Endpoint Central allows IT admins to group their resources with it's custom group feature, wherein a group can be created either manually or automatically by populating resources from AD Objects. Custom groups can be created to automate certain tasks to be performed on pre-defined targets, thus bringing in a great degree of efficiency. The advantages of custom groups are:
You can have any number of custom groups to group computers and users of a specific department.
You can add or remove users/computers from groups at any point of time.
Groups once created can be used in any number of configurations.
Creating unique custom groups, will leverage user management by defining specific scope (unique custom Groups) to specific users.
Custom groups with computers or users that belong to different domains and workgroups can be created. For configurations that have to be deployed to computers or users belonging to different domains and workgroups, this custom group can be used.
In version 10.0.598 and above, custom groups can be created by technicians with write permission for deployment activities. However these custom groups can be created only on the basis of computers and not users. The managed computers can be filtered by the created custom groups using custom group Filters.
In version 11.2.2331.01 and above, custom groups can be created from Active Directory groups. Replicate organizational structure as exists in the Active Directory into the scope of the product, instead of repeating the process of defining individual groups to perform tasks such as patching, software deployment etc. Predefined objects in the AD will be created and reflected as different groups in the product.
Custom Group creation can also be done on the basis of Domains/Organizational Units (OUs)/AD Groups that exist in the Active Directory. Any sub-objects/ child OUs present under the selected domain/parent OUs will be automatically created as separate custom unique groups.
Grouping of resources can be done in three different ways according to your needs:
Static groups can be defined when you have a definite set of users/computers from a single or different domains to be added or when you want the existing Active Directory group structure to be added to the product. These groups are created as targets, for various tasks. A computer can be a part of more than one static custom group.
Static custom groups can also be created by directly choosing the pre-existing subgroups from the AD. All the available groups under the AD will be listed in the product, and the necessary groups can be selected and created into a separate custom groups. Existing subgroups in the selected objects of the AD will be created as individual custom groups (if they aren't already a custom group in the product), with the following naming pattern: AD Group Name - Parent OU - Domain. In the case that the provided name already exists, sequential numbers will be added at the end. [Eg: AD Group Name - Parent OU - Domain (1)]
A static unique group is a static custom group, where the computers belonging to this group cannot be added to any other groups. Computers added to a static unique group once, will not be listed when you try to create another group of the same kind. The main purpose of creating a static unique group is to associate these groups as Scope for the users. All the privileges to manage this group can be defined only by the administrator.
The creation of static unique custom groups can also be done by syncing the AD with Endpoint Central. By selecting the Domain/Organizational Unit (OU) while creating the static unique group, all the computers listed under that domain/OU will be associated into that static unique group. If a computer already exists in another group, it will not be added to the new static unique group. Only one particular Domain/OU can be mapped to a custom group. Sub OUs in the selected OU of the AD will be created as individual custom groups (if they aren't already a custom group in the product), with the following naming pattern: AD OU - Parent OU - Domain The Sub-OU based CGs will be mapped to the parent OU CGs.
A dynamic custom group is created with a set of rules or criteria. Based on the defined criteria, the computers get automatically included to this group. Any new computers matching the criteria will automatically get added to this group. The computers belonging to this group are generated only during the execution configuration. The defined queries will be applied and the result will be published as the dynamic custom group. dynamic Groups can be created on the basis of various criteria like:
Here are a few scenarios where dynamic custom groups can be used.
To deploy a bitlocker policy to machines that have a specific TPM version
To get a list of computers that have a particular service running on them
To create a custom group, follow the steps below:
Select the Admin tab
Navigate to Global Settings -> Custom Groups.
Click the Create New Group button and choose if the group should be based on Users or Computers. (Note: For User-based custom groups, only static CG can be created).
Specify the following information:
A name for the custom group. This should be unique.
Define the Category of the custom group you want to create (Static/Static Unique/Dynamic).
Choose to either populate the custom group manually or automatically from the Active Directory.
Creating custom groups
Static Groups (automatic creation from AD):
Static Unique Groups (automatic creation from AD):
To create custom groups (both static and static unique) manually, select 'Assign Manually' under the Membership section and add the computers from the available list.
You have successfully created a custom group, which can be used for management purposes.
You can also import a csv file to add computers to a static or static unique group. The csv should contain the name of the computer followed by the domain name as explained below:
Computer Name,Domain Name (Eg: system101,companyorg)
Custom groups can be created automatically using Active Directory objects by configuring the sync setting as follows:
You have now automated custom group creation from the Active Directory.
Note: A sync between the AD and Endpoint Central happens everyday at particular time intervals each day (can be configured by the administrator). To reflect the AD changes immediately in the product, the sync can be initiated manually as well. The maximum number of tries for manual sync between the product and the Active Directory is limited to 4 times a day.
Custom group settings allow an administrator to provide access to custom groups to all technicians handling the various scope of computers, for deploying patches, applications, and configurations. Custom groups created by administrators can be viewed and accessed by a technician only when the custom group settings is Enabled.