Creating device groups
This article focuses on creating device groups, which allow you to assign a specific policy to specific devices.
NOTE A video tutorial is available at the end of this article.
Device group
A device group is a collection of devices identified under the same name. For example, you could create a device group named Servers containing the servers (Server A, Server B, etc.) at a specific location. Or you could create a device group named Workstation that includes the desktop computers at a location, as in this example.
NOTE You can associate a device with one device group only. This prevents devices from having any conflicting policies. In addition, you can unassign a device from a device group.
Associated Policies table - Device Group column
In the Assigned Policies table on the Organization and Location pages, the Device Group column indicates whether a policy has been assigned to a device group. In this example, the Ransomware Detection policy named new rwd policy 1 has been assigned to the servers device group. None in a policy's Device Group field indicates the policy will be applied to devices that are not associated with a device group. In addition, the policy will be applied to a device group when a specific policy has not been assigned to the device group.
Policy application hierarchy
Policies are assigned to organizations and locations. With device groups you can specify a device group within an organization or location that will receive that policy.
In the policy application hierarchy, each policy type is processed. When a device is assigned to a device group it will first honor the policies assigned to that device group.
Keep in mind that a device assigned to a device group can still honor a policy assigned to None when no policy of the same type is assigned to the device group.
Example
The following is an example of the policy application hierarchy and is illustrated below.
- Datto Antivirus, Datto EDR, and Ransomware Detection policies have been created at the organization level for Organization A.
- Organization A has two locations, Office A and Office B. The Office A location inherits the organization policies from Organization A and therefore, each Office A location device applies these policies.
- However, a specific Datto Antivirus policy named Datto Antivirus Workstation has been created at the location level for Office B. And a device group named Workstation Device Group has been created for Office B for which the Datto Antivirus Workstation policy has been assigned. Therefore, the Datto Antivirus Workstation policy has priority over the Datto Antivirus organization policy. When a device is added to the Workstation Device Group, it will apply the Datto Antivirus Workstation policy.
- Then, the device will apply the "generic" Datto EDR and Ransomware Detection organization policies because they do not have specific policies assigned to the Workstation Device Group.
- In addition, Office B includes a server device which applies the three "generic" organization policies.
NOTE Assigning all your policies to device groups at the organization level allows you to assign policies using device groups only. The policies will be inherited by all of your locations but can be overridden at the location level.
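The hierarchy above can be modelled as a per-type lookup, which also shows which devices would be left without a policy of some type. This is an added example, not Datto code and not a Datto API. It assumes the search order is device group before None and, within each, location before organization. The device names and the "(org)" policy names are constructed.

```python
# Added illustration: a model of the policy application hierarchy, not vendor code.
from collections import namedtuple

# level is "organization" or "location"; group=None models the "None" device group.
Assignment = namedtuple("Assignment", "level scope policy_type policy group")
Device = namedtuple("Device", "name organization location group")
POLICY_TYPES = ("Datto Antivirus", "Datto EDR", "Ransomware Detection")

def effective_policy(device, policy_type, assignments):
    """Return (policy, source) for one policy type, or None if nothing applies."""
    # Assumed search order: device group before None; location before organization.
    order = []
    for group in ([device.group, None] if device.group else [None]):
        order.append(("location", device.location, group))
        order.append(("organization", device.organization, group))
    for level, scope, group in order:
        for a in assignments:
            if (a.level, a.scope, a.group, a.policy_type) == (level, scope, group, policy_type):
                return a.policy, f"{level}/{group or 'None'}"
    return None

def audit(devices, assignments):
    """Map each device to its effective policies and the policy types left uncovered."""
    report = {}
    for d in devices:
        resolved = {t: effective_policy(d, t, assignments) for t in POLICY_TYPES}
        gaps = [t for t, r in resolved.items() if r is None]
        report[d.name] = (resolved, gaps)
    return report

# Constructed data mirroring the Organization A / Office B example.
ASSIGNMENTS = [
    Assignment("organization", "Organization A", "Datto Antivirus", "Datto Antivirus (org)", None),
    Assignment("organization", "Organization A", "Datto EDR", "Datto EDR (org)", None),
    Assignment("organization", "Organization A", "Ransomware Detection", "Ransomware Detection (org)", None),
    Assignment("location", "Office B", "Datto Antivirus", "Datto Antivirus Workstation", "Workstation Device Group"),
]
DEVICES = [
    Device("ws-01", "Organization A", "Office B", "Workstation Device Group"),
    Device("srv-01", "Organization A", "Office B", None),
]

if __name__ == "__main__":
    for name, (resolved, gaps) in audit(DEVICES, ASSIGNMENTS).items():
        print(name, resolved, "GAPS:", gaps)
```

A non-empty gap list for a device means no policy of that type reaches it through either its device group or None, which is the situation the default generic policies are meant to prevent.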
Automatic Device Groups
With the Automatic Device Groups feature, you can automatically assign a new device to a device group based on the device's operating system (Linux, MacOS, Windows Workstation, Windows Server). The feature makes onboarding new devices and managing device group policies more efficient.
The Automatic Device Group feature is available when creating or editing a device group on the Organizations > Devices > Device Group page.
In the Automatic Device Group section, you select the desired operating system for the device group.
Key points:
- Devices that existed before you enable the Automatic Device Groups feature will not be auto-assigned to the OS-based device group.
- New devices do get auto-assigned based on their OS assuming you have the device type mapped to an existing device group.
- A device can be assigned, unassigned, and moved between device groups.
- A device can be moved to a different Location without losing its assigned device group.
- License allocation and removal still work as expected on devices assigned to automatic device groups.
- Policies can be assigned to automatic device groups and are removed if an automatic device group is deleted.
1. On the top navigation menu, click Organizations.
2. In the left navigation pane, click Devices.
3. Click the Device Groups tab.
4. Click the Add button.
5. In the Create Device Group form, complete the following fields:
6. If you want to create an Automatic Device Group, select the check box for the applicable operating system.
7. Click Save. The group is listed in the Device Groups table. If you created an Automatic Device Group, the operating system that applies is listed in the Automatic Assignment column.
8. To add another device group, perform steps 4 through 7.
- Click the Devices tab.
- For the applicable device, click the ellipses menu in the last column and select Assign Device Group.
- In the Select Device Group list, select the desired device group.
- Click the Confirm button.
The device group is listed in the Device Group column for the device.
- For the applicable device, in the Location column, click the link.
In the Devices table, the device group is listed in the Device Group column for the device.
NOTE To view the list of devices assigned to a device group, on the Device Groups tab, click the name of the device group.
NOTE To unassign a device from a device group, click the ellipses menu in the last column and select Unassign Device Group. The device reverts to the organization or location policies assigned to the None device group.
- On the top navigation menu, click Organizations.
- In the Organization column, click the name of the desired organization.
- In the Assigned Policies section, click the Assign Policy button.
- In the Assign Policy modal, complete the following fields:
- Policy Type: Select the applicable policy type.
- Policy: Select the applicable policy.
- Device Group (optional): Although the field is labeled optional, you are required to select a device group.
- Click the Assign button. The policy is listed in the Assigned Policies table and is assigned to the device group.
- On the top navigation menu, click Organizations.
- In the upper-right corner, click the All Devices button.
- On the Devices tab, select the check box to the left of the Device column header. This selects all devices.
- To the right of the Move button, click the ellipses menu.
- Select Assign Device Group.
- In the Select Device Group list, select the desired device group.
- Click the Confirm button. The device group is listed in the Device Group column for all selected devices.
- On the Device Groups tab, click the applicable device group.
- Make the desired edits.
- Click Save.
NOTE When a device group is deleted, the devices in the group revert to the organization or location policies assigned to the None device group.
- On the Device Groups tab, select the check box of the applicable device group.
- Click the Delete button.
- Click OK to confirm.
NOTE Another option is to select the ellipses for the device group and select Delete.
FAQs
What is the policy assignment hierarchy?
When a device is assigned to a location, it will try to apply one policy from each available type, such as EDR, AV, Ransomware, and automated threat response policies.
If a specific policy, for example Datto AV, is assigned to a device group, the devices in that group will apply the Datto AV policy first. Then, they will apply any other assigned policies from their device group or from the None device group.
How can I ensure only device group policies are applied, avoiding generic ones?
First, create the necessary device groups and associate your devices with them. Then, go to the organization or location level, and apply the desired policy for each type to the specific device groups.
What is the recommended setup?
Generally, it's best to have a set of default, generic policies to ensure all devices are protected. When you identify the need for more specific policies, for example, ransomware rollback for workstations, create and assign those policies to the relevant device groups.
Can a device belong to multiple device groups?
No. To prevent conflicting security controls, a device can belong to one device group only.
Can I auto associate devices with a specific device group?
No. This is a new feature that is currently being developed.
How do I see what policies are assigned to each device?
You can go into the device details of any device to view the associated policies. In addition, you can see how each policy was assigned: either the device was a member of a matching device group, or the policy was a None policy assigned to the organization or location.
Tutorial: Creating device groups
The Creating device groups video explores EDR device groups and shows you how you can assign a specific policy to a device group.