In this scenario, EMS provides FortiClient endpoint provisioning. FortiClient EMS connects Telemetry to EMS to receive configuration information in an endpoint profile as part of an endpoint policy from EMS. EMS also sends Zero Trust tagging rules to FortiClient, and use the results from FortiClient to dynamically group endpoints in EMS. Only EMS can control the connection between FortiClient EMS and EMS. You must make any changes to the connection from EMS, not FortiClient EMS. When FortiClient EMS is connected to EMS, EMS locks FortiClient EMS settings so that the endpoint user cannot change any configuration. To disconnect FortiClient EMS from EMS, the EMS administrator must deregister the endpoint in EMS.
In this scenario, EMS and FortiClient EMS cannot participate in the Security Fabric, since a FortiGate is not present.