Dynamic Device Groups give Admins the ability to streamline membership of device groups using rules-based automation. The configurable rules are built on common device attributes and operators. After you've configured dynamic groups, you can scale your day-to-day tasks via groups without having to spend precious time manually managing groups.
Group membership updates are made nightly and also whenever the following events occur:
- A change is made to the group – rules or otherwise.
- A device attribute value changes.
- A new device is created.
Dynamic device groups allow Admins to:
- Save time and increase efficiency by completing group-based tasks at scale.
- Embrace a more secure just-in-time approach to granting users access to resources.
- Automate the management of software on devices.
- Improve compliance by automatically applying policies to devices at scale and quickly identifying devices that require attention.
Considerations
JumpCloud organizations created after August 27, 2023 will have dynamic device grouping enabled for all default OS groups:
- All Devices
- Android Devices
- iOS Devices
- Linux Devices
- Mac Devices
- Windows Devices
JumpCloud organizations created prior to August 28, 2023 will retain static (legacy) device grouping for all default OS groups.
Actions to unbind a policy* that has been bound to a device through its membership in a dynamic device group will not take effect; the rules of the dynamic group will re-bind the device. If you want to remove a policy* from an individual device, you must create an exemption for that device within the dynamic device group.
*Or other types of bindings, such as commands or software.
Enabling Dynamic Device Groups
Here's a guided simulation: Enable and Configure Dynamic Device Groups.
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Device Groups.
- Choose an existing group from the list or create a new group. See Create a Device Group to learn how to create a new device group.
- Under the device group aside Details tab, scroll to Membership Controls.
- Choose Dynamic.
- (Optional) To require review before membership changes take effect, select Require administrator review of updates.
- (Optional) Select Receive emails when administrator review is needed for updates to opt in to emails notifying all administrators in the organization that new group membership changes are awaiting approval.
- See Reviewing Membership Updates below for more information.
- Click save.
In the Device Groups list, dynamic device groups have a status of Dynamic or Dynamic (Review Required) in the Device Membership Controls column.
Configuring Dynamic Device Groups
Building Rules
Considerations:
- If group-associated MDM-enrolled devices are added to a dynamic device group, those devices are subject to the dynamic rule(s) applied to that same group. Use caution when creating dynamic device groups with MDM-enrolled devices to avoid creating conflicting rule sets.
- While there is no firm limit to the number of conditions you can configure for a single rule, for best results, we have found that 3-4 conditions is usually sufficient. Adding more than 4 conditions to a rule is a sign that you should consider adjusting the query to be more specific.
- There is no validation in the rule builder, meaning that you could potentially configure rules that aren’t logical or that contradict each other. Leverage the Preview before saving the group configuration to confirm that your rules make sense.
A note on Windows Major Version limitations:
Currently, due to the way that Windows defines its versioning structure, all Windows 11 Major Versions (e.g. Windows 11 Enterprise 10.0.22000.832) are categorized in JumpCloud as Major Version = 10. Use the Version (Windows) attribute to differentiate between Windows devices based on version.
Use the table below as a reference for the attributes, operators, and values that exist for dynamic device groups.
Attribute Rules for Dynamic Device Groups
Attribute | Operator | Value |
---|---|---|
Operating System |
*If not equals is selected, the next two rows don't apply |
|
↳ Version (Windows only) |
|
Free text field with no validation. Input is case sensitive. See the version field in the API. For example:
|
↳ Distribution (Linux only) |
|
|
↳ OS Major Version |
|
Note: Windows is not included in this list since Major Version = 10 for all Windows Versions |
Arch Family |
|
|
Vendor |
|
Free text field |
Creation Date |
|
<date picker> Note: Date selected are in Coordinated Universal Time (UTC) and not your local time zone. |
Hostname |
|
Free text field |
Public IP Address |
|
Free text field |
To create an attribute-based rule:
- Select the Attribute from the drop-down.
- Select an Operator.
- Select a Value.
- (Optional) Click + to add a second attribute value.
Additional attribute values are applied with an "or" operator. In the following example, new mobile devices will be added automatically to this group.
- (Optional) Click Add Condition to add multiple conditions to a rule for the dynamic group.
Additional conditions are applied with an "and" operator. In the following example, all existing and new macOS 14 Sonoma devices will be added to this group.
- Continue to the next section to add exemptions to the rule, or click save.
Click the trash can icon to remove an added attribute or an added condition from the rule.
Using Exemptions
Under the Exemptions section, you can specify devices to include in or exclude from the dynamic group, regardless of the rules of the group. Devices added here will automatically be bound or unbound on the Devices tab.
To add a device to the inclusion or exclusion list:
This action can be accomplished from the device group's devices list. If a device is removed or added from the devices list, the corresponding action will automatically take place on the exemptions list.
- In the Devices to Include or Devices to Exclude section, click in the Search bar.
- Search for the device you would like to add to the list and then select the checkbox next to the device in the dropdown.
- Devices appear in alphabetical order by Device Name (assigned under the device’s Details tab).
- Selected devices appear as pills below the Search bar.
- When finished adding devices, click save.
- Exemptions configured to include a device in or exclude a device from a device group are NOT reflected in the Preview Group Membership modal.
- Configure rules strategically to result in the targeted group membership, using exemptions sparingly. If you find you can’t reach the desired group membership without a large number of exemptions, reach out to JumpCloud so that we can understand what additional rules or conditions may be needed.
To remove a device from the inclusion or exclusion list:
- In the Devices to Include or Devices to Exclude section, click in the Search bar.
- Search for the device(s) you would like to remove from the list and then clear the checkbox next to the device(s) in the dropdown.
- Alternately, click x on the pill next to the name of the device you want to remove.
- When finished removing users, click save.
To remove a device from the Devices list:
- In the device group aside, select the Devices tab. A list of the devices that are included in the device group is displayed.
- Clear the checkbox next to any devices you want to exclude from the list.
- Click Save.
- A Membership Conflict message appears. Manual changes made to the device group by deselecting devices under the Devices tab will create an automatic exemption. Click Continue to accept.
Devices that have been added or removed from a dynamic group using an Exemption display a Manual Include or Manual Exclude status in the Exemption column on the Devices list.
Previewing Configuration
There is no validation in the rule builder, meaning that you could potentially configure rules that aren't logical or that contradict each other. Leverage the Preview before saving the group configuration to confirm that your rules make sense.
Exemptions configured to include a device in or exclude a device from a device group are NOT reflected in the Preview Group Membership modal.
When you have finished configuring attribute-based rules and exemptions for the dynamic device group, click Preview before saving the group configuration to see a list of membership updates that will take place upon save. When you have finished reviewing, click Close, then click save to save the group.
Reviewing Membership Updates
When configuring a dynamic device group, you have the option to add a review requirement before membership changes are made.
Considerations:
- All administrators, excluding those with Read Only or Help Desk roles, will be able to review and accept or reject membership updates.
- If the option to send email notifications is selected, the emails will be sent to all applicable administrators in the organization. See Admin Portal Roles for more information.
Optional settings for membership updates include:
- Require administrator review of updates: Select this option to require that membership changes be reviewed and manually applied by the administrator.
- Receive emails when administrator review is needed for updates: This option becomes available when Require administrator review of updates is selected, but it is not selected by default. Select this option to send a nightly email notification to all administrators in the organization with a list of the group membership suggestions that need to be reviewed.
- Click Review Suggestions to open the Review Device Group Membership modal in the Admin Portal.
- Click Review Suggestions to open the Review Device Group Membership modal in the Admin Portal.
When Require administrator review of updates is selected and membership updates are ready to review, you will see Pending changes found | Review in the Device Membership Controls column of the Device Groups list.
- Click Review to see the device group’s membership updates.
- Note: When making configuration changes directly within a group, you must save the changes before you are able to review.
- Use the checkboxes on the select individual updates you would like to apply.
- Click Accept and Save when finished to update the group.
Disabling Dynamic Device Groups
When you convert a dynamic device group, the group becomes a manually controlled static group moving forward, with device membership preserved as-is in that moment.
The attribute-based rules that were configured for the previously dynamic group will persist for the group, making it easy to revert back to a dynamic group.
To turn off dynamic group membership:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > Device Groups.
- Select the group for which you would like to disable group membership automation.
- Under Membership Controls, select Static.
Applying Policies to Dynamic Device Groups
Dynamic device groups are the foundation for IT Admins to take scalable actions that increase efficiency and security across their organizations.
- Next step: Assign a Policy Group