urvashi

This is an edited transcript of the IT Hour 05.10.24

Overview 

  • Trevor Wiemann, Product Manager and Tim Song, Software Engineer joined us to talk about the latest on Dynamic User Groups and Dynamic Device Groups
  • They did a quick recap of the feature, announced the latest additions and answered questions from the audience 

Transcript 

Dynamic Groups Recap 

Trevor: So we’re here to talk about new stuff, specifically new attributes and operators in Dynamic Groups. But before we get into the new stuff I’m going to quickly do a crash course in Dynamic Groups to make sure we’re all on the same playing field. But do go back and watch the previous content as well. Derek has done some presentations on Dynamic Groups that you can go back and watch. 

What are Dynamic Groups? A user that has attributes, you go and set some rules on a dynamic group known as attribute conditions and the combination of that attribute on the user and attribute condition rules that you set, make that user group dynamic. So you can think of it as a smart group or an automated group or a magic group. Basically you go and set rules. You decide who should be in that group. We put them in the group.

User (with attributes) + Attribute Conditions (rules) = Dynamic User Groups 

On the device side it’s very similar. The device has some attributes like hostname, the operating system, when it was created etc. You go to the group, you set some rules, some attribute conditions to decide which one should be in the group, and then that group becomes dynamic/automated/smart and all the devices that should be in that group get put into that group automatically forevermore. 

Devices (with attributes) + Attribute Conditions (rules) = Dynamic Device Groups

Going in a bit deeper, how’s that working? What’s triggering those rules to run? The first thing is you create a dynamic group and you set some rules. After those rules are created, any time those rules get updated, or any time an attribute is changed, we run the rules to make sure that the group membership is always accurate. 

So you have a group and you set a bunch of rules and you come in in the future and say, “Actually I need to tweak that one a little bit. I need to add some more rules.” You change the operators, you change the value on the rules, or you change the attributes on the actual underlying object (user/device), we’re going to run the group rule so that group should be as accurate as possible at all times. For example if it’s a user, maybe someone changed their job title, maybe they moved to a different location. If it’s a device that used to have macOS and you decided to wipe it and install Windows on it. Whatever you do, anytime we change those attributes on the underlying objects, every single time, we’re going to run the group rule. 

So that’s what’s actually triggering those rules to run and keeping those groups accurate. Making sure the people in those groups always have access to the right thing, the devices in those groups are getting the right policies, getting the right command to run on them, etc. 

What if I need to make an exception to the rules? I have a problem user or device that doesn’t quite match the criteria. You can exempt them on both user groups and device groups. You can go in and add someone to that group with an Include. Say the rule is that it’s only your product managers, but you have someone that needs to be in that product manager group. No problem, you can include them. You can also do the opposite. You have someone that matches that rule but for some reason they shouldn't be in that group. You can always exclude them. When you add an exemption, what you’re basically saying is “Hey JumpCloud, ignore the rules and either keep them in the group or remove them from the group. Ignore the rules that are running.” It’s the same thing on the devices side. I have a group that’s Windows and the rule is “Hostname contains ‘VM’” but I know that I have Trevor’s VM down here that really shouldn’t be in the group. I can always exclude that object, that device from the group and we’ll never put that device in the group. 

Cool Things you can do with Dynamic Groups

So on the user side, think about user lifecycle management here. You have your HRIS directory, you import users and attributes from that HRIS into JumpCloud. You go and schedule an onboarding for that user. You schedule their activation. When that user becomes active, all those rules you set on the group get applied, the users get added to the groups and we're going and giving them access to all the things that are bound to those groups. So basically from the time they get imported from your HRIS, if they have all the attributes and you've gone ahead and done the pre-work to set up those groups, they're automatically getting access to all the resources that JumpCloud manages automatically. So on day one, they're already able to be productive and get access to the things they need to do their job. 

On the device side, we’re able to enable device onboarding with basically zero touch through dynamic device groups. So you have a device that gets enrolled, JumpCloud reads all those attributes from the device, you already have your device group rules set up, and they're automatically added. They get policies applied, get put in policy groups, software management applied, they're getting bound to user groups to make sure users are able to access the devices in that group. And again, that's all happening automatically. Those devices are being configured appropriately based on those rules that you've set up ahead of time.

What’s New with Dynamic Groups?

  • Operators - Contains, Does not contain, Starts with, Ends with, Or (in Not equals)
  • User Attributes - Manager, Company Email 
  • Device Attributes - Hostname, Vendor, IP

So you can now use Manager. You can set up a group and say “All of Becky's direct reports should be in this group”. You can also flip this around and do a Not Equals here and get everyone that doesn’t report to Becky in a group. We have Company Email and if you pair that with Contains/Starts With/Ends With, that can be really powerful, especially if you're an organization that has some different divisions or you're trying to only get users that are using a Google alias email, and we'll get into that in the demo, but two new attributes on the user side. 

As a quick note, you can always request a review of updates and you can get emails to let you know when those updates happen. That kind of reduces the “automagicness” of it but it does give you a bit more control because you can go in and manually approve all the updates before JumpCloud does them. 

In our previous experience, if we wanted to set up our product manager group, on Job Title, we use our Equals operator and we say ‘PM’. We see all our PMs in the preview. Now that we have Contains, you’ll notice that the preview list gets a lot bigger because now we’re not only pulling in people whose title is ‘PM’ but also ‘Senior PM’ and ‘Junior PM’. Using Contains we can look at their full title so you can make the rules a bit simpler and still be able to capture all the users you want. Looking at another example, we could do ‘Engineer’. If we wanted to pair that Contains with a Department operator, now we can get smart and say “only give me the engineers that are in the engineering department” and you’ll see that security engineers will get filtered out. 

Now let’s look at Starts With. If we wanted to get only the senior employees, we can do a Starts With. We can enter ‘Senior’ and now we’re getting all the senior employees in the company. Looking at our new Email operator. If we want everyone whose email contains ‘JumpCloud’, we’re going to get this big list of employees in our company. But what if we want to make this more specific? We could use our Ends With operator and do something like “JumpCloud Canada” and get a list of users that are in JumpCloud Canada. If you want to get only users that are using a Gmail alias, you can do that as well. 

Tim: When we first released Dynamic Device Groups we allowed you to mix and match any of the attributes available on the device. The problem was that some of these attributes were tied to a specific OS. So we allowed admins to put their group rules into a bad state. So we took that feedback and made that experience better. 

Now you need to select an OS before you can select the attributes, and if you don’t they’re disabled until you do. By doing this we prevent admins from making mistakes and putting their rules into a bad spot. For example we’ve got this distribution which is heavily tied to Linux. We add one condition with ‘Operating System’ Equals ‘Linux’ and then we add an addition. Now we have the capability to add a distribution into the rule. So hopefully this helps make sure that you’re building the right rules on the device side. 

The next couple of things I want to talk through are some of the new attributes and the new operators and some use cases for them. The first one is OS or Version. Everyone who has managed Windows devices understands the pain in how they version/number their OS version. I think everything is labeled 10 even though 11 is available so what we wanted to do is give you an option to manage that. Once you’ve selected ‘Operating System’ Equals ‘Windows’, we’ve got this new version attribute available. Once we have that, with our new operators Contains or Starts With or Ends With you can easily go find all your Windows 10 or 11 devices. So if I do a Contains, I can do ‘10’, and preview all the different Windows 10 devices - Pro, Home, whatever you have here. So hopefully that helps with folks having to manage Windows 10 and 11 and wanting to segregate that demographic of devices. 

Next is the attribute Hostname. When you’re naming your devices you probably have some sort of naming convention, especially if you’re managing a fleet of devices, to identify the location, purpose, or maybe an application tied to the device. Now with ‘Hostname’ available and things like Contains you can segregate those devices into categories like database servers or application servers, things like that. There are other ones like Vendor if you want to segregate by Lenovo, Dell etc. even any of the Parallels you have, if you’re running Macs and you want to run a Parallels for Windows, you can do that too.

The last one I want to touch on is ‘IP Address’. Like Trevor said, this has been a big request. This is not a true IP range that we’re going to be able to provide you up front, that’s something that we’re working on, but there are some simple things that you can do with ‘IP Address’ that are very helpful with the new operators. I would say Starts With is one of your best options here. You can essentially segregate or search by the different octets in an IP address.  So if you segregate by subnets, this may be helpful. It’s a little bit on the simpler side but hopefully it adds value. 

Q&A

Q: How do these JumpCloud groups integrate with groups elsewhere like Google or Slack? 

A: For both Google and our pre-built integration with Slack, with SCIM, we’ll be able to push the groups downstream to both of those applications. One thing to note is that you can also have dynamic groups in Google and in Microsoft so the recommendation is to pick where your source of data lives and don’t turn on dynamic groups in both places. We’ve seen strange behavior having dynamic groups on JumpCloud and having that same dynamic group in Google. 

Q: Is there a way to use “is/is not member of a group”? 

A: This will have to be a feature request

Q: Is the group adding fast enough to add a printer based on the LAN IP? 

A: For the most part these rules run in near real time, so a few seconds. If it’s a static IP then it should be pretty quick to get it added to a group automatically. 

Q: Is there any chance that JumpCloud will be able to pull from available options to allow us to simply select things such as department, etc. rather than having to type them in? It’s a bit more error proof to look through options.

A: This is along the lines of something we’re talking about potentially doing but please put in a feature request. There’s a chance this could happen. 

Q: Can Dynamic Groups be influenced by directories that are syncing with JumpCloud? 

A: Yes, directories are syncing with JumpCloud and I’m going to assume you mean an upstream directory. So if you have SCIM integration upstream of JumpCloud that syncs into JumpCloud in real time, then changes in the upstream directory will influence dynamic group membership. 

Q: Could we do something like “Is in the Admins AD OU”?

A: It’s all about what’s on those attributes on the user. So if you can get that information onto an attribute onto a user, we’ll be able to use that. If it’s outside of those attributes that are on a user we won’t be able to get insight for our rules. 

Q: Can I create a dynamic group and apply it across multiple tenants? 

A: Not yet, that’s something we’ve been hearing a lot so a feature request would be great. 

Q: Any talk about having an option for security groups with email address? 

A: That’ll be a feature request 

Q: Any plans for nested groups? 

A: Not exactly nesting but we are absolutely looking at being able to “if you’re a member in one group, you should be a member of a second group”. So being able to look at a Member Of attribute to drive membership between various groups. 

Q: Any chance to add the Employee ID attribute?

A: Yes, we’re always looking at adding additional attributes to the rules. But a feature request would be great. 

Last update: 06-13-2024 09:26 AM