Question - How far do you generally go, to subdivide devices into groups?
Posted by Donkey_God-D@reddit | sysadmin | 15 comments
As the title states, my question is about subdividing devices into groups, and what is your limit?
Background info: We're a small-ish company, with about 60 employees and roughly 80 devices. We have some NUCs that are being used for testing, development, and product testing. These NUCs generally don't switch places from R&D to product testing, for example, but it can happen if needed.
More context for my question:
I'm debating whether or not I should create groups for those specific NUCs, keep them in one group, or do something I haven't thought of. I fear that when I divide it too much, it'll become as much spaghetti as it is when I don't divide it enough.
Any advice?
I'll try to respond to everything as properly as I can.
RepulsiveDuck331@reddit
Group by policy intent, not org chart. If R&D and Product Testing NUCs need different rules, they're different groups - doesn't matter if it's 5 devices or 50. The "too small to bother" trap is what creates spaghetti later when someone bolts on exceptions.
What's worked for us: dynamic groups in Intune based on device naming or category. Something like NUC-RND-01, NUC-PT-01, then dynamic membership rules do the sorting. Set it once, new devices auto-land in the right bucket.
Keep a baseline policy assigned to all corp devices, then layer purpose-specific stuff on top. Way easier to audit than a flat pile of overlapping assignments.
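An added example (not code from any commenter) of the naming-convention approach described above: one baseline group for all corporate Windows devices plus two purpose-specific dynamic groups, created with the Microsoft Graph PowerShell module. The NUC-RND- and NUC-PT- prefixes follow the names in the comment; the group names, the Windows-only filter on the baseline, and the two-digit suffix in the compliance check are my assumptions.

```powershell
# Added example, not from the thread: baseline group plus two purpose-specific
# dynamic groups keyed on the device naming convention (NUC-RND-xx for R&D,
# NUC-PT-xx for product testing). Requires the Microsoft.Graph.Groups and
# Microsoft.Graph.Identity.DirectoryManagement modules; group names are assumptions.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Device.Read.All"

# Rules use Entra ID dynamic-group syntax. A device lands in the bucket its name
# says, so policy follows the name rather than a manual assignment someone forgets.
$groups = @(
    @{ Name = "DEV-Baseline-Windows"; Rule = '(device.deviceOSType -eq "Windows")' }
    @{ Name = "DEV-NUC-RND";          Rule = '(device.displayName -startsWith "NUC-RND-")' }
    @{ Name = "DEV-NUC-PT";           Rule = '(device.displayName -startsWith "NUC-PT-")' }
)

foreach ($g in $groups) {
    $params = @{
        DisplayName                   = $g.Name
        MailEnabled                   = $false
        MailNickname                  = $g.Name
        SecurityEnabled               = $true
        GroupTypes                    = @("DynamicMembership")
        MembershipRule                = $g.Rule
        MembershipRuleProcessingState = "On"
    }
    $created = New-MgGroup @params
    Write-Host ("Created {0} ({1}) with rule {2}" -f $created.DisplayName, $created.Id, $g.Rule)
}

# Naming compliance check: a NUC whose name matches neither prefix inherits only
# the baseline policy, which is the safe default but is easy to miss. Listing the
# stragglers here catches typos before anyone wonders why a device lacks its rules.
Get-MgDevice -Filter "startsWith(displayName,'NUC-')" -All |
    Where-Object { $_.DisplayName -notmatch '^NUC-(RND|PT)-\d{2}$' } |
    Select-Object DisplayName, Id
```

Dynamic membership is evaluated asynchronously by the directory, so newly named devices can take several minutes to appear in their group.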
Donkey_God-D@reddit (OP)
Thanks for the info about how you handle it. I will definitely look into applying the same kind of idea, to see if it would work for us, too!
David-Gallium@reddit
The question is why? Are you trying to target policies to those devices? Security rules? Are we talking about AD groups? Intune? Something else?
What is the specific problem you are trying to solve?
As a bit of MSP pragmatism I've never bothered too much with trying to divvy up devices like this. I've used groups that each apply one specific rule, e.g. "These devices get X software group". Because I always ended up with that one user in finance who needed that one bit of software from R&D and broke the role based answer anyway.
xendr0me@reddit
Agree, what are you trying to accomplish? At a minimum I would have devices in OUs by Location > Department and if you have only one location, just Department. Especially with 80 devices. If they all have uniform names, then that's not overwhelming or an issue at all.
Donkey_God-D@reddit (OP)
We're using Intune, where we can divide them into different OUs, which we haven't done yet. I will update the post with more context based on your question.
Previous-Low4715@reddit
All my device based rules are global and I have thousands of devices.
SevaraB@reddit
This. Context is everything. Group policy/Intune CSPs? Get as specific as you can manage without going underwater. Asset management? Track the serials and call it a day. NAC? Two buckets: one for devices that support EAP-TLS and roll it out to those devices, MAC allow lists to function-specific networks defined as specifically as possible to avoid data leakage.
Donkey_God-D@reddit (OP)
What we want to accomplish is to have an easy way to update the devices in their respective groups, where they get the correct amount of freedom they need. This means that we want to try and set our rules in such a way that the employees can do their work without any issue, but nothing more than that.
I will update the post with more information, based on your questions.
Donkey_God-D@reddit (OP)
I will add this reply to the main post as well.
But yes, I want to apply security rules from Intune. The policies are going to be slightly different from each other, since the NUCs in question need to have different access. Some need to be able to access certain websites or databases, while the others are just running constant scripts or programs for testing.
David-Gallium@reddit
So my go-to here is one group equals one outcome, e.g.:
- SG-EnableRemoteDesktop
- SG-AccessToFileShare1
Depending on the lifecycle I would either automate application of said groups or tie them 1:1 to the user/computer request form.
Keep in mind I'm coming from an MSP world where techs cannot be expected to remember every nuance about what group infers which rights. It needed to be totally unambiguous, even if that meant a very long list of groups.
Donkey_God-D@reddit (OP)
I appreciate your input, and I will see if your suggestion makes sense for our company. I think that creating a separate group per device type/department is a good option.
SudoZenWizz@reddit
From my point of view, group them based on the destination.
For example: we have multiple customers and we grouped their systems:
Customer1 -> Network -> Routers
Customer1 -> Network -> Switches
Customer1 -> Servers -> APP1
Customer1 -> Servers -> APP2
In your case, you can group based on app, criticality.
Donkey_God-D@reddit (OP)
That might also be an option to work with. That would require some restructuring within our Intune environment, but that is not the worst to do. Thank you for the advice, I'll look into it!
Curious201@reddit
I’d group by policy/risk, not by “nice tidy department map.” If the terminals all need the same lockdown, updates, remote access, and app set, they can probably live together even if they’re in different places. Split only when something actually changes: different software, different update window, different security baseline, different owner, or different compliance need. Otherwise you end up maintaining 40 groups just because the org chart looks neat.
Donkey_God-D@reddit (OP)
That is the point - they do need different security baselines, because the groups that we use have different functionalities, with widely ranging needs for their work.