Automatic group assignment

EMS 6.0.0 introduced the automatic group assignment feature, which dynamically groups endpoints based on user-defined automatic group assignment rules. This feature reduces the need to manually create custom groups or move endpoints into them, as EMS automatically moves endpoints to preassigned groups based on rules and their priority levels. EMS 6.2.0 adds support for two additional rule types: OS and AD group.

You can apply OS rules on endpoints in workgroups and AD group rules on endpoints in AD groups. You can configure one or multiple rules, but EMS applies only the first applicable rule to an endpoint. You can view the priority level for each rule in Endpoints > Group Assignment Rules.

To configure an OS group assignment rule:
  1. Go to Endpoints > Group Assignment Rules. Click Add.
  2. In the Group Assignment Rule window, from the Type dropdown list, select OS.
  3. In the OS field, enter the desired OS.
  4. From the Group dropdown list, select or create the desired group. Click Save. This rule identifies the endpoint's OS version, and, if there is a match, places the endpoint in the configured group.

To configure an AD group assignment rule:

You can use AD groups to categorize users into different groups and move endpoints into preassigned custom groups. EMS can then easily apply different policies in a domain.

  1. Go to Endpoints > Manage Domains. Click Add.
  2. Configure the desired domain to import.
  3. Go to Endpoints > Group Assignment Rules. Click Add.
  4. In the Group Assignment Rule window, from the Type dropdown list, select AD Group.
  5. From the AD Group dropdown list, select the desired group.
  6. From the Group dropdown list, select or create the desired custom group. Click Save.

  7. Go to Endpoints > Group Assignment Rules to view the newly created rule.

    Whenever an AD user logs in, FortiClient sends user login information to EMS. EMS checks the login information against the AD group rules and moves endpoints into custom groups accordingly. The custom group that EMS assigns an endpoint to depends on the AD group that the logged-in user currently belongs to.

    In the following example, the AD user, Dennis Auger, belongs to the Users/Sales Department AD group. Whenever Dennis logs in, EMS assigns the endpoint to the Sales Department group in the qa.fortinet.local domain.

    You can use the Schedule Run and Run Rules Now buttons in Endpoints > Group Assignment Rules to periodically or immediately run rules to adapt to endpoint changes, such as IP address or logged-in AD user changes.
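Because EMS applies only the first applicable rule, an endpoint that matches several rules lands in whichever group the priority order picks, and the policy follows the group. The following added example (a stand-alone model, not Fortinet code or an EMS API) flags endpoints whose assignment depends on rule order. It assumes that a lower priority number is evaluated first and that an OS rule matches as a case-insensitive substring; the field names, endpoint names and every group other than Sales Department are constructed.

```python
from dataclasses import dataclass

# Model only: field names, matching semantics and sample data are assumptions, not EMS internals.
@dataclass
class Rule:
    priority: int   # assumed: lower number is evaluated first
    type: str       # "OS" or "AD Group"
    value: str      # OS text, or AD group of the logged-in user
    group: str      # custom group the endpoint is moved to

@dataclass
class Endpoint:
    name: str
    os: str
    ad_groups: tuple = ()   # AD groups of the logged-in user; empty for workgroup endpoints

def matches(rule, ep):
    if rule.type == "OS":   # OS rules apply to workgroup endpoints; substring match is assumed
        return not ep.ad_groups and rule.value.lower() in ep.os.lower()
    return rule.type == "AD Group" and rule.value in ep.ad_groups

def assign(rules, ep):
    # First-match semantics: returns (assigned group, every rule that matched, in priority order)
    hits = [r for r in sorted(rules, key=lambda r: r.priority) if matches(r, ep)]
    return (hits[0].group if hits else None), hits

def order_dependent(rules, endpoints):
    # Endpoints that match rules pointing at different groups: reordering changes their policy
    report = {}
    for ep in endpoints:
        group, hits = assign(rules, ep)
        if len({r.group for r in hits}) > 1:
            report[ep.name] = (group, [r.group for r in hits[1:]])
    return report

# Constructed sample rules and endpoints
RULES = [
    Rule(1, "OS", "Windows", "All Windows"),
    Rule(2, "OS", "Windows 7", "Legacy - Restricted"),
    Rule(3, "AD Group", "Users/Sales Department", "Sales Department"),
    Rule(4, "AD Group", "Users/Contractors", "Contractors - Restricted"),
]
ENDPOINTS = [
    Endpoint("WG-PC-01", "Windows 7 Professional"),
    Endpoint("WG-PC-02", "Windows 10 Enterprise"),
    Endpoint("QA-LT-07", "Windows 10", ("Users/Sales Department", "Users/Contractors")),
    Endpoint("QA-LT-08", "Windows 10", ("Users/Sales Department",)),
]

print(order_dependent(RULES, ENDPOINTS))
```

In this sample, the broad Windows rule shadows the Windows 7 rule, and a user in two AD groups never reaches the Contractors group; placing the more specific or more restrictive rule at a higher priority resolves both.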
