MarPas
Brass Contributor
Nov 29, 2024
Solved

Best Practices for Managing Autopilot Profiles Across Multiple Locations

Hello everyone,
I have a question, and I’d like to get your thoughts on it.

In a scenario where an organization manages Hybrid Join devices using Autopilot, distributed across different locations, each with its own Autopilot profile, how do you prefer to manage groups and profile assignments?

The options I’m considering are:

Option 1

Using a single dynamic group (e.g., “All Autopilot Devices”), with a query like: 

(device.devicePhysicalIDs -any (_ -startsWith "[ZTDid]"))

to include all corporate devices, and then assigning profiles using Scope Tags.

Option 2

Creating multiple dynamic groups, one for each location (e.g., “Location 1 Autopilot Devices,” “Location 2 Autopilot Devices,” etc.), with queries like: 

(device.devicePhysicalIds -any (_ -eq "[OrderID]:Location 1"))

and then assigning the respective Autopilot profile to each dynamic group.

What’s your approach, and what advantages/disadvantages have you encountered?

Thank you to anyone willing to share their experience!

  • Hi MarPas,

    Managing Autopilot profiles across multiple locations can indeed be challenging, and it’s great that you’re evaluating the best approach for your setup. Both options you mentioned are valid, but they come with their own pros and cons depending on your organization’s needs.

    Option 1: Single Dynamic Group with Scope Tags

    This approach simplifies group management since you only have one dynamic group (All Autopilot Devices) to maintain. Scope tags can then help you segment devices by location.

    Advantages:

    • Easier to manage groups: You avoid creating and maintaining multiple dynamic groups for each location.
    • Centralized control: All Autopilot devices are in one place, which can be handy for reporting and troubleshooting.

    Disadvantages:

    • Scope tags may require additional effort to set up and maintain.
    • If your organization grows or locations change frequently, managing scope tags across multiple locations could become complex.

    Best for:

    • Organizations with fewer locations or a simpler structure.
    • Teams looking to minimize group management overhead.

    Option 2: Multiple Dynamic Groups for Each Location

    This approach gives you more granularity by creating location-specific dynamic groups and assigning profiles directly.

    Advantages:

    • Granular control: Profiles are tied to specific groups, making it easier to apply unique configurations or policies per location.
    • Clear segmentation: If you ever need to troubleshoot or audit a specific location, the group structure is already aligned to physical locations.

    Disadvantages:

    • More administrative overhead: You’ll need to maintain separate queries and groups as your locations grow or change.
    • Scaling challenges: If new locations are added, creating additional groups and queries may require more time.

    Best for:

    • Organizations with many locations that need distinct configurations or policies.
    • Teams that prioritize location-specific autonomy over centralized management.

    My Recommendation

    If your organization has a manageable number of locations and distinct profile requirements, Option 2 provides clarity and easier troubleshooting for location-specific needs. However, if simplicity and scalability are your priorities, Option 1 might be the better choice.

    In my experience, a hybrid approach can also work. You could start with Option 1 to centralize control and then gradually move to Option 2 for high-priority or complex locations.

    Cheers,
    [G4ia!]

  • Ankido
    Iron Contributor

    Hi, it depends on how many locations you have, but you can also use tags with locations and departments, so if a machine is going to be enrolled and it’s located in the USA and the person works in the sales department, it should go to the USA group, and so on. From my perspective, you can use option 1 but with some tags like department, for example. This way, everyone working in sales would go to the sales group, and those working in logistics would go to the logistics group. This will make it easier later when deploying a policy, for example, for logistics, as it will apply to all devices in the logistics group.

  • iu360
    Copper Contributor

    Hello,

    To manage Autopilot profiles effectively across multiple locations, it's best to create dynamic Azure AD groups that are based on location-specific attributes. Each group can then be assigned its own Autopilot profile, ensuring devices are configured correctly for their respective locations. Use clear naming conventions for groups and automate profile assignments through policies to make the process more efficient and adaptable to changes in the organization.
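One way to script the per-location groups discussed in this thread, so that every group follows the same naming convention and rule shape. This is an added example, not code from any of the posters: it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups), an account allowed to consent to Group.ReadWrite.All, and constructed location names that equal the Autopilot Group Tag set on the devices. Assigning each Autopilot profile to its group is a separate step and is not shown.

```powershell
# Added example: create one dynamic device group per location, keyed on the Group Tag.
# The tag is exposed to dynamic rules as "[OrderID]:<tag>" with no space after the colon.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Constructed sample values; each must match the Group Tag on the devices exactly.
$locations = @('Location 1', 'Location 2')

foreach ($loc in $locations) {
    # A double quote in the tag would terminate the string literal inside the rule.
    if ($loc -match '"') {
        Write-Warning "Skipping '$loc': double quotes are not allowed in the rule value."
        continue
    }

    $name = "$loc Autopilot Devices"
    $rule = '(device.devicePhysicalIds -any (_ -eq "[OrderID]:{0}"))' -f $loc

    # Look for an existing group with this name (single quotes doubled for the OData filter).
    $filter   = "displayName eq '{0}'" -f $name.Replace("'", "''")
    $existing = Get-MgGroup -Filter $filter -Property 'id,displayName,membershipRule'

    if ($existing) {
        # Report rule drift instead of overwriting it silently.
        foreach ($g in $existing) {
            if ($g.MembershipRule -ne $rule) {
                Write-Warning "$name ($($g.Id)) has a different rule: $($g.MembershipRule)"
            }
        }
        continue
    }

    # Security group, not mail-enabled, with dynamic membership evaluation switched on.
    New-MgGroup -DisplayName $name `
        -Description "Autopilot devices with Group Tag '$loc'" `
        -MailEnabled:$false `
        -MailNickname ($name -replace '[^A-Za-z0-9]', '') `
        -SecurityEnabled `
        -GroupTypes 'DynamicMembership' `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On' | Out-Null

    Write-Output "Created '$name' with rule $rule"
}
```

Running it a second time creates nothing and only prints warnings for groups whose rule no longer matches the generated one, which makes it usable as a periodic drift check.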
