hcenriquez
Contributor

Enrolling into a DEP-defined Organization Group

I have a child organization group holding my users and their devices. I have a second organization group with a special set of devices that are placed into the OG during DEP enrollment.

I want users to be able to enroll on those devices and have the devices stay in their special OG without having to change the default enrollment OG on the user.

As an example:

A company has all users and corporate devices in an 'Every day' OG. Those users are set to default enrolled devices to the 'Every day' OG so that whenever a user is issued a normal work phone, the device goes into the 'Every day' OG.

The company goes on an annual week-long retreat. While there, they receive iPads pre-configured and pre-loaded with settings and content special to the trip. A second OG, 'Retreat', holds those iPads for the trip and a DEP profile sets them in that OG during enrollment. Users need to be able to be issued a 'Retreat' iPad and have it stay in the 'Retreat' OG, not be moved to the 'Every day' OG as a result of user enrollment.

Is this possible?

rterakedis
VMware Employee

When macOS enrolls to Workspace ONE UEM, numerous factors control the specific organization group where the device is placed.   Before the Organization Group for the device is finalized, Workspace ONE checks multiple attributes for both the DEP profile and the User account enrolling to best determine where the device should go.  The following attributes are considered during Organization Group selection:

  • User's "Enrollment Organization Group" -- Found in the User Account properties under the General tab
  • User's "Managed By" Organization Group -- The level at which this user is integrated into the console
  • The "Device Organization Group" associated with the Automated Device Enrollment (or "DEP") Profile
  • "User Group Mapping" setting in the console Groups & Settings > All Settings > Devices & Users > General > Enrollment > Grouping
  • "Batch Import" for device Organization Group Override following Automated Device Enrollment (or "DEP").  Note: This method is not typically advised.

For devices enrolling with Automated Device Enrollment (or "DEP") via Apple Business Manager:

  1. ONLY if the Automated Device Enrollment (or "DEP") Profile specifies "Authentication = OFF" and staging is configured, the device will enroll to the Staging User's "Enrollment Organization Group" and NOT the Automated Device Enrollment (or "DEP") Profile's "Device Organization Group"
  2. If "User Group Mapping" is configured, the device will enroll to the organization group based on the preconfigured AD user group and organization group mapping.  In this scenario, the Automated Device Enrollment (or "DEP") Profile's "Device Organization Group" and the User's "Enrollment Organization Group" are not considered.
  3. Without User Group Mapping, if the Automated Device Enrollment (or "DEP") Profile's "Device Organization Group" and the User's "Enrollment Organization Group" are in the same branch (parent/child), the device enrolls to the lower (child) Organization Group.
  4. Without User Group Mapping, if the Automated Device Enrollment (or "DEP") Profile's "Device Organization Group" and the User's "Enrollment Organization Group" are siblings, then the device enrolls to the Automated Device Enrollment (or "DEP") Profile's "Device Organization Group".

For more information (and a flowchart), refer to VMware KB 83132 - Organization Group Assignment In Workspace ONE for Automated Device Enrollment (AD....
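
The four rules in the reply above can be modelled as a small decision function for checking an OG layout before devices are handed out. This is an added example, not part of the original thread and not VMware code. Assumptions: the OG tree and its names (including a 'Company' parent that makes 'Every day' and 'Retreat' siblings) are constructed, the rules are evaluated in the order listed, and "same branch" is read as one OG being an ancestor of the other.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed OG tree (child -> parent); names and layout are assumptions.
PARENT = {"Company": None, "Every day": "Company", "Retreat": "Company",
          "Retreat VIP": "Retreat", "Staging": "Company"}

@dataclass
class Enrollment:
    dep_profile_og: str                    # DEP profile "Device Organization Group"
    user_enrollment_og: str                # user's "Enrollment Organization Group"
    authentication_on: bool = True         # DEP profile "Authentication" setting
    staging_user_og: Optional[str] = None  # staging user's enrollment OG, if staging is set up
    mapped_og: Optional[str] = None        # OG chosen by "User Group Mapping", if configured

def ancestors(og: str) -> list:
    """Return the OGs above `og` in the tree, nearest first."""
    chain = []
    while PARENT[og] is not None:
        og = PARENT[og]
        chain.append(og)
    return chain

def resolve_og(e: Enrollment) -> Optional[str]:
    """Apply rules 1-4 in listed order; None means the reply does not cover the case."""
    # Rule 1: Authentication = OFF plus staging -> staging user's enrollment OG.
    if not e.authentication_on and e.staging_user_og:
        return e.staging_user_og
    # Rule 2: User Group Mapping overrides both the DEP OG and the user's OG.
    if e.mapped_og:
        return e.mapped_og
    dep, user = e.dep_profile_og, e.user_enrollment_og
    # Rule 3: same branch -> the lower (child) OG wins.
    if dep in ancestors(user):
        return user
    if user in ancestors(dep):
        return dep
    # Rule 4: siblings -> the DEP profile's Device Organization Group wins.
    if PARENT[dep] == PARENT[user]:
        return dep
    return None  # e.g. OGs in different branches: not described in the reply

if __name__ == "__main__":
    # The retreat scenario, under the assumed sibling layout.
    print(resolve_og(Enrollment("Retreat", "Every day")))
```

A `None` result marks a layout the reply does not describe; the flowchart in the referenced KB is the place to check those cases.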