directory (AD) is set up and the same structure is desired for endpoint management.
Endpoint management structure: AD integration:

  • Put endpoints in OUs
  • Keep OU structure
  • Group changes made in EMS do not sync back to AD (one-way sync only)
  • Endpoints in security groups are not imported into EMS

Use case: Large deployment that needs custom grouping or does not have AD set up.
Endpoint management structure: Automated group assignment. See the FortiClient EMS Administration Guide for details.

Use case: Small deployment.
Endpoint management structure: Custom groups:

  • Manually create groups in EMS, then move endpoints into groups
  • By default, endpoints are placed in the Other Endpoints group

Endpoint provisioning consists of the following steps. For details on each step, see the FortiClient EMS Administration Guide.

  1. Create a profile and gateway IP list. It is recommended to create a profile for each deployment package.

    It is recommended to put the addresses for all FortiGate units in one gateway IP list. Ensure the FortiGate is located as physically close as possible to the endpoints being monitored.

  2. Create a deployment package. Select the desired FortiClient features to deploy to the endpoints. See FortiClient feature recommendations for details.
  3. Assign the deployment package to a profile.
  4. Create an endpoint policy. Assign the profile and gateway IP list to the policy. Assign the policy to the desired endpoint group.

FortiClient endpoints lock configuration changes in the FortiClient console. The end user cannot change the configuration.

Note: For an initial deployment, you can deploy FortiClient using the Microsoft AD server, or send the FortiClient download link from EMS to users. After the initial deployment, you can push future updates from EMS.

Note: For an initial deployment of FortiClient (macOS), deploy FortiClient (macOS) manually.

Note: Create a profile for the Other Endpoints group, and assign the profile to the group. This allows you to assign preferred settings to any FortiClient endpoints assigned to the Other Endpoints group.
