E8 Guide | Implementation | Setting up groups
Setting up your groups for managing Essential Eight policy assignment and testing is the critical first step in a successful implementation
Previous: Using the Devicie E8 dashboard | Next: Deploy policies |
User Group Set Up
Creating the right user groups is foundational to successfully implementing the Essential Eight maturity model with Devicie. These groups determine how policies are assigned, tested, and managed across your organisation.
It is recommended that you create the groups for all three maturity levels. They are useful for testing, and if you decide to raise your maturity level later, creating them now means you are already set up for a smoother implementation. At a minimum, create the groups associated with the level you plan to attain.
For example, even though you will start with ML1, if your goal is to eventually get to ML2, then it is important you set those groups up now.
Why Use User Groups Instead of Device Groups?
Devicie strongly recommends using user-based groups rather than device-based groups. This approach offers greater flexibility and long-term manageability, especially when dealing with exemptions and exclusions.
For example:
- Office Macros are often required by specific users (e.g. finance staff), not by specific devices.
- If a macro exemption is tied to a device, and that device is reassigned to a user who doesn’t need macros, the exemption remains unnecessarily active.
- By tying policies to user identity, exemptions follow the person, not the hardware. This ensures more accurate and secure policy application.
This user-centric model aligns with modern identity-based security practices and simplifies ongoing administration.
Using Nested Groups with Devicie Policies
Devicie’s Essential Eight policies are additive across maturity levels. That means:
- ML2 policies build on ML1 policies.
- ML3 policies build on both ML1 and ML2.
To reflect this, Devicie uses nested user groups:
- ML1 Group: Contains users receiving ML1 policies.
- ML2 Group: Contains users receiving ML2 policies and is a nested member of the ML1 group.
- ML3 Group: Contains users receiving ML3 policies and is a nested member of the ML1 and ML2 groups.
This setup ensures that:
- A user added to the ML3 group automatically receives all policies from ML1, ML2, and ML3.
- Policy inheritance is seamless and consistent with the maturity model.
- Group management remains simple—just assign a user to the appropriate maturity level group.
💡 Tip: To learn how to create nested groups in Microsoft Entra ID, refer to the relevant Microsoft Learn guide.
Specific groups required
You’ll need to create 10 user groups as listed and described below. We recommend using the naming convention suggested below as it will make the use of this guide much easier and ensure Devicie support can more readily understand your environment if needed.
This structure is designed to support:
- Progressive rollout and testing
- Clear policy inheritance
- Simplified exemption management
| Group Type | Group name(s) | Purpose |
| --- | --- | --- |
| ML1 Group | Intune-E8-ML1-User | Base maturity level policies |
| ML2 Group | Intune-E8-ML2-User | Adds ML2 policies; should be included in the ML1 group. |
| ML3 Group | Intune-E8-ML3-User | Adds ML3 policies; should be included in both the ML1 and ML2 groups. |
| App Control Audit Groups | Intune-E8-ML1-AppControlAudit, Intune-E8-ML2-AppControlAudit, Intune-E8-ML3-AppControlAudit | ML1, ML2, ML3 – for testing application control in audit mode |
| App Control Block Groups | Intune-E8-ML1-AppControlBlock, Intune-E8-ML2-AppControlBlock, Intune-E8-ML3-AppControlBlock | ML1, ML2, ML3 – for enforcing application control in block mode |
| Office Macros Allow Group | Intune-E8-ML1-OfficeMacro-AllowWithPrompt | For users who require macro functionality |
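The following script is an added example, not part of the Devicie guide, showing one way to create the 10 groups above and apply the ML1/ML2/ML3 nesting with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Groups module is installed and that the signed-in account is permitted to create groups and manage membership (Group.ReadWrite.All); the group names are the ones from the table.

```powershell
# Added example (not Devicie's own code): create the Intune-E8 user groups and
# nest ML2 under ML1, and ML3 under both ML1 and ML2, as the guide describes.
# Assumption: Microsoft.Graph.Groups is installed and the account can manage groups.
Connect-MgGraph -Scopes "Group.ReadWrite.All" -NoWelcome

$Names = @(
  "Intune-E8-ML1-User", "Intune-E8-ML2-User", "Intune-E8-ML3-User",
  "Intune-E8-ML1-AppControlAudit", "Intune-E8-ML2-AppControlAudit", "Intune-E8-ML3-AppControlAudit",
  "Intune-E8-ML1-AppControlBlock", "Intune-E8-ML2-AppControlBlock", "Intune-E8-ML3-AppControlBlock",
  "Intune-E8-ML1-OfficeMacro-AllowWithPrompt"
)

# Create each security group only if it does not already exist, so re-runs are safe.
$Groups = @{}
foreach ($n in $Names) {
  $g = Get-MgGroup -Filter "displayName eq '$n'"
  if (-not $g) {
    $g = New-MgGroup -DisplayName $n -MailNickname $n -MailEnabled:$false -SecurityEnabled
    Write-Host "Created $n"
  }
  $Groups[$n] = $g
}

# Nesting per the guide: ML2 is a member of ML1; ML3 is a member of ML1 and ML2.
$Nesting = @(
  @{ Parent = "Intune-E8-ML1-User"; Child = "Intune-E8-ML2-User" },
  @{ Parent = "Intune-E8-ML1-User"; Child = "Intune-E8-ML3-User" },
  @{ Parent = "Intune-E8-ML2-User"; Child = "Intune-E8-ML3-User" }
)
foreach ($link in $Nesting) {
  $parent = $Groups[$link.Parent]
  $child  = $Groups[$link.Child]
  $already = Get-MgGroupMember -GroupId $parent.Id -All | Where-Object { $_.Id -eq $child.Id }
  if (-not $already) {
    New-MgGroupMember -GroupId $parent.Id -DirectoryObjectId $child.Id
    Write-Host "Nested $($link.Child) inside $($link.Parent)"
  }
}

# Check: the transitive membership of the ML1 group should now list the ML2 and ML3 groups,
# which is what makes a user placed in ML3 inherit ML1 and ML2 policy assignments.
Get-MgGroupTransitiveMember -GroupId $Groups["Intune-E8-ML1-User"].Id -All |
  ForEach-Object { $_.AdditionalProperties["displayName"] }
```

Run it once per tenant; the existence checks mean a second run only reports what is already in place.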