Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff

Created on ‎10-02-2019 12:28 PM

Article Id 198255

Technical Note: iOS devices can incorrectly trigger macOS agent download

Description
When registering iOS devices in the Captive Portal, the user is prompted to download an agent that is designed for macOS devices. 

Devices running iOS 13 and higher use the same User Agent as macOS if "Request Desktop Setting" is enabled in Safari. 

Refer to the following URL:
User Agent in Safari on iPadOS
https://forums.developer.apple.com/thread/119186


This behavior can prevent the user from registering the device.  When a user enters their credentials in the Captive Portal, the User Agent (sent by the browser) determines which agent file will be prompted for download.  If an iOS device matches an Endpoint Compliance Policy that distributes the macOS Agent, the user will be incorrectly prompted to download that agent.  Since the agent cannot run on iOS, the user will not be able to run the agent and scan, preventing completion of registration.  




Solution
Solution 1:  Disable the "Request Desktop Setting" setting in the device.
1. Click Settings > Safari > Request Desktop Website
2. Deselect All Websites
3. Close and reopen browser.  User should now be able to complete registration.



Solution 2: Create an Endpoint Compliance Policy specifically for iOS devices
Create a policy such that any device whose operating system is something other than Windows, MacOS or Linux do not require an agent.

1. Navigate to Policy > Policy Configuration
2. Click Endpoint Compliance
3. Click Add
4. Name: Apple iOS Devices
5. User Host/Profile: Click the Add User/Host Profile button
6. Create a User Host/Profile:
a. Name: Apple iOS Devices
b. Next to Who/What by attribute click Add
c. Under the Host tab, select Operating System:
d. Enter ![Windows*,Mac*,Linux*]  
e. Click OK

7. Endpoint Compliance Configuration: Click the Add Endpoint Compliance Configuration button
8. Create Endpoint Compliance Configuration:
a. Name: Apple iOS Devices
b. Scan: AgentNoScan
c. Under Agent tab, set all Operating systems to None - Bypass
d. Click OK
9. Click OK again to save the policy
10. Rank Policy at the top to ensure it matches first

Regardless if iOS devices have "Request Desktop Setting" setting enabled, they should now match the Apple iOS Devices Endpoint Compliance Policy and will not be prompted to download an agent.



Labels:
1116
0 Kudos
Submit Article Idea
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.