Fortinet black logo

EMS Administration Guide

Compliance verification rule types

Compliance verification rule types

The following table lists compliance verification rule types. For all rule types, you can configure multiple conditions using the + button.

Rule type

Description

AD Group

From the AD Group dropdown list, select the desired AD group. EMS considers the endpoint as satisfying the rule if the logged in user belongs to the selected AD group. You can also use the NOT option to indicate that the rule requires that the logged in user certain does not belong to certain AD groups.

This option is not available for Linux endpoints.

To use this option, you must configure connection to an AD server. See Adding a user server.

Only FortiClient 6.2.2+ endpoints support this rule type.

AntiVirus Software

From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center.

The endpoint must satisfy all configured conditions to satisfy this rule.

Only FortiClient 6.2.2+ endpoints support this rule type.

Certificate

In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint.

The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

File

In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

Logged in Domain

In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

This option is not available for Linux endpoints.

OS Version

From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

Registry Key

In the Registry Key field, enter the registry key or registry data value. End the path with / to indicate a registry key, or without / to indicate a registry data value. You can also use the NOT option to indicate that the rule requires that a certain registry key or data value is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C.

This option is only available for Windows endpoints.

The following shows examples of registry key values:

\Computer\HKEY…\Key\

\Computer\HKEY…\Key

Computer\HKEY…\Key\

Computer\HKEY…\Key

\Computer\HKEY…\Key\String\

\Computer\HKEY…\Key\String

Computer\HKEY…\Key\String\

Computer\HKEY…\Key\String

\HKEY…\Key\

\HKEY…\Key

HKEY…\Key\

HKEY…\Key

\HKEY…\Key\String\

\HKEY…\Key\String

HKEY…\Key\String\

HKEY…\Key\String

Running Process

In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Sandbox Detection

From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days.

This option is not available for Linux endpoints.

Only FortiClient 6.2.2+ endpoints support this rule type.

Vulnerable Devices

From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher.

Windows Security

From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have Windows Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall enabled. You can also use the NOT option for the rule to require that the endpoint have Windows Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows firewall disabled.

The endpoint must satisfy all configured conditions to satisfy this rule.

This option is only available for Windows endpoints.

Only FortiClient 6.2.2+ endpoints support this rule type.

User Identity

Under User Identity, select the following:

  • User Specified: endpoint user entered their personal information using User Input in FortiClient.
  • Social Network Login: endpoint user provided their personal information by logging in to their Google, LinkedIn, or Salesforce account in FortiClient. You can further select one of the following:
    • All Accounts: all endpoints where the user logged in to the specified social network account type.
    • Specified: enter a specific Google, LinkedIn, or Salesforce account. For example, you can enter joanexample@gmail.com to configure the rule to apply specifically to only that Google account. You can specify multiple social network accounts.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

Only FortiClient 6.2.2+ endpoints support this rule type.

Compliance verification rule types

The following table lists compliance verification rule types. For all rule types, you can configure multiple conditions using the + button.

Rule type

Description

AD Group

From the AD Group dropdown list, select the desired AD group. EMS considers the endpoint as satisfying the rule if the logged in user belongs to the selected AD group. You can also use the NOT option to indicate that the rule requires that the logged in user certain does not belong to certain AD groups.

This option is not available for Linux endpoints.

To use this option, you must configure connection to an AD server. See Adding a user server.

Only FortiClient 6.2.2+ endpoints support this rule type.

AntiVirus Software

From the AV Software dropdown list, select the desired conditions. You can require that an endpoint have AV software installed and running and that the AV signature is up-to-date. You can also use the NOT option for the rule to require that the endpoint does not have AV software installed or running or that the AV signature is not up-to-date. This rule applies for FortiClient AV and third-party AV software that registers to the Windows Security Center.

The endpoint must satisfy all configured conditions to satisfy this rule.

Only FortiClient 6.2.2+ endpoints support this rule type.

Certificate

In the Subject CN and Issuer CN fields, enter the certificate subject and issuer. You can also use the NOT option to indicate that the rule requires that a certain certificate is not present for the endpoint.

The endpoint must satisfy all conditions to satisfy this rule. For example, if the rule is configured to require certificate A, certificate B, and NOT certificate C, then the endpoint must have both certificates A and B and not certificate C.

File

In the File field, enter the file path. You can also use the NOT option to indicate that the rule requires that a certain file is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require file A, file B, and NOT file C, then the endpoint must have both files A and B and not file C.

Logged in Domain

In the Domain field, enter the domain name. If the rule is configured for multiple domains, EMS considers the endpoint as satisfying the rule if it belongs to one of the configured domains.

This option is not available for Linux endpoints.

OS Version

From the OS Version field, select the OS version. If the rule is configured for multiple OS versions, EMS considers the endpoint as satisfying the rule if it has one of the configured OS versions installed.

Registry Key

In the Registry Key field, enter the registry key or registry data value. End the path with / to indicate a registry key, or without / to indicate a registry data value. You can also use the NOT option to indicate that the rule requires that a certain registry key or data value is not present on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require registry key A, registry key B, and NOT registry key C, then the endpoint must have both registry keys A and B and not registry key C.

This option is only available for Windows endpoints.

The following shows examples of registry key values:

\Computer\HKEY…\Key\

\Computer\HKEY…\Key

Computer\HKEY…\Key\

Computer\HKEY…\Key

\Computer\HKEY…\Key\String\

\Computer\HKEY…\Key\String

Computer\HKEY…\Key\String\

Computer\HKEY…\Key\String

\HKEY…\Key\

\HKEY…\Key

HKEY…\Key\

HKEY…\Key

\HKEY…\Key\String\

\HKEY…\Key\String

HKEY…\Key\String\

HKEY…\Key\String

Running Process

In the Running Process field, enter the process name. You can also use the NOT option to indicate that the rule requires that a certain process is not running on the endpoint.

The endpoint must satisfy all configured conditions to satisfy this rule. For example, if the rule is configured to require process A, process B, and NOT process C, then the endpoint must have both processes A and B running and process C not running.

Sandbox Detection

From the Sandbox Detection dropdown list, select the desired condition. You can require that Sandbox detected malware on the endpoint in the last seven days. You can also use the NOT option for the rule to require that Sandbox did not detect malware on the endpoint in the last seven days.

This option is not available for Linux endpoints.

Only FortiClient 6.2.2+ endpoints support this rule type.

Vulnerable Devices

From the Severity Level dropdown list, select the desired vulnerability severity level. If the rule is configured for multiple severity levels, EMS considers the endpoint as satisfying the rule if it has a vulnerability of one of the configured severity levels or higher.

Windows Security

From the Windows Security dropdown list, select the desired conditions. You can require that an endpoint have Windows Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows Firewall enabled. You can also use the NOT option for the rule to require that the endpoint have Windows Defender, Bitlocker Disk Encryption, Exploit Guard, Application Guard, and/or Windows firewall disabled.

The endpoint must satisfy all configured conditions to satisfy this rule.

This option is only available for Windows endpoints.

Only FortiClient 6.2.2+ endpoints support this rule type.

User Identity

Under User Identity, select the following:

  • User Specified: endpoint user entered their personal information using User Input in FortiClient.
  • Social Network Login: endpoint user provided their personal information by logging in to their Google, LinkedIn, or Salesforce account in FortiClient. You can further select one of the following:
    • All Accounts: all endpoints where the user logged in to the specified social network account type.
    • Specified: enter a specific Google, LinkedIn, or Salesforce account. For example, you can enter joanexample@gmail.com to configure the rule to apply specifically to only that Google account. You can specify multiple social network accounts.

EMS considers the endpoint as satisfying the rule if it satisfies one of the conditions.

Only FortiClient 6.2.2+ endpoints support this rule type.