Managing endpoints with FortiClient Cloud

With FortiClient Cloud, you can manage up to 500 endpoints with a simplified cloud infrastructure created and managed by Fortinet. Using FortiClient Cloud provides you with the opportunity to focus on your endpoint management needs rather than infrastructure configuration and maintenance.

You can execute EMS functions from the cloud-based EMS. You must complete the following steps to create a cloud-based EMS instance under your FortiCloud user account:

  1. Register a FortiCloud premium subscription to your FortiCloud account.
  2. Register a FortiClient license contract for management by FortiClient Cloud to your FortiCloud account.

Caution

You must register the FortiCloud premium subscription before you can register FortiClient endpoint licenses.

If you attempt to register the endpoint license before the FortiCloud premium subscription, you will not be able to deploy FortiClient & FortiClient EMS Cloud from this FortiCloud account.

This section provides the following information about FortiClient Cloud:

Requirements

The following items are required before you can initialize your FortiClient Cloud instance:

Requirement

Description

FortiCloud account with premium subscription

Create a FortiCloud account if you do not have one and register a FortiCloud premium subscription to this account. Launching FortiClient Cloud requires a primary FortiCloud account with a premium subscription. A primary FortiCloud account with a premium subscription can invite other users to launch FortiClient Cloud. Each FortiCloud account that will access FortiClient Cloud must be registered with its own FortiCloud premium subscription. You must register the FortiCloud premium subscription before registering any endpoint licensing; otherwise, you cannot deploy FortiClient Cloud.

Licensing

A license for each endpoint that will be managed using FortiClient Cloud. Purchase one of the following FortiClient license types from Fortinet:

  • Fabric Agent with Endpoint Protection
  • Sandbox Cloud

When registering the license contract, you must specify that the endpoints will be managed using FortiClient Cloud, as described in Deploying FortiClient Cloud.

Registering a Fabric Agent license for FortiClient Cloud management does not support all features supported for on-premise EMS. See Differences between FortiClient Cloud and on-premise EMS for the list of supported features.

Internet access

You must have Internet access to create a FortiClient Cloud instance.

Browser

Device with a browser to access FortiClient Cloud.

Note

FortiClient Cloud only supports FortiClient 6.2.1 and later versions.

Differences between FortiClient Cloud and on-premise EMS

FortiClient Cloud does not currently support the following features. To use these features, use an on-premise EMS instead of FortiClient Cloud:

  • Active Directory (AD) integration
  • Chromebook management

In addition to the removal of GUI elements that relate to AD integration and Chromebook management, the following table lists screens and features that have been modified from what is available in on-premise EMS:

GUI pane

Modification

Dashboard

System Information widget shows FortiCare account organization name and EMS node ID.

Manage Installers > Deployment Packages

  • Deployment packages have an expiry date. After this date, users cannot use this deployment package to install FortiClient.
  • The Manage Installers > Deployment Packages page displays a download link. You can directly download the .zip file that contains the FortiClient installer using this link.
  • Each deployment package contains an invitation code.
  • Automatic registration is enabled by default for each deployment package.

Compliance Verification

Fabric Device Monitor is not available.

Administration

  • Shows users imported from the FortiCare account.
  • Administrators page only allows changing a user's role.
  • Administrators page displays a Primary User column.

System Settings

  • Server only displays the DHCP onnet/offnet and Sign software packages options.
  • FortiGuard does not have the option to use FortiManager for software and signature updates.

Deploying FortiClient Cloud

This section explains how to deploy FortiClient Cloud. This section assumes that you have already purchased the desired subscription licenses for your deployment from a Fortinet partner or reseller and received your license activation codes.

Note

You can create only one EMS instance in the Cloud per FortiCloud account with premium subscription.

To deploy FortiClient Cloud:

Caution

You must register the FortiCloud premium subscription as described in step 1 before you can register FortiClient endpoint licenses as described in step 2.

If you attempt to register the endpoint license before the FortiCloud premium subscription, you will not be able to deploy FortiClient Cloud from this FortiCloud account.

  1. Register the FortiCloud premium subscription contract (FC-15-CLDPS-219-02-DD) to your FortiCloud account:
    1. On the Customer Service & Support site, go to Asset > Register/Activate.
    2. In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product.
    3. Enter your details in the other fields and complete the registration. This is a yearly subscription.
  2. Register the FortiClient endpoint licenses for management by FortiClient Cloud:
    1. On the Customer Service & Support site, go to Asset > Register/Activate.
    2. In the Specify Registration Code field, enter your license activation code and select Next to continue registering the product.
    3. On the Specify Fortinet Registration Information screen, select the Used for Cloud Purpose checkbox.
    4. Enter your details in the other fields and complete the registration.
    Note

    You may need to wait a few minutes for the cloud instance to initialize before you can proceed to step 2 or 3.

  3. Access FortiClient Cloud in one of the following ways:
    1. Access FortiClient Cloud from FortiCare.
    2. Access FortiClient Cloud from the FortiClient Cloud portal:
      1. In a browser, go to the FortiClient Cloud portal.
      2. Log in with your FortiCloud credentials.
    3. Access FortiClient Cloud from the link included in the welcome email.

Adding a new invitation for a deployment package

Users can connect to FortiClient Cloud without an IP address or FQDN by using an invitation. FortiClient Cloud offers two invitation types: individual, which can be used once; and bulk, which can be used multiple times. The Use Count column on the Invitations page displays how many times an invitation has been used to register an endpoint. The Expiry Date column displays the date until which the invitation can be used to connect to FortiClient Cloud.

To add a new invitation for a deployment package:
  1. Go to Invitations.
  2. Select an existing invitation code for the desired deployment package.
  3. Click Add.
  4. To send the code to a single recipient, select Individual. Otherwise, select Bulk.
  5. If desired, select Send email notifications.
  6. In the Email recipients field, enter the email addresses of the desired end users.
  7. If desired, enable Send SMS notifications.
  8. In the Expiry date field, set the expiry date. Click Save. You will see a new invitation code for the deployment package.

Adding a secondary admin account

The FortiClient Cloud primary administrator (the user who created the FortiClient Cloud instance) can add secondary administrators from their FortiCare account. You cannot create a user directly in the FortiClient Cloud GUI. FortiClient Cloud pulls users from the primary administrator's FortiCare account.

To create a secondary admin account:
  1. Log in to Fortinet Service & Support with your FortiCloud account.
  2. Click the account icon in the top-right corner.

  3. Select Manage User.
  4. Click the Add User icon.

  5. Enter the user information as required. If the new user does not have a FortiCare account, they must create one. Click Save. A user added on this page becomes visible on the FortiClient Cloud GUI in Administrators and can log in to FortiClient Cloud with their FortiCloud account. These users have limited permissions.

Adding a FortiClient deployment package

To add a deployment package:
  1. Go to Manage Installers > Deployment Packages.
  2. Click Add.
  3. On the Version tab, set the following options:

    Installer Type

    Use an official FortiClient installer or a custom FortiClient installer. See the FortiClient EMS Administration Guide for details on uploading a custom installer.

    Release

    Select the FortiClient release version to install.

    Patch

    Select the specific FortiClient patch version to install.

    Keep updated to the latest patch

    Select to enable FortiClient to automatically update to the latest patch release when FortiClient is installed on an endpoint.

    Custom installer

    Select the desired custom FortiClient installer.

  4. Click Next. On the General tab, set the following options:

    Name

    Enter the FortiClient deployment package's name.

    Expiry Date

    Enter this deployment package's expiry date. After this date, users cannot use this deployment package to install FortiClient.

    Notes

    (Optional) Enter any notes about the FortiClient deployment package.

  5. Click Next. On the Features tab, set the following options:

    Security Fabric Agent

    Enabled by default and cannot be disabled. Installs FortiClient with Telemetry and Vulnerability Scan enabled.

    Secure Access Architecture Components

    Install FortiClient with SSL and IPsec VPN enabled. Disable to omit SSL and IPsec VPN support from the FortiClient deployment package.

    Advanced Persistent Threat (APT) Components

    Install FortiClient with APT components enabled. Disable to omit APT components from the FortiClient deployment package. Includes FortiSandbox detection and quarantine features.

    Additional Security Features

    Enable any of the following features:

    • AntiVirus
    • Web Filtering
    • Application Firewall
    • Single Sign-On (SSO) mobility agent

    Disable to exclude features from the FortiClient deployment package.

  6. Click Next. On the Advanced tab, set the following options:

    Enable automatic registration

    Configure FortiClient to automatically connect Telemetry to FortiClient after FortiClient installs on the endpoint. Disable to turn off this feature and require endpoint users to manually connect Telemetry to FortiClient.

    Enable desktop shortcut

    Configure the FortiClient deployment package to create a desktop shortcut on the endpoint.

    Enable start menu shortcut

    Configure the FortiClient deployment package to create a Start menu shortcut on the endpoint.

    Enable Installer ID

    Configure an installer ID. Select an existing installer ID or enter a new installer ID. If creating an installer ID, select a group path or create a new group in the Group Path field. FortiClient automatically groups endpoints according to installer ID group assignment rules.

    Enable Endpoint Profile

    Select an endpoint profile to include in the installer. EMS applies the profile to the endpoint once it has installed FortiClient. This option is necessary if certain security features must be enabled before the endpoint contacts EMS, or if users require a VPN connection to connect to EMS.

  7. Click Next. The Telemetry tab displays the hostname and IP address of the FortiClient server, which will manage FortiClient once it is installed on the endpoint. Also configure the following option:

    Enable telemetry connection to Security Fabric (FortiGate)

    Enable this option, and select the name of the gateway list to use. The gateway list defines the IP address for the FortiGate.

    If you have not created a gateway list, this option is not available. See the FortiClient EMS Administration Guide for details on configuring a gateway list.

  8. Click Finish. The FortiClient deployment package is added to FortiClient and displays on the Manage Installers > Deployment Packages pane. The deployment package may include .exe (32-bit and 64-bit), .msi, and .dmg files depending on the configuration.

Installing FortiClient on an endpoint and registering to FortiClient Cloud

To install FortiClient on an endpoint:

When installing FortiClient on an endpoint from a deployment package created in FortiClient Cloud, the administrator carries out some actions, while the endpoint user carries out others.

  1. (Administrator) In EMS, go to Manage Installers > Deployment Packages. Note the invitation code for the desired deployment package.
  2. (Administrator) Go to Invitations.
  3. (Administrator) Select the invitation code that was noted in step 2. Click Edit.
  4. (Administrator) To send the code to a single recipient, select Individual. Otherwise, select Bulk.
  5. (Administrator) In the Email recipients field, enter the email addresses of the desired end users.
  6. (Administrator) If desired, enable Send SMS notifications.
  7. (Administrator) If desired, in the Expiry date field, set the expiry date. Click Save.
  8. (End user) Click the FortiClient download link in the invitation email or text message that you received. Extract and run the installer file.
  9. (End user) Your FortiClient should automatically register to FortiClient Cloud after installation. If your FortiClient did not automatically register to FortiClient Cloud, use the instructions below to register to FortiClient Cloud.

To register to FortiClient Cloud:

You can use the following instructions to register to FortiClient Cloud in one of the following scenarios:

  • If you want to register a FortiClient Linux, iOS, or Android endpoint to FortiClient Cloud. Since you cannot create a deployment package for these operating systems in EMS, this is the only way to register these endpoints to FortiClient Cloud.
  • If you did not follow the instructions above to install FortiClient on your endpoint, such as if you downloaded a publicly available FortiClient deployment package.
  • If you followed the installation instructions above, but your FortiClient did not automatically register to FortiClient Cloud after installation.

  1. Enter the invitation code in the Join FortiClient Cloud field on the Fabric Telemetry tab in FortiClient. Your EMS administrator should have provided the code to you.
  2. Click Connect. FortiClient is now managed by FortiClient Cloud.
