I have had a few customers now ask for a way to classify machines at the machine itself rather than in the interface. For this customer, they feel they need this for two reasons:
They have literally dozens of member firms that to a large degree are all doing their own thing and are somewhat self-contained. Part of the ask from the customer, then, is to be able to manage things at the “Firm level”, which we have kind of achieved in the policy, but this really assumes there will only ever be 1 policy with member-firm-specific workstyles (all very similar workstyles at present). The customer is actually looking at 3 distinct policies or “working practices” right now: Monitoring, Baseline and High Security. While duplicating the policy is quite an effort (to change exception handling across ALL Workstyles), the bigger issue for the customer is how to get machines / users moved between the various policies (or groups in iC3). The individual member firms do not have access to the portal so cannot move machines themselves. The interface itself also doesn’t allow for easy management of thousands of machines at the same time.
This issue also extends to how they get machines added to the system initially. Adding machines to the correct groups at the start is a challenge as it requires them to have multiple install packages which must be kept up to date etc. When you add the multiple member firm concept to this, I can imagine it will become a bit of a nightmare. Having some way of dynamically assigning machines to groups post install could allow them to automatically assign ALL machines to 1 group, then over time they will naturally find their way into the correct group.
I also had another customer with similar requests. Essentially they deploy machines into their estate very dynamically, and in their case it is actually the machine that defines privilege, NOT the user. For example, if a user logs on to a “Dev” machine, they are a dev; if they log on to a standard user machine, they are a standard user, etc. Machines can also be shared.
To complicate things even more, it is often not known ahead of time what “type” of machine it will be until it is built or all of the software is added to it. It is also possible that, post build, a machine can effectively become a Dev machine if the right software is subsequently installed on it!
They have their own app that manages some of this, and originally they were hoping to use a value in the registry and the WMI feature of the policy filter engine to decide which workstyle a machine gets somewhat dynamically. Due to potential performance impact, I advised against this and looked to the Group Concept in iC3 to help. Unfortunately, however, there is no inbuilt (easy) way to assign machines to groups dynamically (similar to the above).
In all cases, I have been able to demonstrate the iC3 API, which will help, but ultimately having functionality like tagging or policy deployment rules (a concept borrowed from ePO) could really help.