Chapter 14 Managing Devices for FortiOS 5.0 : Endpoint Protection : Endpoint Protection overview : User experience : FortiClient non-compliance
  
FortiClient non-compliance
If the authentication rule in a device identity policy requires endpoint protection, a device without the latest version of FortiClient Endpoint Security installed is denied access. Optionally, the user is redirected to a captive and sees a message like this:
Figure 299: Default FortiClient non-compliance message for Windows
After installing FortiClient Endpoint Security, the user will receive an invitation to register with the FortiGate unit. If the user accepts the invitation, the FortiClient profile is sent to the device's FortiClient application. Now the user can pass the authentication rule and connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.
The FortiGate unit can also register endpoints who connect over the Internet through a VPN. The user can accept an invitation to register with the FortiGate unit. See “Configuring endpoint registration over a VPN”.