KonstantinosLei
Contributor

DEP - Device Organization Group vs. Enrollment - Group assignment mapping


When it comes to leveraging DEP, my understanding is that you set the 'Device Organization Group' under 'Settings > Devices & Users > Apple > Device Enrollment Program' to whichever OG you want your devices to be added to upon DEP enrollment. But then there is also the Group Assignment mapping under 'Settings > Devices & Users > General > Enrollment > Grouping' where you can also set which OG the device will be added to based on the enrollment user's AD group membership.


So my question is what happens when the DEP profile settings instruct the device to be added to OG 1 but then the grouping settings instruct the device to be added to OG 2. Which of the two takes precedence?


The reason why I am asking is because we see DEP devices ending up in the wrong (top) OG upon enrollment; however, it may be that we do want to do so for non-DEP devices while all users are members of the same AD group.


Accepted Solutions
RichB2u2
Hot Shot

The Enrollment Grouping has a ranking system where you have to set unique user group assignments before the default groups. In other words, we have 200 different assignments and the last two entries are the catch-all groups for anyone that isn't found in one of the defined groups. Our last-ranked (199 and 200) group enrollment entries are for 'AllStaff' and 'AllStudents.' If a user is not found in any of the 198 other groups they are defaulted to the company-level OG, where we normally have no devices since all devices are normally enrolled to sub-OGs based on the user's AD credentials and their assigned AD groups (OUs or Security Groups).


8 Replies
KonstantinosLei
Contributor

Hey Rich, thanks for replying. So let's suppose a student is a member of group number 10, which instructs the device to be added to OG 1 according to the Enrollment Grouping ranking you mentioned, and that user enrolls a DEP device which follows the DEP profile settings and is expected to add the device to OG 2. Which OG will the device be added to then? OG 1 or OG 2? If it is OG 1, then what is the role of the 'Device Organization Group' field in the DEP profile settings?


What we are seeing is this: User A is not a member of any AD group and enrolls a DEP device, which should result in the device being added to OG 1. However, the device ends up in the top-level OG even though the user is not in any AD groups listed in the Enrollment Grouping ranking. What is also interesting to note is that the device's ownership reports as 'Corporate', which is what you would expect from a DEP device, so that setting is correct; however, the OG assignment based on the DEP profile settings is wrong! So the device ownership is right but the OG membership is wrong. Logically, if there was some kind of relation to the Enrollment Grouping ranking list, I would also expect the device to show up as 'Personal' since the 'Default Device Ownership' on the top-level OG is 'Employee Owned' so...

RichB2u2
Hot Shot
A user that is not in a defined enrollment grouping will enroll a device at the top company OG for us too, and that is expected. All of our users are in AD and they cannot enroll a device with their credentials unless they are. The exception to this is generic users we have created in AirWatch as generic student accounts per site for enrolling iPads that will be shared (but not Apple's definition of shared iPads with individuals logging in). Our default DEP profile would have us enroll all devices at the top company level, but with Enrollment Grouping we can control where a device gets enrolled. All users are also located at the top company level and only devices are assigned to sub-OGs.

Why would User A be expected to enroll into OG 1 if they are not in any AD groups? I would expect it to enroll at the top company level.
We don't pay much attention to the device ownership now that we are no longer allowing personal BYOD devices to be enrolled. All our devices start as 'Corporate - Dedicated' unless changed later to 'Corporate - Shared.'
KonstantinosLei
Contributor
Hey Rich!

The answer to 'Why would User A be expected to enroll into OG 1 if they are not in any AD groups?' is because that is what is designated in the DEP profile: the DEP profile has OG 1 set in the 'Device Organization Group', so that by itself should be enough! You may ask why the user isn't a member of an AD group; that could be for many reasons, but why should this matter since we have the 'Device Organization Group' setting in the DEP profile?

What I suspect is that the user needs to be a member of any (it does not matter which) AD group listed in the Enrollment Grouping ranking for the DEP setting to work, even if the Enrollment Grouping ranking won't be taken into account after all... just a theory, I will test and provide an update 🙂
RichB2u2
Hot Shot
My DEP profile is set to put devices into our top company 'OG 0' and not a sub-OG. They default there for me when not in any of the designated groups, and that is where all the user accounts are stored. I have a catch-all enrollment group at the end to tell them where to be enrolled if not found in other groups.

Do you have an enrollment grouping for the desired default at the bottom of the enrollment grouping rankings? That would be how a person gets a device enrolled into the proper group, or the desired default if not found in a group. For example, you would have the students of group 10 be enrolled into OG 1 and then an entry ranked after that for All Students that would enroll them to OG 2. This would work in your scenario: if the student was in group 10 they would enroll into OG 1, and if not, enroll into OG 2.
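The ranking behaviour Rich describes in the accepted solution (specific user-group entries ranked first, catch-all entries last, first match wins, and a user in no listed group falling through to the OG where the user account lives), together with his group 10 / All Students example above, modelled as an added Python illustration. This is not Workspace ONE / AirWatch code and was not posted by anyone in the thread: the first-match-in-rank-order semantics, the fallback OG, the AD group names and memberships, and the function names are all assumptions made for the example. The `unreachable_entries` check is the one a practitioner would run before saving the ranking, because a catch-all ranked above a specific entry silently makes that entry dead.

```python
"""Model of ranked Enrollment Grouping evaluation (added illustration).

Assumptions (not confirmed by the thread or by VMware documentation):
  * the console walks the ranked list top to bottom and the first entry
    whose AD group contains the enrolling user wins;
  * a user matching no entry is enrolled where the user account lives,
    which in this thread is the top-level OG.
"""
from dataclasses import dataclass

# Constructed AD membership data: group name -> set of account names.
AD_GROUPS = {
    "Group10-Students": {"alice", "bob"},
    "AllStudents": {"alice", "bob", "carol"},
    "AllStaff": {"dave"},
}


@dataclass(frozen=True)
class GroupAssignment:
    rank: int         # position in the Enrollment Grouping list (1 = evaluated first)
    user_group: str   # AD group (OU or security group) the entry matches on
    target_og: str    # organization group the device is enrolled into


# Rich's layout: specific entries first, catch-alls (AllStaff/AllStudents) last.
RANKED_OK = [
    GroupAssignment(1, "Group10-Students", "OG 1"),
    GroupAssignment(199, "AllStaff", "OG Staff"),
    GroupAssignment(200, "AllStudents", "OG 2"),
]

# Misordered: the catch-all is ranked above the specific entry, so group 10
# students never reach OG 1.
RANKED_BAD = [
    GroupAssignment(1, "AllStudents", "OG 2"),
    GroupAssignment(2, "Group10-Students", "OG 1"),
]


def groups_of(user, ad_groups=AD_GROUPS):
    """AD groups the user is a member of (hypothetical directory lookup)."""
    return {g for g, members in ad_groups.items() if user in members}


def resolve_og(user, assignments, ad_groups=AD_GROUPS, fallback_og="OG 0 (top level)"):
    """First-match evaluation in rank order. Returns (target OG, matched rank).

    matched rank is None when no entry matched and the fallback OG was used.
    """
    memberships = groups_of(user, ad_groups)
    for entry in sorted(assignments, key=lambda e: e.rank):
        if entry.user_group in memberships:
            return entry.target_og, entry.rank
    # No entry matched: the device lands where the user account lives.
    return fallback_og, None


def unreachable_entries(assignments, ad_groups=AD_GROUPS):
    """Ranks of entries that can never win.

    An entry is dead when every member of its AD group is already captured
    by some higher-ranked entry, which is exactly what happens when a
    catch-all group is ranked above the specific groups it contains.
    """
    covered = set()
    dead = []
    for entry in sorted(assignments, key=lambda e: e.rank):
        members = ad_groups.get(entry.user_group, set())
        if members and members <= covered:
            dead.append(entry.rank)
        covered |= members
    return dead


if __name__ == "__main__":
    for user in ("alice", "carol", "dave", "erin"):
        print(user, "->", resolve_og(user, RANKED_OK))
    print("alice with misordered list ->", resolve_og("alice", RANKED_BAD))
    print("dead entries in RANKED_OK :", unreachable_entries(RANKED_OK))
    print("dead entries in RANKED_BAD:", unreachable_entries(RANKED_BAD))
```

Running it shows alice landing in OG 1 and carol in OG 2 with the correct ordering, erin (in no listed group) falling through to the top-level OG, and, with the misordered list, alice landing in OG 2 while the rank 2 entry is reported as unreachable. The DEP profile's 'Device Organization Group' is deliberately not modelled, since the thread never settles how it interacts with the ranking.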
SebastianNeufin
Contributor
Maybe this is relevant for you? Taken from the release notes:
Version 1902 -> Resolved Issues: AAPP-6311: User group mapping not taking effect for DEP devices with Authentication turned off and Staging mode set to None.
KonstantinosLei
Contributor
Hey Sebastian, Rich,

In our case authentication is On, so that's not it. I feel this may end up being a bug; picture this:

You have 10,000 users who can get a DEP device and/or use their own device. You can't tell which of these users will use their own, so you can't really add them to AD groups based on their preference; they will most probably be members of the same AD group.

The DEP profile has the 'Device Organization Group' field in which you set the OG you want the DEP devices added to; I think this is as straightforward as it can get. Now, if you would then want the Enrollment Grouping ranking to be evaluated after the DEP device has been enrolled, then there should be a checkbox in the DEP profile to state that, otherwise it should not. If today AirWatch does take the Enrollment Grouping ranking into account after the DEP enrollment, then having the 'Device Organization Group' field in the DEP profile is pointless, right?

I will keep investigating but your opinion is greatly appreciated.

KonstantinosLei
Contributor
OK, so it looks like you can't do it with automatic group assignment unless you are willing to have a really funky OG setup (which we are not willing to). We will switch to using group IDs during enrollment instead... Thank you all!