DOCUMENT LIBRARY

EMS Administration Guide

Introduction
- FortiClient EMS components
- Documentation
Getting started
- Getting started with managing Windows, macOS, and Linux endpoints
- Getting started with managing Chromebooks
Installation preparation
- System requirements
- License types
  - FortiClient EMS
  - Component applications
- Required services and ports
- Management capacity
- FortiClient Telemetry security features
- Server readiness checklist for installation
- Upgrading from an earlier FortiClient EMS version
- Install preparation for managing Chromebooks
Installation and licensing
- Downloading the installation file
- Installing FortiClient EMS
- Installing FortiClient EMS using the CLI
- Starting FortiClient EMS and logging in
- Configuring EMS after installation
- Licensing FortiClient EMS
- Specifying different ports
- Upgrading Microsoft SQL Server Express to Microsoft SQL Server Standard or Enterprise
- Uninstalling FortiClient EMS
- Installation and setup for managing Chromebooks
  - Google Admin Console setup
  - Service account credentials
    - Configuring default service account credentials
    - Configuring unique service account credentials
- Verifying ports and services and connection between EMS and FortiClient
GUI
- Banner
- Left pane
- Content pane
Dashboard
- Viewing the Status
- Viewing the Vulnerability Scan dashboard
- Viewing Chromebook Status
Endpoint management
- Windows, macOS, and Linux endpoints
- Group assignment rules
- Google Domains
Deployment & Installers
- Manage Deployment
- FortiClient Installer
Endpoint Policy & Components
- Manage Policies
- CA Certificates
- On-fabric Detection Rules
Chromebook Policy
Endpoint Profiles
- Editing a default profile
- Creating a profile to configure FortiClient
- Adding a new Chromebook profile
- Viewing profiles
- Managing profiles
- Profile Name
- Malware Protection
- Sandbox Detection
- Web Filter
  - Importing a Web Filter profile from FortiOS or FortiManager
  - Enabling and disabling Safe Search
- Application Firewall
- VPN
- Vulnerability Scan
- System Settings
  - Configuring identity compliance for endpoints
- XML Configuration
  - Importing a profile from an XML file
  - Creating a profile with XML
Zero Trust Tags
- Zero Trust Tagging Rules
- Zero Trust Tag Monitor
- FortiOS dynamic policies using EMS dynamic endpoint groups
- Fabric Device Monitor
Software Inventory
- Applications
- Hosts
Quarantine Management
- Files
- Allowlist
Administration
- Administrators
- Admin roles
- Configuring User Settings
- Fabric Devices
  - Configuring EMS to share tagging information with multiple FortiGates
- SAML SSO
- Licenses
- Log Viewer
- Marking all endpoints as uninstalled
System Settings
- Configuring EMS settings
  - Adding an SSL certificate to FortiClient EMS
  - Adding an SSL certificate to FortiClient EMS for Chromebook endpoints
- Configuring Logs settings
- Configuring FortiGuard Services settings
- Alerts
- Custom Messages
  - Customizing the endpoint quarantine message
  - Customizing Web Filter messages
- Feature Select
- Generating a QR code for centrally managing FortiClient (Android) and (iOS) endpoints
Multitenancy
- Enabling and configuring multitenancy
- Global and per-site configuration
- Left pane with multitenancy enabled
- Editing a site
- Adding a multitenancy administrator
- Logging into EMS with multitenancy enabled
Creating a support package
Migrating to another EMS instance
Appendix A - Examples
- Support banned word check in URL

Home FortiClient 6.4.7 EMS Administration Guide

6.4.7

Windows, macOS, and Linux endpoint licenses

The following are the latest license bundles for FortiClient EMS:

License name	Description
Endpoint Protection Platform (EPP)	Full license that offers all FortiClient features. Includes all features detailed for the Zero Trust Network Access (ZTNA) license, as well as antivirus (AV), antiransomware, anti-exploit, cloud-based malware detection, Application Firewall, software inventory, and advanced threat protection via FortiClient Cloud Sandbox.
Zero Trust Network Access	Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (SSL and IPsec VPN), Vulnerability Scan, Web Filter, threat protection via Sandbox (appliance only) and USB device control. Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum three year term. You can specify the number of endpoints and the term duration at time of purchase. If there is no ZTNA license applied to EMS, no endpoints can register to EMS.

License name

Description

Endpoint Protection Platform (EPP)

Full license that offers all FortiClient features. Includes all features detailed for the Zero Trust Network Access (ZTNA) license, as well as antivirus (AV), antiransomware, anti-exploit, cloud-based malware detection, Application Firewall, software inventory, and advanced threat protection via FortiClient Cloud Sandbox.

Zero Trust Network Access

Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (SSL and IPsec VPN), Vulnerability Scan, Web Filter, threat protection via Sandbox (appliance only) and USB device control.

Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum three year term. You can specify the number of endpoints and the term duration at time of purchase.

If there is no ZTNA license applied to EMS, no endpoints can register to EMS.

The following shows a more comprehensive comparison between the features included in the EPP and ZTNA licenses:

Feature	EPP	ZTNA
Zero Trust Security
Zero Trust Agent	Yes	Yes
Central management via EMS	Yes	Yes
Dynamic Security Fabric connector	Yes	Yes
Vulnerability agent and remediation	Yes	Yes
SSL VPN with multifactor authentication (MFA)	Yes	Yes
IPsec VPN with MFA	Yes	Yes
Sandbox appliance	Yes	Yes
Next Generation Endpoint Security
AI-powered next generation AV	Yes
FortiClient Cloud Sandbox	Yes
Automated endpoint quarantine	Yes
Application inventory	Yes
Application Firewall	Yes
Software Inventory	Yes

The following are individual licenses that you can purchase for FortiClient EMS:

License name	Description
Fabric Agent with Endpoint Protection and Cloud Sandbox	Full license that offers all FortiClient features including endpoint protection and Sandbox Cloud. Includes all features detailed for the Fabric Agent with Endpoint Protection and Sandbox Cloud licenses.
Fabric Agent with Endpoint Protection	Includes support for Telemetry and endpoint protection and management (AV, on-premise FortiSandbox, Web Filter, Application Firewall, Vulnerability Scan, Fortinet Single Sign-On (FSSO), and FortiGate registration). Each purchased Fabric Agent license allows management of one FortiClient Windows, macOS, or Linux endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum three year term. You can specify the number of endpoints and the term duration at time of purchase. The Fabric Agent license also applies for iOS and Android endpoints. You can also use the Fabric Agent license to license Chromebooks if no Chromebook license is present on the EMS instance.
Sandbox Cloud	Adds support for FortiSandbox Cloud for Windows and macOS endpoints.

License name

Description

Fabric Agent with Endpoint Protection and Cloud Sandbox

Full license that offers all FortiClient features including endpoint protection and Sandbox Cloud.

Includes all features detailed for the Fabric Agent with Endpoint Protection and Sandbox Cloud licenses.

Fabric Agent with Endpoint Protection

Includes support for Telemetry and endpoint protection and management (AV, on-premise FortiSandbox, Web Filter, Application Firewall, Vulnerability Scan, Fortinet Single Sign-On (FSSO), and FortiGate registration).

Each purchased Fabric Agent license allows management of one FortiClient Windows, macOS, or Linux endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum three year term. You can specify the number of endpoints and the term duration at time of purchase.

The Fabric Agent license also applies for iOS and Android endpoints.

You can also use the Fabric Agent license to license Chromebooks if no Chromebook license is present on the EMS instance.

Sandbox Cloud

Adds support for FortiSandbox Cloud for Windows and macOS endpoints.

When using both Fabric Agent and Sandbox Cloud licenses, you must purchase the same number of licenses for both license types:

If you already have purchased Fabric Agent licenses for 1000 endpoints, then decide to add the Sandbox Cloud licenses, you must also purchase 1000 Sandbox Cloud licenses.
If you have purchased Sandbox Cloud licenses for 500 endpoints, then decide to add the Fabric Agent licenses, you must also purchase 500 Fabric Agent licenses.
If you purchase both Fabric Agent and Sandbox Cloud licenses at the same time, you must purchase the same number of both licenses.
If the license amounts differ, the lowest common number of licenses is available. For example, if you purchase 500 Fabric Agent licenses and 300 Sandbox Cloud licenses, EMS only has 300 licenses available.

You must purchase a license for each registered endpoint.

Windows, macOS, and Linux endpoint licenses

The following are the latest license bundles for FortiClient EMS:

License name	Description
Endpoint Protection Platform (EPP)	Full license that offers all FortiClient features. Includes all features detailed for the Zero Trust Network Access (ZTNA) license, as well as antivirus (AV), antiransomware, anti-exploit, cloud-based malware detection, Application Firewall, software inventory, and advanced threat protection via FortiClient Cloud Sandbox.
Zero Trust Network Access	Includes support for Fabric Agent for endpoint telemetry, security posture check via ZTNA tagging, remote access (SSL and IPsec VPN), Vulnerability Scan, Web Filter, threat protection via Sandbox (appliance only) and USB device control. Each purchased ZTNA license allows management of one FortiClient Windows, macOS, Linux, iOS, Android, or Chromebook endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum three year term. You can specify the number of endpoints and the term duration at time of purchase. If there is no ZTNA license applied to EMS, no endpoints can register to EMS.

License name

Description

Endpoint Protection Platform (EPP)

Zero Trust Network Access

If there is no ZTNA license applied to EMS, no endpoints can register to EMS.

The following shows a more comprehensive comparison between the features included in the EPP and ZTNA licenses:

Feature	EPP	ZTNA
Zero Trust Security
Zero Trust Agent	Yes	Yes
Central management via EMS	Yes	Yes
Dynamic Security Fabric connector	Yes	Yes
Vulnerability agent and remediation	Yes	Yes
SSL VPN with multifactor authentication (MFA)	Yes	Yes
IPsec VPN with MFA	Yes	Yes
Sandbox appliance	Yes	Yes
Next Generation Endpoint Security
AI-powered next generation AV	Yes
FortiClient Cloud Sandbox	Yes
Automated endpoint quarantine	Yes
Application inventory	Yes
Application Firewall	Yes
Software Inventory	Yes

The following are individual licenses that you can purchase for FortiClient EMS:

License name	Description
Fabric Agent with Endpoint Protection and Cloud Sandbox	Full license that offers all FortiClient features including endpoint protection and Sandbox Cloud. Includes all features detailed for the Fabric Agent with Endpoint Protection and Sandbox Cloud licenses.
Fabric Agent with Endpoint Protection	Includes support for Telemetry and endpoint protection and management (AV, on-premise FortiSandbox, Web Filter, Application Firewall, Vulnerability Scan, Fortinet Single Sign-On (FSSO), and FortiGate registration). Each purchased Fabric Agent license allows management of one FortiClient Windows, macOS, or Linux endpoint. You must purchase a minimum of 25 endpoint licenses, and you can have these EMS licenses for a maximum three year term. You can specify the number of endpoints and the term duration at time of purchase. The Fabric Agent license also applies for iOS and Android endpoints. You can also use the Fabric Agent license to license Chromebooks if no Chromebook license is present on the EMS instance.
Sandbox Cloud	Adds support for FortiSandbox Cloud for Windows and macOS endpoints.

License name

Description

Fabric Agent with Endpoint Protection and Cloud Sandbox

Full license that offers all FortiClient features including endpoint protection and Sandbox Cloud.

Includes all features detailed for the Fabric Agent with Endpoint Protection and Sandbox Cloud licenses.

Fabric Agent with Endpoint Protection

The Fabric Agent license also applies for iOS and Android endpoints.

You can also use the Fabric Agent license to license Chromebooks if no Chromebook license is present on the EMS instance.

Sandbox Cloud

Adds support for FortiSandbox Cloud for Windows and macOS endpoints.

When using both Fabric Agent and Sandbox Cloud licenses, you must purchase the same number of licenses for both license types:

If you already have purchased Fabric Agent licenses for 1000 endpoints, then decide to add the Sandbox Cloud licenses, you must also purchase 1000 Sandbox Cloud licenses.
If you have purchased Sandbox Cloud licenses for 500 endpoints, then decide to add the Fabric Agent licenses, you must also purchase 500 Fabric Agent licenses.
If you purchase both Fabric Agent and Sandbox Cloud licenses at the same time, you must purchase the same number of both licenses.
If the license amounts differ, the lowest common number of licenses is available. For example, if you purchase 500 Fabric Agent licenses and 300 Sandbox Cloud licenses, EMS only has 300 licenses available.

You must purchase a license for each registered endpoint.

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

EMS Administration Guide

Windows, macOS, and Linux endpoint licenses

Windows, macOS, and Linux endpoint licenses

Windows, macOS, and Linux endpoint licenses

Windows, macOS, and Linux endpoint licenses