How to do phased deployments in a cloud native world?


  


Back in the days when we had SCCM, we could easily setup phased deployments. In a cloud native world these controls are missing, but we can create phased deployments based (dynamic) groups. 

In this blog post I will show you how to set it up and use it.

Groups

First of we need to create groups that contains the devices for each phase. You can of course fill those groups manually, but in larger environments Dynamic Groups will be a better option. We will use the first character of the DeviceId in our dynamic query to select the devices per group. 

Keep in mind that the DeviceId is containing hexadecimal characters, so that means 16 options (0 till F) per character. How big you want to make the groups is up to you, but I have chosen for a group for each first character, so 16 groups. With 16 group you have around 6.25% of your devices per group. Of course this is a bit depending on the size of the environment, for 60K+ clients environment the distribution looks as follows:

You could of course also use 2 starting characters per group, giving you groups of ~ 12,5%.

The query we will use for the first group is: (device.deviceId -startsWith "0")

Creating a Dynamic Group

In Intune go to Groups and click "New Group"

  • Enter a name, description and select "Dynamic Device" as Membership type.

  • Next click on "Add dynamic query", next enter the query by selecting:
    • Property  : deviceId
    • Operator : Start With
    • Value      : 0

  • Click "+ Add expression" and click save. 

Repeat these steps for the other 15 groups, of course the Value needs to be changed for every group you create.

Above example dynamic group will contain all devices with the specified first character. If you only want Windows devices you could add an additional expression to the dynamic query, for instance:  and (device.deviceOSType -eq "Windows")

Now we have created the phased deployment groups, you might want to create 2 additional groups where you assign the devices directly:

  • A group to hold devices that you want to do the first tests on, let's call this the Canary group.
  • A group to hold the devices of VIP users that should be last (or maybe first) in the deployment.

The approach

There are a number of options how to configure a phased deployment. But the basics are; How many phases do you want, how many days between the phases and does it need to go to all your devices or only specific groups in the end.

Application Deployment

Let's start with applications. If the end goal is to target all devices, you can use "Availability" to control when the app should start deploying to the specified group. 

When you use this option make sure you select the correct Time zone.


In the below the example of assignment based on a availability schedule: Canary devices first and next in phases of ~10%, ~20%, ~30% and ~40% with 3 days between the phases. 


Don't forget to Exclude the VIP devices! Those devices are also included in the phased group and the Exclude of the group will prevent them from being targeted in the phases.

In the last step need to change the assignment of the VIP devices to Include. Or change the assignment completely, remove all the assigned groups and only add the appropriate all devices target group as Include, which will include the VIP devices. 

If your end goal is to deploy to a specific group of devices, let's say a specific country. You need a different approach, which requires multiple changes for the complete cycle.


In the above example the application is deployed only to all devices of NL if they are also in the phase00 and phase01 groups (the groups that are not in the list). Next phases are started after you remove the phases groups, an action that you should do every couple of days based on your preferred schedule. At the end you will only have the assignment for the all NL devices left.

Profile/Policy Deployment

The deployment of profiles or policies requires the same kind of effort as the deployment to a specific group, but there are two options:

Add the phased groups as include assignments, in the example below the profile is assigned to the Canary devices and the devices in the first two phased groups. In the interval you want, add the additional phased groups. When the last phased groups would be added just remove all assignment and add the final target group.

The other option is to set the assignment up in the same way you would do when you deploy an app to a specific group. So, include the final target group and exclude all phased groups and the VIP group. Now you need to remove the phased groups from the exclusion in interval you prefer.

If you are moving from an old to a new policy, don't forget to exclude the groups you include in the new policy on the old one.



Comments

Post a Comment

Popular posts from this blog

Why pre-provision Windows devices?

Image
Recently I was asked again; “Why do you pre-provision devices?” I, or actually we, got that question several times last year. Also, in conversations with Microsoft this question pops up regularly. So, why do we pre-provision (aka. White Glove) devices? There are two main reasons to do this: Security Employee Experience And in addition, of course, the costs. Security Looking at security, by pre-provisioning devices we make sure we block things like Shift-F10, the Recovery Command prompt, etc. and to have the security policies applied before we hand the device over to the employee. Employee Experience Pre-provisioning devices will limit the time the employee needs to enroll the device to around 15 mins, with all applications installed on the device when the employee gets the desktop. As part of the pre-provisioning process, we make sure: The drivers and firmware are updated to the latest version before pre-provisioning. All core applications are installed as part of pre-provisioning....
Read more

Why are we using Autopilot group tags?

Image
  Why are we using Autopilot group tag? Do we need group tags?  Two valid questions which I will discuss in this blog post. So, why do we use group tags? The short answer, to add the device to the correct group! The long answer As we are in over 40 countries and might even have multiple entities in those countries, we have around 90 legal entities with their own local support teams, and so we need to be able to distinguish the devices per entity. Next, we have different device types for different use cases, we call them worker types. We currently have the standard device, engineering device, shared device, virtual device and kiosk device. User can have multiple devices which have different worker types. So, that is the second requirement. Other requirements are to separate laptops, desktops and virtual devices. And yes, we could use filters instead, but they were not available 4 years ago. And finally, the need to mark devices as pre-production and to be able to see which glob...
Read more