Intune Managed

Adventures in Intune management

The Wonderful World of GroupTags

When using SCCM, one of the steps in our task sequence was to prompt the technician to select a profile type. The profile would contain applications and customization required for that specific device’s workflow. For example, in a hospital setting, you may have a different profile for front desk and patient room devices.

A similar approach can be created in Intune by utilizing GroupTags. From my example above, you could create a GroupTag for the front desk and one for patient rooms. But before you just start creating GroupTags, you should think about layout and hierarchy.

Layout and Hierarchy

The first question to ask: Do we really need a hierarchy? The simple answer is… maybe. It really depends on your environment, but for most, absolutely! Especially if you are setting up Intune for the first time, creating a structured hierarchy keeps everything organized. This makes your life soooooo much easier when troubleshooting. Here are some examples of possible layouts:

Example – Grocery chain located in 3 different regions:

  • ABC-Shared-Checkout-123
  • ABC-Shared-Warehouse-123
  • ABC-Shared-CustomerService-123
  • ABC-Assigned-Staff-123
  • XYZ-Shared-Checkout-978
  • XYZ-Shared-Warehouse-978
  • XYZ-Shared-CustomerService-978
  • XYZ-Assigned-Staff-978

Format: Region-Shared/Assigned-WorkstationType-StoreNumber

Example – Medical clinic in different states:

  • NY-Shared-FrontDesk
  • NY-Shared-XRAY
  • NY-Shared-Training
  • NY-Assigned-Leadership
  • NY-Assigned-Staff
  • FL-Shared-FrontDesk
  • FL-Shared-XRAY
  • FL-Shared-Training
  • FL-Assigned-Leadership
  • FL-Assigned-Staff

Format: State-Shared/Assigned-WorkstationType

So what exactly am I using “Shared” and “Assigned” for? Well, it’s for AutoPilot profiles. Our Shared profiles go through self-deploy AutoPilot. Self-deploy is great for setting up devices that are not “Assigned” to specific users….You may see what I did there… Assigned profiles use user-driven AutoPilot. Not necessarily required, but something to keep in mind when creating GroupTags.

As for the remaining GroupTag structure, I find that an ‘Entity > Broad > Narrow > Unique’ approach works best. In my Grocery store example, the region is first, followed by AP profile, workstation type, and store number. While a store might have 10 devices, those devices are unique to that location. Everything preceding that is a larger grouping of devices; 100s of Checkout stations in a Region with 1000s of devices.

Dynamic Rules

Having a structured layout makes it easy to create efficient dynamic group rules to apply AutoPilot profiles, applications, and policies. We can use dynamic groups to organize GroupTags in a whole bunch of ways:

  • All devices in ABC region: -startsWith “ABC”
  • All shared devices: -startsWith “ABC-Shared” -or “XYZ-Shared”
  • All devices in Store 123: -endsWith “123”
  • Warehouse devices in Store 978: -endsWith “Warehouse-978”

You may have noticed I avoided equals and contains operators. While contains should be avoided for performance concerns, I find that equals can also cause silly rules and future rework. For example, see the 2 rules below:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:ABC-Shared-Checkout-123")) -or 
(device.devicePhysicalIds -any (_ -eq "[OrderID]:ABC-Shared-Warehouse-123")) -or 
(device.devicePhysicalIds -any (_ -eq "[OrderID]:ABC-Shared-CustomerService-123")) -or 
(device.devicePhysicalIds -any (_ -eq "[OrderID]:ABC-Assigned-Staff-123"))
(device.devicePhysicalIds -any (_ -endsWith "[OrderID]:123"))

Both of these rules are valid, but the endsWith rule reduces processing time and membership evaluation. It also enables new profile types added in the future to be automatically accounted for. Let’s say the grocery store puts in a customer facing kiosk. You can create a GroupTag like ABC-Shared-CustomerKiosk-123. This GroupTag will populate into the endsWith group without modifying the rule!

App & Policy Assignment

With the hierarchy, app & policy assignment is made simple. Have apps and policies that apply to all workstations? Assign the topmost ‘Entity’ dynamic group. Need to deploy map printers for a specific location? Deploy to your ‘Unique’ dynamic group. Have something only pushed to Assigned devices? Push to the assigned dynamic group.

Tips

  • Follow an ‘Entity > Broad > Narrow > Unique’ approach when developing group tags,
  • Reduce rule complexity in dynamic groups for faster performance.
  • Fun fact, GroupTags & dynamic rules are NOT case sensitive.
  • Dynamic Rule Syntax Examples

Thanks for taking the time to read this post. If you have any questions or feedback, please comment below!

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.