In FortiClient 6.4.4, compliance depends on EMS and FortiOS. This feature is only available if using FortiClient 6.4.4 with EMS 6.4.4 and FortiOS 6.4.4.
The administrator can define Zero Trust tagging rules in EMS based on criteria such as certificates, the logged in domain, files present, OS versions, running processes, and registry keys. When a FortiClient endpoint registers to EMS, EMS dynamically groups the endpoint based on the Zero Trust tagging rules. FortiOS can receive the dynamic endpoint groups from EMS and use them to create dynamic firewall policies. The endpoint may be unable to access the network based on the Zero Trust tagging rules.
See the FortiClient EMS Administration Guide.