I have a question about best practices for grouping. We are a global organization with about 16 sites. Our ideal grouping of systems would look something like this:
Each site has a “top level group” and each of those groups have subgroups called Office, Lab, Factory, Server looking like the below:
City name:
Office
Lab
Factory
Server
City name:
Office
Lab
Factory
Server
This would then be used to manage deployment of patches, products, reporting, setting up local BES administrators permissions to have access to the systems they are responsible for. This could be a site (city) or a subgroup like Factory under one specific city. Does someone have a best practices, or a recommendation for how to accomplish this? Any help would be greatly appreciated!
If I understand your scheme properly, I would do this:
Use the “location by subnet” wizard to make a “City” property. (Assuming you can identify cities based on subnet).
Create another property called “system group” (or whatever you want) and then your property can identify whether it is a office, lab, factory, or server… Which brings up the question of how does the computer know where/what it is?
With this approach you can filter on “by City > by System Group” or vice versa…
The computers for Office, Factory, Lab, etc are further subneted within the site subnet. So is there just no way to create a retrieve group that will show up under the “By Retrieve Properties” folder structure when looking at computers?
Do I understand right that I would have to use the location wizard, create the retrieve properties, then create automatic groups for deployment and management?
To that end, if a user has access to an automatic group (and that group only) would he then be able to deploy fixlets to that group, but not other computers?
I would avoid groups altogether and just make properties…
If you know the subnet or IP ranges for these systems, then you can just run through the Location By Subnet wizard twice (once for the city, once for the system type). This will give you the ability to filter under the “By Retrieved Property”…
But I am wondering if we are misunderstanding each other here…
For your group question, you can grant operators access to computers based on properties or groups… They can only deploy actions to computers that they can access.
OK, so the access makes sense as far as users go. Here is what I’m missing; we have configured a location by subnet property via the wizard. When I look at “By Retrieved Properties” group of folders under All Computers when looking at the computers tab, I don’t see that as a “folder”
Now, If I go to setup an automatic group for example, I do see our custom property as an item when setting the configuration for “Include computers with the following property:”. Is there a way to see those properties in the “tree structure” under the computers tab?
Also, another issue with not using groups is that we haven’t found a way to report on the sites without groups. From what we have looked at, I can’t get reports for individual sites on properties… or are we missing something there too?
Basically we need to report on each site not only as a whole to compare them to each other, but individually from a patch compliance perspective. So for example; need to report not only on New York, Texas, etc as a whole but also on the Factory group for New York… or the Server group for New York. And even on the Factory groups at each site compared against each other. That kind of thing.
This kind of comparison and metrics are critical for us.