AEK
SuperUser

FortiClient Android automatically managed

Hello

We have FortiClient EMS 7.0.8.

We use invitations in order to integrate Windows PCs to the EMS managed hosts.

However, last time we discovered that when we install FortiClient (7.0.9) on any Android host and configure a connection to our FCT EMS, the Android phone gets automatically managed by EMS without any invitation!

 


 

Is that behavior normal?

 

Then we tried to disable this unwanted behavior by enabling "Enforce invitation-only registration for ALL", but the result is that all managed hosts were ejected from managed hosts!

Is that behavior also normal?

 

So what is the best way to disable auto Android registration without affecting the current managed hosts?

 

AEK
1 Solution
btan
Staff

Hello,


Assuming you did not enable 'Enforce invitation-only registration' and 'FortiClient telemetry connection key', any device will be able to join EMS using the EMS IP or FQDN.
So it is normal behavior if Android FCT joins EMS after you input the EMS IP.

Then we tried to disable this unwanted behavior by enabling "Enforce invitation-only registration for ALL", but the result is that all managed hosts were ejected from managed hosts!
> This looks like a behavior for 'Enforce User Verification'
> Are you sure you enabled 'Enforce invitation-only registration for ALL', and not 'Enforce User Verification'?

If your end goal is to have another level of security to join EMS, you can use 'FortiClient telemetry connection key'.

Enabling 'Enforce invitation-only registration' means new devices can only join via Invitation code, and not EMS IP/FQDN.

Regards,
Bon

AEK

Thanks Bon

I confirm I've enabled 'Enforce invitation-only registration for ALL', and not 'Enforce User Verification'. I did the same test again and got the same result.

 

AEK