Introduction to Group Policy

This article gives a general introduction to Group Policy, explains the main differences between a Group Policy and a Group Command, and describes two use-cases.

Article overview
Group Policy
Use-case
Further reading

Group Policy

A Group Policy is a rule that you define for a specific use of devices within a group. A Policy will override commands or configurations set by users if they don't correspond to what is defined in a Policy. Policies can be defined and sent to your devices from your Device Hub.

Our system checks periodically, and especially on boot-up, whether the Commands defined in the Group Policy have been executed on the devices. If not, they are resent. You will notice the Policy updates on the Commands page of each individual device, where they have the system as creator. You can force a policy update or the application of a policy with the UpdatePolicy or ApplyPolicy command, respectively. Usually this is not necessary, as policies are updated and applied automatically when they change.

When do I set a Group Policy and when do I send a Group Command?

The main difference to keep in mind between a Group Policy and a Group Command is that Commands in a Group Policy will be executed as often as necessary, while Commands sent to a device, or a device group, will be executed only once.

Therefore, for example, if you want to reboot all your devices, best practice is to send a Group Command. If you add a reboot command to the Group Policy, this will lead to infinite reboots, whereas a Group Command will be sent to all the devices within the Device Group and will only be executed once. If the device is offline, the Command will be pending until the device is switched on again.

Another difference between a Group Policy and a Group Command is what happens when you add new devices to a Group. A Group Command only has an effect on devices that are in the group at the time you add it. When you add a new device after you have added the Group Command, the Command will not have any effect on the new device. But if you add the new device to a group with a Group Policy, the Policy will be applied to the new device. You can find a use-case for this in the next section.

Use-case

A common use-case is to add the “enable Kiosk Mode” command to the Group Policy. Your device communicates its state to the MDM server on a regular basis: when it connects to MDM, periodically afterwards, and on request from MDM. When it communicates its state, one of the values sent indicates whether Kiosk Mode is enabled. If the value communicated to MDM shows that Kiosk Mode is not enabled, a command is sent to this device to enable Kiosk Mode.

This means that each time the user makes changes to the device state that do not correspond to the defined Group Policy, Commands will be sent to the device in order to bring the device back to the predefined state.

The second common use-case follows the same example as above, having "enable Kiosk Mode" as part of the Group Policy of the original group of your devices. You can then set up a maintenance group for your devices, where Kiosk Mode is disabled. When you move your devices to this group, it will allow the service personnel to have full access to the devices. When the maintenance is done, the devices can be moved back into their original group, and the Kiosk Mode will be enabled again by the set Group Policy.
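
The delivery rules described above (one-shot Group Commands, repeated Policy enforcement, offline devices, devices added later), as a small Python model. This is an added example, not the product's code: the Device and Group classes, the "operator" creator label and the kiosk_mode key are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    online: bool = True
    state: dict = field(default_factory=dict)    # last reported state
    pending: list = field(default_factory=list)  # one-shot commands not yet delivered
    log: list = field(default_factory=list)      # (creator, command) pairs executed

@dataclass
class Group:
    policy: dict = field(default_factory=dict)   # desired state, e.g. {"kiosk_mode": True}
    devices: list = field(default_factory=list)

    def send_group_command(self, command):
        # One-shot: queued only for devices that are in the group right now.
        for device in self.devices:
            device.pending.append(command)

    def check_in(self, device):
        # Device reports its state: on connect, periodically, or on request.
        if not device.online:
            return
        while device.pending:                    # each queued command runs exactly once
            device.log.append(("operator", device.pending.pop(0)))
        for key, wanted in self.policy.items():  # policy: re-send on every mismatch
            if device.state.get(key) != wanted:
                device.state[key] = wanted
                device.log.append(("system", f"set {key}={wanted}"))

def demo():
    group = Group(policy={"kiosk_mode": True})
    a, b = Device("a"), Device("b", online=False)
    group.devices += [a, b]
    group.send_group_command("reboot")
    group.check_in(a)                 # reboot once, then kiosk mode enforced
    group.check_in(b)                 # offline: reboot stays pending
    a.state["kiosk_mode"] = False     # user disables kiosk mode on the device
    group.check_in(a)                 # policy brings it back
    group.check_in(a)                 # no drift, nothing sent
    c = Device("c")                   # joins after the group command was sent
    group.devices.append(c)
    group.check_in(c)                 # gets the policy, not the earlier reboot
    b.online = True
    group.check_in(b)                 # pending reboot delivered, then policy
    return a, b, c

if __name__ == "__main__":
    for device in demo():
        print(device.name, device.log)
```

In the model, "reboot" appears once in the log of devices a and b and never for device c, while the system-created kiosk command appears again each time the reported state drifts from the policy.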

Further reading

Read the following tutorial on how to set a Group Policy.