When the FortiGate 5.4.0 managed the FortiClient, I was able to apply the policies to users based on their AD group. With the changes in 5.4.1, it forced us to move to EMS and we lost a bit of functionality. The policies no longer apply to users in certain AD groups; they now apply to OUs that the workstation is in. This seems like a step backwards. We now have to change the way our enterprise does things with shared workstations since the policies no longer follow the user.
I now see in the manual that I can get my AD group membership functionality back if I also purchase FortiAuthenticator, but I don't understand why I need to purchase yet another product when I was promised all this functionality with my initial FortiGate purchase. This almost seems like a bait-and-switch tactic. I wouldn't be surprised if Fortinet gets sued over this one.
Anyhow, has anyone used EMS with the FortiAuthenticator and is it true that different policies can be applied by user AD group? If I have to go ask for funding to purchase this, I need to make 100% sure it will give us the functionality we need.