When it comes to leveraging DEP, my understanding is that you set the 'Device Organization Group' under 'Settings > Devices & Users > Apple > Device Enrollment Program' to whichever OG you want your devices to be added to upon DEP enrollment. But then there is also the Group Assignment mapping under 'Settings > Devices & Users > General > Enrollment > Grouping' where you can also set which OG the device will be added to based on the enrollment user's AD group membership.
So my question is what happens when the DEP profile settings instruct the device to be added to OG 1 but then the grouping settings instruct the device to be added to OG 2. Which of the two takes precedence?
The reason why I am asking is because we see DEP devices ending up in the wrong (top) OG upon enrollment; however, it may be that we do want to do so for non-DEP devices while all users are members of the same AD group.
The Enrollment Grouping has a ranking system where you have to set unique user group assignments before the default groups. In other words, we have 200 different assignments and the last two entries are the catch-all groups for anyone that isn't found in one of the defined groups. Our last ranked (199 and 200) group enrollment entries are for 'AllStaff' and 'AllStudents'. If a user is not found in any of the 198 other groups they are defaulted to the company-level OG where we normally have no devices, since all devices are normally enrolled to sub-OGs based on the user's AD credentials and their assigned AD groups (OUs or Security Groups).
Hey Rich, thanks for replying. So let's suppose a student is a member of group number 10, which instructs the device to be added to OG 1 according to the Enrollment Grouping ranking you mentioned, and that user enrolls a DEP device which follows the DEP profile settings and is expected to add the device to OG 2. Which OG will the device be added to then? OG 1 or OG 2? If it is OG 1, then what is the role of the 'Device Organization Group' field in the DEP profile settings?
What we are seeing is this: User A is not a member of any AD group and enrolls a DEP device, which should result in the device being added to OG 1. However, the device ends up in the top-level OG even though the user is not in any AD groups listed in the Enrollment Grouping ranking. What is also interesting to note is that the device's ownership reports as 'Corporate', which is what you would expect from a DEP device, so that setting is correct; however, the OG assignment based on the DEP profile settings is wrong! So the device ownership is right but the OG membership is wrong. Logically, if there was some kind of relation to the Enrollment Grouping ranking list, I would also expect the device to show up as 'Personal' since the 'Default Device Ownership' on the top-level OG is 'Employee Owned' so...