Smart Groups

Smart groups are dynamic user groups created and managed based on Active Directory group, user attributes, and device attributes. The members of a smart group are defined dynamically in WebUI, rather than being manually defined by an administrator. You can target multiple devices using smart groups that a user or a device is subscribed to and you can manage apps, device access, group membership and so on.

Advantages

Smart groups facilitate scalable management of MDM-enrolled devices via user-based enrollment and device targeting. Smart groups help IT administrators to manage devices in many ways including the following:

Smart groups can also be used as an effective access control system that grants access permissions to resources based on user attributes and device attributes. For example, you can create a smart group that includes all users who belong to the "Engineering" department, are located in "the United States", and use iOS mobile phones, and then grant that group access to the engineering-related resources that apply to iOS mobile phones and are compliant for the United States.

With smart groups, you can manage users based on the user and attribute data that is stored for them.

User attributes

User attributes help to uniquely identify end users based on the information managed in your organization's Directory services, such as Microsoft Active Directory or LDAP (Lightweight Directory Access Protocol) directories. User attributes can include any alphanumeric ID, Email ID, or a common attribute that is shared amongst various users. These user attributes facilitate authentication, authorization, and information retrieval. Examples of user attributes are:

  • Identity Information: Usernames, Email addresses, user ID numbers, job title, department, or location
  • Access Credentials: Passwords, security questions/answers, authentication tokens
  • Permissions: Access rights, roles and responsibilities
Based on your directory services, you can define user attributes and associate them with smart groups. This helps to efficiently filter and target a group of devices and manage them consistently in the following ways.
  • Access Control: By associating devices with specific users, organizations can control who has access to particular resources, systems, or data.
  • Security: Administrators can set security policies based on user roles, ensuring that sensitive information is only accessible to authorized individuals.
  • Device Configuration: User attributes can be used to tailor device configurations based on individual needs. This ensures that users have the necessary tools and settings for their roles.
  • User Experience: Managing devices based on user attributes allows for a personalized user experience. Users can have customized settings, applications, and access permissions that align with their roles and responsibilities.
  • Policy Enforcement: Enforce IT policies more effectively by associating devices with specific users. This includes policies related to software installations, updates, antivirus protection, and other security measures.
  • Remote Device Management: IT administrators can remotely troubleshoot issues, deploy updates, and perform maintenance tasks more efficiently when devices are associated with specific users.
  • Identity Management: Ensure that the right individuals have access to the right resources, promoting a secure and efficient IT environment.
  • Adaptability to Organizational Changes: As users change roles or leave the organization, managing devices based on user attributes allows for seamless transitions. Device access and configurations can be adjusted to reflect changes in user status and responsibilities.
  • Deploy customized policies, such as passcode, restriction, or certificate policies, to a specific set of devices.
  • Trigger customized actions, such as lock or wipe, as applicable on a specific set of devices.

Device attributes

Device attributes refer to various characteristics and information associated with an MDM enrolled device. These attributes include hardware specifications, operating system details, network configuration, and other relevant information.

The MDM server gathers and updates device information in the following ways:
  • Device enrollment: During the enrollment process, the MDM server collects basic device information such as device type, model, serial number, and hardware specifications.
  • BigFix Agent installation: BigFix Agent collects and transmits information about the device to BigFix.
  • Device queries: MDM server might send a request to a device to provide details about its current location, installed applications, or security settings.
  • Platform-specific APIs: MDM server uses platform-specific APIs provided by the operating system to get device information. For example, on iOS devices, the MDM server can use Apple's MDM protocol and APIs to gather information about the device.
  • Network communication: Devices regularly communicate with the MDM server for updates, policies, and other instructions. During these communications, the MDM server can request and receive information about the device.
  • User Input: Some attributes may require user input or permission. For instance, obtaining the device's location might require the user to grant location access.
  • Device refresh: Device information is updated when a device is refreshed.
By associating these device attributes, you can create a smart group to consistently configure and manage a group of devices with specific attributes. This helps in efficiently implementing policies, enforcing security measures, and streamlining device management based on the unique characteristics of the devices. Following are some examples where you can associate device attributes in smart groups to manage a group of devices.
  • Security policies: You can define a smart group based on the device model and operating system version, and you can push security configurations such as passcode requirements, encryption settings, and other authentication policies.
  • Application management: You can define a smart group based on operating system and available storage, and push specific applications to devices or restrict the installation of certain apps based on their compatibility and organizational policies.
  • Network configurations: Based on the device attributes related to network connectivity, you can push Wi-Fi policies to ensure that devices connect to approved networks and adhere to organization-specific network policies.
  • Email and communication policies: You can use device attributes to configure email and communication settings. This includes setting up and managing corporate email accounts, VPN configurations, and defining communication restrictions based on the device type and operating system.
  • Updates: Based on the device inventory details such as device type, model, OS version, hardware specifications, and more, you can manage updates and plan for hardware upgrades.
  • Remote wipe and lock: In case of a lost or stolen device or when an employee leaves the organization, you can use device attributes to remotely wipe or lock the device.
  • Location-based policies: You can configure different security settings based on device location, for example, one set of settings for when the device is inside the corporate premises and another for when it is outside.
  • Compliance checks: You can monitor whether a device falls out of compliance (for example, an outdated OS version or security settings that are not met), and can automatically remediate the issue by applying the necessary configurations.
  • Custom configurations: You can create custom configurations based on device attributes to tailor the management approach according to the organization's needs and industry regulations.
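As an added illustration (not BigFix or WebUI code), the following Python models how dynamic membership works for the Engineering/United States/iOS group from the Advantages section and for a device-attribute compliance group like the one in the list above: membership is recomputed from the current attributes on every evaluation, so a directory role change or an OS update changes the targeted set without an administrator editing the group. The record fields, the inventory, and the criteria format are constructed assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Record:
    # One enrolled device together with the directory attributes of its user
    # (constructed field names; a real MDM inventory holds many more).
    user: str
    department: str
    country: str
    os: str
    os_version: tuple   # (major, minor) as reported at enrollment or refresh
    encrypted: bool     # device-reported security setting

@dataclass(frozen=True)
class SmartGroup:
    name: str
    criteria: dict              # attribute -> required value (equality match)
    min_os_version: tuple = ()  # optional "OS version >= X" device criterion

    def matches(self, r: Record) -> bool:
        # Nothing is stored about who belongs: membership is derived from the
        # attributes each time, which is what makes the group "dynamic".
        if any(getattr(r, attr) != want for attr, want in self.criteria.items()):
            return False
        return r.os_version >= self.min_os_version

    def members(self, records) -> list:
        return sorted(r.user for r in records if self.matches(r))

# Constructed inventory, as the MDM server might hold it after enrollment and refresh
INVENTORY = [
    Record("alice", "Engineering", "US", "iOS", (17, 4), True),
    Record("bob",   "Engineering", "US", "iOS", (15, 7), True),
    Record("carol", "Engineering", "DE", "iOS", (17, 4), True),
    Record("dave",  "Sales",       "US", "iOS", (17, 4), False),
]

# The page's example: Engineering users located in the US on iOS phones
ENG_US_IOS = SmartGroup("Eng-US-iOS",
                        {"department": "Engineering", "country": "US", "os": "iOS"})
# A compliance-style group: the same population, restricted to a current OS
ENG_US_IOS_CURRENT = SmartGroup("Eng-US-iOS-Current", ENG_US_IOS.criteria,
                                min_os_version=(17, 0))

def role_change(records, user, **changes):
    # Simulate a directory update (e.g. a transfer to Sales); returns a new inventory
    return [replace(r, **changes) if r.user == user else r for r in records]

def needs_remediation(records) -> list:
    # Members of the broad group that fail the stricter one: targets for an update policy
    return sorted(set(ENG_US_IOS.members(records)) - set(ENG_US_IOS_CURRENT.members(records)))
```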

Best practices

Consider the following while you create a smart group:
  • Create Smart Groups to define either user or device criteria that must be met by a new enrollment to match a specific Policy Group and associated configuration.
  • Smart Group name:
    • It should reflect the set of criteria defined in the smart group.
    • Avoid any specific device type references unless the smart group contains device criteria that identify a specific device and/or specific OS criteria.
    • Avoid any application or policy references, as those are not defined within a Smart Group.
  • The same Smart Group can apply to any number of Policy Groups.