After you create your device groups, you can save time by connecting device groups to user groups or connecting policy groups to device groups. Access to all resources is implicitly denied by default.
Assigning a Device Group to a User Group
Binding a user group to a device group will create a local user account for each user in the user group on each device in the device group. Adding a large number of user accounts to a device may prevent it from operating correctly.
To grant access, user groups must be explicitly bound to resources.
To assign a device group to a user group:
- Log in to the .
- Go to DEVICE MANAGEMENT > Device Groups.
- Select any one of the device groups by clicking anywhere along each row.
- Select the User Groups tab.
- Select the checkbox next to a group of users.
- 颁濒颈肠办听save.
Assigning a Policy Group to a Device Group
You can save time by creating a policy group, adding multiple policies to it, and assigning the group to a device group. For example, you can create a policy group for macOS devices called Mac Security that uses 黑料海角91入口鈥檚 Lock Screen policy to automatically turn on the screen saver if a device is inactive for a specific amount of time. The policy group could also contain a policy to control Apple App Store purchases to allow only updates to existing apps.
A policy group is especially useful in implementing security or compliance-related issues on managed devices.
Prerequisite:
- Policies have been created. See聽Create a Policy.
To assign a policy group to a device group:
- Log in to the .
- Go to DEVICE MANAGEMENT > Device Groups.
- Select any one of the device groups by clicking anywhere in the row.
- Select the Policy Groups tab.
- Select one or more policy groups to assign to this device group.
- 颁濒颈肠办听save.
Setting the Administrator/Sudo Permissions on a User Group
Setting Administrator/Sudo permission at the user group level centralizes management of elevated device permissions in a single place. Permissions set at the user group level will be applied to the associated device groups. Group members will inherit permissions to devices that are associated with those device groups.
Considerations:
- Permissions that are granted directly on a user supersede permissions granted at a group level.
- It鈥檚 possible to have permissions added on both the direct user association to the device and the indirect group association to the device. This is visible on the association of a user and a device. (See example image below).
- It's possible to remove duplicate permission assignments on a user to device association via removing the elevated permission on the associated device by selecting 鈥淣o Elevated Permissions鈥 or via removing the user from the group.
- If permissions are elevated on a direct association prior to a group association, it may be desirable to remove the duplicate access grants.
To give users within a user group Administrator/Sudo access across all device groups:
- Log in to the .
- Go to USER MANAGEMENT > User Groups.
- Select a user group from the list. The Details tab for that user group appears.
- Select Enable users as Administrator/Sudo on all devices associated through device groups checkbox and click save. All users in that user group will be given administrator permissions on all devices bound to any device group associated to the user group. A "Permission Settings Update" email notification is sent.
The聽Global Passwordless Sudo聽setting is applicable to Linux and Mac devices and only recommended for service accounts.