08-01-2023 04:02 PM
JumpCloud’s Dynamic Groups capabilities are about to take a big step forward and this article is going to provide a preview of the main highlights, the impacts to the existing Dynamic User Groups experience and touch on other Dynamic Groups capabilities.
The ability to have a user group’s membership dynamically change based upon attribute driven rules has existed for some time within JumpCloud. Our first step towards dynamic groups was introduced with User Group Suggestions, allowing admins to build group rules that generate suggested changes to group membership. The User Groups Automation Beta enabled these suggestions to be automatically accepted. With the new release being previewed, we are excited to now bring automation to Device Groups for the first time along with a new admin experience for Dynamic User Groups.
To start, we have retained all existing group assets (members, rules, exemptions, etc). All existing groups will still function the same as before but the admin experience in working with these groups changes.
User groups can now be one of two types - Static or Dynamic.
A static group is one in which group membership is modified by manually adding and removing users or devices. This is the standard way in which user or device group membership is managed.
A dynamic group is one in which membership is managed based on which users or devices satisfy the rules applied to the group.
For any existing user groups where attribute rules had been applied, they will now be referred to as dynamic. All other groups that don’t have attribute rules applied are now referred to as static.
For any new group created, the administrator will be presented with an option to specify the group as static v. dynamic. The default for new groups is static. If the administrator selects dynamic, the attribute rules builder will appear and the dynamic group can be configured.
Another change is that user group membership controls have moved from the users tab to the details tab within the user groups section. All of the configuration options around user group membership will now exist on the details tab. The same will apply for device groups.
When the administrator selects “dynamic” for the group type, the group will default to being automated - meaning that the administrator doesn’t need to review any membership changes. The group membership will automatically update based upon the attribute rules defined for that group. The administrator has the option to require a review of updates if they want that behavior.
For any existing user groups where attribute rules had been applied, the group will already have the “review required” option selected and all of the existing rules will be in place. The experience of reviewing membership changes does not change.
If an organization was participating in the group automation beta and had opted to make a group’s membership suggestions automated, the “review required” option will not be selected and all of the existing rules will be in place. These will continue to be fully automated dynamic user groups.
Note that dynamic user groups and the resulting membership changes are no longer called “suggestions”. This is an intentional step towards automation. All dynamic groups are now automated by default with the option for “review required” when the administrator wants that behavior.
Previously, administrators could add a user to an exemptions list such that the user was not considered when the attribute rules were applied. It was then up to the administrator to determine if the user should be a part of the group or not and manually make that adjustment from the users list tab of the user group page.
We have streamlined the exemptions experience. Now, when the administrator creates an exemption for a dynamic user or device group, they will select whether or not that user or device should either (1) always be a member of the group or (2) never be a member of the group. They can make this selection straight from the details tab where they are managing the membership controls for that group.
Administrators could also make manual membership changes to a dynamic group straight from the users or devices tab. When this is done, exemptions will automatically be created on the details tab in the corresponding include v. exclude sections.
Administrators now have the ability to leverage User State as an attribute in the dynamic user groups rule builder. They can now configure a rule leveraging the following User State values - 'activated', 'staged', 'suspended'.
All of the same dynamic user groups capabilities now also exist for dynamic device groups. The functionality, UI, language, etc. is now consistent between user group membership controls and device group membership controls. Obviously, the attributes are different but the group membership behavior is the same.
All organizations had previously been created with the following default groups:
User Groups - All Users
Device Groups - All Devices, All Android Devices, All iOS Devices, All Mac Devices, All Linux Devices, All Windows Devices
Administrators had to manually populate these groups by adding users or devices to their corresponding groups. With the introduction of Dynamic Groups, this can now be automated. None of the existing default groups have been changed. The following table illustrates how an administrator could change these default groups to be automated via Dynamic Groups.
Group Name | Dynamic Group Rule |
---|---|
All Users | User State equals 'Staged' OR 'Activated' OR 'Suspended' |
All Devices | OS Family equals 'MacOS' OR 'Windows' OR 'Linux' OR 'iOS/iPadOS' OR 'Android' |
All Android Devices | OS Family equals 'Android' |
All iOS Devices | OS Family equals 'iOS/iPadOS' |
All Mac Devices | OS Family equals 'MacOS' |
All Linux Devices | OS Family equals 'Linux' |
All Windows Devices | OS Family equals 'Windows' |
In case you want to see even more information on Dynamic Groups, we have already published two support articles: Configure Dynamic User Groups and Configure Dynamic Device Groups
We hope that you are as excited about our new Dynamic Groups capabilities as we are. If you are interested in joining our Early Access program for these features, just reach out to your account team for help. If you are already participating in the User Group Suggestion Automation Beta, you will automatically be enabled for the Early Access program once we start. The Early Access program will be starting with Device Groups the week of 7/31 with User Groups to follow the week of 8/7. Our plan is to move these features to General Availability by the end of August.
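The membership behavior described in the post above (an OR rule on one attribute, always/never exemptions, and the "review required" option) can be modeled in a few lines. This is an added example, not part of the original post and not JumpCloud's code or API; the class, the field names, the sample users, and the assumption that changes to a review-required group are held until approved are all hypothetical.

```python
from dataclasses import dataclass, field

def _no_changes():
    return {"add": set(), "remove": set()}

@dataclass
class DynamicGroup:
    """Toy model of a dynamic group; not JumpCloud's implementation or API."""
    attribute: str                       # attribute the rule tests (field name assumed)
    allowed: set                         # rule: attribute equals any of these (OR)
    review_required: bool = False        # dynamic groups are automated by default
    always: set = field(default_factory=set)   # exemption: always a member
    never: set = field(default_factory=set)    # exemption: never a member
    members: set = field(default_factory=set)
    pending: dict = field(default_factory=_no_changes)

    def exempt(self, ident, include):
        # A manual add/remove on a dynamic group is recorded as an exemption.
        (self.always if include else self.never).add(ident)
        (self.never if include else self.always).discard(ident)

    def sync(self, directory):
        matched = {i for i, attrs in directory.items()
                   if attrs.get(self.attribute) in self.allowed}
        want = (matched | self.always) - self.never
        change = {"add": want - self.members, "remove": self.members - want}
        if self.review_required:
            self.pending = change        # assumption: held until an admin approves
        else:
            self.members, self.pending = want, _no_changes()
        return change

    def approve(self):
        self.members = (self.members | self.pending["add"]) - self.pending["remove"]
        self.pending = _no_changes()

def demo():
    # Constructed sample directory; user names are made up.
    users = {"ana": {"state": "activated"}, "bo": {"state": "activated"},
             "cy": {"state": "staged"}, "svc": {"state": "activated"}}
    auto = DynamicGroup("state", {"activated"})
    held = DynamicGroup("state", {"activated"}, review_required=True)
    auto.exempt("svc", include=False)    # never a member, even though the rule matches
    for g in (auto, held):
        g.sync(users)
    held.approve()
    users["bo"]["state"] = "suspended"   # bo is suspended after the first sync
    for g in (auto, held):
        g.sync(users)
    return auto.members, held.members, held.pending["remove"]
```

In this model the automated group drops the suspended user on the next sync, while the review-required group keeps the user as a member with the removal waiting in `pending` until `approve()` is called.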
08-02-2023 06:03 PM
Great addition to JumpCloud. Switching a number of groups from Static to Dynamic Device Groups will not only save us a lot of time in manual upkeep, but also improve our security posture through automation.
08-03-2023 11:06 AM
Thanks so much for the great comment. This is exactly why we are so excited about this capability. Being able to make things easier for you while also improving your security posture is what we were looking for.
08-25-2023 04:19 PM
Are there any plans to dynamically add devices based on the bound user's groups? We have some different policies for particular members of the organization (like Software Engineers or Sysadmins) but I haven't been able to find a way to automatically add new devices to a device group "Sysadmin Devices" based on the bound user's User Group "Sysadmins".
08-25-2023 05:01 PM
Hey James - That is a great use case. We don't have that capability today. It is something that we are discussing as a future enhancement. If you have time, please submit a feature request for this so that we can track it and help us prioritize.