Intune groups
Overview
Devices and users are organised into groups that follow a naming convention starting with the local authority or school number to identify them. These groups are nested under a top-level local authority group to form a hierarchy of schools within that local authority, and are split into two branches (devices and users) to provide separation and flexibility. Configuration items are assigned to groups, so a hierarchical structure allows common assignments to be made once at a higher level and inherited by the groups nested within it.
This group structure can be viewed within Intune for Education, and only displays the part of the hierarchy that the administrator is scoped for. In Intune for Education, policy assignments and app deployments can also be made directly on an individual group.
Each school has 3 device groups (Provisioning Devices, Student Devices, and Teacher Devices), and 2 user groups (Students and Teachers) which are maintained by the Hwb provisioning service with data from the school’s Management Information System (MIS).
Additional groups can be created through the User Management Portal to provide flexibility in assigning apps and configuration policies to different sets of devices or users. All additional user and device groups are created at the same level as the default groups and cannot be nested further. It is best practice to create an additional group for a specific purpose and then join a user or device to multiple groups to combine their effects.
Examples:
- An IT suite of computers may require a different app to other computers in the school. By creating an additional device group called “ICT Suite 1” and assigning the app to this group in Intune, it will only be deployed to devices in this group.
  - School Devices
    - Provisioning Devices
    - Student Devices
    - Teacher Devices
    - iPads
    - ICT Suite 1
- Members of the senior management team may require access to a secure share hosted on SharePoint on any device they log into. By creating an additional user group called “Senior Management Team” and assigning a configuration profile set to sync the document library with their OneDrive client, the secure share will be made available to these users on all devices they use.
  - School Users
    - Students
    - Teachers
    - Senior Management Team Users
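To make the inheritance and multi-membership behaviour above concrete, here is an added Python example (not Hwb code and not part of the User Management Portal) that resolves which assignments a device or user actually receives from a nested group structure. The local authority number 660, school number 6601234, group names, assignments and memberships are constructed to mirror the examples above, and the "Leaving Devices" exclusion group is hypothetical; the rule that an exclusion always beats an inclusion is Intune's documented assignment behaviour.

```python
"""Resolve effective Intune assignments from a nested group hierarchy.

Added example, not Hwb code. Group names, assignments and memberships are
constructed: LA 660 with a fictional school 6601234.
"""

# child group -> parent group. Top-level local authority groups have no parent.
PARENT = {
    "6601234 Devices": "660 Devices",
    "6601234 Provisioning Devices": "6601234 Devices",
    "6601234 Student Devices": "6601234 Devices",
    "6601234 Teacher Devices": "6601234 Devices",
    "6601234 ICT Suite 1": "6601234 Devices",          # additional group made in the portal
    "6601234 Leaving Devices": "6601234 Devices",      # hypothetical exclusion group
    "6601234 Users": "660 Users",
    "6601234 Students": "6601234 Users",
    "6601234 Teachers": "6601234 Users",
    "6601234 Senior Management Team": "6601234 Users",  # additional group made in the portal
}

# assignment name -> (included groups, excluded groups); all constructed
ASSIGNMENTS = {
    "LA Wi-Fi profile":       (["660 Devices"], []),                     # placed once at LA level
    "School baseline config": (["6601234 Devices"], []),                 # parent devices group
    "Rename to DPId prefix":  (["6601234 Devices"], ["6601234 Leaving Devices"]),
    "CAD application":        (["6601234 ICT Suite 1"], []),
    "SMT SharePoint library": (["6601234 Senior Management Team"], []),
}


def ancestors(group):
    """Yield the group itself and every group above it in the hierarchy."""
    while group is not None:
        yield group
        group = PARENT.get(group)


def effective_groups(direct_groups):
    """Every group a device or user belongs to, directly or through nesting."""
    return {g for direct in direct_groups for g in ancestors(direct)}


def effective_assignments(direct_groups, assignments=ASSIGNMENTS):
    """Sorted names of the assignments that apply to the given direct memberships.

    An assignment applies when the principal is in at least one included group
    and in none of the excluded groups; in Intune an exclusion always wins.
    """
    groups = effective_groups(direct_groups)
    return sorted(
        name
        for name, (include, exclude) in assignments.items()
        if groups.intersection(include) and not groups.intersection(exclude)
    )


if __name__ == "__main__":
    cases = [
        ("ICT suite PC", ["6601234 Student Devices", "6601234 ICT Suite 1"]),
        ("leaving PC", ["6601234 Student Devices", "6601234 Leaving Devices"]),
        ("newly enrolled PC", ["6601234 Provisioning Devices"]),
        ("head teacher", ["6601234 Teachers", "6601234 Senior Management Team"]),
    ]
    for label, direct in cases:
        print(f"{label}: {effective_assignments(direct)}")
```

The newly enrolled device still receives the LA and school-wide items even though it is only in the Provisioning Devices group, because those items are assigned to the parent groups rather than to the provisioning group itself.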
Device and User groups cannot be created or managed through Intune by delegated administrators. This must be done through the User Management Portal, as per the guides below.
Provisioning devices group
The Provisioning Devices group is a special group, created by the Hwb team, to automatically put enrolled devices into the administrative scope of the school or local authority. There are several rules to determine membership of the provisioning devices group, and at least one of these must be met to be able to see and manage the device.
- GroupTag = Device Provisioning Identifier*. Only applicable to Windows devices deployed through Autopilot.
- Device Name Prefix = device name starts with the Device Provisioning Identifier*. Applicable to all devices, and the only rule that can be satisfied when enrolling Windows devices using a provisioning package.
- Enrolment profile name prefix = enrolment profile name starts with the local authority or school number. Applicable to iPads only; Windows devices using Autopilot should use the GroupTag instead. For local authorities, enrolment profile names should start with the 3-digit code followed by a space to satisfy the rule (e.g. "660 Enrolment profile name").
*The Device Provisioning Identifier (DPId) is a unique 5-character code assigned to each school (4 characters for local authorities). These can be looked up on the Intune Device Groups page in the User Management Portal.
There may be a delay before devices show up in the provisioning devices group because the dynamic membership rules take time to process. Once a device is visible in the provisioning devices group it may need to be joined to other groups to receive the relevant apps and policies, which can be done using the Intune Device Groups page in the User Management Portal.
We do not recommend applying any apps or policies to the provisioning devices group; it should be treated as a placeholder for devices only. Separate groups should be used for Autopilot enrolment profiles, and policies for common configurations should be applied to the parent devices group.
Managing device groups through the User Management Portal
Device groups can be managed through the Intune Device Groups page in the User Management Portal – Administration -> Intune Device Groups
In this section you can:
- view existing device groups
- create new device groups
- view devices in an existing device group
- move or add devices in a device group to another device group
- view the Device Provisioning Identifier for your local authority or school
- look up BitLocker recovery keys and LAPS managed local administrator passwords for Windows devices
Create a device group
- Click Create device group
- Enter a suitable name - this is prefixed with the school number and cannot be edited afterwards
- Click Create
Move or add devices to another device group
- Click the current device group to list the devices
- Select the device or devices you wish to move
- Click Join to another group
- Select the target group from the drop-down list
- Click Move or Add to move or add the device to the target group
Move will remove the device from the current group and join it to the target group. Add will just join the device to the target group and keep it in the current one.
Remove devices from a device group
- Click the group you want to remove the device from
- Select the device(s) you wish to remove
- Click Remove device from group
- Click Confirm on the pop-up
Devices cannot be removed from the provisioning devices group manually. To remove a device you must change the property (or properties) of the device that satisfies the group rules:
- Autopilot (Windows) – remove the GroupTag in Autopilot
- Provisioning package (Windows) – change the device name
- iPads – delete the device object
If a configuration policy sets the Windows device name with the DPId prefix, you may also need to remove the device from the group that policy is assigned to, or add it to a group excluded from that policy; otherwise the device will be renamed again and satisfy the rule once more.
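The three provisioning devices rules described earlier, and the removal guidance above, can be checked with this added Python example (not Hwb code, and not the Hwb team's actual membership rule, which delegated administrators cannot see). It evaluates a device's attributes against the three tests, lists what still has to change before the device drops out of the group, and writes the same tests in Entra ID dynamic membership rule syntax for comparison. The DPIds (SCH01 for a school, L660 for a local authority), device names, enrolment profile names and physical IDs are constructed; the `[OrderID]:` form in which Autopilot records the GroupTag in the devicePhysicalIds attribute is Microsoft's documented format.

```python
"""Which provisioning devices rule does a device satisfy, and what must change
for it to leave the group?

Added example, not Hwb code. DPIds, device names, enrolment profile names and
physical IDs are constructed.
"""
from dataclasses import dataclass, field

# Autopilot records a device's GroupTag in Entra ID devicePhysicalIds as "[OrderID]:<tag>".
ORDER_ID_PREFIX = "[OrderID]:"

# What has to change to stop each rule matching, from the guidance above.
REMEDIATION = {
    "GroupTag": "remove the GroupTag from the device in Autopilot",
    "DeviceNamePrefix": "rename the device, and exclude it from any policy that sets the DPId name prefix",
    "EnrolmentProfilePrefix": "delete the device object (iPads)",
}


@dataclass
class Device:
    display_name: str
    enrollment_profile_name: str = ""      # set for iPads (and Autopilot profiles)
    physical_ids: list = field(default_factory=list)

    def group_tag(self):
        """Autopilot GroupTag, or None for devices without one (e.g. provisioning-package builds)."""
        for pid in self.physical_ids:
            if pid.startswith(ORDER_ID_PREFIX):
                return pid[len(ORDER_ID_PREFIX):]
        return None


def matching_rules(device, dpid, enrolment_prefix):
    """Names of the rules the device satisfies for the scope identified by dpid.

    enrolment_prefix is the LA or school number the profile name must start with.
    For an LA this is the 3-digit code plus a trailing space (e.g. "660 "), so a
    profile named "6601 ..." does not match LA 660 by accident.
    """
    hits = []
    if device.group_tag() == dpid:
        hits.append("GroupTag")
    if device.display_name.startswith(dpid):
        hits.append("DeviceNamePrefix")
    if enrolment_prefix and device.enrollment_profile_name.startswith(enrolment_prefix):
        hits.append("EnrolmentProfilePrefix")
    return hits


def actions_to_leave(device, dpid, enrolment_prefix):
    """Changes still required before the device drops out of the provisioning devices group."""
    return [REMEDIATION[rule] for rule in matching_rules(device, dpid, enrolment_prefix)]


def equivalent_dynamic_rule(dpid, enrolment_prefix):
    """The three tests written in Entra ID dynamic membership rule syntax (illustrative only)."""
    return (
        f'(device.devicePhysicalIds -any (_ -eq "{ORDER_ID_PREFIX}{dpid}")) or '
        f'(device.displayName -startsWith "{dpid}") or '
        f'(device.enrollmentProfileName -startsWith "{enrolment_prefix}")'
    )


if __name__ == "__main__":
    # Constructed sample devices and scopes.
    school = ("SCH01", "6601234")   # school DPId, school number
    la = ("L660", "660 ")           # LA DPId, LA code plus space
    samples = [
        ("Autopilot PC", Device("DESKTOP-7G2K1", "Hwb Autopilot profile",
                                ["[ZTDId]:constructed-id", "[OrderID]:SCH01"]), school),
        ("provisioning-package PC", Device("SCH01-LIB-03"), school),
        ("Autopilot PC, tag removed but still renamed", Device("SCH01-LAB-01", "Hwb Autopilot profile",
                                                                 ["[ZTDId]:constructed-id"]), school),
        ("LA iPad", Device("iPad-12", "660 Shared iPads"), la),
        ("iPad with profile lacking the space", Device("iPad-13", "6601 Shared iPads"), la),
    ]
    for label, dev, (dpid, prefix) in samples:
        print(f"{label}: rules={matching_rules(dev, dpid, prefix)} "
              f"to leave={actions_to_leave(dev, dpid, prefix)}")
    print(equivalent_dynamic_rule(*school))
```

The third sample is the case the rename caveat above warns about: clearing the GroupTag in Autopilot is not enough while the device name still carries the DPId prefix, so the device stays in the group until it is renamed and kept away from the policy that renames it.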
Delete devices
- Click the device group to list the devices
- Select the device or devices you wish to delete
- Click Delete Device
- Click Proceed on the pop-up to confirm deletion
This will remove the selected device(s) from Intune, Autopilot (Windows only) and Azure AD.
Delete a device group
Delegated admins are unable to delete device groups, but this can be requested with the Hwb service desk.
Please ensure that the requested group is removed from any app or policy assignments in Intune before making the request, as deletion while assignments still exist can cause issues editing other group assignments on those policies.
Move a device to another school
- Remove the device from any device groups in the current school (other than the provisioning devices group)
- Remove the device from the provisioning devices group
- Factory reset the device through Intune
- Re-enrol the device
Managing user groups through the User Management Portal
User groups can be managed through the Intune User Groups page in the User Management Portal – Administration -> Intune User Groups
In this section you can:
- view default Intune user groups
- create and view custom user groups
- add users to, or remove users from, a custom user group
You can only manage members of a custom Intune group. Default groups are managed by the Hwb Provisioning service.
Create a custom user group
- Click Add Group
- Enter a suitable name - this is prefixed with the school number and cannot be edited afterwards
- Click Add
Add users to a custom group
- Select the custom Intune group to add a user to
- Click Add user to group
- Enter the Hwb username for the user to add and click Search
- Repeat search for more users, if desired
- Double check the list of users to add and click Add
This can also be done in bulk from the user lists - View Users -> View Learners/Staff
- Select one or more users to add to the group
- Click Selected Users > Assign to Group
- Select Intune Group as the group type
- Select the target group from the Group drop-down
- Click Add to group
Remove users from a custom group
- Select the custom Intune group to remove the user from
- Filter for the target user, if required
- Click Remove next to the user to remove
- Click Remove on the pop-up to confirm removal
This can also be done in bulk from the user lists - View Users -> View Learners/Staff
- Select one or more users to remove from the group
- Click Selected Users > Assign to Group
- Select Intune Group as the group type
- Select the target group from the Group drop-down
- Click Remove from group