Organization groups (OG) are still the primary means of performing the following tasks in Workspace ONE UEM. User groups do not replace organization groups in Workspace ONE UEM, rather, they are used to represent security groups and business roles.
- The primary difference between organization groups and user groups is that devices are always tied to an OG.
- You set the administration management permissions in the UEM console through an organization group.
- Profiles, policies, and applications are assigned to organization groups.
- Even though it is possible to assign these resources to user groups, user groups only act as an extra filter on top of organization groups.
- Tracking assets on Workspace ONE UEM dashboards. Organization groups are still the primary filter on all console pages for all dashboards and views. OGs define at which business units the devices live, so consider the device groupings you want to view on the Workspace ONE UEM dashboards.
- Configuring system config settings. System settings are tied to organization groups. If you need different system settings, then you must define different organization groups. Examples of important settings to consider include the following.
- Enrollment Settings and Restrictions
- Privacy Policies
Existing MDM assignments are not affected once you import user groups. Facilitate the transition process and ensure that users do not experience any disruption to their current configurations by applying policies to user groups manually as needed.
- Use user groups to represent security groups or business roles within your organization.
- Users can belong to multiple user groups, but devices still belong to only one organization group.
- Workspace ONE UEM currently supports the assignment of profiles, policies, and internal apps to user groups.
Transition Options for Best Practices
When defining OGs to represent user groups, one of the following options may help you reconfigure your OG and user group structure to be more streamlined.
- Reconfigure your system to associate profiles, applications, and enrollment restrictions with user groups.
- Assign each profile, app, and enrollment restriction to the appropriate user groups.
- Change the organization group assignment to one organization group up.
- Add a user group assignment.
- You may choose to reconfigure your hierarchy to remove old or unused organization groups.
- Move up devices one organization group (from child to parent).
- Delete old organization groups.
- You can choose to leave your structure as-is.
- At this point, the organization group can be considered the “Primary Security Group” of the device.
- The user groups are used for assigning profiles and policies.
- The old, unused organization groups can remain for asset tracking purposes.