Endpoint groups
An endpoint group is a bucket of machines that share a policy. New endpoints land in your tenant's default group unless their enrollment token specifies a different one.
Why groups
Different teams need different policies. Engineering might allow approved thumb drives; the kiosk in the lobby should be HID-only; the warehouse scanners need only their HID scanner. Groups let you set those policies independently, without duplicating them.
Per-group policy
Each group has exactly one assigned policy at a time. v1 enforces a 1:1 group → policy assignment; many-to-many is on the v1.1 list if it turns out to be useful.
Per-group discovery mode
Each group has an optional discovery_mode_until field. While that field is set to a time in the future, the action of every rule served to that group's agents is coerced to audit. See discovery mode.
Default group
Each tenant has exactly one default group, created during tenant bootstrap. Newly enrolled endpoints land here unless their enrollment token specifies a different group. You can change which group is the default at any time from the Endpoint groups list.
Pre-assigning groups at enrollment
When generating an enrollment token, pick the target group from the dropdown. Endpoints enrolled with that token land directly in the chosen group. This is useful for GPO / Intune rollouts where you know up front which group a batch of machines should join.
Moving endpoints
From Endpoints, change a row's group via the per-row picker, or bulk-move endpoints from the group's detail page. Either way, the endpoint picks up the new group's policy on its next poll (within ~60 seconds).
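
The group semantics described on this page (default-group fallback at enrollment, one policy per group, and discovery-mode coercion at poll time) can be modelled in a few lines. This is an added illustration, not the product's code: apart from discovery_mode_until and the audit action, every class, method, rule field and action name below is an assumption, and the sample tenant is constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Rule:
    device_class: str   # hypothetical rule selector
    action: str         # "allow"/"block" are assumed names; "audit" is from the page

@dataclass
class Group:
    policy: list        # the group's single assigned policy, as a list of Rule
    discovery_mode_until: Optional[datetime] = None   # field named on the page

@dataclass
class Tenant:
    groups: dict        # group name -> Group
    default_group: str  # exactly one default group per tenant

    def enroll(self, token_group: Optional[str] = None) -> str:
        """Group a new endpoint lands in: the token's group, else the default."""
        if token_group is None:
            return self.default_group
        if token_group not in self.groups:
            raise KeyError(f"enrollment token names unknown group {token_group!r}")
        return token_group

    def rules_for_poll(self, group_name: str, now: datetime) -> list:
        """Rules served to an agent in group_name that polls at time now (UTC-aware)."""
        group = self.groups[group_name]
        until = group.discovery_mode_until
        if until is not None and now < until:
            # Discovery window still open: every action is coerced to audit.
            return [replace(rule, action="audit") for rule in group.policy]
        return list(group.policy)

# Constructed sample tenant: one open discovery window, one expired, one unset.
NOW = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)
TENANT = Tenant(
    groups={
        "default": Group([Rule("usb-storage", "block")], NOW + timedelta(days=7)),
        "kiosk": Group([Rule("hid", "allow"), Rule("usb-storage", "block")]),
        "engineering": Group([Rule("usb-storage", "allow")], NOW - timedelta(hours=1)),
    },
    default_group="default",
)

def actions(group_name: str, now: datetime = NOW) -> list:
    """Actions an agent in group_name would receive on a poll at time now."""
    return [rule.action for rule in TENANT.rules_for_poll(group_name, now)]
```

In this model an endpoint enrolled without a target group inherits the default group's discovery window, so its rules are audit-only until that time passes. Because rules are resolved at poll time, moving an endpoint changes what it receives on the next poll.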