FortiClient EMS for Chromebooks

October 17, 2018/
/by Akins IT

My previous blogs provided an overview of the FortiClient EMS platform for Windows and Mac OSX endpoints, but did you know that there’s also support for Chromebooks? Previous releases of FortiClient EMS had two versions, Standard and for Chromebooks. These had to be installed as two separate instances on their own dedicated VM, which meant that management of EMS registered devices had to be done from two separate consoles. With the introduction of EMS version 6.0 and above, management of both standard and Chromebook devices can now be accomplished within a single pane of glass.

How Does Licensing Work?

Although both Standard and Chromebook devices can now be managed under a single management console, licensing is still separate.

FortiClient Deployment

The FortiClient Web Filter Extension can be pushed out to endpoints via the Google admin portal. HTTPS communication between the extension and FortiClient EMS requires either a public or self-signed certificate.


FortiClient Web Filter Extension for Chromebooks does not include endpoint AV and Vulnerability scanning. It is strictly for web content filtering but does add a layer of security by preventing endpoints from visiting known malicious sites. User web traffic is also sent back along with telemetry data, providing admins with visibility into the types of sites being visited. Attempts to access blocked sites or categories are displayed in the FortiClient EMS dashboard. Logs can also be sent to a FortiAnalyzer if one has been deployed.

On-net / Off-net Filtering      

Content filtering persists even while the devices are off-net, and new or updated EMS profiles can be pushed out to these devices so long as they can communicate with the EMS server. For off-net devices, this is achieved by having a public DNS entry exactly as the servers FQDN. This would then resolve to your public IP and NAT’d to the EMS servers private IP (The FortiClient Web Filter Extension communicates with the EMS server via its hostname, not IP address).

Learn More About EndPoint Security


Contact Us