MDM Service Connectors

FortiNAC Manager Environments: The MDM Service Connector can be configured either on the FortiNAC Manager or the individual managed FortiNAC servers. For details see MDM services in the Manager Guide.

Configure an MDM Service Connector to establish a connection with the MDM server. MDM Service Connectors define the connection, or integration, between FortiNAC and the MDM server.

  1. In the Administration UI, navigate to Network > Service Connectors.

  2. Click Create New.

  3. Click on the appropriate MDM Server.

  4. Use the field definitions for the MDM Service Connector in the following table to enter the MDM Service information. Click OK to save.

    MDM Service Connector Field Definitions (each field name is followed by its definition):

    Name

    Name of the connection configuration for the connection between an MDM system and FortiNAC.

    Request URL

    The URL for the API to which FortiNAC must connect to request data. This will be a unique URL based on the MDM system.

    Note:

    • If the API is secured with an SSL certificate, the URL must use the server name exactly as it appears in the certificate. (Example: https://services.m3.mydomain.com)

    • For some MDMs (such as Jamf), this can be either an on-premise server URL or a cloud-based URL.

    Authentication Type

    Airwatch: Select the desired authentication method (Basic or OAuth).

    For details see Create Authentication Account.

    Basic

    User ID - Username/userid of an existing Airwatch user account

    Password - Password for the user account

    OAuth

    Token URL - The URL for the Workspace ONE Token Service. Token URLs are region-specific. If no token URL is specified, the following default token URL will be used: https://na.uemauth.vmwservices.com/connect/token

    Client ID - The client identifier associated with the OAuth Client.

    Client Secret - The application secret associated with the OAuth Client.

    Credential JSON (v9.4.6 and greater)

    GSuite: Imports the Service Account Key JSON file downloaded from the Google Developers Console.

    1) Select the Modify Credential JSON button.

    2) Populate the Credential JSON field with the JSON file. This can be done in two ways:

    Option 1 (Recommended): Click Browse and select the file. Its contents will appear in the Credential JSON window.

    Option 2: Copy and paste the file contents.

    User ID

    User name of the account used by FortiNAC to log into the MDM system when requesting data.

    GSuite: Email address of the Google cloud account used to generate the service account (do not use the email generated for the service account).

    Password

    Password for the account used by FortiNAC to log into the MDM system when requesting data.

    This field displays only when adding a new MDM connection configuration. It is not displayed in the table of MDM servers.

    Identifier

    A type of key used to identify FortiNAC to the MDM server. This field is not required for all MDM products.

    Airwatch/Workspace One: This is the API key generated during the Airwatch/Workspace One configuration. An API key is a unique code that identifies the FortiNAC server to Airwatch/Workspace One and is part of the Airwatch/Workspace One authentication process.

    Application ID

    Enter the application ID.

    Platform ID

    Enter the platform version number.

    Application Version

    Enter the application version number.

    Access Key

    Enter the application access key (API key).

    Enable Automatic Registration Polling (MDM Polling)

    Indicates how often FortiNAC should poll the MDM system to collect managed device information. Each time a poll executes, queries are sent to the MDM to:

    • Obtain an API login token (Claroty systems only)

    • Retrieve the asset list

      • Claroty: One query per 500 entries

      • All other MDM systems: One query per 100 entries

      • One additional query for each managed device

    If MDM notifications are configured, set the MDM Poll frequency to 1 Day.

    If notifications are not configured, the poll frequency can be set higher (polls can run more often).

    Note: When choosing an interval, consider the number of queries sent per MDM poll, the size of the MDM’s database and the number of PODs integrated with the same MDM. If the frequency is set too high, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

    Enable On Demand Registration

    If enabled, when an unknown host reaches the captive portal, FortiNAC queries the MDM server for information about that host. If the host exists in the MDM server, it is registered in FortiNAC using the data from the MDM server.

    Google GSuite: Full (paged) poll is performed. FortiNAC stops looking once the endpoint is found.

    Jamf: Single device lookup using the MAC address.

    Revalidate Health Status On Connect

    If enabled, when the host connects to the network FortiNAC queries the MDM server to determine if the host is compliant with MDM policies.

    NOTE:

    • This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues. Instead of enabling Revalidate Health Status On Connect, you can enable automatic registration polling to occur once a day, which will also retrieve Health Status, but with less frequency.

    • Nozomi: Currently not applicable

    Revalidate Health Status On Connect (Jamf)

    Not applicable: FortiNAC does not read health information from the Jamf Server.

    Remove Hosts Deleted from MDM Server

    If enabled, when FortiNAC polls the MDM server it deletes hosts from the FortiNAC database if they have been removed or disabled on the MDM server.

    GSuite: FortiNAC does not remove records based on host status (e.g. ACTIVE, DISABLED, DEPROVISIONED).

    Enable Application Updating

    If enabled, when FortiNAC polls the MDM server it retrieves and stores the Application Inventory for hosts that are in the FortiNAC database.

    NOTE:

    • This setting is disabled by default. When enabled, the MDM may not be able to manage the rate of queries from FortiNAC, causing performance issues.

    • InTune: Currently not applicable

    • Nozomi: Currently not applicable

    Poll OT Assets Only (Claroty)

    Only poll Claroty assets with a class type of OT. FortiNAC host records for other class types like IT will not be created.

    Poll Approved Assets Only (Claroty)

    Only poll assets that have an approved value of true. FortiNAC host records will not be created for Claroty’s assets with a false or non-existent approved value.

    Compliance Level (Claroty)

    None: Assets will not be evaluated for MDM Compliance in FortiNAC.

    Medium, High, or Critical: Assets with a Medium (risk_level 1), High (risk_level 2), or Critical (risk_level 3) risk level will be marked as not MDM Compliant in FortiNAC.

    High or Critical: Assets with a High (risk_level 2) or Critical (risk_level 3) risk level will be marked as not MDM Compliant in FortiNAC.

    Critical Only: Assets with a Critical (risk_level 3) risk level will be marked as not MDM Compliant in FortiNAC.

    Disable Hostname Verification (Claroty)

    If enabled, SSL hostname verification is disabled: FortiNAC no longer checks that the name in the Claroty server's certificate matches the host in the Request URL.

    The new connector will appear under the MDM Servers section.

  5. To verify FortiNAC can reach the MDM Server, right-click on the connector and select Test Connection.

  6. To manually poll the MDM Server, right-click on the connector and select Poll.

  7. To make any changes to the connector configuration, right-click and select Edit.
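The polling note above asks you to weigh the number of queries per poll, the MDM database size and the number of PODs before choosing an interval. The following calculator is an added example (not FortiNAC code) that applies the per-poll query model from the Enable Automatic Registration Polling definition: one token query for Claroty, one asset-list query per 500 entries (Claroty) or per 100 entries (all other MDMs), plus one query per managed device; the MDM type strings are my own labels.

```python
import math

# Asset-list page sizes from the MDM Polling definition above.
PAGE_SIZE = {"claroty": 500}   # Claroty: one asset-list query per 500 entries
DEFAULT_PAGE_SIZE = 100        # all other MDM systems: one query per 100 entries
# Per-poll overhead: Claroty needs one API login token query per poll.
TOKEN_QUERIES = {"claroty": 1}


def queries_per_poll(mdm: str, asset_count: int) -> int:
    """Queries FortiNAC sends to the MDM in one poll.

    token query (if any) + paged asset-list queries + one query per device.
    """
    if asset_count < 0:
        raise ValueError("asset_count must be non-negative")
    key = mdm.lower()
    page = PAGE_SIZE.get(key, DEFAULT_PAGE_SIZE)
    list_queries = math.ceil(asset_count / page)  # paged asset list
    return TOKEN_QUERIES.get(key, 0) + list_queries + asset_count


def queries_per_hour(mdm: str, asset_count: int, pods: int,
                     poll_interval_hours: float) -> float:
    """Aggregate query rate the MDM sees from all PODs polling it.

    Every POD runs its own poll, so the load scales with the POD count
    and inversely with the poll interval.
    """
    if pods < 1 or poll_interval_hours <= 0:
        raise ValueError("pods must be >= 1 and the interval positive")
    return pods * queries_per_poll(mdm, asset_count) / poll_interval_hours


if __name__ == "__main__":
    # Constructed sizing scenario: 1200 Claroty assets, 3 PODs, daily polls.
    per_poll = queries_per_poll("claroty", 1200)
    print(f"queries per poll: {per_poll}")
    print(f"queries per hour (3 PODs, 24h): {queries_per_hour('claroty', 1200, 3, 24):.1f}")
```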
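The three Claroty-specific options (Poll OT Assets Only, Poll Approved Assets Only, Compliance Level) decide which Claroty assets become FortiNAC host records and which of those are marked not MDM Compliant. The example below is added here to model those rules, not FortiNAC's own code; the asset records are constructed, and the keys class_type, approved and risk_level are assumed names chosen to mirror the option descriptions, not Claroty's API schema.

```python
# Constructed Claroty asset records (not real data). Field names are
# assumptions modelled on the connector options, not Claroty's schema.
ASSETS = [
    {"name": "plc-01", "class_type": "OT", "approved": True, "risk_level": 3},
    {"name": "hmi-02", "class_type": "OT", "approved": True, "risk_level": 1},
    {"name": "wks-03", "class_type": "IT", "approved": True, "risk_level": 2},
    {"name": "rtu-04", "class_type": "OT", "approved": False, "risk_level": 0},
    {"name": "gw-05", "class_type": "OT", "risk_level": 2},  # no approved value
]

# Compliance Level -> lowest risk_level that is marked not MDM Compliant.
# None means assets are not evaluated at all.
COMPLIANCE_THRESHOLD = {
    "None": None,
    "Medium, High, or Critical": 1,
    "High or Critical": 2,
    "Critical Only": 3,
}


def evaluate_assets(assets, ot_only, approved_only, compliance_level):
    """Return {asset name: MDM compliant?} for assets that get a host record.

    Value is True/False when evaluated, None when Compliance Level is "None".
    Assets filtered out by the two poll options get no host record at all.
    """
    threshold = COMPLIANCE_THRESHOLD[compliance_level]
    result = {}
    for asset in assets:
        if ot_only and asset.get("class_type") != "OT":
            continue  # Poll OT Assets Only: skip IT and other class types
        # Poll Approved Assets Only: a missing approved value counts as not approved
        if approved_only and asset.get("approved") is not True:
            continue
        if threshold is None:
            compliant = None
        else:
            # risk_level missing is treated as 0 (assumption): never flagged
            compliant = asset.get("risk_level", 0) < threshold
        result[asset["name"]] = compliant
    return result


if __name__ == "__main__":
    print(evaluate_assets(ASSETS, True, True, "High or Critical"))
```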

Proceed to Captive Portal Configuration.
