Home » Creating Custom Groups
 

Custom Groups

Endpoint Central allows IT admins to group their resources with it's custom group feature, wherein a group can be created either manually or automatically by populating resources from AD Objects. Custom groups can be created to automate certain tasks to be performed on pre-defined targets, thus bringing in a great degree of efficiency. The advantages of custom groups are:

  1. You can have any number of custom groups to group computers and users of a specific department.

  2. You can add or remove users/computers from groups at any point of time.

  3. Groups once created can be used in any number of configurations.

  4. Creating unique custom groups, will leverage user management by defining specific scope (unique custom Groups) to specific users.

  5. Custom groups with computers or users that belong to different domains and workgroups can be created. For configurations that have to be deployed to computers or users belonging to different domains and workgroups, this custom group can be used.

  6. In version 10.0.598 and above, custom groups can be created by technicians with write permission for deployment activities. However these custom groups can be created only on the basis of computers and not users. The managed computers can be filtered by the created custom groups using custom group Filters.

  7. In version 11.2.2331.01 and above, custom groups can be created from Active Directory groups. Replicate organizational structure as exists in the Active Directory into the scope of the product, instead of repeating the process of defining individual groups to perform tasks such as patching, software deployment etc. Predefined objects in the AD will be created and reflected as different groups in the product.

  8. Custom Group creation can also be done on the basis of Domains/Organizational Units (OUs)/AD Groups that exist in the Active Directory. Any sub-objects/ child OUs present under the selected domain/parent OUs will be automatically created as separate custom unique groups.

Grouping of resources can be done in three different ways according to your needs:

Static Custom Group

Static groups can be defined when you have a definite set of users/computers from a single or different domains to be added or when you want the existing Active Directory group structure to be added to the product. These groups are created as targets, for various tasks. A computer can be a part of more than one static custom group.

Static custom groups can also be created by directly choosing the pre-existing subgroups from the AD. All the available groups under the AD will be listed in the product, and the necessary groups can be selected and created into a separate custom groups. Existing subgroups in the selected objects of the AD will be created as individual custom groups (if they aren't already a custom group in the product), with the following naming pattern: AD Group Name - Parent OU - Domain. In the case that the provided name already exists, sequential numbers will be added at the end. [Eg: AD Group Name - Parent OU - Domain (1)]

Static Unique Group

A static unique group is a static custom group, where the computers belonging to this group cannot be added to any other groups. Computers added to a static unique group once, will not be listed when you try to create another group of the same kind. The main purpose of creating a static unique group is to associate these groups as Scope for the users. All the privileges to manage this group can be defined only by the administrator.

The creation of static unique custom groups can also be done by syncing the AD with Endpoint Central. By selecting the Domain/Organizational Unit (OU) while creating the static unique group, all the computers listed under that domain/OU will be associated into that static unique group. If a computer already exists in another group, it will not be added to the new static unique group. Only one particular Domain/OU can be mapped to a custom group. Sub OUs in the selected OU of the AD will be created as individual custom groups (if they aren't already a custom group in the product), with the following naming pattern: AD OU - Parent OU - Domain The Sub-OU based CGs will be mapped to the parent OU CGs.

Dynamic Custom Group

A dynamic custom group is created with a set of rules or criteria. Based on the defined criteria, the computers get automatically included to this group. Any new computers matching the criteria will automatically get added to this group. The computers belonging to this group are generated only during the execution configuration. Currently, we only support Windows and Mac devices. The defined queries will be applied and the result will be published as the dynamic custom group. dynamic Groups can be created on the basis of various criteria like:

  • Computer - Name, Type
  • Operating System - Version, Type
  • Device - Model, Manufacturer
  • Processor - Architecture, Type
  • Service Pack
  • Software - Name, Version
  • IP - Address, Range
  • TPM - Status, Version
  • Bios Version
  • Firmware Type
  • Domain
  • Remote Office
  • Script
  • Bitlocker encryption status

Here are a few scenarios where dynamic custom groups can be used.

To deploy a bitlocker policy to machines that have a specific TPM version

    • In the Select Criteria section, enter the fields as shown below and create the dynamic custom group.

dynamiccg1

  • Create the required policy by navigating to Bitlocker Management -> Policy Creation -> Create Policy and associate the policy with the dynamic CG for deployments.

To get a list of computers that have a particular service running on them

    • and upload it to the script repository.
    • In the Select Criteria section, enter the fields as shown below and create the dynamic custom group.

dynamiccg2

dynamiccg3

  • In script-based dynamic custom groups, the script will be executed during each deployment using the arguments provided in the script repository. The exit code will be compared and the deployment will then begin to the computers that match the provided criteria.

Create a Custom Group

To create a custom group, follow the steps below:

    1. Select the Admin tab

    2. Navigate to Global Settings -> Custom Groups.

    3. Click the Create New Group button and choose if the group should be based on Users or Computers. (Note: For User-based custom groups, only static CG can be created).

    4. Specify the following information:

        1. A name for the custom group. This should be unique.

        2. Define the Category of the custom group you want to create (Static/Static Unique/Dynamic).

        3. Choose to either populate the custom group manually or automatically from the Active Directory.

        4. Creating custom groups

      Static Groups (automatic creation from AD):

          • Select 'AD Groups' under the Membership section.
          • Click on +Select AD Groups and select the necessary objects.
          • Click on Save, and then Create Group.

      Static Unique Groups (automatic creation from AD):

          • Select 'Domain/Organizational Unit' under the Membership section.
          • Click on +Select Domain/Organizational Unit and select the necessary objects.
          • Click on Create Group.

      Dynamic Groups:

        • In the Select Criteria section, fill in the necessary details from the available options.
        • Click on Save.
    5. To create custom groups (both static and static unique) manually, select 'Assign Manually' under the Membership section and add the computers from the available list.

You have successfully created a custom group, which can be used for management purposes.

You can also import a csv file to add computers to a static or static unique group. The csv should contain the name of the computer followed by the domain name as explained below:
Computer Name,Domain Name (Eg: system101,companyorg)

Automate Custom Group creation

Custom groups can be created automatically using Active Directory objects by configuring the sync setting as follows:

  1. Navigate to Admin tab -> Global Settings -> Custom Group.
  2. Choose the Sync Settings tab and click on Add AD Path button.
  3. Choose where the sync has to happen from, by clicking on the AD Groups and Organizational Unit checkbox. The AD Groups and subgroups in the selected AD path will be created as individual static groups while the parent and child OUs will be created as static unique groups.
  4. Select the applicable Group Name Format from the drop list.
  5. Select the required AD Path.
  6. After the necessary actions have been performed, click Preview and Save.

You have now automated custom group creation from the Active Directory.

Note: A sync between the AD and Endpoint Central happens everyday at particular time intervals each day (can be configured by the administrator). To reflect the AD changes immediately in the product, the sync can be initiated manually as well. The maximum number of tries for manual sync between the product and the Active Directory is limited to 4 times a day.

Custom Group Settings

Custom group settings allow an administrator to provide access to custom groups to all technicians handling the various scope of computers, for deploying patches, applications, and configurations. Custom groups created by administrators can be viewed and accessed by a technician only when the custom group settings is Enabled.
Note:

  1. A technician can view only the computers in a custom group that are a part of his scope.
  2. Any technician can create multiple custom groups with the computers under his scope.
  3. A custom group created by an administrator, cannot be viewed by a technician if the setting is Disabled.
  4. Upon disabling the custom group settings, a technician will no longer have control over the tasks with custom groups created by administrators.