
What are most people doing as a best practice for organizing groups? We currently have 3 groups: User Laptops, Servers, Testing. This has worked fine for our needs except for the fact that worklets for Macs show up on the list for Windows devices, and the same for Windows worklets on Macs.



It seems like the way to keep things clean is to make sub-groups by OS, but since policies can't be inherited, things like patching policies that apply to both would need to be assigned to each sub-group. Not a huge deal with our small size (currently), but I am a little concerned about how this will scale out in the future, since it leaves the opportunity open to forget to apply a policy to a sub-group.

It would be awesome if policies could be inherited to sub-groups of the parents to be honest! Would make managing policies a little easier for sure. I think this is a feature request already though.


The typical setups we see most commonly are:

  1. Group by OS type
  2. Group by office location
  3. Larger companies will do separate orgs for one level of organization, then organize each of the groups underneath that. Downside is you have to switch orgs and you can’t do any cross-org configuration or coordination.


Good point on the inheritance @Westyy and that’s something we need to look at as we work on endpoints in multiple groups and dynamic groups as a feature.


We have individual Device Groups based on groups of servers that customers requested be patched at the same time (generally location or application focused).

  • e.g. Group1111_Devices, Group1112_Devices, etc


We also built custom automation outside the platform that references an auxiliary table housing each of these device groups, their subscribed devices, and their scheduling information. This automation ensures the correct devices are assigned to the correct Device Groups, creates the Device Group if it’s new, and creates policies and attaches (or maintains if already created) them to their respective group with the same naming scheme.

  • e.g. Group1111_Policy > Group1111_Devices, Group1112_Policy > Group1112_Devices


TL;DR - we built custom automation to create & maintain group/policy assignments and facilitate scalability based on CMDB information.


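The reconciliation described in the last post, sketched as an added example (not the poster's automation and not the platform's API): a pure planning function that compares a CMDB-style table with the live groups and policies and returns the changes needed. The dictionary shapes, action names, device names and schedules are assumptions constructed for illustration; only the `GroupNNNN_Devices` / `GroupNNNN_Policy` naming scheme comes from the thread.

```python
# Added example. Field names, group ids and devices are constructed; no platform API is called.

def plan_reconcile(desired, groups, policies):
    """Return the ordered actions that bring live state in line with the table.

    desired:  {group_id: {"devices": set[str], "schedule": str}}  (the auxiliary table)
    groups:   {group_name: set[str]}                              (live device groups)
    policies: {policy_name: {"schedule": str, "groups": set[str]}}
    """
    actions, owner = [], {}
    for gid in sorted(desired):
        row = desired[gid]
        group, policy = f"{gid}_Devices", f"{gid}_Policy"
        for dev in sorted(row["devices"]):
            if dev in owner:  # a table error: one device, two patch schedules
                raise ValueError(f"{dev} is in both {owner[dev]} and {group}")
            owner[dev] = group
        if group not in groups:
            actions.append(("create_group", group))
        for dev in sorted(row["devices"] - groups.get(group, set())):
            actions.append(("assign_device", dev, group))
        live = policies.get(policy)
        if live is None:
            actions.append(("create_policy", policy, row["schedule"]))
        elif live["schedule"] != row["schedule"]:
            actions.append(("update_schedule", policy, row["schedule"]))
        # Without inheritance, a group with no attached policy is simply unpatched.
        if live is None or group not in live["groups"]:
            actions.append(("attach_policy", policy, group))
    # Devices still sitting in a group although the table does not list them anywhere.
    for group in sorted(groups):
        for dev in sorted(groups[group]):
            if dev not in owner:
                actions.append(("flag_unlisted_device", dev, group))
    return actions

# Constructed sample state
DESIRED = {
    "Group1111": {"devices": {"srv-a", "srv-b"}, "schedule": "Sat 02:00"},
    "Group1112": {"devices": {"srv-c"}, "schedule": "Sun 03:00"},
}
GROUPS = {"Group1111_Devices": {"srv-a", "srv-old"}}
POLICIES = {"Group1111_Policy": {"schedule": "Sat 04:00", "groups": set()}}

if __name__ == "__main__":
    for action in plan_reconcile(DESIRED, GROUPS, POLICIES):
        print(action)
```

Running the plan against state that already matches the table returns an empty list, which makes it usable as a scheduled drift check for the "forgot to apply a policy to a sub-group" case raised at the top of the thread.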