The concept of overriding settings on a per-organization group basis, when combined with organization group (OG) characteristics such as inheritance and multi-tenancy, can be further combined with authentication. This combination provides for flexible configurations.
The following organization group model illustrates this flexibility.
In this model, Administrators, generally in possession of greater permissions and functionality, are positioned at the top of this OG branch. These administrators log into their OG using SAML that is specific to admins.
Corporate users are subservient to administrators so their OG is arranged as its child. Being users and not administrators, their SAML login setting cannot inherit the administrator setting. Therefore, the Corporate users' SAML setting is overridden.
And while not subservient to Corporate users in a corporate hierarchy sense, placing BYOD users as a child of Corporate users has advantages. This arrangement means that BYOD users inherit settings applicable to ALL corporate user devices simply by applying them to the Corporate users OG.
Inheritance also applies to SAML authentication settings. Since BYOD users is a child of Corporate Users, BYOD users inherit their SAML for users authentication settings.
An alternate model is to make BYOD users a sibling of Corporate users.
Under this alternate model, the following is true.
- All device profiles meant to apply globally to ALL devices, including compliance policies and other globally applicable device settings, must be applied to two organization groups instead of one. This duplication is needed because inheritance from Corporate users to BYOD users is no longer a factor in this model: Corporate users and BYOD users are peers, so there is no inheritance between them.
- Another SAML override must be applied to BYOD users. This override is necessary because the system assumes it is inheriting SAML settings from its parent, Administrators. Such an assumption is a mistake because BYOD users are not administrators and do not have the same access and permissions.
- BYOD users continue to be handled separately from Corporate users. This alternate model means that they continue to enjoy their own device profile settings.
What factor determines which model is the best? Compare the number of globally applicable device settings with the number of group-specific device settings. Basically, if you want to treat all devices in generally the same way, then make BYOD users a child of Corporate users. If maintaining separate settings is more important, then make BYOD users a sibling of Corporate users.
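To make the inheritance and override behavior described above concrete, the following added example (not part of this documentation and not Workspace ONE UEM code) models both OG layouts and resolves the effective SAML setting for each group the way OG inheritance does. The OG names and the "SAML for admins"/"SAML for users" labels are constructed for illustration; the audit function flags any non-admin OG whose SAML setting would resolve to the Administrators OG, which is exactly the mistaken inheritance the sibling model creates when the extra override is forgotten.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed OG names and SAML setting labels; illustrative only.

@dataclass
class OrgGroup:
    name: str
    parent: Optional["OrgGroup"] = None
    overrides: Dict[str, str] = field(default_factory=dict)

    def effective(self, key: str) -> Tuple[str, str]:
        """Walk up the OG tree until a group that overrides `key` is found.
        Returns (value, name of the OG that supplied it)."""
        og: Optional[OrgGroup] = self
        while og is not None:
            if key in og.overrides:
                return og.overrides[key], og.name
            og = og.parent
        raise KeyError(f"{key} is not set anywhere above {self.name}")

def child_model() -> List[OrgGroup]:
    """First model: BYOD users is a child of Corporate users."""
    admins = OrgGroup("Administrators", overrides={"saml": "SAML for admins"})
    corp = OrgGroup("Corporate users", admins, {"saml": "SAML for users"})
    byod = OrgGroup("BYOD users", corp)  # inherits SAML from Corporate users
    return [admins, corp, byod]

def sibling_model(byod_override: bool) -> List[OrgGroup]:
    """Alternate model: BYOD users is a sibling of Corporate users.
    `byod_override` controls whether the second SAML override is applied."""
    admins = OrgGroup("Administrators", overrides={"saml": "SAML for admins"})
    corp = OrgGroup("Corporate users", admins, {"saml": "SAML for users"})
    byod = OrgGroup("BYOD users", admins,
                    {"saml": "SAML for users"} if byod_override else {})
    return [admins, corp, byod]

def ogs_inheriting_admin_saml(ogs: List[OrgGroup]) -> List[str]:
    """Audit check: non-admin OGs whose effective SAML setting comes from
    the Administrators OG, i.e. users authenticating with the admin setting."""
    return [og.name for og in ogs
            if og.name != "Administrators"
            and og.effective("saml")[1] == "Administrators"]

if __name__ == "__main__":
    for label, ogs in [("child", child_model()),
                       ("sibling, no override", sibling_model(False)),
                       ("sibling, with override", sibling_model(True))]:
        print(label, ogs[-1].effective("saml"), ogs_inheriting_admin_saml(ogs))
```

Running it shows the BYOD group resolving to "SAML for users" in the child model and in the sibling model with the override, but to "SAML for admins" in the sibling model without it, which the audit reports.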
For more information, see and Enterprise Wipe for BYOD Devices.
For a detailed example of OG inheritance involving enrollment, see Directory Service Integration and Enrollment Restrictions.