Policies
Configure policies to automatically provision network access based on specific criteria as registered hosts connect to the network. A Network Access Policy consists of two components:
- User/Host Profile: Defines the user and/or host data criteria used to assign Network Access Policies. Additional fields specific to MDM Services have been added to the host record and can be used as filters in User/Host Profiles. Refer to the sections Host View and Search and filter options of the Administration Guide in the Fortinet Document Library for additional information.
Field (applicable MDMs) | Description
--- | ---
Managed by MDM (All) | FortiNAC registered the host based on data from the MDM database.
Compliant (Airwatch/Workspace One, Claroty, Fortinet EMS, MS InTune, XenMobile (Citrix), MaaS360, MobileIron) | FortiNAC gathered endpoint compliance information from the MDM server and marks the host as compliant with MDM policies or not. Note: this does not list vulnerabilities.
Passcode Enabled (Airwatch/Workspace One, XenMobile (Citrix), MaaS360, MobileIron) | Indicates whether a passcode is required to access the endpoint.
Data Encryption (Airwatch/Workspace One, XenMobile (Citrix), MaaS360, MobileIron) | Indicates whether data encryption is enabled on the endpoint.
Compromised (Airwatch/Workspace One, XenMobile (Citrix), MaaS360, MobileIron) | Set when the MDM marks the endpoint as compromised. This is a separate field from Compliant; a host can be compliant and still compromised.
Note the following when determining criteria for User/Host Profiles:
- Devices registered using MDM are registered to a user if the user in the MDM matches a user in FortiNAC. If the user is not found, the device is registered as a device and not to a user.
- Devices registered from Jamf are assigned NAC-Default as the role.
- Network Access Configuration: Specifies the network access value (VLAN or role) to apply when a host matches the associated User/Host Profile.
Example: Place all iOS devices on VLAN 10 and all MacOSX devices on VLAN 11.
iOS Network Access Policy:
- User/Host Profile specifying the iOS operating system
- Network Access Configuration specifying VLAN 10
MacOSX Network Access Policy:
- User/Host Profile specifying the MacOSX operating system
- Network Access Configuration specifying VLAN 11
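As an added illustration (not FortiNAC's own code or configuration), the following Python models the two-part policy above: a User/Host Profile as a set of host-record criteria, including the MDM fields listed earlier, and a Network Access Configuration as the VLAN applied on a match. Field names and first-match evaluation order are assumptions of this model, not documented FortiNAC behaviour.

```python
from dataclasses import dataclass

# Added illustration of User/Host Profile matching and VLAN assignment.
# Not FortiNAC code; field names and first-match order are assumptions.

@dataclass
class Host:
    name: str
    os: str                 # operating system of the host
    managed_by_mdm: bool    # "Managed by MDM" host record field
    compliant: bool         # "Compliant" as reported by the MDM server
    passcode_enabled: bool  # "Passcode Enabled"
    data_encryption: bool   # "Data Encryption"
    compromised: bool       # "Compromised" (separate from Compliant)

@dataclass
class Policy:
    name: str
    profile: dict  # User/Host Profile: every listed field must match
    vlan: int      # Network Access Configuration: VLAN applied on match

def profile_matches(profile: dict, host: Host) -> bool:
    """True when every criterion in the profile equals the host's field."""
    return all(getattr(host, key) == value for key, value in profile.items())

def assign_vlan(policies: list, host: Host):
    """(policy name, VLAN) of the first matching policy, else (None, None)."""
    for policy in policies:
        if profile_matches(policy.profile, host):
            return policy.name, policy.vlan
    return None, None

# The page's example: iOS on VLAN 10, MacOSX on VLAN 11, matched on OS only.
OS_POLICIES = [Policy("iOS Network Access Policy", {"os": "iOS"}, 10),
               Policy("MacOSX Network Access Policy", {"os": "MacOSX"}, 11)]

# Same policies tightened with the MDM fields: a host that is not MDM-managed,
# non-compliant or compromised matches nothing and gets no VLAN from them.
MDM_CRITERIA = {"managed_by_mdm": True, "compliant": True, "compromised": False}
MDM_POLICIES = [Policy(p.name, {**p.profile, **MDM_CRITERIA}, p.vlan)
                for p in OS_POLICIES]

# Constructed sample hosts (name, os, managed, compliant, passcode, enc, compromised).
IPHONE_OK = Host("iphone-ok", "iOS", True, True, True, True, False)
IPHONE_COMPROMISED = Host("iphone-bad", "iOS", True, True, True, True, True)
MACBOOK = Host("mac-1", "MacOSX", True, True, True, True, False)
```

The compromised iPhone is still compliant, so the OS-only policies place it on VLAN 10, while the MDM-aware policies give it no match; this is why the Compromised field is worth adding as a profile criterion.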
Refer to section Network access policies of the Administration Guide in the Fortinet Document Library for additional information.
Proceed to Validate.