Is this an EMS managed endpoint, or the free consumer app?

We are seeing this a lot too with licensed endpoints managed with EMS and it's super frustrating. I've found one main cause for a few different reasons. As /u/nostalia-nse7 pointed out, it's from a lack of connectivity to management, or connectivity to management but without proper policy applied.

In the first case, make sure you can resolve the hostname of your EMS server from the endpoint, and that required ports are open. In the second, check the device in EMS and see if it is getting the policy it should have for VPN.

We see Windows machines register to EMS before EMS knows they are domain joined, or when some random issue keeps EMS from syncing LDAP (about once or twice a week). This results in the endpoint registering as a unique workgroup endpoint that might not match the expected policy for your targeted domain OU. With Macs, this happens super frequently if the scutil param for hostname isn't set (apparently macOS has 20 different ways of uniquely identifying a machine, Fortinet wants "hostname"). Same thing happens, multiple unique endpoints register as new workgroup endpoints, getting default policy instead of whatever you intended.
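The two checks described in the comment above (resolve the EMS server name and its port from the endpoint; on Macs, confirm the scutil HostName is actually set), as an added example script that is not from this thread or from Fortinet. EMS_HOST is a placeholder, and the 8013 default port is an assumption to confirm against your own EMS deployment.

```sh
#!/bin/sh
# Added example (not from the thread): pre-registration checks to run on an
# endpoint before blaming EMS policy. EMS_HOST and EMS_PORT are assumptions.
EMS_HOST="${EMS_HOST:-ems.example.invalid}"   # placeholder EMS server FQDN
EMS_PORT="${EMS_PORT:-8013}"                  # assumed telemetry port; verify

# Classify what `scutil --get HostName` printed. Returns 0 when a hostname is
# set, 1 when macOS reports "HostName: not set" or nothing came back.
hostname_status() {
    case "$1" in
        ""|*"not set"*) return 1 ;;
        *) return 0 ;;
    esac
}

# One-line summary of the three macOS identity values. EMS keys on HostName,
# so an UNSET or mismatched value is what causes a stray workgroup endpoint.
# Takes the three values as arguments so it can be tested without scutil.
identity_report() {
    if hostname_status "$1"; then hn="$1"; else hn="UNSET"; fi
    printf 'HostName=%s LocalHostName=%s ComputerName=%s\n' "$hn" "$2" "$3"
}

# Can the endpoint resolve the EMS server name with the resolver it will use?
resolve_ems() {
    if command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -q host -a name "$1" | grep -q ip_address
    else
        getent hosts "$1" >/dev/null 2>&1
    fi
}

# TCP handshake only; a firewall dropping the port shows up here as FAIL.
port_reachable() { nc -z -w 3 "$1" "$2" >/dev/null 2>&1; }

main() {
    if [ "$(uname)" = Darwin ]; then
        identity_report "$(scutil --get HostName 2>&1)" \
                        "$(scutil --get LocalHostName 2>&1)" \
                        "$(scutil --get ComputerName 2>&1)"
        # Remediation for an UNSET value:  sudo scutil --set HostName <fqdn>
    fi
    resolve_ems "$EMS_HOST" && echo "resolve $EMS_HOST: ok" || echo "resolve $EMS_HOST: FAIL"
    port_reachable "$EMS_HOST" "$EMS_PORT" && echo "tcp/$EMS_PORT: ok" || echo "tcp/$EMS_PORT: FAIL"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh ems_check.sh run` on the endpoint; a FAIL on resolve or tcp points at connectivity, an UNSET HostName at the Mac identity problem.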