I have a setup where the Fortigate has Microsoft Entra Single Sign-On as an authentication scheme and a ZTNA setup that uses groups from that. The devices are Entra joined Intune managed, and synced and verified to the Forticlient EMS server. Everything works when using Windows devices. It automatically knows who the user is, matches the groups he is in and allows access to whatever is setup on the proxy policy. But when i do it for macOS devices, it doesn't work. I am having issues understanding what this means from the documentation FortiClient (macOS) does not support native Entra ID integration with EMS. For the integration to work, macOS endpoints must be managed by Intune or JAMF and enrolled to company portal using Entra ID.For the integration to work macOS endpoints must be managed by Intune and enrolled to the company portal using Entra ID. My mac device is managed by Intune and enrolled to the company portal using Entra ID (though it is also setup with an Apple Business Manager). But i can't use the groups. The only weird thing i see is on the forticlient, the domain field is blank. https://docs.fortinet.com/document/forticlient/7.4.5/ems-administration-guide/792170/adding-an-entra-id-server

New Member

Question

ZTNA sso sign in for macOS

Forum|Forum|3 months ago
February 24, 2026
1 reply
368 views

I have a setup where the Fortigate has Microsoft Entra Single Sign-On as an authentication scheme and a ZTNA setup that uses groups from that. The devices are Entra joined Intune managed, and synced and verified to the Forticlient EMS server.

Everything works when using Windows devices. It automatically knows who the user is, matches the groups he is in and allows access to whatever is setup on the proxy policy.

But when i do it for macOS devices, it doesn't work.

I am having issues understanding what this means from the documentation

FortiClient (macOS) does not support native Entra ID integration with EMS. For the integration to work, macOS endpoints must be managed by Intune or JAMF and enrolled to company portal using Entra ID.

For the integration to work macOS endpoints must be managed by Intune and enrolled to the company portal using Entra ID.

My mac device is managed by Intune and enrolled to the company portal using Entra ID (though it is also setup with an Apple Business Manager).

But i can't use the groups.

The only weird thing i see is on the forticlient, the domain field is blank.

https://docs.fortinet.com/document/forticlient/7.4.5/ems-administration-guide/792170/adding-an-entra-id-server

Stephen_G

Moderator

Hello BrokenInternet,

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

If anybody else has any info or advice, please feel free to contribute!

Regards,

Stephen_G - Fortinet Community Team

BrokenInternetAuthor

New Member

Thank you

Stephen_G

Moderator

Hi again BrokenInternet,

Unfortunately, you'll probably need to open a TAC ticket. We have a few documents that may be useful though, if you haven't already seen them:

I hope any of the info provided helps!

Stephen_G - Fortinet Community Team

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded