002: Device groups
Implementation Effort: Low – IT and Security Operations teams need to create new devices groups.
User Impact: Low - The end users will not experience any new prompt or changes on their devices.
Overview
-
Overview of Intune Grouping and Targeting Concepts:
- Microsoft Entra ID groups: Microsoft Intune primarily uses Microsoft Entra ID groups for grouping and targeting. These groups allow you to assign apps, policies, and other workloads to users and devices. They're also used for role-based administration (RBAC) as scope groups.
- Virtual Groups: The "All users" and "All devices" assignments are Intune's virtual groups. They exist by default in all Intune tenants and don't require manual management. They're highly scalable and optimized.
- Filters: Filters allow you to narrow the assignment scope of apps and policies. You can target user or device groups and filter devices based on specific properties. Filtering is high-performance and evaluated during device check-in without pre-computation¹.
-
Benefits of Device Groups:
- Granularity: Device groups allow precise targeting. You can create groups based on device properties (e.g., OS version, compliance status).
- Efficiency: Assigning policies to smaller device groups reduces synchronization overhead and speeds up deployments.
- Troubleshooting: Device groups help isolate issues by narrowing down the affected devices.
-
Drawbacks and Considerations:
- Synchronization Backlogs: Large Microsoft Entra ID groups with many users or devices can cause synchronization delays. Policy and app deployments take longer to reach managed devices¹.
- Tattooed Settings: If settings or apps are applied before device filters are evaluated, troubleshooting unexpected configurations becomes challenging².
-
Device Groups vs. User Groups:
- Device Groups: Ideal for device-specific policies (e.g., security settings, app installations).
- User Groups: Useful for user-centric policies (e.g., user-targeted apps, conditional access).